sliwma
just joined
Topic Author
Posts: 13
Joined: Tue Jul 16, 2019 2:36 am

RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Tue Jul 16, 2019 2:43 am

Hey,
I've just configured RB951G with NordVPN using Mikrotik's guide, everything works fine except... upload speed. It's almost equal to zero. I think there's something wrong with the config, because when I was using OpenVPN with OpenWRT, everything was working fine. Any ideas?
Cheers
Last edited by sliwma on Wed Jul 31, 2019 10:46 pm, edited 1 time in total.
Proud owner of RB760iGS & RB951G-2HnD.
 
sindy
Forum Guru
Posts: 5550
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB951G & NordVPN (IKEv2/IPsec)

Tue Jul 16, 2019 11:06 am

If you think there is something wrong with the config, what about posting it (see my automatic signature below)?
What's the current upload and download speed?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
sliwma
just joined
Topic Author
Posts: 13
Joined: Tue Jul 16, 2019 2:36 am

Re: RB951G & NordVPN (IKEv2/IPsec)

Tue Jul 16, 2019 5:20 pm

When connecting without VPN, 16 Mbps down, upload about 1.5 Mbps; with VPN, about 12 Mbps down, up almost zero (can't measure using SpeedTest).
Config:


[admin@MikroTik] > /export hide-sensitive
# jul/16/2019 16:14:57 by RouterOS 6.45.1
# software id = H0WX-WRI7
#
# model = 951G-2HnD
# serial number = 5D610578998E
/interface bridge
add admin-mac=E4:8D:8C:9C:A3:35 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid="<my SSID>" \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=NordVPN
/ip ipsec peer
add address=pl79.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.5.100-192.168.5.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.5.2/24 comment=defconf interface=ether2 network=192.168.5.0
add address=192.168.1.2/24 network=192.168.1.0
/ip arp
add address=192.168.5.41 interface=bridge mac-address=3C:A9:F4:35:9F:60
add address=192.168.5.50 interface=bridge mac-address=48:2C:A0:7D:08:6B
add address=192.168.5.60 interface=bridge mac-address=34:CE:00:8B:55:CC
add address=192.168.5.61 interface=bridge mac-address=34:CE:00:8C:FA:18
add address=192.168.5.62 interface=bridge mac-address=34:CE:00:8B:97:2E
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.5.61
add address=192.168.5.60
add address=192.168.5.50
add address=192.168.5.62
add address=192.168.5.41
add address=192.168.5.30
add address=192.168.5.40
/ip dhcp-server network
add address=192.168.5.0/24 comment=defconf gateway=192.168.5.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.5.2 name=router.lan
/ip firewall address-list
add address=192.168.5.0/24 disabled=yes list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=sliwma@
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-name=Europe/Warsaw
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by sliwma on Tue Jul 16, 2019 6:18 pm, edited 1 time in total.
 
cdiedrich
Forum Veteran
Posts: 960
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: RB951G & NordVPN (IKEv2/IPsec)

Tue Jul 16, 2019 5:31 pm

I bet it's your hardware. The 951 is MipsBE and this is far from ideal for encrypting IPsec traffic. You might want to try a 750Gr3, 3011, 4011 or CCR series - these offer hardware acceleration.
I personally run a 750Gr3 in my remote office which talks to our main office (CCR1036) through IPsec and I can easily reach 200MBps - which is the limit of my link in my remote office.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
sindy
Forum Guru
Posts: 5550
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB951G & NordVPN (IKEv2/IPsec)

Tue Jul 16, 2019 5:52 pm

the 951 is MipsBE and this is far from ideal for encrypting IPsec traffic.
I fully agree with @cdiedrich that MipsBE devices aren't encryption champions but I still believe that encryption and decryption using symmetric ciphers is almost equally CPU-intensive, or am I wrong here?

So if it was something like 2 Mbit/s download and 1 Mbit/s upload, I would attribute that to weak hardware, however 12 Mbit/s down & "almost nothing" up makes me think that fasttracking strikes again in 6.45.1 although I had a surprising experience where it didn't in 6.44.something.

So for a test, please disable the chain=forward action=fasttrack-connection rule in /ip firewall filter and see whether it brings better balance between DL and UL.

The two rules before it don't prevent packets which need to be matched by IPsec policy from reaching the fasttracking rule in cases like this where the packet header starts matching the policy's traffic selector only after the src-nat operation.
 
sliwma
just joined
Topic Author
Posts: 13
Joined: Tue Jul 16, 2019 2:36 am

Re: RB951G & NordVPN (IKEv2/IPsec)

Tue Jul 16, 2019 6:14 pm

With both VPN connected and disconnected, CPU and RAM usage don't exceed 2%. I'll try to borrow hexS or something else with hardware IPsec support, or maybe gonna buy... :v

After disabling that rule, my Speedtest looks almost the same - 15Mbps download, Ookla can't measure upload. Another Speedtest shows about 0.12Mbps upload until half of the measurement, the second half is always 0Mbps.
 
emils
MikroTik Support
Posts: 619
Joined: Thu Dec 11, 2014 8:53 am

Re: RB951G & NordVPN (IKEv2/IPsec)

Thu Jul 18, 2019 9:29 am

When disabling Fast Track, make sure all established connections are either removed or timed out. When disabling the fasttrack-connection rule, already established connections will still be Fast Tracked. The easiest way to verify that this is not the case here is to reboot the router after disabling the rule and redo the test.
 
sliwma
just joined
Topic Author
Posts: 13
Joined: Tue Jul 16, 2019 2:36 am

Re: RB951G & NordVPN (IKEv2/IPsec)

Mon Jul 22, 2019 3:45 pm

No effect, I'm gonna try configuring it on CRS328-24P-4S+, as it should have hardware IPsec support, and compare speed.
 
eworm
Long time Member
Posts: 627
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: RB951G & NordVPN (IKEv2/IPsec)

Mon Jul 22, 2019 5:52 pm

No effect, I'm gonna try configuring it on CRS328-24P-4S+, as it should have hardware IPsec support, and compare speed.
No, it does not. Where did you find that information?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
sliwma
just joined
Topic Author
Posts: 13
Joined: Tue Jul 16, 2019 2:36 am

Re: RB951G & NordVPN (IKEv2/IPsec)

Wed Jul 24, 2019 10:41 pm

Its owner. Just figured that it's not CCR but CRS. I'm gonna buy HexS, we'll see if it helps.
 
sindy
Forum Guru
Posts: 5550
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB951G & NordVPN (IKEv2/IPsec)

Wed Jul 24, 2019 10:56 pm

If things have reached the level of purchasing new hardware, I'd rather recommend hAP ac². As compared to hEX S, it has a switch chip with independent VLAN learning and support of hybrid ports, and wireless hardware which you may just disable if you don't need it but it's there if you ever need it, and the throughput and encryption capabilities are the same or even better.
 
sliwma
just joined
Topic Author
Posts: 13
Joined: Tue Jul 16, 2019 2:36 am

Re: RB951G & NordVPN (IKEv2/IPsec)

Sun Jul 28, 2019 7:22 pm

Yeah, but HexS has microSD and PoE out, that's why I wanted it. We'll see if IPsec hardware support solves my problems; if yes, I'm gonna check how the VLAN performance is. And after this, we'll figure out if it'll stay with me.
 
sliwma
just joined
Topic Author
Posts: 13
Joined: Tue Jul 16, 2019 2:36 am

Re: RB951G & NordVPN (IKEv2/IPsec)

Wed Jul 31, 2019 8:49 pm

I have configured hexS and 951G as I wanted. I have another question: how to configure IKEv2/IPsec with VLANs? Currently I have three of them, MGMT, home and guest (WiFi network).
I configured my connection in the same way, but when I set 192.168.10.0/24 (VLAN/home), NAT shows up, but traffic doesn't go through the VPN.
[admin@RB760iGS] >  /export hide-sensitive
# jul/31/2019 19:43:49 by RouterOS 6.45.2
# software id = HJFI-YNP6
#
# model = RB760iGS
# serial number =
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-livebox
set [ find default-name=ether5 ] name=ether5-TRUNK-RB951G
/interface vlan
add interface=BR1 name=HOME_VLAN vlan-id=10
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=MANAGEMENT vlan-id=99
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=HOME
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=ca458.nordvpn.com exchange-mode=ike2 name=NordVPN_CA458 profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=HOME ranges=192.168.10.100-192.168.10.254
add name=GUEST ranges=192.168.20.2-192.168.20.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=HOME disabled=no interface=HOME_VLAN name=HOME
add address-pool=GUEST disabled=no interface=GUEST_VLAN name=GUEST
add address-pool=BASE_POOL disabled=no interface=MANAGEMENT name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5-TRUNK-RB951G
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether5-TRUNK-RB951G untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4,ether5-TRUNK-RB951G vlan-ids=99
add bridge=BR1 tagged=BR1,ether4,ether5-TRUNK-RB951G vlan-ids=20
add bridge=BR1 tagged=BR1,ether4,ether5-TRUNK-RB951G vlan-ids=30
/interface list member
add interface=ether1-WAN-livebox list=WAN
add interface=MANAGEMENT list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=MANAGEMENT list=BASE
/ip address
add address=192.168.0.1/24 interface=MANAGEMENT network=192.168.0.0
add address=192.168.10.1/24 interface=HOME_VLAN network=192.168.10.0
add address=192.168.20.1/24 interface=GUEST_VLAN network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN-livebox use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.0 list=HOME
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add chain=forward comment="Allow established connections through router" connection-state=established
add chain=forward comment="Allow related connections through router" connection-state=related
add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="Drop all other connections through the router"
add action=accept chain=input comment="Allow everything from the LAN interface to the router" in-interface-list=VLAN
add chain=input comment="Allow established  connections to the router, these are OK because we aren't allowing new connections" connection-state=established
add chain=input comment="Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=related
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.0.0/24
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN_CA458 policy-template-group=NordVPN username=\
    sliwma@
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB760iGS
 
sindy
Forum Guru
Posts: 5550
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Thu Aug 01, 2019 8:57 am

Do you test from a PC connected to some other switch which is connected to the new hEX via ether4? Because everything seems fine to me except the following:

/interface bridge port
...
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4 pvid=1
...

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether5-TRUNK-RB951G untagged=ether2,ether3,ether4 vlan-ids=10
...


So if the VLAN 10 frames should really pass through ether4 tagged, move ether4 from untagged to tagged list in vlan-ids=10 row of /interface bridge vlan.
 
sliwma
just joined
Topic Author
Posts: 13
Joined: Tue Jul 16, 2019 2:36 am

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Thu Aug 01, 2019 2:59 pm

I forgot to change it, but ether4 wasn't used right there.
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4-TRUNK-MR3020
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G untagged=ether2,ether3 vlan-ids=10
Diagram attached. I want to route my traffic from VLAN10 via VPN, and wherever I check (access ports on hex or RB951G), it doesn't.
 
sindy
Forum Guru
Posts: 5550
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Thu Aug 01, 2019 3:17 pm

Now it is even more confusing. Please post the current config of both machines.
 
sliwma
just joined
Topic Author
Posts: 13
Joined: Tue Jul 16, 2019 2:36 am

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Thu Aug 01, 2019 7:26 pm

Configured using: viewtopic.php?t=143620

hex S:
# aug/01/2019 18:21:07 by RouterOS 6.45.2
# software id = HJFI-YNP6
#
# model = RB760iGS
# serial number = 
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-livebox
set [ find default-name=ether4 ] name=ether4-TRUNK-MR3020
set [ find default-name=ether5 ] advertise=100M-full,1000M-full name=ether5-TRUNK-RB951G
/interface vlan
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=HOME_VLAN vlan-id=10
add interface=BR1 name=MANAGEMENT vlan-id=99
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=HOME
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=ca458.nordvpn.com exchange-mode=ike2 name=NordVPN_CA458 profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=HOME ranges=192.168.5.100-192.168.5.254
add name=GUEST ranges=192.168.20.2-192.168.20.254
add name=MANAGEMENT ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=GUEST disabled=no interface=GUEST_VLAN name=GUEST
add address-pool=MANAGEMENT disabled=no interface=MANAGEMENT name=MANAGEMENT
add address-pool=HOME disabled=no interface=HOME_VLAN lease-time=12h name=HOME
/dude
set enabled=yes
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4-TRUNK-MR3020
add bridge=BR1 ingress-filtering=yes interface=ether5-TRUNK-RB951G
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G untagged=ether2,ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G vlan-ids=99
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1-WAN-livebox list=WAN
add interface=MANAGEMENT list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=MANAGEMENT list=BASE
/ip address
add address=192.168.0.1/24 interface=MANAGEMENT network=192.168.0.0
add address=192.168.5.1/24 interface=HOME_VLAN network=192.168.5.0
add address=192.168.20.1/24 interface=GUEST_VLAN network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN-livebox use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.5.40 client-id=1:6c:88:14:9:f4:dc comment="" mac-address=6C:88:14:09:F4:DC server=HOME
add address=192.168.5.41 client-id=1:3c:a9:f4:35:9f:60 comment="" mac-address=3C:A9:F4:35:9F:60 server=HOME
add address=192.168.5.61 comment= mac-address=34:CE:00:8B:97:2E server=HOME
add address=192.168.5.60 comment= mac-address=34:CE:00:8C:FA:18 server=HOME
add address=192.168.5.30 client-id=1:3c:97:e:86:dd:4a comment="" mac-address=3C:97:0E:86:DD:4A server=HOME
add address=192.168.5.20 comment= mac-address=00:11:32:05:03:60 server=HOME
add address=192.168.5.10 comment= mac-address=1C:C1:DE:84:07:85 server=HOME
add address=192.168.5.11 comment= mac-address=04:B1:67:AD:57:EC server=HOME
add address=192.168.5.50 client-id=1:48:2c:a0:7d:8:6b comment="" mac-address=48:2C:A0:7D:08:6B server=HOME
add address=192.168.0.41 client-id=1:3c:a9:f4:35:9f:60 comment="" mac-address=3C:A9:F4:35:9F:60 server=MANAGEMENT
add address=192.168.5.246 comment= mac-address=34:CE:00:8B:55:CC server=HOME
add address=192.168.0.40 client-id=1:6c:88:14:9:f4:dc comment="" mac-address=6C:88:14:09:F4:DC server=MANAGEMENT
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1 ntp-server=192.168.5.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1 ntp-server=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.5.0 list=HOME
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add chain=forward comment="Allow established connections through router" connection-state=established
add chain=forward comment="Allow related connections through router" connection-state=related
add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="Drop all other connections through the router"
add action=accept chain=input comment="Allow everything from the LAN interface to the router" in-interface-list=VLAN
add chain=input comment="Allow established  connections to the router, these are OK because we aren't allowing new connections" connection-state=established
add chain=input comment="Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=related
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.0.0/24
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN_CA458 policy-template-group=NordVPN username=\
    sliwma@
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=192.168.1.1
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB760iGS
/system ntp client
set enabled=yes primary-ntp=193.110.137.171 secondary-ntp=158.75.5.245
/system ntp server
set enabled=yes manycast=no multicast=yes
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
RB951G-2HnD:
# aug/01/2019 18:22:13 by RouterOS 6.45.2
# software id = H0WX-WRI7
#
# model = 951G-2HnD
# serial number = 5D610578998E
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-TRUNK
/interface vlan
add interface=BR1 name=MANAGEMENT-VLAN vlan-id=99
/interface list
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=GUEST supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=MANAGEMENT supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=HOME supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge name=wlan1-HOME security-profile=HOME ssid="Home 2G"
add disabled=no mac-address=E6:8D:8C:9C:A3:39 master-interface=wlan1-HOME name=wlan2-GUEST security-profile=GUEST ssid="Guest 2G" wps-mode=disabled
add disabled=no mac-address=E6:8D:8C:9C:A3:3A master-interface=wlan1-HOME name=wlan3-MANAGEMENT security-profile=MANAGEMENT ssid=Management wps-mode=disabled
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1-HOME pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2-GUEST pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan3-MANAGEMENT pvid=99
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-TRUNK
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=ether1-TRUNK untagged=wlan1-HOME,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=BR1 tagged=ether1-TRUNK untagged=wlan2-GUEST vlan-ids=20
add bridge=BR1 tagged=ether1-TRUNK untagged=wlan3-MANAGEMENT vlan-ids=30
add bridge=BR1 tagged=BR1,ether1-TRUNK untagged=wlan3-MANAGEMENT vlan-ids=99
/interface list member
add interface=MANAGEMENT-VLAN list=BASE
/ip address
add address=192.168.0.2/24 interface=MANAGEMENT-VLAN network=192.168.0.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=192.168.0.1
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB951G-2HnD
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
sindy
Forum Guru
Posts: 5550
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN  [SOLVED]

Thu Aug 01, 2019 8:23 pm

On the 760,
/ip firewall address-list
add address=192.168.5.0 list=HOME

must say
/ip firewall address-list
add address=192.168.5.0/24 list=HOME
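As an added example (not code from this thread, from MikroTik or from NordVPN), a small Python checker that parses the address-list and mode-config sections of an export like the ones above and shows why `address=192.168.5.0` leaves every HOME host outside the tunnel while `address=192.168.5.0/24` covers them; the sample export text is constructed from the thread's lines and all function names are my own.

```python
import ipaddress
import re

# Constructed sample input, assembled from the hEX S export in this thread:
# the address-list entry as posted (no prefix length) and as corrected (/24).
EXPORT_AS_POSTED = """\
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=HOME
/ip firewall address-list
add address=192.168.5.0 list=HOME
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
"""

# Same export with the one-token fix from the solved post.
EXPORT_CORRECTED = EXPORT_AS_POSTED.replace("address=192.168.5.0 ", "address=192.168.5.0/24 ")

# key=value pairs on an export line; values may be double-quoted.
_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(export_text):
    """Return {section_path: [entry_dict, ...]} for the add/set lines of a RouterOS
    export. Only single-line entries are handled (no backslash continuations)."""
    sections = {}
    current = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            sections[current].append({k: v.strip('"') for k, v in _KV.findall(line)})
    return sections


def address_lists(sections):
    """Return {list_name: [ip_network, ...]}. RouterOS treats an address-list entry
    without a prefix length as a single host, so it becomes a /32 here too."""
    lists = {}
    for entry in sections.get("/ip firewall address-list", []):
        if "address" in entry and "list" in entry:
            net = ipaddress.ip_network(entry["address"], strict=False)
            lists.setdefault(entry["list"], []).append(net)
    return lists


def tunnel_covers(sections, mode_config_name, host):
    """True if host would be sent through the tunnel. With responder=no, the
    src-address-list of the mode-config selects which LAN sources get dynamically
    source-NATed to the address the VPN server assigns; only those NATed packets
    then match the generated IPsec policy, so hosts outside the list bypass the VPN."""
    addr = ipaddress.ip_address(host)
    lists = address_lists(sections)
    for mc in sections.get("/ip ipsec mode-config", []):
        if mc.get("name") == mode_config_name and "src-address-list" in mc:
            return any(addr in net for net in lists.get(mc["src-address-list"], []))
    return False


def lint_address_lists(sections):
    """Flag IPv4 /32 entries whose last octet is 0: almost always a subnet whose
    prefix length was left off, which is exactly the mistake fixed in this thread."""
    findings = []
    for name, nets in address_lists(sections).items():
        for net in nets:
            if net.version == 4 and net.prefixlen == 32 and int(net.network_address) & 0xFF == 0:
                findings.append(f"list {name}: {net.network_address} has no prefix length; did you mean a subnet?")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", EXPORT_AS_POSTED), ("corrected", EXPORT_CORRECTED)):
        sections = parse_export(text)
        print(label, "- 192.168.5.41 via VPN:", tunnel_covers(sections, "NordVPN", "192.168.5.41"))
        for finding in lint_address_lists(sections):
            print("  ", finding)
```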
 
sliwma
just joined
Topic Author
Posts: 13
Joined: Tue Jul 16, 2019 2:36 am

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Fri Aug 02, 2019 12:02 am

It was so easy...
Thanks man, you're great, now everything works as it should!

And, after switching to hexS (with IPsec hardware support) speed via VPN tunnel is reaching my link's speed. Thank you again. :D