[Help] VLAN Routing to VPN, with Local connections - Unusable performance when routing out Wireguard Interface

consoletotherescue · May 3, 2024, 11:57pm

Hi, I’m really sorry to post yet another thread about this, since I can find many threads about VPNs and dealing with VLANs and things, and I think I have things, like, 90% of the way there, but I’m struggling to actually get decent performance when it is working, if it works at all.

Overview:
There’s 7 VLANs in my network:

99 Management
10 My stuff / Always-on VPN (or that’s the goal)
20 Normal home users
30 IoT
40 Stuff restricted from any kind of WAN (printers)
50 Guest WiFi
60 Servers

What I’m trying to achieve
I want just 1 of my VLANs (VL10) to go to my VPN provider via the Wireguard interface, and everything else (not otherwise blocked) should go out my ISP gateway as normal. And critically, I want to KEEP the ability for machines on my VLANs to talk to each other: VLAN10 can contact VLAN99 and vice versa, and so long as I don’t have any VPN configured, this is currently working.

I think I’m mostly there, but with my configuration as it is, it’s so slow and horrible that there’s something wrong, and I have to turn off the VPN routes.

Currently, my full ISP speed is around 500/20mbps (asymmetric cable internet). If I set my router as below, I can only get about 1/0.01mbps from machines on VLAN 10, and everything else is fine.

I know that there’s something wrong with either the routing, or the connections, or SOMETHING, but I can’t figure out what. I’ve tried figuring out policy routing with Mangle rules, but all that did was break all my connections and I had to revert the change to the RB5009 with the oob console. I have seen in other posts that if I’m trying to route whole subnets, I shouldn’t use mangle, but should use Routing Rules and Tables, so that’s what I’ve tried to achieve here.

