Page 1 of 1

RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Posted: Tue Jul 16, 2019 2:43 am
by sliwma
Hey,
I've just configured RB951G with NordVPN using Mikrotik's guide, everything works fine except... upload speed. It's equal almost to zero. I think there's something wrong with the config, because when I was using OpenVPN with OpenWRT, everything was working fine. Any ideas?
Cheers

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Tue Jul 16, 2019 11:06 am
by sindy
If you think there is something wrong with the config, what about posting it (see my automatic signature below)?
What's the current upload and download speed?

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Tue Jul 16, 2019 5:20 pm
by sliwma
When connecting without VPN, 16Mbps, upload about 1,5Mbps, with VPN, about down 12Mbps, up almost zero (can't measure using SpeedTest).
Config:

Code: Select all

[[admin@MikroTik] > /export hide-sensitive
# jul/16/2019 16:14:57 by RouterOS 6.45.1
# software id = H0WX-WRI7
#
# model = 951G-2HnD
# serial number = 5D610578998E
/interface bridge
add admin-mac=E4:8D:8C:9C:A3:35 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid="<my SSID>" \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 name=NordVPN
/ip ipsec peer
add address=pl79.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.5.100-192.168.5.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.5.2/24 comment=defconf interface=ether2 network=192.168.5.0
add address=192.168.1.2/24 network=192.168.1.0
/ip arp
add address=192.168.5.41 interface=bridge mac-address=3C:A9:F4:35:9F:60
add address=192.168.5.50 interface=bridge mac-address=48:2C:A0:7D:08:6B
add address=192.168.5.60 interface=bridge mac-address=34:CE:00:8B:55:CC
add address=192.168.5.61 interface=bridge mac-address=34:CE:00:8C:FA:18
add address=192.168.5.62 interface=bridge mac-address=34:CE:00:8B:97:2E
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.5.61
add address=192.168.5.60
add address=192.168.5.50
add address=192.168.5.62
add address=192.168.5.41
add address=192.168.5.30
add address=192.168.5.40
/ip dhcp-server network
add address=192.168.5.0/24 comment=defconf gateway=192.168.5.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.5.2 name=router.lan
/ip firewall address-list
add address=192.168.5.0/24 disabled=yes list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=sliwma@
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-name=Europe/Warsaw
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN/Codebox]

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Tue Jul 16, 2019 5:31 pm
by cdiedrich
I bet it's your hardware. the 951 is MipsBE and this is far from ideal for encrypting IPsec traffic. You might want to try a 750Gr3, 3011, 4011 or CCR series - these offer hardware acceleration.
I personally run a 750Gr3 in my remote office which talks to our main office (CCR1036) through IPsec and I can easily reach 200MBps - which is the limit of my link in my remote office.
-Chris

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Tue Jul 16, 2019 5:52 pm
by sindy
the 951 is MipsBE and this is far from ideal for encrypting IPsec traffic.
I fully agree with @cdiedrich that MipsBE devices aren't encryption champions but I still believe that encryption and decryption using symmetric ciphers is almost equally CPU-intensive, or am I wrong here?

So if it was something like 2 Mbit/s download and 1 Mbit/s upload, I would attribute that to weak hardware, however 12 Mbit/s down & "almost nothing" up makes me think that fasttracking strikes again in 6.45.1 although I had a surprising experience where it didn't in 6.44.something.

So for a test, please disable the chain=forward action=fasttrack-connection rule in /ip firewall filter and see whether it brings better balance betwen DL and UL.

The two rules before it don't prevent packets which need to be matched by IPsec policy from reaching the fasttracking rule in cases like this where the packet header starts matching the policy's traffic selector only after the src-nat operation.

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Tue Jul 16, 2019 6:14 pm
by sliwma
With both, VPN connected and disconnected, CPU's and RAM's usage doesn't exceed 2%. I'll try to borrow hexS or something else with hardware IPsec support, or maybe gonna buy... :v

After disabiling that rule, my Speedtest looks almost same - 15Mbps download, Ookla can't measure upload. Another Speedtest shows about 0.12Mbps upload until half of measurement, second half is always 0Mbps.

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Thu Jul 18, 2019 9:29 am
by emils
When disabling Fast Track, make sure all established connections are either removed or timed out. When disabling the fasttrack-connection rule already established connections will still be Fast Tracked. The most easiest way to verify that is not the case here is to reboot the router after disabling the rule and redo the test.

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Mon Jul 22, 2019 3:45 pm
by sliwma
No effect, I'm gonna try configuring it on CRS328-24P-4S+, as it should have hardware IPsec support, and compare speed.

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Mon Jul 22, 2019 5:52 pm
by eworm
No effect, I'm gonna try configuring it on CRS328-24P-4S+, as it should have hardware IPsec support, and compare speed.
No, it does not. Where did you find that information?

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Wed Jul 24, 2019 10:41 pm
by sliwma
It's owner. Just figured that it's not CCR but CRS. I'm gonna buy HexS, we'll see if it helps.

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Wed Jul 24, 2019 10:56 pm
by sindy
If things have reached the level of purchasing new hardware, I'd rather recommend hAP acĀ². As compared to hEX S, it has a switch chip with independent VLAN learning and support of hybrid ports, and wireless hardware which you may just disable if you don't need it but it's there if you ever need it, and the throughput and encryption capabilities are same or even better.

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Sun Jul 28, 2019 7:22 pm
by sliwma
Yeah, but HexS has microSD and PoE out, that's why I wanted it. We'll see, if IPsec hardware support will solve my problems, if yes, I'm gonna check, how's the VLAN performance. And after this, we'll figure out if it'll stay with me.

Re: RB951G & NordVPN (IKEv2/IPsec)

Posted: Wed Jul 31, 2019 8:49 pm
by sliwma
I have configured hexS and 951G as I wanted. I have another question, how to configure IKEv2/IPsec with VLANs. Currently I have three of them, MGMT, home and guest (WiFi network).
I configured my connection in the same way, but when I set 192.168.10.0/24 (VLAN/home), NAT shows up, but traffic doesn't go through VPN.
[admin@RB760iGS] >  /export hide-sensitive
# jul/31/2019 19:43:49 by RouterOS 6.45.2
# software id = HJFI-YNP6
#
# model = RB760iGS
# serial number =
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-livebox
set [ find default-name=ether5 ] name=ether5-TRUNK-RB951G
/interface vlan
add interface=BR1 name=HOME_VLAN vlan-id=10
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=MANAGEMENT vlan-id=99
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=HOME
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=ca458.nordvpn.com exchange-mode=ike2 name=NordVPN_CA458 profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=HOME ranges=192.168.10.100-192.168.10.254
add name=GUEST ranges=192.168.20.2-192.168.20.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=HOME disabled=no interface=HOME_VLAN name=HOME
add address-pool=GUEST disabled=no interface=GUEST_VLAN name=GUEST
add address-pool=BASE_POOL disabled=no interface=MANAGEMENT name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5-TRUNK-RB951G
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether5-TRUNK-RB951G untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4,ether5-TRUNK-RB951G vlan-ids=99
add bridge=BR1 tagged=BR1,ether4,ether5-TRUNK-RB951G vlan-ids=20
add bridge=BR1 tagged=BR1,ether4,ether5-TRUNK-RB951G vlan-ids=30
/interface list member
add interface=ether1-WAN-livebox list=WAN
add interface=MANAGEMENT list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=MANAGEMENT list=BASE
/ip address
add address=192.168.0.1/24 interface=MANAGEMENT network=192.168.0.0
add address=192.168.10.1/24 interface=HOME_VLAN network=192.168.10.0
add address=192.168.20.1/24 interface=GUEST_VLAN network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN-livebox use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.0 list=HOME
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add chain=forward comment="Allow established connections through router" connection-state=established
add chain=forward comment="Allow related connections through router" connection-state=related
add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="Drop all other connections through the router"
add action=accept chain=input comment="Allow everything from the LAN interface to the router" in-interface-list=VLAN
add chain=input comment="Allow established  connections to the router, these are OK because we aren't allowing new connections" connection-state=established
add chain=input comment="Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=related
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.0.0/24
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN_CA458 policy-template-group=NordVPN username=\
    sliwma@
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB760iGS

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Posted: Thu Aug 01, 2019 8:57 am
by sindy
Do you test from a PC connected to some other switch which is connected to the new hEX via ether4? Because everything seems fine to me except the following:

/interface bridge port
...
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4 pvid=1
...

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether5-TRUNK-RB951G untagged=ether2,ether3,ether4 vlan-ids=10
...


So if the VLAN 10 frames should really pass through ether4 tagged, move ether4 from untagged to tagged list in vlan-ids=10 row of /interface bridge vlan.

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Posted: Thu Aug 01, 2019 2:59 pm
by sliwma
I forgot to change it, but ether4 wasn't used right there.
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4-TRUNK-MR3020
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G untagged=ether2,ether3 vlan-ids=10
Diagram attached. I want to route my traffic from VLAN10 via VPN, and wherever I check (access ports on hex or RG951G), it doesn't.

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Posted: Thu Aug 01, 2019 3:17 pm
by sindy
Now it is even more confusing. Please post the current config of both machines.

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Posted: Thu Aug 01, 2019 7:26 pm
by sliwma
Configured using: viewtopic.php?t=143620

hex S:
# aug/01/2019 18:21:07 by RouterOS 6.45.2
# software id = HJFI-YNP6
#
# model = RB760iGS
# serial number = 
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-livebox
set [ find default-name=ether4 ] name=ether4-TRUNK-MR3020
set [ find default-name=ether5 ] advertise=100M-full,1000M-full name=ether5-TRUNK-RB951G
/interface vlan
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=HOME_VLAN vlan-id=10
add interface=BR1 name=MANAGEMENT vlan-id=99
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=HOME
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=ca458.nordvpn.com exchange-mode=ike2 name=NordVPN_CA458 profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=HOME ranges=192.168.5.100-192.168.5.254
add name=GUEST ranges=192.168.20.2-192.168.20.254
add name=MANAGEMENT ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=GUEST disabled=no interface=GUEST_VLAN name=GUEST
add address-pool=MANAGEMENT disabled=no interface=MANAGEMENT name=MANAGEMENT
add address-pool=HOME disabled=no interface=HOME_VLAN lease-time=12h name=HOME
/dude
set enabled=yes
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4-TRUNK-MR3020
add bridge=BR1 ingress-filtering=yes interface=ether5-TRUNK-RB951G
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G untagged=ether2,ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G vlan-ids=99
add bridge=BR1 tagged=BR1,ether4-TRUNK-MR3020,ether5-TRUNK-RB951G vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1-WAN-livebox list=WAN
add interface=MANAGEMENT list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=MANAGEMENT list=BASE
/ip address
add address=192.168.0.1/24 interface=MANAGEMENT network=192.168.0.0
add address=192.168.5.1/24 interface=HOME_VLAN network=192.168.5.0
add address=192.168.20.1/24 interface=GUEST_VLAN network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN-livebox use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.5.40 client-id=1:6c:88:14:9:f4:dc comment="" mac-address=6C:88:14:09:F4:DC server=HOME
add address=192.168.5.41 client-id=1:3c:a9:f4:35:9f:60 comment="" mac-address=3C:A9:F4:35:9F:60 server=HOME
add address=192.168.5.61 comment= mac-address=34:CE:00:8B:97:2E server=HOME
add address=192.168.5.60 comment= mac-address=34:CE:00:8C:FA:18 server=HOME
add address=192.168.5.30 client-id=1:3c:97:e:86:dd:4a comment="" mac-address=3C:97:0E:86:DD:4A server=HOME
add address=192.168.5.20 comment= mac-address=00:11:32:05:03:60 server=HOME
add address=192.168.5.10 comment= mac-address=1C:C1:DE:84:07:85 server=HOME
add address=192.168.5.11 comment= mac-address=04:B1:67:AD:57:EC server=HOME
add address=192.168.5.50 client-id=1:48:2c:a0:7d:8:6b comment="" mac-address=48:2C:A0:7D:08:6B server=HOME
add address=192.168.0.41 client-id=1:3c:a9:f4:35:9f:60 comment="" mac-address=3C:A9:F4:35:9F:60 server=MANAGEMENT
add address=192.168.5.246 comment= mac-address=34:CE:00:8B:55:CC server=HOME
add address=192.168.0.40 client-id=1:6c:88:14:9:f4:dc comment="" mac-address=6C:88:14:09:F4:DC server=MANAGEMENT
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1 ntp-server=192.168.5.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1 ntp-server=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.5.0 list=HOME
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add chain=forward comment="Allow established connections through router" connection-state=established
add chain=forward comment="Allow related connections through router" connection-state=related
add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="Drop all other connections through the router"
add action=accept chain=input comment="Allow everything from the LAN interface to the router" in-interface-list=VLAN
add chain=input comment="Allow established  connections to the router, these are OK because we aren't allowing new connections" connection-state=established
add chain=input comment="Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=related
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.0.0/24
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN_CA458 policy-template-group=NordVPN username=\
    sliwma@
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=192.168.1.1
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB760iGS
/system ntp client
set enabled=yes primary-ntp=193.110.137.171 secondary-ntp=158.75.5.245
/system ntp server
set enabled=yes manycast=no multicast=yes
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
RB951G-2HnD:
# aug/01/2019 18:22:13 by RouterOS 6.45.2
# software id = H0WX-WRI7
#
# model = 951G-2HnD
# serial number = 5D610578998E
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-TRUNK
/interface vlan
add interface=BR1 name=MANAGEMENT-VLAN vlan-id=99
/interface list
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=GUEST supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name= MANAGEMENT supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=HOME supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge name=wlan1-HOME security-profile=HOME ssid="Home 2G"
add disabled=no mac-address=E6:8D:8C:9C:A3:39 master-interface=wlan1-HOME name=wlan2-GUEST security-profile=GUEST ssid="Guest 2G" wps-mode=disabled
add disabled=no mac-address=E6:8D:8C:9C:A3:3A master-interface=wlan1-HOME name=wlan3-MANAGEMENT security-profile=MANAGEMENT ssid=Management wps-mode=disabled
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1-HOME pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2-GUEST pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan3-MANAGEMENT pvid=99
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-TRUNK
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=ether1-TRUNK untagged=wlan1-HOME,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=BR1 tagged=ether1-TRUNK untagged=wlan2-GUEST vlan-ids=20
add bridge=BR1 tagged=ether1-TRUNK untagged=wlan3-MANAGEMENT vlan-ids=30
add bridge=BR1 tagged=BR1,ether1-TRUNK untagged=wlan3-MANAGEMENT vlan-ids=99
/interface list member
add interface=MANAGEMENT-VLAN list=BASE
/ip address
add address=192.168.0.2/24 interface=MANAGEMENT-VLAN network=192.168.0.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=192.168.0.1
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB951G-2HnD
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN  [SOLVED]

Posted: Thu Aug 01, 2019 8:23 pm
by sindy
On the 760,
/ip firewall address-list
add address=192.168.5.0 list=HOME

must say
/ip firewall address-list
add address=192.168.5.0/24 list=HOME

Re: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN

Posted: Fri Aug 02, 2019 12:02 am
by sliwma
It was so easy...
Thanks man, you're great, now everything works as it should!

And, after switching to hexS (with IPsec hardware support) speed via VPN tunnel is reaching my link's speed. Thank you again. :D