Deleted for privacy / account security
Please post a real config in the standard format. That was a horrible abomination to look at.
/export file=anynameyouwish (minus router serial number and any public WANIP information, keys etc…)
Deleted for privacy / account security
(1) Wrong order… think through the logic. Will traffic from the VPN subnet ever reach another local subnet with the order you have???
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.10.20.0/24 table=Proton_UK_WG
add action=lookup-only-in-table disabled=no src-address=10.10.10.0/24 table=main
(2) You need to add the vlans to the list interface LAN.
(3) Should be set to the DNS Proton gives you!!
/ip dhcp-server network
add address=10.0.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.50.1 netmask=24
add address=10.10.10.0/24 comment=defconf dns-server=8.8.8.8 gateway=10.10.10.1 netmask=24
add address=10.10.20.0/24 comment=defconf dns-server=PROTON-DNS gateway=10.10.20.1 netmask=24
(5) Add this mangle rule to prevent any MTU issues.
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=Proton_UK passthrough=yes protocol=tcp tcp-flags=syn
Deleted for privacy / account security
Please post the latest config for me to look at.
Deleted for privacy / account security
- You have these two entries in /interface bridge ports
add bridge=BRIDGE_FAL_EOIP interface=VLAN_0050_FAL_EOIP_bridge
add bridge=BRIDGE_FAL_EOIP interface=FAL_EOIP_50_TUNNEL
But the bridge is never defined…
/interface bridge
add admin-mac=C4:AD:34:F5:C8:F7 auto-mac=no comment=defconf name=BRIDGE_FAL_LOCAL
/interface ethernet
Furthermore…
A. you have no /interface bridge vlan settings…
B. you don't have bridge VLAN filtering enabled, if all are supposed to be on one bridge…
Until you solve the basic config issues, looking at Proton is insignificant.
In terms of wireguard… this is wrong for two reasons. ORDER is one of them…
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.10.20.0/24 table=Proton_UK_WG
add action=lookup-only-in-table disabled=no src-address=10.10.10.0/24 table=main
FIXED: we have to capture local traffic before we send it out the tunnel…
/routing rule
add action=lookup-only-in-table dst-address=10.10.10.0/24 table=main comment="traffic to local subnet"
add action=lookup-only-in-table src-address=10.10.20.0/24 table=Proton_UK_WG
Firewall is weak…or horrible or both…
/ip firewall address-list { use static dhcp leases }
add address=adminIP1 list=Authorized comment="admin local desktop"
add address=adminIP2 list=Authorized comment="admin local laptop"
add address=adminIP3 list=Authorized comment="admin local smartphone/ipad"
/ip firewall filter
add action=accept chain=input comment="Allow Established/Related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="Admin access" src-address-list=Authorized
add action=accept chain=input comment="router services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="router services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="DROP ALL ELSE" { add this as the last rule }
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=accept chain=forward comment="entry to wg" src-address=10.10.20.0/24 out-interface=Proton_UK
add action=drop chain=forward comment="drop all else"
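The "wrong order" point made in both replies above (the original routing rules versus the FIXED pair) can be checked without a router. The Python below is an added model of how RouterOS v7 evaluates routing rules, not RouterOS code and not something either poster wrote: rules are matched top-down on src/dst prefix, the first match wins, and action=lookup-only-in-table consults only that table with no fallback to main. The route tables are constructed for the example: main holds connected routes for 10.10.10.0/24 and 10.10.20.0/24 plus a WAN default, Proton_UK_WG holds only a default route via Proton_UK. The interface names VLAN_0020 and ether1-WAN are assumptions; only the two subnets in the posted rules are modelled, so the 10.0.50.0/24 EoIP side is not covered.

```python
"""
Model of RouterOS v7 routing-rule evaluation (added illustration, not RouterOS
code). It shows why the original rule order sends VPN-subnet traffic destined
for the local LAN into the WireGuard tunnel, and why the FIXED order does not.
"""
from ipaddress import ip_address, ip_network

# Constructed routing tables: (prefix, out-interface). Interface names other
# than BRIDGE_FAL_LOCAL and Proton_UK are assumptions for the example.
TABLES = {
    "main": [
        (ip_network("10.10.10.0/24"), "BRIDGE_FAL_LOCAL"),  # connected
        (ip_network("10.10.20.0/24"), "VLAN_0020"),         # connected (assumed name)
        (ip_network("0.0.0.0/0"), "ether1-WAN"),            # default (assumed name)
    ],
    "Proton_UK_WG": [
        (ip_network("0.0.0.0/0"), "Proton_UK"),             # only a default via WG
    ],
}

# Routing rules as first posted: VPN subnet matched before local traffic.
WRONG_ORDER = [
    {"src": "10.10.20.0/24", "table": "Proton_UK_WG"},
    {"src": "10.10.10.0/24", "table": "main"},
]

# FIXED order from the reply: capture traffic *to* the local subnet first.
FIXED_ORDER = [
    {"dst": "10.10.10.0/24", "table": "main"},
    {"src": "10.10.20.0/24", "table": "Proton_UK_WG"},
]


def select_table(rules, src, dst):
    """Top-down, first-match rule lookup; packets matching no rule use main."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if "src" in rule and src not in ip_network(rule["src"]):
            continue
        if "dst" in rule and dst not in ip_network(rule["dst"]):
            continue
        return rule["table"]
    return "main"


def route(rules, src, dst):
    """Return (table, out-interface) for a packet; longest prefix wins in a table.

    lookup-only-in-table means there is no fallback: if the chosen table has
    no matching route the packet is unroutable (interface None).
    """
    table = select_table(rules, src, dst)
    best = None
    for prefix, iface in TABLES[table]:
        if ip_address(dst) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return table, (best[1] if best else None)


if __name__ == "__main__":
    cases = [
        ("10.10.20.5", "10.10.10.7"),   # VPN-subnet host -> local LAN host
        ("10.10.20.5", "1.1.1.1"),      # VPN-subnet host -> internet
        ("10.10.10.5", "10.10.20.5"),   # LAN host -> VPN-subnet host
    ]
    for name, rules in (("wrong", WRONG_ORDER), ("fixed", FIXED_ORDER)):
        for s, d in cases:
            print(f"{name:5} {s} -> {d}: {route(rules, s, d)}")
```

With WRONG_ORDER the first case lands in Proton_UK_WG, whose only route is the default via Proton_UK, so inter-VLAN traffic leaves through the tunnel and is never delivered locally. With FIXED_ORDER the dst-address rule wins first and the connected route in main is used, while internet-bound traffic from 10.10.20.0/24 still goes to the tunnel.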