I had a working VPN connection, which I use to split tunnel traffic. I had to change the WAN port - should be easy - but it killed the VPN. I can’t see how it has done this - nothing is bound or hard wired to the old port. Spent a bit of time on this, thrown it at chatgpt (surprisingly useful for some things), but not figured it out. Can anyone see where I’ve gone wrong?
```
# 2025-10-22 20:56:34 by RouterOS 7.20.2
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = HE4****
/interface bridge
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether2 ] name="Port 2"
set [ find default-name=ether3 ] name="Port 3"
set [ find default-name=ether4 ] name="Port 4"
set [ find default-name=ether5 ] name="Port 5"
set [ find default-name=ether6 ] name="Port 6"
set [ find default-name=ether7 ] name="Port 7"
set [ find default-name=ether8 ] mac-address=A4:43:8C:36:0B:E1 name="Port 8"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
set [ find default-name=ether1 ] mac-address=A4:43:8C:36:0B:B1 name=Wan
/interface veth
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 dhcp=no gateway=172.17.0.1 \
gateway6=fd6c:b6e2:f488:: mac-address=44:4F:16:BE:02:9D name=veth1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/container mounts
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
/usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
128035675648 type=partition
/interface list
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dpd-interval=2m dpd-maximum-failures=5 name=NordVPN
/ip ipsec peer
add address=al55.nordvpn.com comment=Albania exchange-mode=ike2 name=NordVPN \
profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
add envlists=pihole_envs interface=veth1 logging=yes mounts=\
dnsmasq_pihole,etc_pihole name=Pi_Hole remote-image=pihole/pihole:latest \
root-dir=usb1-part1/pihole start-on-boot=yes workdir=/
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
/container envs
add key=DNSMASQ_USER list=pihole_envs value=root
add key=FTLCONF_webserver_api_password list=pihole_envs value=Ham1sh01
add key=TZ list=pihole_envs value=Europe/London
/ip smb
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/interface bridge port
add bridge="Local Bridge" interface="Port 2" internal-path-cost=10 path-cost=\
10
add bridge="Local Bridge" interface="Port 7" internal-path-cost=10 path-cost=\
10
add bridge="Local Bridge" interface=*F internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 3" internal-path-cost=10 path-cost=\
10
add bridge="Local Bridge" interface="Port 4" internal-path-cost=10 path-cost=\
10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 6"
add bridge="Local Bridge" interface="Port 5"
add bridge="Local Bridge" interface="Port 9 - SFP+"
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add interface="Local Bridge" list=listBridge
add interface=dockers list=listBridge
add interface=wireguard1 list=listBridge
add interface="Local Bridge" list=LAN
add interface=dockers list=LAN
add interface=wireguard1 list=LAN
add interface="Local Bridge" list=TRUSTED
add interface=wireguard1 list=TRUSTED
add interface=Wan list=WAN
/interface ovpn-server server
add mac-address=FE:A8:27:88:84:9C name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.10.2/32 comment="2 iPhone" interface=wireguard1 \
name=peer5 public-key=""
add allowed-address=192.168.10.4/32 comment="4 Dell XPS13 Darren" interface=\
wireguard1 name=peer7 public-key=\
""
add allowed-address=192.168.10.5/32 comment="5 iPad" interface=wireguard1 \
name=peer8 public-key=""
add allowed-address=192.168.10.11/32 interface=wireguard1 name=peer1 \
public-key=""
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
dockers network=172.17.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=Wan
/ip dhcp-server lease
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.150 client-id=1:f8:25:51:b6:4a:bc mac-address=\
F8:25:51:B6:4A:BC server=dhcp1
add address=10.160.100.93 client-id=1:5a:63:f6:f3:6d:11 mac-address=\
5A:63:F6:F3:6D:11 server=dhcp1
add address=10.160.100.97 client-id=1:d8:5e:d3:a6:37:14 mac-address=\
D8:5E:D3:A6:37:14 server=dhcp1
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.75 client-id=\
30:3a:31:3a:31:3a:36:63:3a:31:66:3a:66:37:3a:34:30:3a:34:62:3a:64:38 \
mac-address=6C:1F:F7:40:4B:D8 server=dhcp1
add address=10.160.100.152 client-id=1:70:49:a2:21:4a:9 mac-address=\
70:49:A2:21:4A:09 server=dhcp1
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
max-concurrent-tcp-sessions=2000 servers=\
1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=104.16.248.249 name=cloudflare-dns.com type=A
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=telegraph.co.uk list=VPN
add address=10.160.100.97 comment="admin local desktop" list=Authorized
add address=10.160.100.69 comment="admin Dell XPS 13 laptop" list=Authorized
add address=10.160.100.93 comment="admin Dell iPad" list=Authorized
add address=10.160.100.94 comment="admin iPhone" list=Authorized
add address=192.168.10.2 comment="remote admin iphone" list=Authorized
add address=192.168.10.4 comment="remote admin laptop" list=Authorized
add address=192.168.10.5 comment="remote admin iPad" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
"Local Bridge"
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="Allow Everything in Wireguard" \
in-interface=wireguard1
add action=accept chain=input comment="admin access" in-interface-list=\
TRUSTED src-address-list=Authorized
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
"Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"Forward established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=accept chain=forward comment="Forward all outbound traffic" \
in-interface="Local Bridge" out-interface-list=WAN packet-mark=""
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
wireguard1 out-interface-list=WAN
add action=accept chain=forward comment="Accept dst-nat" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
add action=drop chain=forward comment="Drop all Else"
add action=drop chain=forward out-interface-list=LAN src-address-list=\
back-to-home-lan-restricted-peers
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Newsgroup Traffic ipsec" \
connection-state=new dst-port=563 in-interface="Local Bridge" \
new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment="Mark Telegraph traffic" \
connection-state=new dst-address-list=VPN in-interface="Local Bridge" \
new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment=\
"Mark Telegraph ICMP traffic" connection-state=new dst-address-list=VPN \
in-interface="Local Bridge" new-connection-mark=ipsec protocol=icmp
add action=mark-connection chain=prerouting comment=\
"BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
protocol=tcp
add action=mark-connection chain=prerouting comment=\
"BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
in-interface="Local Bridge" new-connection-mark=ipsec protocol=udp
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1300 \
protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=postrouting ipsec-policy=out,ipsec new-mss=1300 \
protocol=tcp tcp-flags=syn tcp-mss=1301-65535
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
masq out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
in-interface-list=WAN log=yes log-prefix=PlexNAT protocol=tcp \
to-addresses=10.160.100.75 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
dst-port=888 in-interface-list=LAN protocol=tcp to-addresses=172.17.0.2 \
to-ports=80
add action=dst-nat chain=dstnat comment=\
"Force any UDP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface-list=LAN protocol=udp \
src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
"Force any TCP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface-list=LAN protocol=tcp \
src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip ipsec identity
add auth-method=eap certificate=root.der_0 eap-methods=eap-mschapv2 \
generate-policy=port-override mode-config=NordVPN peer=NordVPN \
policy-template-group=NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
0.0.0.0/0 template=yes
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl certificate=Webfig disabled=no
set ssh port=2200
set winbox address=10.160.100.0/24
set api disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
set strong-crypto=yes
/ipv6 address
add address=::4aa9:8aff:fe57:4601 from-pool=IPv6_Pool interface=\
"Local Bridge"
add comment="Docker container address range" from-pool=IPv6_dockers \
interface=dockers
/ipv6 dhcp-client
add add-default-route=yes custom-iana-id=0 custom-iapd-id=0 \
default-route-tables=main interface=Wan pool-name=IPv6_Pool prefix-hint=\
::/56 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=youtube.com disabled=yes list=VPN
add address=youtube.com list=YouTube
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!listBridge
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!listBridge
add action=accept chain=output protocol=icmpv6
/ipv6 firewall nat
add action=masquerade chain=srcnat comment="Masquerade DNS traffic TCP" \
dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=tcp \
src-address-list=""
add action=masquerade chain=srcnat comment="Masquerade DNS traffic UDP" \
dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=udp
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN log=\
yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 to-address=\
fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN \
protocol=tcp src-address=!fd6c:b6e2:f488::2/128 to-address=\
fd6c:b6e2:f488::2/128
add action=masquerade chain=srcnat comment="Masquerade for the Pihole" \
out-interface-list=WAN src-address=fd6c:b6e2:f488::/64
add action=dst-nat chain=dstnat comment=Pihole dst-address=\
fd94:4dc1:86fb::2/128 dst-port=888 in-interface="Local Bridge" \
in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
to-ports=80
/ipv6 nd
add dns=fe80::4aa9:8aff:fe57:4601 interface="Local Bridge" \
other-configuration=yes retransmit-interval=20s
/system clock
set time-zone-name=Europe/London
/system identity
set name=Gateway
/system logging
add action=disk topics=interface
add topics=ipsec,!packet
add topics=ipsec,debug
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface="Port 8"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes
/tool traffic-monitor
add disabled=yes interface="Port 8" name=tmon1
```
jaclaz
October 22, 2025, 9:08pm
I guess you mean unsurprising unuseful.
mkx
October 23, 2025, 5:41am
So which two ports are involved in "I had to change WAN port"? Which was the old one and which is the new one?
Most often the problem is that one forgets to properly update interface list memberships ... and WAN interface list is used all over firewall configuration.
I went from port 8 to port 1. I can’t see anywhere that would hard code the VPN route. I don’t have a filter rule to explicitly allow the traffic, but I didn’t before I moved the port either, so it couldn’t be about that.
Does anyone have any ideas why my config no longer creates a VPN tunnel?
jaclaz
November 6, 2025, 10:47pm
In the configuration you posted, It seems like in:
/interface list member
"Port 8"
Is missing?
(while "Wan" Is WAN)
Ether1 (OP said he moved from 8 to 1) was renamed to “Wan”, which is in list “WAN”. Got my head spinning, but it should work.
Since I'm here I guess I'll ask: is the VPN you killed the “nord vpn” IPsec, or the WireGuard? Also, make sure you have rebooted your router since the interface change and gone back through any instructions Nord gave you. Anything in the logs? Checked with the VPN provider?
It’s the NordVPN IPSEC tunnel - Wireguard uses a different protocol and doesn’t get treated the same way in the split tunnelling.
I note the earlier poster’s mention of one of the ports not being a part of the local bridge - thanks.
Not sure what you mean about Wan and WAN. I can see why it might be something to do with that, but I don’t see anywhere in the config where I should change Wan (the interface) with WAN (the interface list) to make this work.
Have I missed your point?
jaclaz
November 7, 2025, 12:44pm
I don't know.
I just noticed that you have renamed:
ether1=Wan (it would be smarter IMHO to call it Wan_port or - better - Wan_eth1)
ether8="Port 8"
Then "Port 8" disappears, as it is not part of the bridge, nor does it have an entry in /interface list member.
I cannot say how it was (reversed) when you had that VPN working. I have to note (and again no idea if this is connected with the issue at hand) that these two ports (and these two ports only) have a manually set MAC.
You also have a * (asterisk) in your configuration that shouldn't normally be there, see Point #21 here:
GP & CSA for Mikrotik devices
Logically the *F in /interface bridge port belonged to this Port 8, so somehow when you made the changes some references were lost; no idea if this can be related.
Thanks for your help.
I have added port 8 to the local bridge - I forgot to complete that in the move. I renamed to Wan_eth1 - good suggestion. I also removed the asterisk (or rather, it is now not there) - no idea how that happened.
No change to the VPN behaviour, though.
PS. I set the MAC address manually because of my ISP’s long DHCP lease times. However, I could reset these to the defaults. The instructions I can find online for this seem to have been deprecated, so I'm not sure how to do it.
Amm0
November 7, 2025, 2:26pm
I think you're missing the default accepts for IPsec in the firewall filter forward chain:
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
These need to be before any drop action on the forward chain.
Thanks. I didn’t have these rules before I changed the ports, but adding them doesn’t fix the issue.
Amm0
November 7, 2025, 3:10pm
My other thought is ether1 has a mac-address set explicitly. Are you sure that's not duplicated? Unless you have some modem that requires a specific MAC, I'd leave those the defaults.
Otherwise, I think you'll have to be more specific on "killed the VPN", and perhaps re-post the configuration and whatever changed. Some subtle thing is wrong/different between the OP config and the current one.
If you have a backup of config while WAN on ether8, that might be helpful to post – since that worked.
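A way to run the checks this thread does by hand (jaclaz's missing bridge/list membership and the `*F` reference, Amm0's duplicated-MAC question, and the rule-order point about the forward chain) against an export, as an added example that is not from the original thread, from MikroTik, or from any of the posters. It parses the standard `/export` layout (trailing-backslash continuation, double-quoted values) and runs over a constructed excerpt of the post-move export above; the excerpt, the `SAMPLE_EXPORT` name and the wording of the findings are mine. Pass a file path to run it against a saved export instead.

```python
"""Cross-check a RouterOS export for what this thread found by hand: interfaces that
fell out of every bridge and list after a port move (and dangling '*F' references),
a mac-address set on two ports, and forward-chain rules stuck behind a catch-all drop."""
import shlex
import sys

# Constructed excerpt mirroring the post-move export in this thread, not the full file.
SAMPLE_EXPORT = r"""
/interface bridge
add name="Local Bridge" port-cost-mode=short
/interface ethernet
set [ find default-name=ether2 ] name="Port 2"
set [ find default-name=ether8 ] mac-address=A4:43:8C:36:0B:E1 name="Port 8"
set [ find default-name=ether1 ] mac-address=A4:43:8C:36:0B:B1 name=Wan
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge="Local Bridge" interface="Port 2" internal-path-cost=10 path-cost=\
10
add bridge="Local Bridge" interface=*F internal-path-cost=10 path-cost=10
/interface list member
add interface="Local Bridge" list=LAN
add interface=Wan list=WAN
/ip firewall filter
add action=accept chain=forward comment="Forward all outbound traffic" \
in-interface="Local Bridge" out-interface-list=WAN packet-mark=""
add action=drop chain=forward comment="Drop all Else"
add action=drop chain=forward out-interface-list=LAN src-address-list=\
back-to-home-lan-restricted-peers
"""
INTERFACE_SECTIONS = ("/interface ethernet", "/interface bridge", "/interface veth", "/interface wireguard")
REFERENCE_KEYS = ("interface", "in-interface", "out-interface")
# Keys on a filter rule that do not narrow what it matches.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled", "place-before", "hw-offload"}

def parse_export(text):
    """Return (section, verb, {key: value}) for each add/set command."""
    records, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # RouterOS wraps long commands this way
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)       # copes with the double-quoted values
        records.append((section, tokens[0],
                        dict(t.split("=", 1) for t in tokens[1:] if "=" in t)))
    return records

def check_interfaces(records):
    """Return (unplaced, dangling, undefined, duplicate_macs)."""
    defined = {kv["name"] for s, _, kv in records if s in INTERFACE_SECTIONS and "name" in kv}
    placed = {kv["interface"] for s, _, kv in records
              if s in ("/interface bridge port", "/interface list member")}
    referenced = {kv[k] for _, _, kv in records for k in REFERENCE_KEYS if k in kv}
    macs = [kv["mac-address"] for s, _, kv in records
            if s == "/interface ethernet" and "mac-address" in kv]
    return (sorted(defined - placed),
            sorted(r for r in referenced if r.startswith("*")),
            sorted(r for r in referenced - defined if not r.startswith("*")),
            sorted({m for m in macs if macs.count(m) > 1}))

def check_chain(records, chain="forward"):
    """First enabled catch-all drop in a chain, the rules behind it, and any
    accept rules keyed on ipsec-policy."""
    rules = [kv for s, verb, kv in records
             if s == "/ip firewall filter" and verb == "add" and kv.get("chain") == chain]
    catch_all = next((i for i, kv in enumerate(rules) if kv.get("action") == "drop"
                      and kv.get("disabled") != "yes" and not (set(kv) - NON_MATCHERS)), None)
    unreachable = [] if catch_all is None else list(range(catch_all + 1, len(rules)))
    ipsec_accepts = [i for i, kv in enumerate(rules)
                     if kv.get("action") == "accept" and "ipsec-policy" in kv]
    return {"rules": rules, "catch_all": catch_all,
            "unreachable": unreachable, "ipsec_accepts": ipsec_accepts}

def report(text):
    records = parse_export(text)
    unplaced, dangling, undefined, dup_macs = check_interfaces(records)
    out = [f"interface {n!r} is in no bridge and no interface list" for n in unplaced]
    out += [f"dangling reference {r}: its interface no longer exists" for r in dangling]
    out += [f"reference to undefined interface {r!r}" for r in undefined]
    out += [f"mac-address {m} is set on more than one ethernet port" for m in dup_macs]
    fwd = check_chain(records)
    if fwd["catch_all"] is not None:
        comment = fwd["rules"][fwd["catch_all"]].get("comment", "")
        out.append(f"forward: catch-all drop is rule #{fwd['catch_all']} ({comment!r}); "
                   f"put new accepts before it with place-before=[find comment=\"{comment}\"]")
    out += [f"forward: rule #{i} {fwd['rules'][i]} can never match" for i in fwd["unreachable"]]
    if not fwd["ipsec_accepts"]:
        out.append("forward: no accept keyed on ipsec-policy (fine while the LAN->WAN "
                   "accept rule already covers the tunnelled flows)")
    return out

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    print("\n".join(report(text)) or "no findings")
```

On the sample it reports "Port 8" as being in no bridge and no list, the `*F` reference, "Drop all Else" as the catch-all at forward rule #1 with the back-to-home drop behind it as unreachable, and that no ipsec-policy accept exists. Run over the full post-move export above it flags the same three things (the rule after "Drop all Else" is the unreachable one there); the place-before hint is where Amm0's two accepts have to go, since a rule added with a plain `add` lands after the drop and never matches. The missing ipsec-policy accept is reported for information only: the "Forward all outbound traffic" rule already accepts LAN-to-WAN flows before they are encapsulated, so that finding by itself does not explain a tunnel that fails to come up.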
I can’t figure out how to reset the mac address to default - it is an ISP semi-restriction.
Good idea re. pre-swap backup. Does this help?
# 2025-10-08 13:24:28 by RouterOS 7.20
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = HE408Z9RT61
/interface bridge
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="Port 1 - Study"
set [ find default-name=ether2 ] name="Port 2 - Living Room"
set [ find default-name=ether3 ] name="Port 3 - Girl's Room"
set [ find default-name=ether4 ] name="Port 4 - Snug"
set [ find default-name=ether5 ] name="Port 5 - VH Backup"
set [ find default-name=ether6 ] name="Port 6"
set [ find default-name=ether7 ] name="Port 7 - Kitchen"
set [ find default-name=ether8 ] mac-address=A4:43:8C:36:0B:B1 name=\
"Port 8 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
/interface veth
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 dhcp=no gateway=172.17.0.1 \
gateway6=fd6c:b6e2:f488:: mac-address=44:4F:16:BE:02:9D name=veth1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/container mounts
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
/usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
128035675648 type=partition
/interface list
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dpd-interval=2m dpd-maximum-failures=5 name=NordVPN
/ip ipsec peer
add address=al55.nordvpn.com comment=Albania exchange-mode=ike2 name=NordVPN \
profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
add envlists=pihole_envs interface=veth1 logging=yes mounts=\
dnsmasq_pihole,etc_pihole name=Pi_Hole remote-image=pihole/pihole:latest \
root-dir=usb1-part1/pihole start-on-boot=yes workdir=/
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
/container envs
add key=DNSMASQ_USER list=pihole_envs value=root
add key=FTLCONF_webserver_api_password list=pihole_envs value=Ham1sh01
add key=TZ list=pihole_envs value=Europe/London
/ip smb
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/interface bridge port
add bridge="Local Bridge" interface="Port 2 - Living Room" \
internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 1 - Study" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface="Port 7 - Kitchen" internal-path-cost=10 \
path-cost=10
add bridge="Local Bridge" interface=*F internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 3 - Girl's Room" \
internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 4 - Snug" internal-path-cost=10 \
path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 6"
add bridge="Local Bridge" interface="Port 5 - VH Backup"
add bridge="Local Bridge" interface="Port 9 - SFP+"
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add interface="Local Bridge" list=listBridge
add interface="Port 8 - WAN" list=WAN
add interface=dockers list=listBridge
add interface=wireguard1 list=listBridge
add interface="Local Bridge" list=LAN
add interface=dockers list=LAN
add interface=wireguard1 list=LAN
add interface="Local Bridge" list=TRUSTED
add interface=wireguard1 list=TRUSTED
/interface ovpn-server server
add mac-address=FE:A8:27:88:84:9C name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.10.2/32 comment="2 iPhone" interface=wireguard1 \
name=peer5 public-key=""
add allowed-address=192.168.10.4/32 comment="4 Dell XPS13 Darren" interface=\
wireguard1 name=peer7 public-key=\
""
add allowed-address=192.168.10.5/32 comment="5 iPad" interface=wireguard1 \
name=peer8 public-key=""
add allowed-address=192.168.10.11/32 interface=wireguard1 name=peer1 \
public-key=""
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
dockers network=172.17.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface="Port 8 - WAN"
/ip dhcp-server lease
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.150 client-id=1:f8:25:51:b6:4a:bc mac-address=\
F8:25:51:B6:4A:BC server=dhcp1
add address=10.160.100.93 client-id=1:5a:63:f6:f3:6d:11 mac-address=\
5A:63:F6:F3:6D:11 server=dhcp1
add address=10.160.100.97 client-id=1:d8:5e:d3:a6:37:14 mac-address=\
D8:5E:D3:A6:37:14 server=dhcp1
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.75 client-id=\
30:3a:31:3a:31:3a:36:63:3a:31:66:3a:66:37:3a:34:30:3a:34:62:3a:64:38 \
mac-address=6C:1F:F7:40:4B:D8 server=dhcp1
add address=10.160.100.152 client-id=1:70:49:a2:21:4a:9 mac-address=\
70:49:A2:21:4A:09 server=dhcp1
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
max-concurrent-tcp-sessions=2000 servers=\
1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=104.16.248.249 name=cloudflare-dns.com type=A
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=telegraph.co.uk list=VPN
add address=4.78.139.50 list=YouTube
add address=4.78.139.54 list=YouTube
add address=23.101.24.70 list=YouTube
add address=23.202.231.167 list=YouTube
add address=23.217.138.108 list=YouTube
add address=23.225.141.210 list=YouTube
add address=23.234.30.58 list=YouTube
add address=31.13.64.7 list=YouTube
add address=31.13.67.19 list=YouTube
add address=31.13.67.33 list=YouTube
add address=31.13.67.41 list=YouTube
add address=31.13.68.169 list=YouTube
add address=31.13.69.169 list=YouTube
add address=31.13.69.245 list=YouTube
add address=31.13.70.9 list=YouTube
add address=31.13.70.13 list=YouTube
add address=31.13.70.33 list=YouTube
add address=31.13.71.19 list=YouTube
add address=31.13.73.9 list=YouTube
add address=31.13.73.169 list=YouTube
add address=31.13.75.5 list=YouTube
add address=31.13.75.12 list=YouTube
add address=31.13.76.65 list=YouTube
add address=31.13.76.99 list=YouTube
add address=31.13.80.37 list=YouTube
add address=31.13.80.54 list=YouTube
add address=31.13.80.169 list=YouTube
add address=31.13.81.4 list=YouTube
add address=31.13.82.33 list=YouTube
add address=31.13.82.169 list=YouTube
add address=31.13.83.2 list=YouTube
add address=31.13.83.34 list=YouTube
add address=31.13.84.2 list=YouTube
add address=31.13.84.34 list=YouTube
add address=31.13.85.2 list=YouTube
add address=31.13.85.34 list=YouTube
add address=31.13.85.53 list=YouTube
add address=31.13.85.169 list=YouTube
add address=31.13.86.21 list=YouTube
add address=31.13.87.9 list=YouTube
add address=31.13.87.19 list=YouTube
add address=31.13.87.33 list=YouTube
add address=31.13.87.34 list=YouTube
add address=31.13.88.26 list=YouTube
add address=31.13.88.169 list=YouTube
add address=31.13.90.19 list=YouTube
add address=31.13.90.33 list=YouTube
add address=31.13.91.6 list=YouTube
add address=31.13.91.33 list=YouTube
add address=31.13.92.5 list=YouTube
add address=31.13.94.7 list=YouTube
add address=31.13.94.10 list=YouTube
add address=31.13.94.23 list=YouTube
add address=31.13.94.36 list=YouTube
add address=31.13.94.37 list=YouTube
add address=31.13.94.41 list=YouTube
add address=31.13.94.49 list=YouTube
add address=31.13.95.17 list=YouTube
add address=31.13.95.18 list=YouTube
add address=31.13.95.33 list=YouTube
add address=31.13.95.34 list=YouTube
add address=31.13.95.35 list=YouTube
add address=31.13.95.37 list=YouTube
add address=31.13.95.38 list=YouTube
add address=31.13.95.48 list=YouTube
add address=31.13.95.169 list=YouTube
add address=31.13.96.192 list=YouTube
add address=31.13.96.193 list=YouTube
add address=31.13.96.194 list=YouTube
add address=31.13.96.195 list=YouTube
add address=31.13.96.208 list=YouTube
add address=10.160.100.97 comment="admin local desktop" list=Authorized
add address=10.160.100.69 comment="admin Dell XPS 13 laptop" list=Authorized
add address=10.160.100.93 comment="admin Dell iPad" list=Authorized
add address=10.160.100.94 comment="admin iPhone" list=Authorized
add address=192.168.10.2 comment="remote admin iphone" list=Authorized
add address=192.168.10.4 comment="remote admin laptop" list=Authorized
add address=192.168.10.5 comment="remote admin iPad" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
"accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
"Local Bridge"
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="Allow Everything in Wireguard" \
in-interface=wireguard1
add action=accept chain=input comment="admin access" in-interface-list=\
TRUSTED src-address-list=Authorized
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
"Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"Forward established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=accept chain=forward comment="Forward all outbound traffic" \
in-interface="Local Bridge" out-interface="Port 8 - WAN" packet-mark=""
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
wireguard1 out-interface="Port 8 - WAN"
add action=accept chain=forward comment="Accept dst-nat" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
add action=drop chain=forward comment="Drop all Else"
add action=drop chain=forward out-interface-list=LAN src-address-list=\
back-to-home-lan-restricted-peers
/ip firewall mangle
add action=passthrough chain=prerouting comment=\
"special dummy rule to show fasttrack counters" disabled=yes
add action=mark-connection chain=prerouting comment="Newsgroup Traffic ipsec" \
connection-state=new dst-port=563 in-interface="Local Bridge" \
new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment="YouTube Traffic ipsec" \
connection-state=new disabled=yes dst-address-list=YouTube in-interface=\
"Local Bridge" new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment="YouTube Traffic ipsec" \
connection-state=new disabled=yes dst-address-list=YouTube in-interface=\
"Local Bridge" new-connection-mark=ipsec protocol=udp
add action=mark-connection chain=prerouting comment="Mark Telegraph traffic" \
connection-state=new dst-address-list=VPN in-interface="Local Bridge" \
new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment=\
"Mark Telegraph ICMP traffic" connection-state=new dst-address-list=VPN \
in-interface="Local Bridge" new-connection-mark=ipsec protocol=icmp
add action=mark-connection chain=prerouting comment=\
"BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
protocol=tcp
add action=mark-connection chain=prerouting comment=\
"BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
in-interface="Local Bridge" new-connection-mark=ipsec protocol=udp
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1300 \
protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=postrouting ipsec-policy=out,ipsec new-mss=1300 \
protocol=tcp tcp-flags=syn tcp-mss=1301-65535
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
masq out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
in-interface="Port 8 - WAN" log=yes log-prefix=PlexNAT protocol=tcp \
to-addresses=10.160.100.75 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
dst-port=888 in-interface-list=LAN protocol=tcp to-addresses=172.17.0.2 \
to-ports=80
add action=dst-nat chain=dstnat comment=\
"Force any UDP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface-list=LAN protocol=udp \
src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
"Force any TCP DNS queries that aren't to pihole to go to pihole" \
dst-address=!172.17.0.2 dst-port=53 in-interface-list=LAN protocol=tcp \
src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
0.0.0.0/0 template=yes
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl certificate=Webfig disabled=no
set ssh port=2200
set winbox address=10.160.100.0/24
set api disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
set strong-crypto=yes
/ipv6 address
add address=::4aa9:8aff:fe57:4601 from-pool=IPv6_Pool interface=\
"Local Bridge"
add comment="Docker container address range" from-pool=IPv6_dockers \
interface=dockers
/ipv6 dhcp-client
add add-default-route=yes interface="Port 8 - WAN" pool-name=IPv6_Pool \
prefix-hint=::/56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=youtube.com disabled=yes list=VPN
add address=youtube.com list=YouTube
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!listBridge
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
"Local Bridge" out-interface=dockers
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!listBridge
/ipv6 firewall nat
add action=masquerade chain=srcnat comment="Masquerade DNS traffic TCP" \
dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=tcp \
src-address-list=""
add action=masquerade chain=srcnat comment="Masquerade DNS traffic UDP" \
dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=udp
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN log=\
yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 to-address=\
fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN \
protocol=tcp src-address=!fd6c:b6e2:f488::2/128 to-address=\
fd6c:b6e2:f488::2/128
add action=masquerade chain=srcnat comment="Masquerade for the Pihole" \
out-interface-list=WAN src-address=fd6c:b6e2:f488::/64
add action=dst-nat chain=dstnat comment=Pihole dst-address=\
fd94:4dc1:86fb::2/128 dst-port=888 in-interface="Local Bridge" \
in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
to-ports=80
/ipv6 nd
add dns=fe80::4aa9:8aff:fe57:4601 interface="Local Bridge" \
managed-address-configuration=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=Gateway
/system logging
add action=disk topics=interface
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface="Port 8 - WAN"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes
/tool traffic-monitor
add disabled=yes interface="Port 8 - WAN" name=tmon1
Amm0
November 7, 2025, 3:45pm
16
If I do a quick diff of the two configs:
One is using 7.20 while the other is using 7.20.2. I wouldn't discount a bug unrelated to moving the port. Perhaps get to the latest stable, which is 7.20.4, and also make sure to upgrade the firmware, /system/routerboard/upgrade (although I doubt it's firmware related here).
Configurations look really similar... Although it seems the YouTube rules are removed, perhaps for clarity in the post - but if that's how traffic gets to the VPN, the address-list is missing.
In /ip ipsec identity, you switched from generate-policy=port-override to generate-policy=port-strict - IDK what's needed, but I'd try setting that back to port-override, i.e. this was working:
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
NordVPN username=WN...
vs not working:
add auth-method=eap certificate=root.der_0 eap-methods=eap-mschapv2 \
generate-policy=port-override mode-config=NordVPN peer=NordVPN \
policy-template-group=NordVPN username=WN...
I am beginning to suspect that the packets are not being correctly marked. If I try to fault-find the traffic by searching for connection marks, I can’t find connections that are marked ipsec. The other odd thing is that very few packets are fasttracked. I have 1.4GB of traffic fasttracked, but the next forward rule has 71GB of traffic. I think this is unusual - AFAIK, most packets should be fasttracked.
Since I didn’t touch the VPN setup by moving the ports, I wonder if I’ve accidentally broken a rule in Firewall settings.
Could that be a clue to the cause?
OK. I semi-fixed this. It turned out that connections are getting marked correctly - I could see that by filtering by connection mark. The tunnel wasn’t being created because NordVPN has a per-server password - and I changed the server. My bad. I think you used to be able to do this, so perhaps it’s a policy change.
So, now the tunnel is created, marked connections get to it. However, this traffic doesn’t complete the connection - I get an error with the software I’m using that it can’t complete the SSL handshake. I guess an attempt is made to establish the connection, which then fails in the response…?
I have now fixed this. It turned out that clamping the MSS to 1300 in the input and post-routing chains solved the problem.
I’m a bit puzzled by why this worked, as I didn’t have to do it with the previous config, before I changed the WAN port.
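The reason the MSS clamp matters can be worked out from the ESP framing: a full 1460-byte segment, once wrapped in tunnel-mode ESP, no longer fits a 1500-byte path, so the large TLS ServerHello/certificate packets are fragmented or dropped while the small SYN/ACK exchange still works. The calculator below is an added example, not code from the thread; it assumes an IPv4 outer header, ESP over UDP (NAT-T) and AES-CBC with 16-byte IV, 16-byte ICV and 16-byte padding alignment, since the proposal the router negotiates with NordVPN is not shown in the post.

```python
# Added example (not from the thread): estimate the on-the-wire size of a TCP
# segment once it is wrapped in IPsec ESP tunnel mode, to see why an MSS of
# 1460 (plain 1500-byte Ethernet) overflows the path while 1300 fits.
# Assumptions (the thread does not show the IPsec proposal): IPv4 outer header,
# ESP over UDP (NAT-T), AES-CBC with a 16-byte IV and a 16-byte ICV by default.

ESP_HEADER = 8          # SPI + sequence number
IPV4_HEADER = 20
UDP_HEADER = 8          # NAT-T encapsulation
TCP_HEADER = 20
ESP_TRAILER = 2         # pad length + next header


def esp_outer_size(mss, iv_len=16, icv_len=16, block=16, nat_t=True):
    """Return the outer IPv4 packet size for a full-sized inner TCP segment.

    mss      - inner TCP maximum segment size (payload bytes, no options)
    iv_len   - cipher IV length (16 for AES-CBC, 8 for AES-GCM)
    icv_len  - integrity check value length (16 for SHA256-128 / GCM)
    block    - padding alignment (cipher block size; 4 for AES-GCM)
    """
    inner = IPV4_HEADER + TCP_HEADER + mss           # whole inner packet (tunnel mode)
    plaintext = inner + ESP_TRAILER
    padded = -(-plaintext // block) * block          # round up to the block boundary
    outer = IPV4_HEADER + ESP_HEADER + iv_len + padded + icv_len
    if nat_t:
        outer += UDP_HEADER
    return outer


def max_safe_mss(path_mtu=1500, **kw):
    """Largest MSS whose ESP-wrapped packet still fits in path_mtu."""
    mss = path_mtu - IPV4_HEADER - TCP_HEADER        # start from the plain-Ethernet MSS
    while mss > 0 and esp_outer_size(mss, **kw) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for mss in (1460, 1300):
        print(f"MSS {mss}: ESP-wrapped packet is {esp_outer_size(mss)} bytes")
    print("largest MSS that fits a 1500-byte path:", max_safe_mss())
```

Under these assumptions the clamp to 1300 leaves headroom (1412 bytes on the wire), and anything up to 1382 would still fit; if the outer path is itself a tunnel with a smaller MTU, pass that value as path_mtu.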