My mt is permanently connected in vpn with a proton server via wireguard. Is it now possible to reach it with a non-lan-device-to-router wireguard connection? Let’s say from my phone with a wireguard client? Or, idk, it’s a nonsense, because proton server’s nat or something?
Before I configured proton on the router I had a working wireguard connection from my phone to my router, then I configured a permanent proton connection on the router (also via wireguard) so that all my client devices go through proton (and that’s working), but since then wireguard from my phone to the router doesn’t work any more.
I used different ports for the two wireguard interfaces to not overlap them.
On the wireguard client on the phone I tried both the isp-provided ip (as that was working before) and the proton-provided ip, but no handshake is made. Disabling all firewall blocking rules also doesn’t help.
I strongly believe I’m missing some basic knowledge here (I am for sure), but it may also be that what I’m trying to do is actually impossible so here I am asking.
Sure you can have two wireguard interfaces one acting as a client to handshake with the proton vpn server and a second one on the MT device acting as a WG server for the initial handshake so you can remotely connect to the router for config purposes while away or access LAN resources.
Would have to see your config…
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.. )
warning: firewall rules are all over the place atm, I’ve been throwing in a bunch of them just to see if something changed, and I bet many of them are unnecessary or redundant, I’ll tidy up as I learn more.
# 2023-11-06 22:24:06 by RouterOS 7.11.2
# software id = 4VVU-1JL1
#
# model = RB5009UG+S+
# serial number = ...
/interface bridge
add admin-mac=... auto-mac=no comment=defconf name=bridge-LAN1
add name=bridge-LAN2
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
add listen-port=13232 mtu=1420 name=wireguard-server
/interface vlan
add interface=ether1-WAN name=vlan835-TIM vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan835-TIM name=\
pppoe-TIM-out user=...
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool2 ranges=192.168.1.1-192.168.1.253
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge-LAN1 lease-time=1d30m name=dhcp1
add address-pool=dhcp_pool2 interface=bridge-LAN2 name=dhcp2
/interface bridge port
add bridge=bridge-LAN1 comment=defconf interface=ether2
add bridge=bridge-LAN1 comment=defconf interface=ether3
add bridge=bridge-LAN1 comment=defconf interface=ether4
add bridge=bridge-LAN1 comment=defconf interface=ether5
add bridge=bridge-LAN1 comment=defconf interface=ether6
add bridge=bridge-LAN1 comment=defconf interface=ether7
add bridge=bridge-LAN2 comment=defconf interface=ether8
add bridge=bridge-LAN1 comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-LAN1 list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=wireguard-server list=LAN
add disabled=yes interface=bridge-LAN2 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard-server public-key=...
add allowed-address=0.0.0.0/0 endpoint-address=[PROTON CONF ENDPOINT IP] endpoint-port=\
51820 interface=wireguard-inet persistent-keepalive=25s public-key=...
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge-LAN1 network=\
192.168.0.0
add address=192.168.1.254/24 interface=bridge-LAN2 network=192.168.1.0
add address=10.2.0.2/30 comment=PROTON interface=wireguard-inet network=\
10.2.0.0
add address=192.168.2.1/24 interface=wireguard-server network=192.168.2.0
/ip dhcp-client
add dhcp-options=clientid,clientid_duid,hostname disabled=yes interface=\
bridge-LAN1
add disabled=yes interface=ether1-WAN
add disabled=yes interface=vlan835-TIM
/ip dhcp-server lease
add address=192.168.0.5 client-id=... mac-address=... server=dhcp1
add address=192.168.0.4 client-id=... mac-address=... server=dhcp1
add address=192.168.0.2 client-id=... mac-address=... server=dhcp1
add address=192.168.1.7 client-id=... mac-address=... server=dhcp2
add address=192.168.1.6 client-id=... mac-address=... server=dhcp2
add address=192.168.0.15 client-id=... mac-address=... server=dhcp1
add address=192.168.1.1 client-id=... mac-address=... server=dhcp2
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=\
192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.0.5 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes servers=192.168.0.5
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow wireguard" disabled=yes \
src-address-list=192.168.2.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="wireguard allow" dst-address=\
192.168.2.0/24 src-address=192.168.0.0/24
add action=accept chain=input comment="wireguard allow" in-interface=\
