When IPSec is enabled, the addresses from outside of VPN address list have no internet

Hi,

I have NordVPN configured on Mikrotik and I want all the traffic from 192.168.88.32 to go through the VPN tunnel, but the rest of the addresses should stay untouched.
The setup was working without issues, but today I noticed that only 192.168.88.32 has access to the Internet; the rest don’t have access.

Everything is fine if I hardcode DNS servers on devices other than 192.168.88.32 instead of using 192.168.88.1 (my Mikrotik) as the DNS resolver. I guess 192.168.88.32 has access to the Internet because it uses the VPN’s dynamic DNS servers.

So my first bet is that there is something wrong with the DNS server set on my Mikrotik when IPSec is enabled. Can it be that devices which are not under the VPN try to use the dynamic DNS entries added by IPSec, and that’s why it doesn’t work? It looks like a similar problem: http://forum.mikrotik.com/t/v6-47beta-testing-is-released/135326/1
Any clues? Here is my configuration:

# apr/02/2023 04:08:07 by RouterOS 7.8
# software id = 7IRF-VR4Y
#
# model = RBD52G-5HacD2HnD
# serial number = 
# NOTE(review): RouterOS export. Lines starting with '#' are comments; every
# other line is a command applied in order, and order is significant inside
# the firewall filter, mangle and nat chains. The export blanks keys and
# passwords, but the IPsec EAP username (see /ip ipsec identity) is still
# visible and should be treated as sensitive when sharing this file.
/interface bridge
add admin-mac=C4:AD:34:EB:2B:F6 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] advertise=1000M-half,1000M-full comment="Pok\F3j - Prawe" name=ether1-gabinet-prawe
set [ find default-name=ether3 ] advertise=1000M-half,1000M-full comment="Pok\F3j - Lewe" name=ether2-gabinet-lewe
set [ find default-name=ether4 ] comment="Salon - Prawe" name=ether3-salon-prawe
set [ find default-name=ether5 ] comment="Salon - Lewe" name=ether4-salon-lewe
set [ find default-name=ether1 ] comment=WAN name=wan
/interface pppoe-client
# Default route comes from the PPPoE session; the IPsec tunnel below is
# policy-based, so no extra route is needed for the VPN'd host.
add add-default-route=yes comment="GPON - PPPoE" disabled=no interface=wan name=pppoe-ostnet user=
/interface wireguard
# Inbound WireGuard endpoint; the matching input rule is in /ip firewall filter.
add comment=VPN listen-port=51820 mtu=1200 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX comment=WIFI country=poland distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan-2.4G security-profile=wlan ssid=Krystian-2.4G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=poland distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan-5G security-profile=wlan ssid=Krystian-5G wireless-protocol=802.11 
/interface wireless nstreme
set wlan-2.4G comment=WIFI
/interface wireless manual-tx-power-table
set wlan-2.4G comment=WIFI
/ip ipsec mode-config
# responder=no: this router is the IKEv2 client. The policies it generates
# cover only sources in the NordVPN address list (192.168.88.32 below).
# NOTE(review): in RouterOS 7 the initiator also installs the DNS servers the
# responder hands out as dynamic entries in /ip dns unless use-responder-dns=no
# is set. The router's own queries to those servers originate from the router,
# not from an address in the NordVPN list, so they are not carried by the IPsec
# policy - a plausible cause of the LAN-wide resolver failure described above.
# Confirm by checking /ip dns for dynamic servers while the tunnel is up.
add connection-mark=no-mark name=NordVPN responder=no src-address-list=NordVPN
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
# Phase 1: IKEv2 with AES-256 / SHA-384 / modp3072.
add dh-group=modp3072 enc-algorithm=aes-256 hash-algorithm=sha384 name=NordVPN
/ip ipsec peer
# Peer is given as a hostname; it is resolved with the router's own DNS
# settings, so a broken resolver on the router can also delay tunnel setup.
add address=pl203.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
# Phase 2: AES-256-CBC / SHA-256. pfs-group=none disables perfect forward
# secrecy on child SAs; presumably what the provider requires - verify.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1-gabinet-prawe
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-gabinet-lewe
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3-salon-prawe
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4-salon-lewe
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan-2.4G
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan-5G
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# NOTE(review): the enabled state of the L2TP server is not part of this
# export; if it is enabled, it is only reachable per the input rules below.
set authentication=mschap2 use-ipsec=yes
/interface list member
# Only the bridge is in LAN and only wan is in WAN; the wireguard interface is
# in neither list, which matters for the "drop all not coming from LAN" rule.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wan list=WAN
/interface ovpn-server server
# NOTE(review): md5 is accepted as an OpenVPN auth digest here. Whether the
# server is enabled is not shown in this export; if it is, drop md5.
set auth=sha1,md5
/interface wireguard peers
# Peer public keys are blanked by the export.
add allowed-address=172.22.0.2/32 comment=iPhone interface=wireguard public-key=""
add allowed-address=172.22.0.3/32 comment=Macbook interface=wireguard public-key=""
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=172.22.0.1/24 comment=Wireguard interface=wireguard network=172.22.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=wan
/ip dhcp-server lease
# Static lease for the single host that is sent through the VPN.
add address=192.168.88.32 client-id=1:0:17:9a:28:a6:48 comment=UnderVPN mac-address=00:17:9A:28:A6:48 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router answers DNS for clients (allow-remote-requests=yes). Exposure to
# the Internet is prevented only by the "drop all not coming from LAN" input
# rule below, so keep that rule in place. Static upstreams are 1.1.1.2/1.0.0.2;
# any dynamic servers added by the IPsec mode-config are not visible here.
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Membership in this list selects which LAN hosts get the IPsec policy.
add address=192.168.88.32 list=NordVPN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Accepts UDP/51820 from any interface. log=yes on this rule logs every packet
# to the port, including unsolicited ones from the Internet - expect noise.
add action=accept chain=input comment="WireGuard UDP" dst-port=51820 log=yes log-prefix="[WireGuard]" protocol=udp
# dst-port="" means any TCP port: the iPhone peer gets full TCP access to the
# router itself. The Macbook peer (172.22.0.3) has no matching accept rule and
# is dropped below, except ICMP. Neither peer can reach the router's DNS over
# UDP, as far as this export shows.
add action=accept chain=input comment="WireGuard access to router" dst-port="" in-interface=wireguard log=yes log-prefix=WireGuard protocol=tcp src-address=172.22.0.2
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: everything not from the LAN list (i.e. from wan and from
# wireguard) is dropped. This is what keeps DNS/Winbox/SSH off the WAN side.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# IPsec-policy traffic is accepted before fasttrack so it is not offloaded.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Connections marked NordVPN (see mangle) are excluded from fasttrack.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!NordVPN connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# NOTE(review): log-prefix without log=yes has no effect; add log=yes if
# invalid-state drops are meant to be logged (compare the WireGuard rules).
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="Firewall [Invalid]"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# NOTE(review): dst-address=0.0.0.0 matches only that single destination, and
# new-routing-mark=main is the default table anyway, so this rule appears to
# be a leftover that marks nothing in practice; it also logs on every match.
# Confirm it is still wanted before relying on it.
add action=mark-routing chain=prerouting comment="Add \"NordVPN\" routing mark to all the connections from \"NordVPN\" address list" dst-address=0.0.0.0 dst-address-list="" log=yes log-prefix=Mangle new-routing-mark=main passthrough=yes src-address-list=NordVPN
# Tag IPsec-policy connections so the fasttrack rule above skips them.
# src-address-list="" is an empty (unset) matcher.
add action=mark-connection chain=forward comment="NordVPN exclude from fasttrack" ipsec-policy=in,ipsec new-connection-mark=NordVPN passthrough=yes src-address-list=""
add action=mark-connection chain=forward comment="NordVPN exclude from fasttrack" ipsec-policy=out,ipsec new-connection-mark=NordVPN passthrough=yes src-address-list=""
/ip firewall nat
# "Kill switch": returning from srcnat for NordVPN-list sources means they are
# never masqueraded by the next rule, so if the tunnel is down their traffic
# presumably leaves un-NATed (private source) and is discarded upstream.
add action=return chain=srcnat comment=killswitch log=yes log-prefix=killswitch src-address-list=NordVPN
# Masquerade only traffic that has no outgoing IPsec policy (ipsec-policy=out,none).
# log-prefix is set but log=yes is not, so nothing is logged by this rule.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log-prefix=masquerade out-interface=pppoe-ostnet out-interface-list=all
/ip ipsec identity
# EAP-MSCHAPv2 client identity; the password is blanked by the export but the
# service username is not - rotate it if this export has been shared.
# generate-policy=port-strict creates policies from the template below.
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=GBVZYzdtVFsAgnhDj1aFPJC7
/ip ipsec policy
# Template only (template=yes); concrete policies are generated at connect time.
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip service
# Cleartext/legacy management services are disabled. The state of www, winbox
# and ssh is not shown here; the LAN-only input rule limits them regardless.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add disabled=yes topics=pppoe
/system note
set note="The router's owner has been notified about the interface access! All your doings are tracked!"
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=smtp.gmail.com from=@example port=587 tls=starttls user=@example
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=ISP disabled=no down-script="" host=8.8.8.8 interval=1m test-script="" timeout=1s type=simple up-script=""