# 2024-05-03 16:21:55 by RouterOS 7.14.2
#
# model = RB5009UG+S+
/caps-man datapath
add local-forwarding=no name=vl20 vlan-id=20 vlan-mode=use-tag
add local-forwarding=no name=vl40 vlan-id=40 vlan-mode=use-tag
add local-forwarding=no name=vl50 vlan-id=50 vlan-mode=use-tag
/interface bridge
add admin-mac=48:A9:8A:FD:9E:BC auto-mac=no comment=localBridge name=bridge \
    port-cost-mode=short pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
/interface wireguard
add comment="Moderate NAT; All blocking; for VLAN 10 connections" \
    listen-port=13231 mtu=1420 name=protonVPN_US-CA183
/interface vlan
add interface=bridge name=AoVPN vlan-id=10
add interface=bridge name=Guests vlan-id=50
add interface=bridge name=IoT vlan-id=30
add interface=bridge name=Management vlan-id=99
add interface=bridge name=NoInternet vlan-id=40
add interface=bridge name=Normies vlan-id=20
add interface=bridge name=PubServers vlan-id=60
/caps-man datapath
add bridge=bridge name=datapath1
add bridge=bridge local-forwarding=no name=vl10 vlan-id=10 vlan-mode=use-tag
add bridge=bridge local-forwarding=no name=vl30 vlan-id=30 vlan-mode=use-tag
/caps-man configuration
add country="united states3" datapath=datapath1 installation=indoor name=cfg1 \
    security.authentication-types=wpa-psk,wpa2-psk ssid=Bree
add country="united states3" datapath=vl10 installation=indoor name=\
    "MyStuff VL10" security.authentication-types=wpa-psk,wpa2-psk ssid=\
    Rivendell
add country="united states3" datapath=vl30 installation=indoor name=\
    "IoT VL30" security.authentication-types=wpa-psk,wpa2-psk ssid=Numenor
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="MAC filter" name=listBridge
add comment="All VLANs" name=VLAN-All
add comment="List of ProtonVPN connections" name=ProtonVPNInternet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add name=Kid
/ip pool
add name=vlan01-DHCP ranges=192.168.0.150-192.168.0.250
add name=vlan10-DHCP ranges=192.168.10.150-192.168.10.250
add name=vlan20-DHCP ranges=192.168.20.150-192.168.20.250
add name=vlan30-DHCP ranges=192.168.30.150-192.168.30.250
add name=vlan40-DHCP ranges=192.168.40.150-192.168.40.250
add name=vlan50-DHCP ranges=192.168.50.150-192.168.50.250
add name=vlan99-DHCP ranges=192.168.99.100-192.168.99.200
add name=vlan60-DHCP ranges=192.168.60.150-192.168.60.250
/ip dhcp-server
add add-arp=yes address-pool=vlan01-DHCP insert-queue-before=bottom \
    interface=bridge lease-time=10m name="vlan 01"
add add-arp=yes address-pool=vlan10-DHCP insert-queue-before=bottom \
    interface=AoVPN name="vlan 10"
add add-arp=yes address-pool=vlan20-DHCP insert-queue-before=bottom \
    interface=Normies name="vlan 20"
add add-arp=yes address-pool=vlan30-DHCP insert-queue-before=bottom \
    interface=IoT name="vlan 30"
add add-arp=yes address-pool=vlan40-DHCP insert-queue-before=bottom \
    interface=NoInternet lease-time=1h name="vlan 40"
add address-pool=vlan50-DHCP insert-queue-before=bottom interface=Guests \
    name="vlan 50"
add add-arp=yes address-pool=vlan99-DHCP insert-queue-before=bottom \
    interface=Management lease-time=10m name="vlan 99"
add add-arp=yes address-pool=vlan60-DHCP insert-queue-before=bottom \
    interface=PubServers lease-time=10m name="vlan 60"
/queue type
add kind=fq-codel name=fq-codel
/queue simple
add max-limit=12M/460M name=simple-bufferbloat-q queue=fq-codel/fq-codel \
    target=ether8 total-queue=fq-codel
/routing table
add disabled=no fib name=useProtonVPN
/snmp community
set [ find default=yes ] addresses=192.168.99.0/24 name=LibreNMS security=\
    private
/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
add disabled=no interface=Management
/caps-man provisioning
add action=create-dynamic-enabled master-configuration="MyStuff VL10" \
    slave-configurations="IoT VL30"
/interface bridge port
add bridge=bridge comment="Management Backup Port" interface=ether2 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=crs326 frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment="2.5g port" interface=ether1 pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment=AoVPN tagged=sfp-sfpplus1,bridge untagged=ether1 \
    vlan-ids=10
add bridge=bridge comment=Management tagged=sfp-sfpplus1,bridge untagged=\
    ether2 vlan-ids=99
add bridge=bridge comment=Normies tagged=sfp-sfpplus1,bridge vlan-ids=20
add bridge=bridge comment=IoT tagged=sfp-sfpplus1,bridge vlan-ids=30
add bridge=bridge comment=NoInternet tagged=sfp-sfpplus1,bridge vlan-ids=40
add bridge=bridge comment=Guests tagged=sfp-sfpplus1,bridge vlan-ids=50
add bridge=bridge comment=PubServers tagged=sfp-sfpplus1,bridge vlan-ids=60
/interface detect-internet
set wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether8 list=WAN
add interface=bridge list=listBridge
add interface=Management list=LAN
add interface=AoVPN list=VLAN-All
add interface=Guests list=VLAN-All
add interface=IoT list=VLAN-All
add interface=Management list=VLAN-All
add interface=NoInternet list=VLAN-All
add interface=Normies list=VLAN-All
add interface=PubServers list=VLAN-All
add interface=AoVPN list=LAN
add interface=Normies list=LAN
add interface=protonVPN_US-CA183 list=ProtonVPNInternet
/interface wifi capsman
set enabled=yes interfaces=bridge
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=146.70.174.162 endpoint-port=\
    51820 interface=protonVPN_US-CA183 persistent-keepalive=25s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.0.1/23 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.10.1/24 interface=AoVPN network=192.168.10.0
add address=192.168.20.1/24 interface=Normies network=192.168.20.0
add address=192.168.30.1/24 interface=IoT network=192.168.30.0
add address=192.168.40.1/24 interface=NoInternet network=192.168.40.0
add address=192.168.50.1/24 interface=Guests network=192.168.50.0
add address=192.168.60.1/24 interface=PubServers network=192.168.60.0
add address=192.168.99.1/24 interface=Management network=192.168.99.0
add address=10.2.0.2/30 interface=protonVPN_US-CA183 network=10.2.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether8
