Hi All,
I’ve had a stable connection with my setup for a while now.
I have a hAP connected to a hEX S, and on the hAP I use NordVPN with (what I thought) was the blackhole config. I’ve been playing with a new local DNS resolver and I noticed queries coming from clients behind the hAP during a device reboot, which I would not expect to see. I also checked the logs and I could see TCP SYN packets with a source address belonging to machines on the VPN subnet…which again, I would not expect to see.
VPN Network Range: 192.168.88.0/24
Upstream Router: 192.168.1.254 (This is my regular LAN subnet)
VPN Router <> Regular Router <> pppoe
I could see, for example, 192.168.88.68 in the log of my upstream router sending TCP SYN packets out…
Here is the config of the VPN Router:
/interface bridge add name=blackhole
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/ip ipsec mode-config add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add enc-algorithm=aes-256 hash-algorithm=sha256 name=NordVPN
/ip ipsec peer add address=xxxx.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal set [ find default=yes ] disabled=yes
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=NordVPN pfs-group=none
/ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge lease-time=23h59m59s name=defconf
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=yes interface=ether2
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=yes interface=ether3
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=yes interface=ether4
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=yes interface=ether5
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=yes interface=sfp1
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf disabled=no interface=ether1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list add address=192.168.88.0/24 list=local
/ip firewall address-list add address=192.168.88.2-192.168.88.254 disabled=yes list=local-range
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=invalidrule
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix=notlan
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=via-vpn passthrough=yes src-address-list=local
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity add auth-method=eap certificate=root.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=xxxxxxxxx
/ip ipsec policy set 0 disabled=yes
/ip ipsec policy add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0
/ip ipsec policy add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route add distance=1 gateway=blackhole routing-mark=via-vpn
/ip route add disabled=yes distance=1 gateway=192.168.1.254
I noticed with the system rebooting (or with manually dropping the VPN) that I could see DNS queries and TCP SYNs that were not being sent down the VPN or to the blackhole. I could not, however, reach any websites from machines behind the VPN router, either by DNS or by IP.
I also noticed that this line had disappeared from the config:
/ip route add distance=1 gateway=blackhole routing-mark=via-vpn
And it looked like this instead:
/ip route
add disabled=yes distance=1 gateway=192.168.1.254 routing-mark=via-vpn
add disabled=yes distance=1 gateway=192.168.1.254
I have NAT disabled via the Quick Set, which I think helped prevent full TCP handshakes, but that config blooper suggests to me that for a while anyway the blackhole was not being put into service on VPN drop.
Does this config look correct otherwise? How come I still see some queries upstream? I have added the line back but still see the DNS requests leaking.
As a second layer I’ve set the next-hop router to reject anything outside its local range, and only allowed port 4500 & (Nord) DNS out to the Internet. This is more of a fun project for a guest network than protecting anything of importance (the leaked traffic is to, like, YouTube and Google!) but nonetheless I am still interested to understand what’s up.
I looked back at this thread where I see there is some discussion about the risk of traffic escape, but it is not conclusive (to me anyway) as to why that may be the case: http://forum.mikrotik.com/t/blackhole-unreachable-with-ipsec-policies/131549/31
Thanks!
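An added example, not part of the original post and not the poster's config: a firewall-based kill switch for the VPN router that does not depend on the blackhole route surviving a reboot. It uses the `ipsec-policy=out,none` matcher that the post's own (disabled) masquerade rule already uses, so a forwarded packet from the VPN subnet that is about to leave the WAN interface without an outbound IPsec policy is dropped and logged. It also covers the path a forward-chain rule never sees: clients use 192.168.88.1 as their DNS server, so their queries are re-sent by the router itself through the output chain. Assumptions: the address-list `local`, the interface list `WAN` and the NordVPN IPsec setup from the post already exist; the address-list `vpn-dns` and the two resolver addresses in it are placeholders to be replaced with the provider's published resolvers.

```routeros
# Added example (not from the original post). Kill-switch rules for the hAP so
# that nothing from 192.168.88.0/24 leaves ether1 in the clear when the IPsec
# tunnel is down, whether or not the blackhole route is present.
# Assumed: address-list "local", interface list "WAN" and the NordVPN policy exist.

# Assumed placeholder addresses: replace with the VPN provider's resolvers.
/ip firewall address-list
add list=vpn-dns address=103.86.96.100 comment="assumed: provider resolver 1"
add list=vpn-dns address=103.86.99.100 comment="assumed: provider resolver 2"

/ip firewall filter
# 1. Forwarded traffic. A packet from the VPN subnet heading out the WAN with no
#    outbound IPsec policy (ipsec-policy=out,none) is by definition a leak.
#    Dropping it here also cuts connections that were established while the
#    tunnel was up, which is why the rule must sit above the defconf
#    "accept established,related,untracked" rule (moved there in step 3).
add chain=forward action=drop src-address-list=local out-interface-list=WAN \
    ipsec-policy=out,none log=yes log-prefix=vpn-leak \
    comment="kill-switch: VPN subnet must not leave WAN in the clear"

# 2. Router-originated traffic. Queries that clients send to 192.168.88.1 are
#    re-sent by the router and traverse the output chain, not forward, so rule 1
#    never matches them. Let the router talk on port 53 only to the provider's
#    resolvers (it still needs to resolve the xxxx.nordvpn.com peer name before
#    the tunnel exists) and drop and log every other outbound DNS packet.
add chain=output action=accept out-interface-list=WAN protocol=udp dst-port=53 \
    dst-address-list=vpn-dns comment="kill-switch: router DNS only to VPN resolvers"
add chain=output action=accept out-interface-list=WAN protocol=tcp dst-port=53 \
    dst-address-list=vpn-dns comment="kill-switch: router DNS only to VPN resolvers (tcp)"
add chain=output action=drop out-interface-list=WAN protocol=udp dst-port=53 \
    log=yes log-prefix=dns-leak comment="kill-switch: drop other router DNS"
add chain=output action=drop out-interface-list=WAN protocol=tcp dst-port=53 \
    log=yes log-prefix=dns-leak comment="kill-switch: drop other router DNS (tcp)"

# 3. "add" appends at the end of the chain, behind the defconf accept rules,
#    where the forward-chain drop is useless. Move it to the top of the chain.
/ip firewall filter move \
    [find comment="kill-switch: VPN subnet must not leave WAN in the clear"] destination=0
```

To check that the rules are doing work rather than sitting idle, drop the tunnel (`/ip ipsec active-peers` should then be empty) and watch the counters with `/ip firewall filter print stats where comment~"kill-switch"`; any hit on the `vpn-leak` or `dns-leak` rules is a packet that would otherwise have reached the upstream router in the clear. Keep the defconf fasttrack rule disabled as it is in the post, since fasttracked packets skip the rest of the filter chain. An alternative for the DNS path is to stop using the router as the clients' resolver altogether by handing out the provider's resolvers in the DHCP network (`/ip dhcp-server network set [find] dns-server=...`); client queries then cross the forward chain like any other traffic and are covered by rule 1.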