wireguard-server
add action=accept chain=forward comment="wireguard allow" in-interface=\
wireguard-server
add action=accept chain=input comment="wireguard allow" disabled=yes \
dst-port=13232 protocol=udp
add action=accept chain=input comment="wireguard allow" disabled=yes \
src-address=192.168.2.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix="[!LAN]"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=udp src-address=192.168.0.0/24
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"allow lan0 to lan1" dst-address=\
192.168.1.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment=\
"allow jellyfin port to lan1" dst-address=\
192.168.0.5 dst-port=8096 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"allow jellyfin port to lan1" dst-address=\
192.168.0.5 dst-port=8096 protocol=udp src-address=192.168.1.0/24
add action=drop chain=forward comment=\
"block generic traffic lan1 to lan0" dst-address=\
192.168.0.0/24 log=yes log-prefix="[1>0 DROP]" src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=ISP out-interface=pppoe-TIM-out
add action=masquerade chain=srcnat comment=PROTON log-prefix=WG-INET \
out-interface=wireguard-inet src-address=192.168.0.0/16
/ip route
add comment=PROTON disabled=no distance=1 dst-address=0.0.0.0/1 gateway=\
10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add comment="PROTON - disable to switch off" disabled=no distance=1 \
dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add comment="PROTON - disable to switch off" disabled=no distance=1 \
dst-address=[PROTON CONF ENDPOINT IP]/32 gateway=pppoe-TIM-out pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/system scheduler
add interval=1d name="sync namecheap ip" on-event=":global ddnshostname \"@\"\
\r\
\n:global ddnsdomain \"mydomainname.com\"\r\
\n:global ddnspass ...
\n\r\
\n:log info (\"DDNS: Updating\")\r\
\n:local str \"https://dynamicdns.park-your-domain.com/update\\3Fhost=\$dd\
nshostname>\r\
\n/tool fetch url=(\$str) mode=https keep-result=no" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-11-04 start-time=10:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
I’m also trying to add a route from the ip class of my telephone to the gateway. Trying all the gateways, still no luck :\
For firewall rules → https://forum.mikrotik.com/viewtopic.php?t=180838
(1) The IP route you have for Proton is not necessary and thus it should be deleted.
The router creates the route automatically when you enter in the IP address for the wireguard interface.
/ip route
add comment=PROTON disabled=no distance=1 dst-address=0.0.0.0/1 gateway=
10.2.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
- Yes the plethora of rules you have now make it near impossible to see what you may have wrong.
Conceptually
INPUT CHAIN
You only need to allow the listening port of the WG Server on the input chain.
You ony need to allow the wireguard-server interface to the input chain (so remote user can access the router for config purposes)
FORWARD CHAIN
You only need to allow the subent going out PROTON to out out the wg-inet interface.
You only need to allow wg-server interface to dst subnet… to allow remote user access to local LAN.
You have something funny going on with regards to DNS but seem to be using some device or the like..
(3) This rule serves no purpose that I am aware of…
add comment=“PROTON - disable to switch off” disabled=no distance=1
dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=“” routing-table=main
scope=30 suppress-hw-offload=no target-scope=10
Now to dedicate a subnet to a third party VPN.
You need a table, route, routing rule.
/routing table
add fib name=usePROTON
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=usePROTON
/routing rule
add src-address=192.168.0.0/24 action=lookup table=usePROTON
-
ALSO recommend some other things GET RID OF TWO BRIDGES… Just attach 192.168.1.0 subnet to ether 8 directly.
Change this
add disabled=yes interface=bridge-LAN2 list=LAN and get rid of bridge port entry for ether8!!!
TO
interface=ether8 list=LAN and ensure you change the IP Address setting and IP DHCP server setting/ -
Yes you can get rid of iP DHCP client entries as this is handled by pppoe
-
Change the DNS setting of the subnet going out WG to PROTON, to the DNS address they gave YOU!!
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=
192.168.0.1
add address=192.168.1.0/24 dns-server=PROTON-DNS gateway=192.168.1.254 gateway=192.168.1.254 -
Add this mangle rule…
/ip firewall mangle
add action=change-mss chain=forward comment=“Clamp MSS to PMTU for Outgoing packets” new-mss=clamp-to-pmtu out-interface=wireguard-=inet passthrough=yes protocol=tcp tcp-flags=syn -
Add WG-server to LAN interface list as a member.