/ip dhcp-server network
add address=192.168.0.0/23 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-none=yes gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=192.168.60.1 gateway=192.168.60.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=\
    9.9.9.9,149.112.112.112,2620:fe::fe,2620:fe::fe:9 use-doh-server=\
    https://dns.quad9.net/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
add address=192.168.10.5 comment=\
    "DNS Entry so unifi APs can find the controller on vaultzero" name=unifi
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6980 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6980 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6980 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast disabled=yes list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.10.0/24 comment="vlan 10 - AoVPN" list=Local-VLANs
add address=192.168.20.0/24 comment="vlan 20 - Normies" list=Local-VLANs
add address=192.168.30.0/24 comment="vlan 30 - IoT" list=Local-VLANs
add address=192.168.40.0/24 comment="vlan 40 - NoInternet" list=Local-VLANs
add address=192.168.50.0/24 comment="vlan 50 - Guests" list=Local-VLANs
add address=192.168.60.0/24 comment="vlan 60 - PubServers" list=Local-VLANs
add address=192.168.99.0/24 comment="vlan 99 - Management" list=Local-VLANs
add address=192.168.10.240 comment="avahi-reflection server" list=avahi
add address=192.168.20.240 comment="avahi-reflection server" list=avahi
add address=192.168.30.240 comment="avahi-reflection server" list=avahi
add address=192.168.10.0/24 comment="ProtonVPN Routed Networks" list=\
    RouteProtonVPN
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" \
    in-interface-list=!WAN protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Allow my trusted stuff access to Router" in-interface=AoVPN
add action=accept chain=input comment="Allow VLAN DNS requests to Router" \
    dst-port=53 in-interface-list=VLAN-All protocol=udp
add action=accept chain=input comment="avahi broadcasts must be allowed" \
    protocol=udp src-address-list=avahi
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="shelly EM -> HomeAssistant" \
    dst-address=192.168.10.7 port=5683 protocol=udp src-address=192.168.40.7
add action=accept chain=forward comment="shelly EM <- HomeAssistant" \
    dst-address=192.168.40.7 port=5683 protocol=udp src-address=192.168.10.7
add action=accept chain=forward comment="Allow VLAN 10 to All VLANs" \
    connection-state=new dst-address-list=Local-VLANs src-address=\
    192.168.10.0/24
add action=accept chain=forward comment="Allow VLAN 99 to All VLANs" \
    connection-state=new dst-address-list=Local-VLANs src-address=\
    192.168.99.0/24
add action=accept chain=forward comment="Allow VLAN 20 to 10" \
    connection-state=new dst-address=192.168.10.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=forward comment="Allow VLAN 20 to 30" \
    connection-state=new dst-address=192.168.30.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=forward comment="Allow VLAN 20 to 40" \
    connection-state=new dst-address=192.168.40.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=forward comment="Allow VLAN 20 to 60" \
    connection-state=new dst-address=192.168.60.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=forward comment=\
    "Allow from caddy reverse proxy access to jellyfin and kavita host" \
    dst-address=192.168.10.5 protocol=tcp src-address=192.168.60.5
add action=drop chain=forward comment="Block VLAN 40 from reaching WAN" log=\
    yes log-prefix=vl40-wanblock_ out-interface-list=WAN src-address=\
    192.168.40.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "Drop tries to reach non-public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge log=yes log-prefix=\
    "!public_from_LAN out-interface=!LAN"
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether8 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=reject chain=forward comment=\
    "Drop new Inter-VLAN connections not otherwise allowed" connection-state=\
    new connection-type="" dst-address-list=Local-VLANs reject-with=\
    icmp-admin-prohibited src-address-list=Local-VLANs
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.0.0/16
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!Local-VLANs \
    new-routing-mark=useProtonVPN passthrough=yes src-address=192.168.10.0/24
add action=change-mss chain=forward comment=\
    "Clamp MSS to PMTU for outgoing packets" new-mss=clamp-to-pmtu \
    out-interface=protonVPN_US-CA183 passthrough=yes protocol=tcp tcp-flags=\
    syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pi4-clear_tcp/80 dst-port=80 \
    in-interface=ether8 protocol=tcp to-addresses=192.168.60.5 to-ports=80
add action=dst-nat chain=dstnat comment=pi4-clear_tcp/443 dst-port=443 \
    in-interface=ether8 protocol=tcp to-addresses=192.168.60.5 to-ports=443
add action=masquerade chain=srcnat out-interface-list=ProtonVPNInternet
/ip kid-control device
add mac-address=68:DB:F5:59:3F:E6 name="Kid's Tablet" user=Kid
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    10.2.0.1 routing-table=useProtonVPN scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.99.0/24,192.168.10.0/24,192.168.0.0/23
set ssh address=192.168.99.0/24,192.168.10.0/24,192.168.0.0/23 port=10022
set api disabled=yes
set winbox address=192.168.99.0/24,192.168.10.0/24,192.168.0.0/23
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] disabled=yes
/routing rule
add action=lookup disabled=no dst-address=192.168.0.0/16 table=main
add action=lookup disabled=no routing-mark=useProtonVPN src-address=\
    192.168.10.0/24 table=useProtonVPN
/snmp
set contact=Chase enabled=yes location=office
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=rb5009
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool sniffer
set filter-interface=bridge filter-ip-address=192.168.60.5/32 \
    filter-operator-between-entries=and streaming-enabled=yes \
    streaming-server=192.168.10.10

