hAP Lite to Hex S migration - ICMP & NAT strangeness

Hi Folks,

I’ve been using a hAP lite as a perma-VPN box and decided to upgrade to a Hex S as part of a network change. The device is running v6.49.4 (stable). I have pretty simple requirements of this unit:

  • Route ALL traffic over VPN
  • Blackhole the traffic if VPN is down

I’ve had this working before on the hAP but I’m having some sporadic performance issues now. I also note that ping (and other ICMP) doesn’t work sometimes… but does others. On the plus side, the performance via the VPN has gone up 10-fold; I was wondering if there are any best practices in terms of cipher/crypto selection for the best performance but still maintaining high security? I am already using aes-128 w/ sha256 so suspect I am already at the sweet spot without going to v7 and redoing everything in WireGuard which…for now at least…looks a bit too steep of a change.

The blackhole route kicks in on VPN failure - however what I have also noticed is with NAT disabled globally (i.e. quick start > untick NAT), this appears to act as an additional belt-and-braces setting in that traffic doesn’t escape. For now I do not need this box to do NAT other than via the dynamic policy that gets added. Other than obviously impacting other subnets that I might add in future (will deal with that when needed) is there anything wrong with doing this?

I also want to ensure that nothing in 192.168.88.x can talk to any other subnet on my network within RFC1918 (but obviously still allowing traffic to the internet over the VPN). Does the current setup achieve this? It certainly appears to.

The setup is as follows:

> Hex S (192.168.88.x) > Set as Automatic connection > Connected to ISP Router (gets an IP in 192.168.1.x).

I have fasttrack disabled due to an issue last time I did this, which was discussed here on the forums in a few threads.

Example of ping that just stops working despite making no changes (I was lucky to catch it):

Reply from 8.8.8.8: bytes=32 time=13ms TTL=59
Reply from 8.8.8.8: bytes=32 time=12ms TTL=59
Reply from 192.168.88.1: Destination host unreachable.
Reply from 192.168.1.197: Destination host unreachable. (this is the Hex’s IP in the LAN side)

I assumed at first that this may be firewall related but, sporadic ICMP being a firewall issue seems weird, so I was wondering maybe something in terms of a connection state change, maybe VPN dropped and re-established. While the VPN seems to work OK, I do see in the logs every 30 minutes ‘IPsec-SA expired before finishing rekey’ - any ideas what that may be? The longest uptime I see in ipsec > active peers correlates with this. I don’t recall having this issue on the hAP.

Here is the config:

/interface bridge
add name=blackhole
add admin-mac=<redacted> auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add enc-algorithm=aes-128 hash-algorithm=sha256 name=NordVPN
/ip ipsec peer
add address=<redacted> exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 name=NordVPN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
add action=mark-routing chain=prerouting new-routing-mark=via-vpn passthrough=yes src-address-list=local
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate=root.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=<redacted> peer=NordVPN \
    policy-template-group=NordVPN username=<redacted>
/ip ipsec policy
set 0 disabled=yes
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0
add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=blackhole routing-mark=via-vpn

I always really enjoy tinkering with these devices, they have an uncanny ability to make time disappear :smiley:

Thanks for your help!

Update: The ping drops are clearly related to the rekey, which I have found discussed a lot, but not much in the way of a solution beyond extending the lifetime or setting pfs group to none, which I am not keen on.

Regular browsing etc seems ok but it takes a good 5 minutes before ICMP traffic resumes on my pc, even if I cancel and restart the ping.

Can I check my understanding of the Mikrotik config terms:

Phase 1 = Proposal
Phase 2 = Policy

Looking at the Nord docs, it actually states to set PFS group to none, but what compromise is there in tangible security terms?

Thanks
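An added example (editor's code, not from the post, the forum, or MikroTik): a small Python audit that parses a RouterOS `/export` listing and checks the settings the post leans on for its VPN-only posture. The excerpt it runs on is a constructed, trimmed copy of the export quoted above. For the phase terminology asked about at the end: in RouterOS the `/ip ipsec profile` holds the phase-1 (IKE SA) parameters, the `/ip ipsec proposal` holds the phase-2 (child SA) parameters including `pfs-group` and `lifetime`, and the `/ip ipsec policy` is the traffic selector that a proposal is attached to. The audit reports the effective phase-2 values, filling in the documented RouterOS defaults (`pfs-group=modp1024`, `lifetime=30m`) when the export omits them, so the lifetime can be compared with the 30-minute log interval; it flags `pfs-group=none` because without a fresh DH exchange the child SA keys are derived from the IKE SA's `SK_d` alone, so a compromised IKE SA exposes every phase-2 key negotiated under it (that is the tangible cost behind the Nord recommendation). It also checks that fasttrack and the global masquerade stay disabled, that the `via-vpn` blackhole route exists, and whether any explicit forward drop toward private ranges backs up the RFC1918 isolation. The function names `parse_export`, `select`, `audit` and `codes` and the finding codes are my own.

```python
import shlex

# Constructed excerpt of the export quoted in the post, trimmed to the sections
# the audit reads (the full export is in the post above).
SAMPLE_EXPORT = r"""
/ip ipsec profile
add enc-algorithm=aes-128 hash-algorithm=sha256 name=NordVPN
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 name=NordVPN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate=root.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=<redacted> peer=NordVPN \
    policy-template-group=NordVPN username=<redacted>
/ip route
add distance=1 gateway=blackhole routing-mark=via-vpn
"""

# RouterOS defaults for proposal fields that an export omits (per the /ip ipsec proposal docs)
PROPOSAL_DEFAULTS = {"pfs-group": "modp1024", "lifetime": "30m"}


def parse_export(text):
    """Parse a RouterOS export into entry dicts: section, verb (add/set), set target
    (e.g. '[ find default=yes ]' or '0') and the key=value attributes of the line."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):            # RouterOS wraps long lines with a trailing backslash
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):           # section header such as /ip firewall filter
            section = line
            continue
        tokens = shlex.split(line)         # honours the quoting in comment="..."
        entry = {"section": section, "verb": tokens[0]}
        in_bracket, target = False, []
        for tok in tokens[1:]:
            if tok == "[":
                in_bracket = True
            if in_bracket or "=" not in tok:
                target.append(tok)         # '[ find default=yes ]' or a numeric item id
            else:
                key, value = tok.split("=", 1)
                entry[key] = value
            if tok == "]":
                in_bracket = False
        entry["target"] = " ".join(target)
        entries.append(entry)
    return entries


def select(entries, section, **match):
    """Entries of one section whose attributes equal every key=value in match."""
    return [e for e in entries if e["section"] == section
            and all(e.get(k) == v for k, v in match.items())]


def audit(entries):
    """Return (severity, code, message) findings for the VPN-only / blackhole posture."""
    findings = []
    # 1. fasttracked packets skip the remaining filter and mangle rules, so the ipsec-policy
    #    matches and the via-vpn routing mark would not apply to them: the rule must stay off
    for e in select(entries, "/ip firewall filter", action="fasttrack-connection"):
        if e.get("disabled") != "yes":
            findings.append(("high", "FASTTRACK_ENABLED", "fasttrack rule is enabled"))
    # 2. the defconf masquerade only NATs traffic outside an IPsec policy (ipsec-policy=out,none);
    #    keeping it disabled is the post's second barrier against plaintext leaving via ether1
    for e in select(entries, "/ip firewall nat", action="masquerade"):
        if e.get("disabled") != "yes":
            findings.append(("medium", "MASQUERADE_ENABLED", "global masquerade is enabled"))
    # 3. traffic marked via-vpn must have nowhere to go except the tunnel
    routes = select(entries, "/ip route", **{"routing-mark": "via-vpn"})
    if not any(r.get("gateway") == "blackhole" for r in routes):
        findings.append(("high", "NO_BLACKHOLE", "no blackhole route for routing-mark via-vpn"))
    # 4. phase-2 parameters live in the proposal; omitted fields take the RouterOS defaults
    for p in select(entries, "/ip ipsec proposal", verb="add"):
        eff = {k: p.get(k, d + " (default)") for k, d in PROPOSAL_DEFAULTS.items()}
        findings.append(("info", "PHASE2", "proposal %s: pfs-group=%s lifetime=%s"
                         % (p.get("name"), eff["pfs-group"], eff["lifetime"])))
        if p.get("pfs-group") == "none":
            findings.append(("medium", "PFS_NONE",
                             "child SA keys are derived from the IKE SA's SK_d alone; "
                             "a compromised IKE SA exposes every phase-2 key under it"))
    # 5. look for an explicit forward drop with a destination match; without one the
    #    RFC1918 isolation rests on the blackhole route and the mode-config policy
    drops = [e for e in select(entries, "/ip firewall filter", chain="forward", action="drop")
             if "dst-address-list" in e or "dst-address" in e]
    if not drops:
        findings.append(("low", "NO_RFC1918_DROP",
                         "no forward drop rule with a destination match toward private ranges"))
    return findings


def codes(findings):
    """The set of finding codes, for quick comparison between two exports."""
    return {code for _, code, _ in findings}


if __name__ == "__main__":
    for sev, code, msg in audit(parse_export(SAMPLE_EXPORT)):
        print(f"[{sev}] {code}: {msg}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the output of `/export` (after redacting secrets); on the excerpt above it reports only the effective phase-2 values and the absence of an explicit RFC1918 drop, and the `codes` helper makes it easy to diff the findings before and after a change such as setting `pfs-group=none`.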