Hi everyone,
I recently changed provider and started using Dual-Stack Lite (DS-Lite).
The traffic is being routed without local NAT over the ipipv6-tunnel interface to the provider network.
Everything works fine except the SurfShark VPN. I can see a dynamically created NAT rule for the 172.130.8.0/24
subnet and have internet access from the private WiFi network. Access to most sites (Google services, YouTube, and Gmail) is very slow or does not work at all.
I'm out of ideas; if someone could help, that would be great.
# jul/13/2022 21:43:19 by RouterOS 7.4rc2
# software id = G22P-GRK6
#
# model = RBD53iG-5HacD2HnD
#
# Review notes: this is a RouterOS export. "#" lines are ignored on import and
# commands are applied in order, so the relative order of the firewall and
# mangle rules below is significant. No passwords, PSKs or EAP credentials
# appear in this listing (username is redacted as xxx).
/interface bridge
add name=private
add admin-mac=2C:C8:1B:BD:2B:63 auto-mac=no name=public
# Empty bridge with no ports. It is the gateway of the default route in routing
# table ssvpn_blackhole (see /ip route), i.e. the "kill switch" sink: traffic
# from the VPN subnet that is not picked up by the IPsec policy goes here
# instead of leaking out over the provider path.
add name=ssvpn_blackhole protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1_wan
/interface wireless
# NOTE(review): wlan1 uses country=bangladesh while wlan2 uses country=germany
# and the clock is Europe/Berlin; this looks like a leftover and the regulatory
# domain should match the physical location on both radios.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=bangladesh disabled=no distance=indoors frequency=2447 \
installation=indoor mode=ap-bridge ssid=publicwifi wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce \
country=germany disabled=no distance=indoors frequency=5260 installation=\
indoor mode=ap-bridge nv2-security=enabled ssid=privatewifi wireless-protocol=\
802.11
/interface ipipv6
# DS-Lite: IPv4 is carried inside IPv6 to the provider AFTR. Every IPv4 packet
# therefore loses 40 bytes of MTU here, in addition to the IPsec overhead of
# the VPN below (relevant for the change-mss rule in /ip firewall mangle).
add dscp=0 !keepalive local-address=:: name=ipipv6-tunnel remote-address=\
2a02:3040:0:200::b
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Both SSIDs use this default profile, which still accepts wpa-psk (WPA1)
# alongside wpa2-psk. Unless a legacy client requires WPA1, restricting
# authentication-types to wpa2-psk removes the weaker option.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip ipsec mode-config
# Initiator-side mode-config: the address handed out by the peer is attached
# to the interface toward the peer and a dynamic src-nat to that address is
# created for connections carrying connection-mark=under_ssvpn.
add connection-mark=under_ssvpn name="SS VPN mode config" responder=no
/ip ipsec policy group
add name=ssvpn
/ip ipsec profile
# The default profile still offers modp1024 and 3des. The "SS VPN profile"
# also lists modp1024 as its weakest accepted DH group and disables dead peer
# detection (dpd-interval=disable-dpd), so the router will not notice a dead
# tunnel on its own; NOTE(review): worth confirming whether this plays a role
# in the reported stalls.
set [ find default=yes ] dh-group=ecp256,ecp521,modp2048,modp1024 \
enc-algorithm=aes-256,aes-192,3des proposal-check=strict
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd \
enc-algorithm=aes-256 hash-algorithm=sha256 name="SS VPN profile"
/ip ipsec peer
add address=de-ber.prod.surfshark.com exchange-mode=ike2 name="SS VPN server" \
profile="SS VPN profile"
/ip ipsec proposal
# The default proposal keeps md5, sha1 and 3des (legacy). The VPN uses
# "SS VPN proposal": sha256 + aes-256-cbc, but pfs-group=none (no perfect
# forward secrecy on the child SA). NOTE(review): check what lifetime=0s
# means for this RouterOS build (disabled rekey vs. default) before relying
# on it.
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 \
enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,3des pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-192-cbc name=\
proposal-H
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name=\
"SS VPN proposal" pfs-group=none
/ip pool
# Pool "dhcp" (192.168.88.x) is not referenced by any DHCP server below and no
# interface carries a 192.168.88.0/24 address; it is a defconf leftover, as is
# the router.lan static DNS entry under /ip dns static.
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=public-ip-pool ranges=192.168.0.10-192.168.0.40
add name=private-ip-pool ranges=172.30.8.5-172.30.8.55
/ip dhcp-server
add address-pool=public-ip-pool interface=public name=defconf
add address-pool=private-ip-pool interface=private name=dhcp-server-private
/routing table
# Separate FIB used as the routing-mark target for the VPN subnet.
add fib name=ssvpn_blackhole
/interface bridge port
# ether4 and wlan2 form the "private" bridge (the VPN-routed subnet); all other
# ports and wlan1 are on "public" and go straight out via DS-Lite.
add bridge=public comment=defconf interface=ether2
add bridge=public comment=defconf interface=ether3
add bridge=private comment=defconf interface=ether4
add bridge=public comment=defconf interface=ether5
add bridge=public comment=defconf interface=wlan1
add bridge=private comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# Together with the DHCPv6 client below this gives the router itself a global
# IPv6 address on ether1_wan. No IPv6 is configured on the LAN bridges, so
# LAN clients currently have no IPv6 path around the IPv4-only VPN policy.
# NOTE(review): if IPv6 is later enabled on "private", it would bypass the VPN
# unless filtered.
set accept-router-advertisements=yes
/interface list member
add interface=public list=LAN
add interface=ether1_wan list=WAN
add interface=private list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=public network=\
192.168.0.0
add address=192.0.0.2/29 interface=ipipv6-tunnel network=192.0.0.0
add address=172.30.8.1/24 interface=private network=172.30.8.0
/ip dhcp-server network
# Clients resolve directly against 1.1.1.1. For the 172.30.8.0/24 subnet those
# queries are marked like any other traffic from the address list, so they
# travel inside the VPN; the router's own resolver is not used by clients.
add address=172.30.8.0/24 dns-server=1.1.1.1 gateway=172.30.8.1
add address=192.168.0.0/24 dns-server=1.1.1.1 gateway=\
192.168.0.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for anything that
# reaches its input chain; the "drop all not coming from LAN" input rules in
# both the IPv4 and IPv6 filters keep it off the WAN side.
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Source of both the connection mark and the routing mark in /ip firewall
# mangle: only the "private" bridge subnet is sent through the VPN.
add address=172.30.8.0/24 list=under_ssvpn
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Deliberately placed before the fasttrack rule: fasttracked packets skip the
# remaining firewall/mangle processing, which would break the IPsec + mangle
# path for the VPN subnet. Keep this ordering.
add action=accept chain=forward connection-mark=under_ssvpn
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
# Everything sourced from the address list is marked, including traffic toward
# 192.168.0.0/24 and the router itself; with the routing mark applied, such
# packets are looked up in table ssvpn_blackhole, whose only route is the
# default to the empty bridge. NOTE(review): confirm that inter-LAN and
# router-directed traffic from 172.30.8.0/24 behaves as intended; if not, an
# exclusion (e.g. a dst-address-list of local subnets) before these marks is
# the usual fix.
add action=mark-connection chain=prerouting new-connection-mark=under_ssvpn \
passthrough=yes src-address-list=under_ssvpn
add action=mark-routing chain=prerouting new-routing-mark=ssvpn_blackhole \
passthrough=yes src-address-list=under_ssvpn
# MSS clamp for TCP only. Packets here are ESP-encapsulated for the VPN and
# then carried as IPv4-in-IPv6 over DS-Lite, so the usable MTU shrinks twice;
# NOTE(review): 1360 may still be too large for that stack, and UDP-based
# traffic (e.g. QUIC) is not clamped at all. The reported slowness on large
# sites is consistent with a path-MTU problem; verifying with DF-bit pings of
# decreasing size from a "private" host would confirm or rule this out.
add action=change-mss chain=forward connection-mark=under_ssvpn new-mss=1360 \
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
/ip ipsec identity
# EAP-MSCHAPv2 as initiator; "SS VPN CA" is presumably the CA used to verify
# the server certificate — confirm it is the provider CA and not a
# self-signed placeholder. generate-policy=port-strict accepts the
# peer-proposed selectors within the ssvpn template group.
add auth-method=eap certificate="SS VPN CA" eap-methods=eap-mschapv2 \
generate-policy=port-strict mode-config="SS VPN mode config" peer=\
"SS VPN server" policy-template-group=ssvpn username=xxx
/ip ipsec policy
# Template only; the active policy (src = mode-config address, dst 0.0.0.0/0)
# is generated dynamically when the peer comes up.
add dst-address=0.0.0.0/0 group=ssvpn proposal="SS VPN proposal" src-address=\
0.0.0.0/0 template=yes
/ip route
# Main default route points at the DS-Lite tunnel gateway.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.0.0.1 pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# NOTE(review): routing-table=*401 refers to a table by internal id that no
# longer exists under /routing table; this entry is most likely stale and can
# be removed. The following route is the real kill-switch default for the
# ssvpn_blackhole table.
add gateway=ssvpn_blackhole routing-table=*401
add gateway=ssvpn_blackhole routing-table=ssvpn_blackhole
/ipv6 dhcp-client
# request=address only: no prefix delegation is requested, so pool-name is
# presumably unused and no IPv6 prefix is available for the LAN bridges.
add add-default-route=yes interface=ether1_wan pool-name=ipv6-pool \
rapid-commit=no request=address
/ipv6 firewall address-list
# defconf bogon list used by the IPv6 forward chain.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified defconf IPv6 firewall: input is limited to LAN plus ICMPv6,
# traceroute, DHCPv6 and IPsec; forward accepts established/related, IPsec
# and ICMPv6 and drops everything else not from LAN.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Berlin
/system package update
# NOTE(review): the device tracks the testing channel and runs a release
# candidate (7.4rc2, see header). On an Internet-facing router the stable
# channel is the safer choice unless a specific fix from testing is needed.
set channel=testing
/tool mac-server
# MAC-telnet and MAC-winbox restricted to the LAN list (defconf); keep as is.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Please note that the ipipv6-tunnel interface received 10.6.0.233/32 from the VPN; this may be related to the issue.
[admin@MikroTik] > ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 As 0.0.0.0/0 192.0.0.1 1
DAc 10.6.0.233/32 ipipv6-tunnel 0
DAc 172.30.8.0/24 private 0
DAc 192.0.0.0/29 ipipv6-tunnel 0
DAc 192.168.0.0/24 public 0
1 As 0.0.0.0/0 ssvpn_blackhole 1
[admin@MikroTik] > ip/address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; defconf
0 192.168.0.1/24 192.168.0.0 public
1 192.0.0.2/29 192.0.0.0 ipipv6-tunnel
2 172.30.8.1/24 172.30.8.0 private
3 D 10.6.0.233/32 10.6.0.233 ipipv6-tunnel
[admin@MikroTik] > ipv6/route/print
Flags: D - DYNAMIC; I, A - ACTIVE; c, d, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DIdH ::/0 ::%ether1_wan 1
DAc 2a02:3102:4c00:6c::/64 ether1_wan 0
DAc fe80::%ether1_wan/64 ether1_wan 0
DAc fe80::%public/64 public 0
DAc fe80::%private/64 private 0
DAc fe80::%ssvpn_blackhole/64 ssvpn_blackhole 0
[admin@MikroTik] > ipv6/address/print
Flags: D - DYNAMIC; G, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE
# ADDRESS INTERFACE ADVERTISE
0 DL fe80::2ec8:1bff:febd:2b63/64 public no
1 DL fe80::f4a6:b9ff:fe19:4b29/64 ssvpn_blackhole no
2 DL fe80::2ec8:1bff:febd:2b65/64 private no
3 DL fe80::2ec8:1bff:febd:2b62/64 ether1_wan no
4 DG 2a02:3102:4c00:6c:2176:6163:4a5b:89c3/64 ether1_wan no
[admin@MikroTik] > ip/ipsec/policy/print
Flags: T - TEMPLATE; D, A - ACTIVE; * - DEFAULT
Columns: PEER, TUNNEL, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, ACTION, LEVEL, PH2-COUNT
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * ::/0 ::/0 all
1 T 0.0.0.0/0 0.0.0.0/0 all
2 D SS VPN server yes 10.6.0.233/32 0.0.0.0/0 all encrypt unique 1
[admin@MikroTik] > ip/ipsec/active-peers/print
Columns: ID, STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS
0 de-ber.prod.surfshark.com established 15m49s 1 217.138.216.245