Hello all,
Please help. I cannot get any traffic to go through my IKEV2 VPN client in bridge mode. I’m using HAP AC2 as a client bridge.
Please see attached config file.
myconfig.cfg.rsc (7.52 KB)
I notice that the system time has updated to the region of the VPN location. So I presume that it’s connected ok, just that the LAN traffic doesn’t go through the VPN.
I would really appreciate any help.
What’s the idea here? I see all ports bridged, there are both dhcp client and server on bridge, where dhcp server doesn’t provide any gateway, … it looks weird. Anyway, if it somehow works at all, and clients don’t have this router as gateway, then it’s expected behaviour, any traffic passing through this router is bridged, forwarding won’t touch it.
Hi Sob,
The HAP automatically made all those settings when I used quick set to make a bridge mode in CPE.
I have a Huawei 4g Router, and use the HAP in WIFI bridge mode to connect my devices to. I cannot get the website traffic to route through the VPN.
I have now tried to concentrate on getting the VPN to work, so have reset all settings, and plugged straight into my Huawei Modem/Router. The problem is when I configure the IPSEC VPN following the instructions here https://support.surfshark.com/hc/en-us/articles/360012906220-Mikrotik-router-tutorial-with-IKEv2. I can see from the connected peers that the VPN is active, but as soon as I make the firewall address list to tell traffic to go through the VPN, then the websites all timeout during loading.
Please can someone look at the attached config and tell me why the VPN doesn’t work? I have also tried removing all firewall rules, but it’s still the same.
Many Thanks
config.rsc (7.53 KB)
So now you have wlan2 as WAN port connected to Huawei, and router is default gateway for connected devices. It looks like it should work for addresses listed in “local” address list, which right now is just 192.168.88.254.
Yes, 192.168.88.254 is my pc address. I have also tried 192.168.88.0/24. Neither of these work. If I disable them from the firewall address list then the websites load again, but not through the VPN. When I enable the firewall list address then the websites time out.
I’ve tried in 3 separate configurations:
1 - HAP in bridge mode connected via WIFI to Huawei router
2 - HAP in router mode connected via WIFI to Huawei router
3 - HAP connected directly from Huawei ethernet to HAP WAN port via ethernet cable
All of these configurations load websites until I enable the firewall address list and then the website connection times out.
I’ve also removed all filter rules from the firewall and it makes no difference.
The VPN is showing as established in the IPSEC connected peers.
The dynamic DNS addresses have automatically updated to the addresses provided by Surfshark.
I’ve been going round in circles for 5 days, and no matter what configuration method I try, I always end up with the same outcome.
Any ideas anyone?
You can test VPN from router. I don’t remember exact details about this type, but I think you should have dynamic IP address from it. Look in IP->Addresses (or /ip/address/print in CLI). Then try traceroute to any address on internet (e.g. 1.1.1.1) with that dynamic address as source (/tool/traceroute src-address=x.x.x.x address=1.1.1.1) and see if that works.
Hi Sob. Thanks for trying to help. Here are the results:
This is the result with the firewall address lists disabled (websites work ok but no VPN)
/tool/traceroute src-address=192.168.88.1 address=1.1.1.1
1 192.168.8.1 0% 4 1ms 1.2 1 1.4 0.2
2 100% 4 timeout
3 172.25.147.5 25% 4 20.2ms 26.4 20.2 32 4.8
4 100% 4 timeout
5 172.25.152.122 25% 4 20.5ms 28.1 20.5 37.3 7
6 172.25.152.89 50% 4 timeout 41 34.8 47.2 6.2
7 100% 4 timeout
8 172.25.131.146 0% 3 27.1ms 28.4 25.9 32.1 2.7
9 100% 3 timeout
10 195.66.227.207 0% 3 41ms 40.2 31.7 48 6.7
11 172.70.160.4 0% 3 23.8ms 24.8 23.8 25.8 0.8
12 1.1.1.1 0% 3 34.8ms 27.6 22.9 34.8 5.2
This is the result with the firewall address lists enabled for the pc to use the vpn (websites don’t load)
/tool/traceroute src-address=192.168.88.1 address=1.1.1.1
1 192.168.8.1 0% 6 1.1ms 2.7 0.7 10.5 3.5
2 100% 6 timeout
3 172.25.147.5 16.7% 6 20.7ms 27 17.9 46.2 10.8
4 100% 6 timeout
5 172.25.152.122 16.7% 6 34.6ms 27.7 17.5 34.6 6.4
6 172.25.152.89 0% 6 20ms 33.8 20 49.1 10.2
7 100% 6 timeout
8 172.25.131.146 0% 6 23.1ms 27.4 20.5 36.1 5.2
9 195.66.226.209 80% 6 timeout 22.8 22.8 22.8 0
10 195.66.227.207 0% 5 49.1ms 47.2 32.8 68.5 12.3
11 172.70.160.4 0% 5 51.4ms 42.9 22.8 78.8 20.3
12 1.1.1.1 0% 5 21.3ms 24.6 21.3 27.6 2.4
By the way - 192.168.8.1 is the address of my Huawei router
No, 192.168.88.1 is not the correct address. Isn’t there another dynamic one? And the address list doesn’t influence traffic from the router itself.
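An added example, not part of any post in this thread: a Python check over the two traceroute outputs posted above, showing that both runs left through the Huawei router (192.168.8.1) and followed the same path. It assumes the usual behaviour of tunnel-mode IPsec, where a tunnelled probe would not show the local upstream gateway as hop 1; the function names are illustrative.

```python
import ipaddress

# Rows copied from the two traceroute runs in the thread (src 192.168.88.1).
LIST_OFF = """1 192.168.8.1 0% 4 1ms 1.2 1 1.4 0.2
2 100% 4 timeout
3 172.25.147.5 25% 4 20.2ms 26.4 20.2 32 4.8
4 100% 4 timeout
5 172.25.152.122 25% 4 20.5ms 28.1 20.5 37.3 7
6 172.25.152.89 50% 4 timeout 41 34.8 47.2 6.2
7 100% 4 timeout
8 172.25.131.146 0% 3 27.1ms 28.4 25.9 32.1 2.7
9 100% 3 timeout
10 195.66.227.207 0% 3 41ms 40.2 31.7 48 6.7
11 172.70.160.4 0% 3 23.8ms 24.8 23.8 25.8 0.8
12 1.1.1.1 0% 3 34.8ms 27.6 22.9 34.8 5.2"""
LIST_ON = """1 192.168.8.1 0% 6 1.1ms 2.7 0.7 10.5 3.5
2 100% 6 timeout
3 172.25.147.5 16.7% 6 20.7ms 27 17.9 46.2 10.8
4 100% 6 timeout
5 172.25.152.122 16.7% 6 34.6ms 27.7 17.5 34.6 6.4
6 172.25.152.89 0% 6 20ms 33.8 20 49.1 10.2
7 100% 6 timeout
8 172.25.131.146 0% 6 23.1ms 27.4 20.5 36.1 5.2
9 195.66.226.209 80% 6 timeout 22.8 22.8 22.8 0
10 195.66.227.207 0% 5 49.1ms 47.2 32.8 68.5 12.3
11 172.70.160.4 0% 5 51.4ms 42.9 22.8 78.8 20.3
12 1.1.1.1 0% 5 21.3ms 24.6 21.3 27.6 2.4"""

def parse_hops(text):
    """Map hop number -> replying address, or None if the hop timed out."""
    hops = {}
    for line in text.splitlines():
        fields = line.split()
        try:
            hops[int(fields[0])] = str(ipaddress.ip_address(fields[1]))
        except ValueError:  # second field is a loss figure, so nobody replied
            hops[int(fields[0])] = None
    return hops

def leaves_in_clear(hops, upstream_gw):
    """Heuristic (assumption): hop 1 == upstream LAN gateway means not tunnelled."""
    return hops[1] == upstream_gw

def changed_hops(a, b):
    """Hops that replied in both runs but from different addresses."""
    return [n for n in a if a[n] and b.get(n) and a[n] != b[n]]

if __name__ == "__main__":
    off, on = parse_hops(LIST_OFF), parse_hops(LIST_ON)
    print(leaves_in_clear(off, "192.168.8.1"), leaves_in_clear(on, "192.168.8.1"), changed_hops(off, on))
```

Both runs report the Huawei router as hop 1 and no hop changes address between them, so neither test exercised the VPN path.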