Wow, I didn’t expect so many things! Now I want to study all your indications line by line. There’s a lot to learn here and lot to thank you for.
p.s. dns looks funky because I use a local one on my nas
Sure, but why?
it’s pi-hole, in order to filter out advertisement domains. Pi-hole is set to resolve non-blacklisted domains with 8.8.8.8 (and also to allow me to do some split tunnels as some of my company’s vpns are not properly set up, it’s either add a static entry in pihole or an entry in pc hosts file to solve the issue). When the router is connected via a proton server, using my pihole as dns, why isn’t the dns leaked? Or why it “doesn’t look to me” like it’s leaked? If I go dnsleaktest website it doesn’t show a dns from my country (as I expected, as I’m not using a proton dns), it shows chosen proton server country’s dns. Am I unable to understand the test results or it is just working because of some reason?
(3) This rule serves no purpose that I am aware of…
add comment=“PROTON - disable to switch off” disabled=no distance=1
dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=“” routing-table=main
scope=30 suppress-hw-offload=no target-scope=10
If I disable this rule, the router isn’t connected through proton anymore, and goes straight through the isp. Trying to figure this out as I type.
I used these instructions here, on proton website, for configuring mikrotik routers. Most likely one with your deep knowledge could instantly understand what I’ve done with a quick glimpse of what it’s written here: https://protonvpn.com/support/wireguard-mikrotik-routers/
also why do they write
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
instead of
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10
?
Oh, that feeling when you know in advance you just asked something really silly.
I have no clue as to PROTON in of itself and thus cannot comment on their suggestions to setup equipment they should keep their nose out of. 
- Confirm you have an IP route, automatically created by the MT router…
dst-address=10.2.0.0/30 gateway=wireguard-inet routing table=main ON YOUR IP ROUTES.
This is the route your router knows and provides for any traffic heading into the tunnel or out of the tunnel from those wireguard addresses.
You do not need any other such routes.
Where you need additional IP routes is for traffic elsewhere.
Ex. 1
Traffic to or from remote subnets from another device, subnets that are not LOCAL to your MT router.
add dst-address=remoteSUBNET gateway=wireguard-inet routing-table=main
Ex. 2
Traffic to another wireguard device for internet access… in this case one needs also to create a table and a route (and either routing rule or mangle)
add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=useWG
(2) Now, because you were assigned the IP address 10.20.0.2, that is what PROTON expect to see at their end coming from your connection,
Hence the need for a masquerade rule to ensure any local subnet addresses entering the tunnel are given the source IP 10.20.0.2.
This can be accomplished in two ways. ADD to standard default rul
add action=srcnat action=masquerade out-interface-list=WAN
add action=srcnat action=masquerade out-interface=wireguard-inet
OR
add interface=wireguard-inet list=WAN and your wireguard connection will be included in the default source nat rule.
(3) what you should do is add the mangle rule to ensure no MTU problems
/ip firewall mangle
add action=change-mss chain=forward comment=“Clamp MSS to PMTU for Outgoing packets” new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
(4) Also as recommended, for the subnet going to PROTON try changing the IP DHCP-network config line to
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=Proton-supplied-dns gateway=192.168.1.254
(5) Please post your actual LATEST config
/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.)
that’s the situation, and yes I do have that line in my route list. Below that entry, note the comments I’ve added to the following 2 routes I’ve added following proton’s documentation. Didn’t try your way yet. Figuring out a way to test them without losing the bubble
currently my working proton config has a nat masquerade this way
(3) I’m more than sure that you’re right but before I’m doing this I’d be better read and learn what a mangle is. I don’t want to just add in things I’ve been told without understanding a bit of it 
current configuration [connection: working, connection via proton: working, subnets: working as I need (probably could be improved, simplified), wireguard connection from phone to router: broken after adding proton to the router] firewall rules still need merging or general cleanup
# 2023-11-07 16:43:14 by RouterOS 7.11.2
# software id = 4VVU-1JL1
#
# model = RB5009UG+S+
# serial number =
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge-LAN1
add name=bridge-LAN2
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
add listen-port=13232 mtu=1420 name=wireguard-server
/interface vlan
add interface=ether1-WAN name=vlan835-TIM vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan835-TIM name=\
pppoe-TIM-out user=
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool2 ranges=192.168.1.1-192.168.1.253
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge-LAN1 lease-time=1d30m name=dhcp1
add address-pool=dhcp_pool2 interface=bridge-LAN2 name=dhcp2
/interface bridge port
add bridge=bridge-LAN1 comment=defconf interface=ether2
add bridge=bridge-LAN1 comment=defconf interface=ether3
add bridge=bridge-LAN1 comment=defconf interface=ether4
add bridge=bridge-LAN1 comment=defconf interface=ether5
add bridge=bridge-LAN1 comment=defconf interface=ether6
add bridge=bridge-LAN1 comment=defconf interface=ether7
add bridge=bridge-LAN2 comment=defconf interface=ether8
add bridge=bridge-LAN1 comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-LAN1 list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=wireguard-server list=LAN
add disabled=yes interface=bridge-LAN2 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard-server public-key=
add allowed-address=0.0.0.0/0 endpoint-address=185.107.56.224 endpoint-port=\
51820 interface=wireguard-inet persistent-keepalive=25s public-key=
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge-LAN1 network=\
192.168.0.0
add address=192.168.1.254/24 interface=bridge-LAN2 network=192.168.1.0
add address=10.2.0.2/30 comment=PROTON interface=wireguard-inet network=\
10.2.0.0
add address=192.168.2.1/24 interface=wireguard-server network=192.168.2.0
/ip dhcp-client
add dhcp-options=clientid,clientid_duid,hostname disabled=yes interface=\
bridge-LAN1
add disabled=yes interface=ether1-WAN
add disabled=yes interface=vlan835-TIM
/ip dhcp-server lease
...lot of leases here...