Can someone point me in the right direction? I feel like I’m so close to success.
Thank you.

anav · May 4, 2024, 1:03pm

Before I look at the config, what is the purpose of your management VLAN?
If you want vlan10 and 99 to fully talk to each other drop vlan99 and keep vlan10.

As for the other vlans, only the management vlan should really see all other vlans.
All vlans should be able to access a shared printer.
Do any local users access the servers ( that are not on the server vlan ).

In other words, the requirements are not well detailed.
a. identify all user(s)/devices and groups of users/devices including you the admin
b. identify the traffic they should be able to execute.

So far the only clear thing is that vlan10 should go out WG for www traffic and even this is not clear because we dont know what is required if the wireguard network is not working. Does vlan10 go out normal local WAN or NOT.

CGGXANNX · May 4, 2024, 5:21pm

Can you try to either disable the fasttrack rule or place an action=accept chain=forward rule ABOVE that fasttrack rule, for src-address=192.168.10.0/24? It could be that that fasttrack rule, which only works for connections using the main routing table, is eating your packets, those that should use the useProtonVPN table. Not all packets are fasttrack’ed, that’s why you could still get some packets through, but only a fraction of them.

consoletotherescue · May 4, 2024, 7:33pm

Hi,
Thanks for replying - I’ll try to answer everything here.

anav:

what is the purpose of your management VLAN?

It’s where all my network management interfaces and network management software runs.

If you want vlan10 and 99 to fully talk to each other drop vlan99 and keep vlan10.

This is a valid idea. I wanted to make sure that I could separate things out logically as much as possible - mostly to practice, but also to have granular control.

All vlans should be able to access a shared printer.

No, I don’t think I’d like my guest wifi, or untrusted things allowed to access my printers and other things on that network.

Do any local users access the servers ( that are not on the server vlan ).

Yes, and later I’m going to try and tackle things like Split-Horizon DNS, or maybe NAT Hairpinning to allow local routing of users to these local services.

a. identify all user(s)/devices and groups of users/devices including you the admin
b. identify the traffic they should be able to execute.

I have an extensive spreadsheet working all this out.

Does vlan10 go out normal local WAN or NOT.

No internet connection allowed if WG interface goes down. Ideally I’d like to configure several VPN profiles and set it up so that multiple endpoints are available, but I wanted to get 1 working first.
Here’s my summary VLAN/Gateway table I worked out:
Screenshot from 2024-05-04 12-29-25.png
(NOTE: yes, I realize I haven’t fully carved out the vlan 50 blocking rules in my current firewall config as posted above. It’s on the to-do list.)

CGGXANNX:

Can you try to either disable the fasttrack rule

This actually made things way better, but still seems to be leaving a lot of performance on the floor:
I’m now able to get 11/20Mbps via VPN, even though using the desktop VPN client I’m able to achieve some ~300/20Mbps.
Unfortunately, with Fasttrack disabled, even with a naked network connection, I’m only seeing around that limited 11Mbps download speed.
If I revert settings and re-enable fasttrack, I can go back to pulling my ISP rated speed (plus a little more, actually) - 523/25Mbps (out of 500/20 plan)

or place an action=accept chain=forward rule ABOVE that fasttrack rule, for src-address=192.168.10.0/24?

This suggestion didn’t work, and led to the same terrible performance (including near impossible upload) as originally noted.

Is fasttrack really that critical to things running as expected (ie, getting full bandwidth through to my ISP modem)? Is there a way to have fasttrack on both routing tables? Or should I try and go about this with Mangle rules again? It really doesn’t seem like having differing gateways for different subnets should be this hard, but I admit that I’m at the limits of my knowledge.

Thanks for the feedback and help! I’ll try and research what fasttrack is actually doing and understand what’s going on in the meantime.

CGGXANNX · May 4, 2024, 7:46pm

Fasttrack should not be needed at all on a RB5009 with your connection speed. With fasttrack turned off on my RB5009 (or when using IPv6, for which fasttrack is not available), I can still achieve 2.27Gbps down/930Mbps up on speedtest.net. The router should be able to route 3Gbps without fasttrack. Certainly not only 11Mbps. Something else is wrong with the config that cause that low speed. But as of now, you cannot use fasttrack with the connections that use the useProtonVPN table. Can you make another try and keep the fasttrack rule enabled, but put a new rule ABOVE it with action=accept chain=forward routing-mark=useProtonVPN?

Also, I’ve recently made tests with WG running on my RB5009 and its CPU can achieve 1.29Gbps traffic inside the WG tunnel (one WG peer is the router, the other peer is a VM running on Hyper-V). Which means the CPU is well capable of encrypting/decrypting WG traffic at Gbps speed.

consoletotherescue · May 7, 2024, 11:56pm

I think I solved the issue!
I had an old queue setup that I suspect is incompatible with multiple routing tables - or something to that effect. The consistency of the speed limit was what kinda tipped me off. It was like it was limiting both Upload and Download to the Upload speed, and completely disregarding the separate, higher limit on the download side.

I now have it working without the fasttrack, and everything else is going as expected. Speeds are slightly less than ISP line speed, but I suspect that that’s just due to overhead and server load or whatever. As mentioned, the RB5009 has no trouble with this load and is only at about 2-7% CPU load.

