First of all - Hi Everyone!
So, this is my first post here. I have had my MT hAP ac3 for a few months. Recently I decided to use ProtonVPN and followed Proton's configuration guide:
https://protonvpn.com/support/vpn-mikrotik-router/
Now, what I don't get is how to get rid of the connectivity issues that appear as soon as I enable VLANs to be part of the VPN:
SEQ HOST       SIZE TTL TIME      STATUS
 20 10.0.0.47    56 255 2ms522us
 21 10.0.0.47    56 255 2ms834us
 22 10.0.0.47    56 255 2ms553us
 23 10.0.0.47    56 255 2ms672us
 24 10.0.0.47    56 255 4ms900us
 25 10.0.0.47    56 255 6ms611us
 26 10.0.0.47    56 255 2ms977us
 27 10.0.0.47    56 255 4ms269us
 28 10.0.0.47    56 255 2ms500us
--> at this point I enable the concerned VLANs to fall under the "under_protonvpn" address list in IP -> Firewall -> Address Lists
 29 10.0.0.47                     timeout
 30 10.0.0.47                     timeout
 31 10.0.0.47                     timeout
 32 10.0.0.47                     timeout
 33 10.0.0.47                     timeout
 34 10.0.0.47                     timeout
sent=35 received=21 packet-loss=40% min-rtt=2ms340us avg-rtt=3ms120us max-rtt=6ms611us
As you can see, even traffic from the gateway to the endpoint won't work. I was testing end-host connectivity between different VLANs, and the behaviour is always the same. I tried to find the root cause, but it looks like I'm lacking the experience to figure it out.
Routing before and after enabling the VPN seems to be the same. If I understand correctly, enabling a particular VLAN on the mentioned "under_protonvpn" address list adds specific packet marking as per Proton's configuration guide:
5. Mark ALL traffic that you want to route through VPN server
/ip firewall address-list add address=192.168.88.0/24 list=under_protonvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_protonvpn new-connection-mark=under_protonvpn passthrough=yes
My aim is to have the VPN enabled on all needed VLANs and keep the communication between VLANs and the gateway, or between VLANs, governed by firewall rules I'll define. For example, right now I cannot even reach my printer in the PRINTER VLAN from the PC VLAN, so every time I want to print something I need to disable the entries in the address lists to get the job done.
Any ideas?
Regards!
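The mangle rule quoted from the guide matches on source only, so every new connection from a listed VLAN is tagged for the VPN, including connections to another VLAN or to the router's own address. One way to keep local traffic out of the tunnel is to exclude local destinations from the marking rule. The following is an added example, not the post's configuration and not Proton's guide; the subnets, the `local_nets` list name and the comments are assumptions chosen for illustration, and whether this is the whole cause of the timeouts on this particular router is not established by the post.

```routeros
# Added example, not from the post or from Proton's guide.
# Subnets and the list name "local_nets" are assumptions.

/ip firewall address-list
# Destinations that must stay on the local router, never enter the tunnel.
add address=10.0.0.0/8     list=local_nets comment="assumed: LAN/VLAN ranges"
add address=172.16.0.0/12  list=local_nets comment="assumed"
add address=192.168.0.0/16 list=local_nets comment="assumed"
# Sources that should go through the VPN (same list name as in the guide).
add address=10.0.0.0/24 list=under_protonvpn comment="assumed: PC VLAN"
add address=10.0.1.0/24 list=under_protonvpn comment="assumed: PRINTER VLAN"

/ip firewall mangle
# Rule as quoted from the guide: marks every new connection from the listed
# sources, so printer traffic to the next VLAN and pings to the gateway
# itself are tagged for the VPN as well.
# add chain=prerouting src-address-list=under_protonvpn \
#     action=mark-connection new-connection-mark=under_protonvpn passthrough=yes

# Adjusted rule: same marking, but only when the destination is NOT local.
# "!" negates the address-list match.
add chain=prerouting src-address-list=under_protonvpn \
    dst-address-list=!local_nets \
    action=mark-connection new-connection-mark=under_protonvpn passthrough=yes \
    comment="VPN-bound connections only; inter-VLAN and router traffic stay unmarked"
```

The routing-mark rule from the guide's later step (not reproduced in the post) keys on the connection mark, so it needs no change: unmarked inter-VLAN connections fall through to the main routing table and are then subject to the ordinary filter rules. Two checks after applying it: `/ip firewall connection print where connection-mark=under_protonvpn` should list only connections whose destination is outside the local ranges, and connections that were already tracked before the rule changed keep their old mark until they expire, so re-test with a fresh ping rather than an existing session.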