IPSEC / IKEv2 tunnel for only selected devices

All,

I have a fresh install of the default configuration of a RB4011 wireless model for home use. The wired network is as follows:

ISP router - > RB4011 (first ethernet interface)
RB4011 - > Pi hole
RB4011 - > Laptop
RB4011 - > MoCA adapter set
MoCA adapter set - > Nighthawk R700 acting as switch and wireless AP
Nighthawk R700 - > Nvidia Shield TV

Only changes are DNS server being set as the Pi Hole address and added the NAT rules at https://www.reddit.com/r/pihole/comments/aj9mxd/force_all_dns_traffic_to_go_through_pihole_using/

Additionally, I have configured IPSEC ikev2 based on https://nordvpn.com/tutorials/mikrotik/ikev2/. The only change is that in step 7, instead of covering my whole home IP range, I have added an address list which only includes my Nvidia Shield TV static ip and changed the ipsec mode-config to only be for the Nvidia Shield TV static ip list (which only contains 1 IP address).

Once this is turned on, the Nvidia Shield TV connects VERY slowly if at all.

I have verified that the server I have selected and am connecting to works using the native apps on my phone / laptop
I have verified that if I use the setting exactly as is in the NordVPN instructions to cover the whole network, it also works to funnel all my home network traffic through the VPN
I have verified that if I turn off the NAT rules on the reddit pihole sub that the configuration for the Nvidia Shield TV still does not work
I have Blokada installed on my Nvidia Shield TV but did not think to check if this was the issue (so this may be a problem). It was for adblocking only and no custom DNS settings etc
I have not tried changing the DNS server / pi hole settings on my network
The apps I tried are Youtube (extremely slow / barely usable) and Netflix (not usable)

Any ideas on this?

I have tried disabling blokada and it is still the same. Anyone have any ideas?

Remember if you use the source address, that your DNS requests will also go to the VPN.

You can now also mark connections, see the link to Mikrotik at the top of the NordVPN page, and then you can mark specifically which traffic you want to go to the VPN.

Hi thanks.

Just to confirm, you mean this link https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS ?

So are you saying, instead of using source address I should use connection-mark instead? Do I still need to allow DNS requests?

Does the rule below make sense? SHIELDTV will only contain 1 IP which is the static IP related to the shield

/ip firewall mangle
add action=mark-connection chain=prerouting src-address-list=SHIELDTV new-connection-mark=NordVPN passthrough=yes

Yes yes no.

You are still using source address for all traffic and in NAT the NordVPN NAT is always on top.
So you have to add UDP/!53 to your proposed rule, then duplicate that line and change it to TCP/!53.

!53 stands for everything except 53.

So DNS traffic should then go to your Pi-hole as that was the situation before.

Thank you. I am very new so thank you for your patience.

So it sounds like I still need to use a firewall rule to push the ShieldTV through the IPSEC tunnel, so I will need to have the code below.

/ip ipsec mode-config
set [ find name=NordVPN ] src-address-list=SHIELDTV

Then is it a filter, NAT or mangle rule? Any chance you can assist me with the right rule? My pihole address is 192.168.88.3

Thanks again in advance.

Let's take a step back. You had it working but it was slow.

My suggestion is to not put DNS traffic into the VPN and use the Pi-hole instead. To get traffic to the Pi-hole you put the IP of the Pi-hole into the DNS given to clients in your DHCP.

So your rule is the mangle rule, and you have to split it from one rule into two rules because DNS uses UDP and TCP. Then you make the first one do TCP and not catch port 53 (DNS).
The second line does UDP and does not catch port 53.

/ip firewall mangle
add action=mark-connection chain=prerouting src-address-list=SHIELDTV new-connection-mark=NordVPN passthrough=yes protocol=udp port=!53
add action=mark-connection chain=prerouting src-address-list=SHIELDTV new-connection-mark=NordVPN passthrough=yes protocol=tcp port=!53

/ip ipsec mode-config
set [ find name=NordVPN ] connection-mark=NordVPN

You are now marking traffic coming from the ShieldTV, on the src-address-list, to go through the VPN except for the TCP/UDP traffic on port 53.

If you are still not getting up to speed then contact NordVPN to get some advice on this. They could advise you to use their dedicated IP addresses and their DNS service. Then you remove the protocol and port part from the lines I gave.

Also the TCP MTU could be off. In Mangle add this line and move it up as high as possible. You still need to mark the traffic, and the DNS could be working with you or against you. So try both ways.

/ip firewall mangle
add action=change-mss chain=forward connection-mark=!no-mark src-address-list=SHIELDTV new-mss=1280 passthrough=no protocol=tcp tcp-flags=syn

This sets an MTU of 1280 on not yet connection-marked traffic coming from the ShieldTV.
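To see what the mangle rules in this answer actually do to individual flows, here is an added example (my own code, not anything posted in the thread or shipped by MikroTik): a small evaluator that parses the rule lines above and runs them over constructed packets. The Shield TV address 192.168.88.50 is assumed; the evaluator models only the matchers these rules use, including RouterOS's `port` (either src or dst port) and the negated `!no-mark` connection-mark.

```python
# Added example, not from the thread: a tiny evaluator for the RouterOS mangle
# rules posted above, run over constructed flows. 192.168.88.50 is an assumed Shield TV IP.
ADDRESS_LISTS = {"SHIELDTV": {"192.168.88.50"}}
PREROUTING = [  # the two mark-connection rules from the thread
    "add action=mark-connection chain=prerouting src-address-list=SHIELDTV new-connection-mark=NordVPN passthrough=yes protocol=udp port=!53",
    "add action=mark-connection chain=prerouting src-address-list=SHIELDTV new-connection-mark=NordVPN passthrough=yes protocol=tcp port=!53",
]
FORWARD = [  # the change-mss rule from the thread
    "add action=change-mss chain=forward connection-mark=!no-mark src-address-list=SHIELDTV new-mss=1280 passthrough=no protocol=tcp tcp-flags=syn",
]
NON_MATCHERS = {"action", "chain", "new-connection-mark", "new-mss", "passthrough"}

def parse_rule(line):
    """'add k=v ...' -> {k: (negated, v)}; a leading '!' negates that matcher."""
    return {k: (v.startswith("!"), v.lstrip("!"))
            for k, v in (tok.split("=", 1) for tok in line.split()[1:])}

def matches(rule, pkt):
    for key, (negated, value) in rule.items():
        if key in NON_MATCHERS:
            continue
        if key == "src-address-list":
            hit = pkt["src"] in ADDRESS_LISTS.get(value, set())
        elif key == "protocol":
            hit = pkt["proto"] == value
        elif key == "port":  # RouterOS 'port' matches either src or dst port
            hit = int(value) in (pkt["sport"], pkt["dport"])
        elif key == "connection-mark":
            hit = pkt.get("cmark", "no-mark") == value
        elif key == "tcp-flags":
            hit = value in pkt.get("flags", ())
        else:
            raise ValueError(f"unsupported matcher: {key}")
        if hit == negated:  # plain matcher missed, or negated matcher hit
            return False
    return True

def connection_mark(pkt):
    mark = "no-mark"  # both rules are passthrough=yes, so the whole chain is walked
    for rule in map(parse_rule, PREROUTING):
        if matches(rule, pkt):
            mark = rule["new-connection-mark"][1]
    return mark

def effective_mss(pkt, mss=1460):
    pkt = dict(pkt, cmark=connection_mark(pkt))  # forward sees the prerouting mark
    for rule in map(parse_rule, FORWARD):
        if matches(rule, pkt):
            mss = min(mss, int(rule["new-mss"][1]))
    return mss
```

Running it shows DNS from the Shield TV (UDP or TCP to port 53) stays unmarked while its port-443 traffic gets the NordVPN mark, and that the change-mss rule as written only fires on SYNs of connections that already carry a mark.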

Thanks so much for your help. I'll try asap and let you know. This is a great learning experience for me.

@badwithnetworking, did you end up resolving your issue with this? If so, what did you end up doing?