I took a while to figure out how and where to configure things to fix the DNS leak, since my local connections are using the Mikrotik for DNS, rather than tunneling via the Wireguard interface, which I still haven’t completely fixed, and I’m not totally sure whether that’d be set at the DHCP level, or the mikrotik via IP>DNS? I’m also trying to wedge in PiHole here, too, so figuring that out complicates things further.

Thanks for the help.

anav · May 8, 2024, 2:01pm

Better to understand all the requirements BEFORE working on the config. As an overall approach is needed as many parts of the config are related.
Post your latest config for review.

consoletotherescue · May 10, 2024, 2:58am

Hi anav, thanks.
Yes, I mostly agree - if this was a corporate/professional/production environment.
But this is my homelab / home network where things change often and the eventual state of things depends heavily upon what I am able to do and what I’m able to implement.
A couple years ago my network was flat, and I didn’t own any Mikrotik hardware at all. It was just an old Asus Wifi router and a couple dumb switches for wired things.
Now I have Mikrotik for switching, routing, and Wifi, along with a Ubiquiti ceiling AP, etc. etc. I have virtual machines running on proxmox with trunked 10-gig networking to it, where I can make individual VMs attach to various VLANs depending on need. This massively reduces hardware connections and wiring, and allows me to approach a similar situation to corporate networks as well.
I used to have PiHole on my old flat network, and then I abandoned it when I went to a new structure, now I’m bringing those things back in. I’m hosting various services behind a reverse proxy, I want there to be separation and security, and the ability to use stateful firewalls in a way where I can really dig into the protocols and allowed traffic so that I can make sure that I mitigate some of the potential issues with modern and legacy hardware. All of that requires learning, re-evaluation, changes, etc. Maybe one day I decide that it’s not worth all the hassle and I revert it all to devconf and just leave it alone, but so far, I’m able to successfully create a situation where I have a better understanding of how things work, and a better idea of how to control everything and make sure it’s secure.

Whew, that got long. Anyway,

The problematic config that I disabled was this:

/queue type
add kind=fq-codel name=fq-codel
/queue simple
add max-limit=12M/460M name=simple-bufferbloat-q queue=fq-codel/fq-codel \
    target=ether8 total-queue=fq-codel

In my experience so far, it seems like the “max-limit” setting only works for the default routing table and default WAN connection. Over the VPN routing table and such, it seems like that upload limit of 12M applied both directions, which explains why that was all I managed to get out when testing.

I’ve disabled the simple fq-codel queue, pending better understanding— but really I think with my current equipment bufferbloat (the thing that that was supposed to solve, translated from an older pfsense appliance where it did help somewhat, is unnecessary with the RB5009.

All that being said,

Here’s the current state of things: (subject to change immediately because I’m in a state where I haven’t closed winbox in the last several days and am changing stuff constantly)

