Ipsec vpn - disable tunnel ?

Hi,
I am on hex s 7.1.3.
I have configured an IPsec tunnel to NordVPN following the guide at https://support.nordvpn.com/Connectivity/Router/1360295132/MikroTik-IKEv2-setup-with-NordVPN.htm

Everything seems ok, but I need a way to temporarily disable the tunnel when I need to access the whole download bandwidth (it drops from 320mbps to about 90mbps).
For now the only solution I have come across is to split the address list into single ips (I usually need to download from 2 or 3 devices) and disable the list entry when needed. This seems to not work (traffic is still routed even for disabled entries) unless I kill the tunnel/restart.

Completely killing the tunnel is also fine

Any suggestion ?

Thanks

Giuliano

The thing is that the action=src-nat rule matching on the src-address-list specified on the /ip ipsec mode-config row is only consulted when the very first packet of a new connection is processed. Once a connection gets established, its subsequent packets get NATed to the address assigned by the VPN server automatically simply because they belong to the same connection as the first one. So to stop the traffic through the tunnel, you must either disable the tunnel, or add (enable) some rules in /ip firewall raw or in /ip firewall filter, dropping the packets whose source address doesn’t match the right address list.

Thanks for the information !