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=\
192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.0.5 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes servers=192.168.0.5
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix="[!LAN]"
add action=accept chain=input comment="wireguard allow" in-interface=\
wireguard-server
add action=accept chain=forward comment="wireguard allow" dst-address=\
192.168.2.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="wireguard allow" in-interface=\
wireguard-server
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=udp src-address=192.168.0.0/24
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"regola per consentire il traffico dalla lan1 alla lan2" dst-address=\
192.168.1.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment=\
"regola per consentire il traffico rdp" dst-address=192.168.1.7 dst-port=\
3389 protocol=tcp src-address=192.168.0.15
add action=accept chain=forward comment=\
"regola per consentire il traffico rdp" dst-address=192.168.1.7 dst-port=\
3389 protocol=udp src-address=192.168.0.15
add action=accept chain=forward comment=\
"consenti traffico dalla lan2 a jellyfin sulla porta tcp" dst-address=\
192.168.0.5 dst-port=8096 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"consenti traffico dalla lan2 a jellyfin sulla porta udp" dst-address=\
192.168.0.5 dst-port=8096 protocol=udp src-address=192.168.1.0/24
add action=drop chain=forward comment=\
"regola per bloccare il traffico dalla lan1 alla lan0" dst-address=\
192.168.0.0/24 log=yes log-prefix="[1>0 DROP]" src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=ISP out-interface=pppoe-TIM-out
add action=masquerade chain=srcnat comment=PROTON log-prefix=WG-INET \
out-interface=wireguard-inet src-address=192.168.0.0/16
/ip route
add comment="PROTON - delete me, also seems not to have effect whether enabled\
\_or not" disabled=yes distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add comment="PROTON - if disabled, connection goes through ISP, not proton" \
disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="PROTON - if disabled there's no connection at all any more" \
disabled=no distance=1 dst-address=185.107.56.224/32 gateway=\
pppoe-TIM-out pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/system scheduler
add interval=1d name="sync namecheap ip" on-event=":global ddnshostname \"@\"\
\r\
\n:global ddnsdomain .....
\n:global ddnspass .....
\n\r\
\n:log info (\"DDNS: Updating\")\r\
\n:local str \"https://dynamicdns.park-your-domain.com/update\\3Fhost=\$dd\
nshostname>\r\
\n/tool fetch url=(\$str) mode=https keep-result=no" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-11-04 start-time=10:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
(4) Also as recommended, for the subnet going to PROTON try changing the IP DHCP-network config line to
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=Proton-supplied-dns gateway=192.168.1.254
I don’t have this config, instead I do have each of the 2 subnets going with their respective gateway, and dns server is 192.168.0.5 - pihole. Yet as far as I can tell, both subnets are in proton vpn with the above config.
Nice now waiting for config as requested.
added editing previous post
Okay I am confused.
It is not clear to me which SUBNET is being used for what.
I initially thought it was bridge 2, what I am going to change to ether8 ( dual bridges is not advised in most situations ) 192.168.1.0 which is going out WIREGUARD-inet to proton.
However, rereading your posts it indicates all of the router was going out PROTON, which suggest no, its 192.168.0.0/24 subnet that is going out to PROTON.