# 2024-05-09 19:42:00 by RouterOS 7.14.2
# model = RB5009UG+S+
/caps-man datapath
add local-forwarding=no name=vl20 vlan-id=20 vlan-mode=use-tag
add local-forwarding=no name=vl40 vlan-id=40 vlan-mode=use-tag
add local-forwarding=no name=vl50 vlan-id=50 vlan-mode=use-tag
/interface bridge
add admin-mac=48:A9:8A:FD:9E:BC auto-mac=no comment=localBridge name=bridge \
    port-cost-mode=short pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
/interface wireguard
add comment="Moderate NAT; All blocking; for VLAN 10 connections" \
    listen-port=13231 mtu=1420 name=protonVPN_US-CA183
# Listen port already used
add comment="Moderate NAT; All blocking; for VLAN 10 connections" disabled=\
    yes listen-port=13231 mtu=1420 name=protonVPN_US-WA81
/interface vlan
add interface=bridge name=AoVPN vlan-id=10
add interface=bridge name=Guests vlan-id=50
add interface=bridge name=IoT vlan-id=30
add interface=bridge name=Management vlan-id=99
add interface=bridge name=NoInternet vlan-id=40
add interface=bridge name=Normies vlan-id=20
add interface=bridge name=PubServers vlan-id=60
/caps-man datapath
add bridge=bridge name=datapath1
add bridge=bridge local-forwarding=no name=vl10 vlan-id=10 vlan-mode=use-tag
add bridge=bridge local-forwarding=no name=vl30 vlan-id=30 vlan-mode=use-tag
/caps-man configuration
add country="united states3" datapath=datapath1 installation=indoor name=cfg1 \
    security.authentication-types=wpa-psk,wpa2-psk ssid=Bree
add country="united states3" datapath=vl10 installation=indoor name=\
    "MyStuff VL10" security.authentication-types=wpa-psk,wpa2-psk ssid=\
    Rivendell
add country="united states3" datapath=vl30 installation=indoor name=\
    "IoT VL30" security.authentication-types=wpa-psk,wpa2-psk ssid=Numenor
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="MAC filter" name=listBridge
add comment="All VLANs" name=VLAN-All
add comment="List of ProtonVPN connections" name=ProtonVPNInternet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add name=kid
/ip pool
add name=vlan01-DHCP ranges=192.168.0.150-192.168.0.250
add name=vlan10-DHCP ranges=192.168.10.150-192.168.10.250
add name=vlan20-DHCP ranges=192.168.20.150-192.168.20.250
add name=vlan30-DHCP ranges=192.168.30.150-192.168.30.250
add name=vlan40-DHCP ranges=192.168.40.150-192.168.40.250
add name=vlan50-DHCP ranges=192.168.50.150-192.168.50.250
add name=vlan99-DHCP ranges=192.168.99.100-192.168.99.200
add name=vlan60-DHCP ranges=192.168.60.150-192.168.60.250
/ip dhcp-server
add add-arp=yes address-pool=vlan01-DHCP insert-queue-before=bottom \
    interface=bridge lease-time=10m name="vlan 01"
add add-arp=yes address-pool=vlan10-DHCP insert-queue-before=bottom \
    interface=AoVPN name="vlan 10"
add add-arp=yes address-pool=vlan20-DHCP insert-queue-before=bottom \
    interface=Normies name="vlan 20"
add add-arp=yes address-pool=vlan30-DHCP insert-queue-before=bottom \
    interface=IoT name="vlan 30"
add add-arp=yes address-pool=vlan40-DHCP insert-queue-before=bottom \
    interface=NoInternet lease-time=1h name="vlan 40"
add address-pool=vlan50-DHCP insert-queue-before=bottom interface=Guests \
    name="vlan 50"
add add-arp=yes address-pool=vlan99-DHCP insert-queue-before=bottom \
    interface=Management lease-time=10m name="vlan 99"
add add-arp=yes address-pool=vlan60-DHCP insert-queue-before=bottom \
    interface=PubServers lease-time=10m name="vlan 60"
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=usb1 parity=none \
    stop-bits=1
/queue type
add kind=fq-codel name=fq-codel
/queue simple
add bucket-size=1/1 disabled=yes max-limit=25M/520M name=simple-bufferbloat-q \
    queue=fq-codel/fq-codel target=ether8 total-queue=fq-codel
/routing table
add disabled=no fib name=useProtonVPN
/snmp community
set [ find default=yes ] addresses=192.168.99.0/24 name=LibreNMS security=\
    private
/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
add disabled=no interface=Management
/caps-man provisioning
add action=create-dynamic-enabled master-configuration="MyStuff VL10" \
    slave-configurations="IoT VL30"
/interface bridge port
add bridge=bridge comment="Management Backup Port" interface=ether2 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=crs326 frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment="2.5g port" interface=ether1 pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment=AoVPN tagged=sfp-sfpplus1,bridge untagged=ether1 \
    vlan-ids=10
add bridge=bridge comment=Management tagged=sfp-sfpplus1,bridge untagged=\
    ether2 vlan-ids=99
add bridge=bridge comment=Normies tagged=sfp-sfpplus1,bridge vlan-ids=20
add bridge=bridge comment=IoT tagged=sfp-sfpplus1,bridge vlan-ids=30
add bridge=bridge comment=NoInternet tagged=sfp-sfpplus1,bridge vlan-ids=40
add bridge=bridge comment=Guests tagged=sfp-sfpplus1,bridge vlan-ids=50
add bridge=bridge comment=PubServers tagged=sfp-sfpplus1,bridge vlan-ids=60
/interface detect-internet
set wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether8 list=WAN
add interface=bridge list=listBridge
add interface=Management list=LAN
add interface=AoVPN list=VLAN-All
add interface=Guests list=VLAN-All
add interface=IoT list=VLAN-All
add interface=Management list=VLAN-All
add interface=NoInternet list=VLAN-All
add interface=Normies list=VLAN-All
add interface=PubServers list=VLAN-All
add interface=AoVPN list=LAN
add interface=Normies list=LAN
add interface=protonVPN_US-CA183 list=ProtonVPNInternet
add interface=protonVPN_US-WA81 list=ProtonVPNInternet
/interface wifi capsman
set enabled=yes interfaces=bridge
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=146.70.174.162 endpoint-port=\
    51820 interface=protonVPN_US-CA183 persistent-keepalive=25s public-key=\
    ""
add allowed-address=0.0.0.0/0 endpoint-address=149.102.254.77 endpoint-port=\
    51820 interface=protonVPN_US-WA81 persistent-keepalive=25s public-key=\
    ""
/ip address
add address=192.168.0.1/23 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.10.1/24 interface=AoVPN network=192.168.10.0
add address=192.168.20.1/24 interface=Normies network=192.168.20.0
add address=192.168.30.1/24 interface=IoT network=192.168.30.0
add address=192.168.40.1/24 interface=NoInternet network=192.168.40.0
add address=192.168.50.1/24 interface=Guests network=192.168.50.0
add address=192.168.60.1/24 interface=PubServers network=192.168.60.0
add address=192.168.99.1/24 interface=Management network=192.168.99.0
add address=10.2.0.2/30 interface=protonVPN_US-CA183 network=10.2.0.0
add address=10.2.0.2/30 disabled=yes interface=protonVPN_US-WA81 network=\
    10.2.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether8 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.40.7 mac-address=34:94:54:7B:B4:47 server="vlan 40"
add address=192.168.10.5 client-id=1:0:11:32:d5:ad:9f mac-address=\
    00:11:32:D5:AD:9F server="vlan 10"
add address=192.168.10.6 client-id=1:0:11:32:d5:ad:a0 mac-address=\
    00:11:32:D5:AD:A0 server="vlan 10"
add address=192.168.10.7 client-id=1:e4:5f:1:8b:e3:67 mac-address=\
    E4:5F:01:8B:E3:67 server="vlan 10"
add address=192.168.40.250 client-id=1:0:1b:a9:47:c1:ca mac-address=\
    00:1B:A9:47:C1:CA server="vlan 40"
add address=192.168.10.10 client-id=1:90:de:80:18:6:ba mac-address=\
    90:DE:80:18:06:BA server="vlan 10"
add address=192.168.99.2 client-id=1:2c:c8:1b:df:7c:ed mac-address=\
    2C:C8:1B:DF:7C:ED server="vlan 99"
add address=192.168.99.100 client-id=\
    ff:b5:5e:67:ff:0:2:0:0:ab:11:96:3b:20:65:fd:f8:27:6d mac-address=\
    02:11:32:2C:31:79 server="vlan 99"
add address=192.168.10.240 client-id=\
    ff:11:90:68:30:0:1:0:1:2d:b6:33:44:bc:24:11:90:68:30 mac-address=\
    BC:24:11:90:68:30 server="vlan 10"
add address=192.168.20.240 client-id=\
    ff:11:a0:32:e5:0:1:0:1:2d:b6:33:45:bc:24:11:a0:32:e5 mac-address=\
    BC:24:11:A0:32:E5 server="vlan 20"
add address=192.168.30.240 client-id=\
    ff:11:99:17:ea:0:1:0:1:2d:b6:33:46:bc:24:11:99:17:ea mac-address=\
    BC:24:11:99:17:EA server="vlan 30"
add address=192.168.60.5 client-id=1:dc:a6:32:d5:17:cd mac-address=\
    DC:A6:32:D5:17:CD server="vlan 60"
add address=192.168.10.9 mac-address=BC:24:11:B5:F7:70 server="vlan 10"
add address=192.168.40.8 mac-address=34:94:54:7A:28:43 server="vlan 40"
/ip dhcp-server network
add address=192.168.0.0/23 dns-server=192.168.60.6 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=10.2.0.1,192.168.10.9,192.168.10.1 \
    gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.10.9,192.168.20.1 gateway=\
    192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-none=yes gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=192.168.10.9,192.168.60.1 gateway=\
    192.168.60.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=192.168.10.9 verify-doh-cert=yes
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
add address=192.168.10.5 comment=\
    "DNS Entry so unifi APs can find the controller on vaultzero" name=unifi
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6980 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6980 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6980 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast disabled=yes list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.10.0/24 comment="vlan 10 - AoVPN" list=Local-VLANs
add address=192.168.20.0/24 comment="vlan 20 - Normies" list=Local-VLANs
add address=192.168.30.0/24 comment="vlan 30 - IoT" list=Local-VLANs
add address=192.168.40.0/24 comment="vlan 40 - NoInternet" list=Local-VLANs
add address=192.168.50.0/24 comment="vlan 50 - Guests" list=Local-VLANs
add address=192.168.60.0/24 comment="vlan 60 - PubServers" list=Local-VLANs
add address=192.168.99.0/24 comment="vlan 99 - Management" list=Local-VLANs
add address=192.168.10.240 comment="avahi-reflection server" list=avahi
add address=192.168.20.240 comment="avahi-reflection server" list=avahi
add address=192.168.30.240 comment="avahi-reflection server" list=avahi
add address=192.168.10.0/24 comment="ProtonVPN Routed Networks" list=\
    RouteProtonVPN
add address=192.168.10.0/24 comment="vlan 10 - AoVPN" list=Trusted-VLANs
add address=192.168.20.0/24 comment="vlan 20 - Normies" list=Trusted-VLANs
add address=192.168.30.0/24 comment="vlan 30 - IoT" list=Trusted-VLANs
add address=192.168.60.0/24 comment="vlan 60 - PubServers" list=Trusted-VLANs
add address=192.168.99.0/24 comment="vlan 99 - Management" list=Trusted-VLANs
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" \
    in-interface-list=!WAN protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Allow my trusted stuff access to Router" src-address=192.168.10.0/24
add action=accept chain=input comment="Allow VLAN DNS requests to Router" \
    dst-port=53 in-interface-list=VLAN-All protocol=udp src-address-list=\
    Local-VLANs
add action=accept chain=input comment="avahi broadcasts must be allowed - see \
    https://jack.barry.onl/blog/airprint-across-vlans-with-avahi" protocol=\
    udp src-address-list=avahi
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment=\
    "Block VL50 (guest wifi) from other local VLANs" dst-address-list=\
    Trusted-VLANs src-address=192.168.50.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "Allow trusted VLANs to reach PiHole DNS" dst-address=192.168.10.9 \
    dst-port=53 in-interface-list=VLAN-All protocol=udp src-address-list=\
    Trusted-VLANs
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="(CoIoT) shelly EM -> HomeAssistant" \
    dst-address=192.168.10.7 port=5683 protocol=udp src-address=192.168.40.7
add action=accept chain=forward comment="(CoIoT) shelly EM <- HomeAssistant" \
    dst-address=192.168.40.7 port=5683 protocol=udp src-address=192.168.10.7
add action=accept chain=forward comment=\
    "(CoIoT) shelly-garage -> HomeAssistant" disabled=yes dst-address=\
    192.168.10.7 port=5683 protocol=udp src-address=192.168.40.8
add action=accept chain=forward comment=\
    "(CoIoT) shelly-garage <- HomeAssistant" disabled=yes dst-address=\
    192.168.40.8 port=5683 protocol=udp src-address=192.168.10.7
add action=accept chain=forward comment="Allow VLAN 10 to All VLANs" \
    connection-state=new dst-address-list=Local-VLANs src-address=\
    192.168.10.0/24
add action=accept chain=forward comment="Allow VLAN 99 to All VLANs" \
    connection-state=new dst-address-list=Local-VLANs src-address=\
    192.168.99.0/24
add action=accept chain=forward comment="Allow VLAN 20 to 10" \
    connection-state=new dst-address=192.168.10.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=forward comment="Allow VLAN 20 to 30" \
    connection-state=new dst-address=192.168.30.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=forward comment="Allow VLAN 20 to 40" \
    connection-state=new dst-address=192.168.40.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=forward comment="Allow VLAN 20 to 60" \
    connection-state=new dst-address=192.168.60.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=forward comment=\
    "Allow from caddy reverse proxy access to jellyfin and kavita host" \
    dst-address=192.168.10.5 protocol=tcp src-address=192.168.60.5
add action=drop chain=forward comment="Block VLAN 40 from reaching WAN" log=\
    yes log-prefix=vl40-wanblock_ out-interface-list=WAN src-address=\
    192.168.40.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "Drop tries to reach non-public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge log=yes log-prefix=\
    "!public_from_LAN out-interface=!LAN"
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether8 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=reject chain=forward comment=\
    "Drop new Inter-VLAN connections not otherwise allowed" connection-state=\
    new connection-type="" dst-address-list=Local-VLANs reject-with=\
    icmp-admin-prohibited src-address-list=Local-VLANs
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.0.0/16
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!Local-VLANs \
    new-routing-mark=useProtonVPN passthrough=yes src-address=192.168.10.0/24
add action=mark-routing chain=prerouting dst-address-list=!Local-VLANs \
    new-routing-mark=useProtonVPN passthrough=yes src-address=192.168.60.6
add action=change-mss chain=forward comment=\
    "Clamp MSS to PMTU for outgoing packets" new-mss=clamp-to-pmtu \
    out-interface=protonVPN_US-CA183 passthrough=yes protocol=tcp tcp-flags=\
    syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pi4-clear_tcp/80 dst-port=80 \
    in-interface=ether8 protocol=tcp to-addresses=192.168.60.5 to-ports=80
add action=dst-nat chain=dstnat comment=pi4-clear_tcp/443 dst-port=443 \
    in-interface=ether8 protocol=tcp to-addresses=192.168.60.5 to-ports=443
add action=masquerade chain=srcnat out-interface-list=ProtonVPNInternet
/ip kid-control device
add mac-address=68:DB:F5:59:3F:E6 name="kid's Tablet" user=kid
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    10.2.0.1 pref-src="" routing-table=useProtonVPN scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.99.0/24,192.168.10.0/24,192.168.0.0/23
set ssh address=192.168.99.0/24,192.168.10.0/24,192.168.0.0/23 port=10022
set api disabled=yes
set winbox address=192.168.99.0/24,192.168.10.0/24,192.168.0.0/23
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] disabled=yes
/routing rule
add action=lookup disabled=no dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table disabled=no routing-mark=useProtonVPN \
    src-address=192.168.10.0/24 table=useProtonVPN
/snmp
set contact=User enabled=yes location=office
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=rb5009
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge