Mikrotik WireGuard VPN + Netflix

Hello everyone!

I’m a new user of Mikrotik hardware, so please be lenient with my questions.
I have a small local network in my house: the central router is an RB2011UiAS-2HnD (1st port connected to the WAN from the provider; the other ports are connected via cable to local devices, most importantly ether2 (TCL TV with Android TV) and ether5 (PC)).

I’ve bought a private server for the VPN and configured WireGuard there. I’ve set up a configuration where not all traffic runs through the VPN, only the traffic in the address list. It works well (with good speed); I only need to add an IP or domain to my address list.

But I have a problem with running Netflix through my VPN. I read that it uses a dynamic system of changing IPs, so the address list doesn’t work. I tried to do it like here (https://buananetpbun.github.io/mikrotik/get-ip-address-list-netflix-with-raw.html, which uses dynamic determination of IPs), but some problems happened:

  1. The VPN stopped working on my PC (but it is still working on the mobile devices on my Wi-Fi network);
  2. The TV doesn’t open the Netflix app (error -12), but at that moment IPs are added into the dynamic list;
  3. The main connection speed drops to a very low value (CPU load near 80-85%).

So, I’m asking for your advice on how to get it to work (priority: the TV device on ether2).

By the way, I have a question about the speed of my connection. I have 300 Mbps from the provider, but, for example, on a torrent tracker I have a limit of ~11 Mbps. Could you please give me some advice on my config?

# 2024-07-28 14:39:01 by RouterOS 7.15.2
# software id = **ELIDED**
#
# model = RB2011UiAS-2HnD
# serial number = 
/interface bridge
add name=bridge1-LAN port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors installation=outdoor max-station-count=50 \
    mode=ap-bridge name="wlan1-2.4 GHz" ssid="**ELIDED**" wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether6 ] comment=ACUVOX
/interface wireguard
add listen-port=13231 name=wireguard1
/interface list
add name=list1-WAN
add name=list2-LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.168.21-192.168.168.199
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1-LAN lease-time=10m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing table
add disabled=no fib name=wg
/interface bridge port
add bridge=bridge1-LAN interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1-LAN interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1-LAN interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1-LAN interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge1-LAN interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge1-LAN interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge1-LAN interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge1-LAN interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge1-LAN interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge1-LAN interface="wlan1-2.4 GHz" internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1-WAN list=list1-WAN
add interface=bridge1-LAN list=list2-LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address= **ELIDED** endpoint-port=\
    51820 interface=wireguard1 name=WereguardVPN preshared-key=\
    "" public-key=\
    ""
/ip address
add address=192.168.168.1/24 interface=bridge1-LAN network=192.168.168.0
add address=10.247.218.17/24 interface=ether1-WAN network=10.247.218.0
add address=10.10.10.5 interface=wireguard1 network=10.10.10.5
/ip dhcp-client
add default-route-distance=2 interface=ether1-WAN
/ip dhcp-server lease
add address= **ELIDED** server=dhcp1
/ip dhcp-server network
add address=192.168.168.0/24 gateway=192.168.168.1
/ip dns
set allow-remote-requests=yes servers=\
    10.240.8.2,77.241.17.2,1.1.1.1,10.10.10.5
/ip firewall address-list
add address= **VERY LONG LIST ELIDED**
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface-list=!list2-LAN
add action=accept chain=forward out-interface-list=list1-WAN
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=\
    established,related disabled=yes hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1-WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=no-mark connection-state=established,related hw-offload=\
    yes
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=to-wg \
    new-routing-mark=wg passthrough=yes
add action=mark-connection chain=prerouting connection-state=new \
    dst-address-list=to-wg new-connection-mark=to-wg passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Netflix by Heirro Networking" disabled=yes dst-address-list=to-wg \
    new-connection-mark=to-wg passthrough=yes src-address-list=IP-Local
add action=mark-packet chain=forward connection-mark=NetflixConnection \
    disabled=yes in-interface=wireguard1 new-packet-mark=NetflixDownload \
    passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=list1-WAN
add action=dst-nat chain=dstnat **ELIDED** protocol=tcp \
    src-address-list=admlist to-addresses=192.168.168.198 to-ports=80
add action=masquerade chain=srcnat out-interface=wireguard1 src-address=\
    192.168.168.0/24 src-address-list=""
/ip firewall raw
add action=add-dst-to-address-list address-list=to-wg address-list-timeout=\
    35w3d chain=prerouting comment="Netflix by Heirro Networking" content=\
    netflix.com disabled=yes
add action=add-dst-to-address-list address-list=to-wg address-list-timeout=\
    35w3d chain=prerouting content=nflxso.net disabled=yes
add action=add-dst-to-address-list address-list=to-wg address-list-timeout=\
    35w3d chain=prerouting content=nflxext.com disabled=yes
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.247.218.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address= **ELIDED**/32 gateway=10.247.218.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name= **ELIDED**
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes

Prior to looking at your config, it should not matter and it should work.
The key is you want the DNS request to go through wireguard and all traffic from the IP address you wish to use wireguard.
Did the vpn provider give you a specific DNS address to use??

Observations.

  1. You should only either use an IP address for your WAN IP address (if it's a static public address), OR the IP DHCP client, but not both.
    (Also assuming the address you put in is not the actual one; change it if it is, for security purposes.)

  2. The wireguard address is not correct; it should be:
    /ip address
    add address=10.10.10.5/24 interface=wireguard1 network=10.10.10.5

  3. You should be identifying users that need to go through wireguard, not WAN destinations…
    You may wish to use another subnet just for wireguard users and also make another wifi SSID associated for this subnet, so wifi users needing to go out VPN can just access the appropriate SSID.

  4. Until we figure out what is required, not clear what IP dns settings should be.

  5. Don't understand the purpose of the rule in orange. I suspect you are trying to port forward to a LAN server?
    Elided is not clear in the rule. The other two are duplicate, just get rid of the second one ??
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface-list=list1-WAN
    add action=dst-nat chain=dstnat ELIDED protocol=tcp
    src-address-list=admlist to-addresses=192.168.168.198 to-ports=80

    add action=masquerade chain=srcnat out-interface=wireguard1 src-address=
    192.168.168.0/24 src-address-list=""

  6. Firewall rules need work, but would rather understand config better before commenting.

  7. Purpose of raw rules??

  8. Don't understand routes either… elided ???
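
The source-based approach from observation 3 (route by which LAN host is talking, not by Netflix's changing destination IPs) written out as an added RouterOS example. This is not from any post in this thread and not the original poster's export; it assumes the names from that export (bridge1-LAN on 192.168.168.0/24, interface wireguard1, routing table wg, a peer with allowed-address=0.0.0.0/0), that the tunnel address has been corrected to 10.10.10.5/24, and it uses constructed host addresses (192.168.168.50, 192.168.168.60) and a placeholder resolver 10.10.10.1 on the VPS side, which should be replaced with whatever the VPN server actually provides.

```routeros
# Added example, not the poster's configuration.
# Goal: every connection from selected LAN hosts (TV, PC) leaves via wireguard1;
# all other hosts keep using the provider WAN. No destination lists are needed,
# so services that rotate their IP addresses are not a problem.

# 1. Hosts that must use the tunnel. Addresses are constructed examples;
#    give these hosts static DHCP leases so the list stays valid.
/ip firewall address-list
add list=vpn-hosts address=192.168.168.50 comment="TV on ether2 (example address)"
add list=vpn-hosts address=192.168.168.60 comment="PC on ether5 (example address)"

# 2. Mark new connections from those hosts, except LAN-to-LAN traffic so the
#    hosts can still reach the router and each other directly. Then set the
#    routing mark from the connection mark on every packet of that connection.
/ip firewall mangle
add chain=prerouting src-address-list=vpn-hosts dst-address=!192.168.168.0/24 \
    connection-state=new action=mark-connection new-connection-mark=vpn-conn \
    passthrough=yes comment="new connections from VPN hosts"
add chain=prerouting connection-mark=vpn-conn action=mark-routing \
    new-routing-mark=wg passthrough=no comment="send marked connections to table wg"

# 3. Inside routing table "wg" the default route points into the tunnel.
#    (The posted export already has this route; it is repeated here so the
#    example is complete on its own.)
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg comment="VPN default"

# 4. Hide the LAN hosts behind the tunnel address so replies come back via the VPS.
#    One rule is enough; a second masquerade rule for wireguard1 would be redundant.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade comment="NAT into tunnel"

# 5. DNS. With the tunnel address set to 10.10.10.5/24, a resolver inside
#    10.10.10.0/24 is a directly connected destination and is reached through
#    wireguard1 without any extra route or mangle rule. 10.10.10.1 is a placeholder.
/ip dns
set allow-remote-requests=yes servers=10.10.10.1
```

Two points worth checking after applying something like this. First, the fasttrack rule in the posted export matches `connection-mark=no-mark`, so connections marked `vpn-conn` are not fasttracked and the mangle rules keep seeing them; if fasttrack is ever changed to match all established traffic, the routing mark will silently stop being applied. Second, the `/ip dns` change sends the router's own forwarded lookups through the tunnel for every LAN client, not only the VPN hosts, which is the simplest way to satisfy "DNS requests should go through wireguard"; if the rest of the LAN should keep the provider's resolvers, hand the VPN hosts a different DNS server via their static DHCP leases instead.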

Hello!
First of all, thank you for your answers. I’m a newbie in net administration, so I’ve done all this config with guides found on the Internet. I’ll try to answer, but it’s difficult for me to understand some things.

  1. I have no static IP address from the provider. I have from the provider a DNS primary, secondary and Gateway address. I put them into DNS Settings (when I configured the connection without WireGuard, all this worked correctly). When I started configuring WireGuard, I saw in some guide that there needs to be an additional public DNS (I use 1.1.1.1) and the address from my WireGuard server (10.10.10.5). Without these settings the VPN doesn’t work.

About WireGuard. I’ve bought a VPS on Aesa and installed Ubuntu 20.4 + WireGuard there. The latter provided me this IP: 10.10.10.5. This process was similar to lots of guides.

In DHCP Client I have this (but it seems like it’s not working: an infinite “searching…”):
https://prnt.sc/PIEzemS0uU3-

  1. I corrected this mistake.

  2. So my scheme of using the VPN was this:
    Basically the connection goes through the main way without VPN → Mikrotik checks the address list → if it finds the needed address or IP, it routes the connection through the VPN.
    This is my home network, so I allow all devices in my network to go through this way. It works correctly (for example, a smartphone connected to Wi-Fi reaches the Address List through the VPN).
    In the guides it was done with NAT and Mangle rules:
    https://prnt.sc/NiZCegnw4bU8
    https://prnt.sc/OgbIJgqkV_pQ

I have a problem when trying to route Netflix through the VPN, because of its dynamic system of changing IPs. I add one IP to my Address List, but Netflix rapidly changes it to another, so I cannot get access.

  1. This rule was added by my provider’s technical support; they helped me configure my Mikrotik with remote access. I don’t know how it works, but I guess it’s for unblocking some port.

  2. Here is the screen of my firewall rules
    https://prnt.sc/-WQK5KgGqgEn

  3. There are no working rules in RAW. But the guide says it’s for the dynamic addition of changing IPs into my WireGuard list. It was like this:
    https://prnt.sc/-WQK5KgGqgEn

  4. Here is Routes screen:
    https://prnt.sc/Lq9-s3WjLy5b

Hello everyone!
Bump for my thread.