If so what is the purpose of 192.168.1.0?24
Thus that started the question of which one, and then reading your forward chain rules where you have BOTH subnets going through your 192.168.0.5 for DNS makes no sense if they are going out through proton.
Next question, what happens if wg to proton fails did you want all users to revert back to local WAN use or NO internet???
Final question, in rules you have remote users coming in on wireguard and you want to be able to access the subnet that is going out wireguard via proton?
No rule to access 192.168.1.0 subnet for remote users???
I made 2 subnets with the idea that 192.168.0.X is for me and my own devices, and 192.168.1.X is for guests and whatever I don’t want to be able to explore/exploit/sniff my .0.X subnet.
At the moment there’s a wifi ap on eth8 (the only port I configured for 1.X subnet atm).
Now I can connect my company’s controlled laptop to guest network and stay sure its root-privileged antivirus monstruosity I can’t control can’t spoof anything (or this is the idea, looks like it’s working).
Since I want to be able to see and reach everything on the network from 0.X subnet, I added a rule to forward traffic fom 0.X to 1.X and one to drop the traffic from 1.X to 0.X.
Except for pihole dns (which is on 0.X subnet) port and jellyfin server port, which is also on 0.1 subnet while all tv, firesticks and chromecasts are on subnet 1.X.
Now since I already had a proton subscription, and I was used to only use it from client apps, I thought it was a good idea trying to having the router doing the connection instead. Why not, I mean.
Both subnet are going out with proton, as an initial configuration it’s ok for me. As soon as I learn more I’m gonna try adding a SECOND wifi access point and attach it to a 3rd subnet (let’s say 192.168.2.X) which instead is NOT going out with proton. I have absolutely no idea on how I’m going to achieve this, I don’t even know the correct terminology to make a proper question about this
The idea for this 3rd subnet without proton would enable firesticks and chromecast not to freak out because them bastards detect the vpn and won’t stream content unless the vpn is switched off.
Next question, what happens if wg to proton fails did you want all users to revert back to local WAN use or NO internet???
That is a very good question indeed. And it bugs me out as I don’t know how to easily change proton server or just to simply swich the vpn off because I decide so. Without entering winbox every time to do so.
Also, security: I don’t know if it’s better (as a general rule, even if there’s not a general rule) to halt the internet connection when proton fails, or just continuing on with my isp. Suggestions are appreciated.
Final question, in rules you have remote users coming in on wireguard and you want to be able to access the subnet that is going out wireguard via proton?
No rule to access 192.168.1.0 subnet for remote users???
Yeah, I wish I would be able to connect to my router via wireguard from my phone anytime from everywhere. To access my webservers or services in my network. Since I am the only person with access to my vpn, I also need to access the whole network from my phone when I’m away from home. And why, not, also browsing out my router whether or not it’s connected in proton.
this is more or less my masterplan, I don’t expect to fully work out in a snap, I wish to understand what I need and maybe proceed with baby steps.
Sorry if I sidetracked you with this last post, the post title is about being able to access my router/entire network from wireguard client on my phone wether or not the router is in vpn with proton, which is the broken thing right now.
Thank you so much for your time, I do really really appreciate that.
Context is critical, as one cannot design parts without understanding how it fits in the whole otherwise we end up wasting much time and effort.
Question1: what was the DNS address proton gives you to use??
Question2: what devices if any, do you not Want going through proton for internet access on a regular basis??
Recommendations.
Pi-Server going out wireguard for internet access is very tricky and it would be far better to disable that server for now as you want 2/3 subnets using Proton for internet and thus should use the proton dns setting.
We will discuss down the line, option is Pi-out proton and adguard for local traffic only so to speak or something like that but we need to get the rest working first.
However the above adds much complication and the priority should be establishing a working config for three subnets two out proton and one out local WAN, wheere the 0.1 network can reach all other subnets but not vice versa, and where the remote wireguard admin can reach everything.
Then and only then should we frig with PI and jellyfish for that mattter as I dont know if jelly fish needs internet access or is that all internal to the network??
Still requiring some more answers to finalize but here is the setup via normal DNS type setup.
.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge-LAN1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
add listen-port=13232 mtu=1420 name=wireguard-server
/interface vlan
add interface=ether1-WAN name=vlan835-TIM vlan-id=835
add name=vlanHome11 interface=bridge-LAN1 vlan-id=11
add name=vlanguests20 interface=bridge-LAN1 vlan-id=20
add name=vlanMedia30 interface=bridge-LAN1 vlan-id=30
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan835-TIM name=\
pppoe-TIM-out user=
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool2 ranges=192.168.1.1-192.168.1.253
add name=dhcp_pool3 ranges=192.168.3.10-192.168.3.100
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlanHome11 lease-time=1d30m name=dhcp1
add address-pool=dhcp_pool2 interface=vlanGuests20 name=dhcp2
add address-pool=dhcp_pool3 interface=vlanMedia30 name=dhcp3
/interface bridge port
add bridge=bridge-LAN1 interface=ether2 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge-LAN1 interface=ether3 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge-LAN1 interface=ether4 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge-LAN1 interface=ether5 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge-LAN1 interface=ether6 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=11
add bridge=bridge-LAN1 interface=ether7 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=30 comment=MEDIA
add bridge=bridge-LAN1 interface=ether8 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=20 comment=Guests
add bridge=bridge-LAN1 interface=sfp-sfpplus1 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=11
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge-LAN1 tagged=bridge-LAN1 untagged=ether2,ether3,ether4,ether5,ether6,sfpplus1 vlan-ids=11
add bridge=bridge-LAN1 tagged=bridge-LAN1 untagged=ether7 vlan-ids=30
add bridge=bridge-LAN1 tagged=bridge-LAN1 untagged=ether8 vlan-ids=20
/interface list member
add comment=defconf interface=ether1-WAN list=WAN
add interface=pppoe-TIM-out list=WAN
add interface=wireguard-inet list=WAN
add comment=defconf interface=vlanHome11 list=LAN
add interface=vlanGuests20 list=LAN
add interface=vlanMedia30 list=LAN
add interface=wireguard-server list=LAN
add interface=vlanHome11 list=TRUSTED
add interface=wireguard-server list=TRUSTED
/interface wireguard peers
add allowed-address=10.10.10.2/32 interface=wireguard-server comment=RemoteAdmin1-smartphone public-key=
add allowed-address=10.10.10.3/32 interface=wireguard-server comment=RemoteAdmin2-laptop public-key=
add allowed-address=0.0.0.0/0 endpoint-address=185.107.56.224 endpoint-port=\
51820 interface=wireguard-inet persistent-keepalive=25s public-key=
/ip address
add address=192.168.0.1/24 comment=defconf interface=vlanHome11 network=\
192.168.0.0
add address=192.168.1.254/24 interface=vlanGuests20 network=192.168.1.0
add address=192.168.3.254/24 interface=vlanMedia30 network=192.168.1.0
add address=10.2.0.2/30 comment=PROTON interface=wireguard-inet network=\
10.2.0.0
add address=192.168.2.1/24 interface=wireguard-server network=192.168.2.0
/ip dhcp-server lease
...lot of leases here...
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=PROTON_DNS gateway=\
192.168.0.1
add address=192.168.1.0/24 dns-server=PROTON_DNS gateway=192.168.1.254
add address=192.168.3.0/24 comment=defconf dns-server=192.168.3.1 gateway=\
192.168.3.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="DROP ALL ELSE"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to all vlans" in-interface-list=TRUSTED out-interface-list=LAN
add action=accept chain=forward comment="access to pi-jelly" in-interface-list=LAN dst-address=192.168.0.5 disabled=yes { temporary }
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="DROP ALL ELSE"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=no \
ipsec-policy=out,none out-interface-list=WAN
/routing table
add fib name=usePROTON
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=usePROTON
/routing rule
add dst-address=192.168.0.0/22 action=lookup-only-in-table table=main comment="covers 192.168.0.1-192.168.3.254"
add src-address=192.168.0.0/24 action=lookup table=usePROTON
add src-address=192.168.1.0/24 action=lookup table=usePROTON
/ipv6 settings
set disable-ipv6=yes forward=no
/ipv6 firewall filter
add action=drop chain=forward
add action=drop chain=input
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/system scheduler
add interval=1d name="sync namecheap ip" on-event=":global ddnshostname \"@\"\
\r\
\n:global ddnsdomain .....
\n:global ddnspass .....
\n\r\
\n:log info (\"DDNS: Updating\")\r\
\n:local str \"https://dynamicdns.park-your-domain.com/update\\3Fhost=\$dd\
nshostname>\r\
\n/tool fetch url=(\$str) mode=https keep-result=no" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-11-04 start-time=10:00:00
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes
I’ll try your configuration and let you know, thank you in advance!!!
You didnt answer my questions yet??
sadly I tried replicating your configuration line by line in winbox, modifying the preexisting entries if needed, removing what wasn’t included in your configuration, and adding what was new but I got no internet and was locked out of the router. I wasn’t getting an ip, wired connection status on all the ports was stuck on “connecting…”. So I had to reset the router and load the backup I made just before switching to your config.
I used “safe mode” all the time, but at some point a popup went out saying “safe mode was overriden by another process” or something similar. Altough the internet connection was already gone, I didn’t loose the network at that point. I lost it after I rebooted the router to see if I needed to do a reboot for the changes to kick in.
What looked weird to me, besides the fact that most likely it isnt’ weird at all (due to me being noob and not understanding everything I read in your config), is these things:
[short read: I wasn’t sure whether or not to leave some of my configuration there or not, so things that looked like they’re messing with pppoe isp connection were left there, mostly]
- firewall nat: my isp requires a connection via vlan with id 835 and pppoe client on that vlan interface. Previously I had a firewall nat for that (masquerade srcnat → ppoe-TIM-out) but since your config hasn’t anything like that I removed that line. Is this that broken the isp connection?
I also removed a nat rule for proton which was there, but not in your configuration. - route list: because of point 1, a route dst-address 0.0.0.0/0 - gateway pppoe-TIM-out was already there, but I add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=usePROTON from your config. This also make me thing it could have broken the connection.
- noobness as I never fiddled with vlans yet and I might have messed up something there.
- from your config:
/routing rule
add dst-address=192.168.0.0/29 action=lookup-only-in-table table=main comment="covers 192.168.0.1-192.168.5.254"
add src-address=192.168.0.0/24 action=lookup table=usePROTON
add src-address=192.168.1.0/24 action=lookup table=usePROTON
Where is this configuration available in winbox? I couldn’t find it, so I added it via console, but couldn’t check the results anywhere.
5) i wasnt’ sure what to do with route list regarding these two highlighted entries. Anyway disabling one or both of them (before I rebooted), didn’t bring back the internet connection. I also left there the first and the last of these rule here, since they look to me like they’re necessary for isp connection to work,
6) same thing for Address List: there’s a dynamic entry - adress: [my isp-provided ip] network: 192.168.100.1 interface:pppoe-TIM-out which I didn’t know what to do with it so I left it there.
Being locked out of the network after applying your configuration, I wasn’t able to export the resulting configuration in text format. I only have it as a backup file but altough being unencrypted, it’s not in readable format.
If you need that configuration I’ll try to reapply all of your configuration once again and then export the file before rebooting.
is there a way to add in your configuration in steps, instead of all at once? I’m thinking at maybe enabling vlans on just a few ports first, while leaving my current configuration as it is (to not loose connection or being locked out if something goes south). Then removing the existing config and applying the new one to the rest of the ports? Is this feasible? And in the end wireguard server?
Like what if I do remove proton connection at router level entirely, then I add in the vlans on ports 5 to 8, then if they are good to go I remove my config and apply your one also on ports 1 to 4? And then at the end I configure proton connection?
Also a generic question: how am I supposed to apply your config? Eyeballing from your config file from line 1 to the end and replicating it on the router, or maybe there’s a better way, maybe from console. Do I have to reset first the router and remove every script/configuration first leaving everything empty and only then applying your config from console line by line?
Oh sorry for that
Question1: what was the DNS address proton gives you to use??
Question2: what devices if any, do you not Want going through proton for internet access on a regular basis??
- proton dns from their config file is 10.2.0.1. I used this dns in your configuration where you wrote to use proton dns.
- I’m thinking to let out chromecasts and firestick out without vpn, because these things won’t work if they detect a vpn. Well they do work for streaming content from local network, but it’s streaming from prime video, or netflix, that does not work in vpn.
For now, I think I’ve managed to get rid of the 2 bridges, and attached the second subnet on ether8 directly. This is my previous configuration, plus some minor tweaks on 2nd subnet ip ranges, and not having another bridge any more, as you suggested
# 2023-11-08 15:21:10 by RouterOS 7.11.2
# software id = 4VVU-1JL1
#
# model = RB5009UG+S+
# serial number =
/interface bridge
add admin-mac=xxx auto-mac=no comment=defconf name=bridge-LAN1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
add listen-port=13232 mtu=1420 name=wireguard-server
/interface vlan
add interface=ether1-WAN name=vlan835-TIM vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan835-TIM name=\
pppoe-TIM-out user=XXXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool2 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge-LAN1 lease-time=1d30m name=dhcp1
add address-pool=dhcp_pool2 interface=ether8 name=dhcp2
/interface bridge port
add bridge=bridge-LAN1 comment=defconf interface=ether2
add bridge=bridge-LAN1 comment=defconf interface=ether3
add bridge=bridge-LAN1 comment=defconf interface=ether4
add bridge=bridge-LAN1 comment=defconf interface=ether5
add bridge=bridge-LAN1 comment=defconf interface=ether6
add bridge=bridge-LAN1 comment=defconf interface=ether7
add bridge=bridge-LAN1 comment=defconf interface=sfp-sfpplus1
add bridge=bridge-LAN1 comment="should this be disabled, right\? If it's enabl\
ed it must be on some bridge" disabled=yes interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-LAN1 list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=wireguard-server list=LAN
add interface=*E list=LAN
add interface=ether8 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard-server public-key=\
"XXXXX"
add allowed-address=0.0.0.0/0 endpoint-address=185.107.56.224 endpoint-port=\
51820 interface=wireguard-inet persistent-keepalive=25s public-key=\
"XXXX"
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge-LAN1 network=\
192.168.0.0
add address=192.168.1.1/24 interface=ether8 network=192.168.1.0
add address=10.2.0.2/30 comment=PROTON interface=wireguard-inet network=\
10.2.0.0
add address=192.168.2.1/24 interface=wireguard-server network=192.168.2.0
/ip dhcp-client
add dhcp-options=clientid,clientid_duid,hostname disabled=yes interface=\
bridge-LAN1
add disabled=yes interface=ether1-WAN
add disabled=yes interface=vlan835-TIM
/ip dhcp-server lease
....
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=\
192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.0.5 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.0.5
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix="[!LAN]"
add action=accept chain=input comment="wireguard allow" in-interface=\
wireguard-server
add action=accept chain=forward comment="wireguard allow" dst-address=\
192.168.2.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="wireguard allow" in-interface=\
wireguard-server
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=udp src-address=192.168.0.0/24
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment="allow dns" dst-address=192.168.0.5 \
dst-port=53 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"regola per consentire il traffico dalla lan1 alla lan2" dst-address=\
192.168.1.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment=\
"regola per consentire il traffico rdp" dst-address=192.168.1.7 dst-port=\
3389 protocol=tcp src-address=192.168.0.15
add action=accept chain=forward comment=\
"regola per consentire il traffico rdp" dst-address=192.168.1.7 dst-port=\
3389 protocol=udp src-address=192.168.0.15
add action=accept chain=forward comment=\
"consenti traffico dalla lan2 a jellyfin sulla porta tcp" dst-address=\
192.168.0.5 dst-port=8096 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"consenti traffico dalla lan2 a jellyfin sulla porta udp" dst-address=\
192.168.0.5 dst-port=8096 protocol=udp src-address=192.168.1.0/24
add action=drop chain=forward comment=\
"regola per bloccare il traffico dalla lan1 alla lan0" dst-address=\
192.168.0.0/24 log=yes log-prefix="[1>0 DROP]" src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=ISP out-interface=pppoe-TIM-out
add action=masquerade chain=srcnat comment=PROTON disabled=yes log-prefix=\
WG-INET out-interface=wireguard-inet
/ip route
add comment="PROTON - if disabled, connection goes through ISP, not proton" \
disabled=yes distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add comment="PROTON - if disabled there's no connection at all any more. dst-address is the proton server IP" \
disabled=yes distance=1 dst-address=185.107.56.224/32 gateway=\
pppoe-TIM-out pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Amsterdam
/system note
set show-at-login=no
/system scheduler
add interval=1d name="sync namecheap ip" on-event=":global ddnshostname \"@\"\
\r\
\n:global ddnsdomain \"xxxxxx\"\r\
\n:global ddnspass \"xxxxx\"\r\
\n\r\
\n:log info (\"DDNS: Updating\")\r\
\n:local str \"https://dynamicdns.park-your-domain.com/update\\3Fhost=\$dd\
nshostname>\r\
\n/tool fetch url=(\$str) mode=https keep-result=no" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-11-04 start-time=10:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes