Community discussions

MikroTik App
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

MTU troubles using IKEv2 providers like NordVPN [work around]

Tue Dec 03, 2019 3:27 pm

This topic is about ICMP 3/4 packets returned to the client.
You can test that by pressing or click the preview button when writing a posting in this forum.
No preview, or it takes a long time (more than a few seconds) then you are suffering from this and then follow the instructions underneath


I am using IPSEC for a long time and first a mix of L2TP/IPSEC and later IKEv2. Had problems with the MTU on L2TP/IPSEC and hoped that was over when I replaced it with IKEv2. IKEv2 was much nicer to use and much faster. However I had still a small problem with the MTU when using a speedtest.net page and later I noticed that the Mikrotik forum offered a much faster to detect the problem.

Using Wireshark and the following line in Mangle I could detect the ICMP 3/4 packets getting lost in the RouterOS and so not arrive at the client telling it to lower the MTU.
add action=sniff-tzsp chain=postrouting icmp-options=3:4 log=yes log-prefix=post-ICMP protocol=icmp sniff-target=192.168.21.177 sniff-target-port=37008

I used this step for step optimized MSS line to reduced the MTU to a fixed value which dynamically could not be found:
add action=change-mss chain=forward disabled=yes ipsec-policy=in,ipsec log-prefix=MSS new-mss=1382 passthrough=yes protocol=tcp tcp-flags=syn
The code is disabled because Sindy found a much better way using a work around for this problem.

Sindy and I spend a good part of a weekend discussing this and ending up with a work around that ended my quest on this strange behavior. When the ICPM 3/4 packets get lost in RouterOS the data sent to Wireshark gets Network type: unknown 0x0000 what is very strange but an other support ticket.
The thread from that weekend: viewtopic.php?f=2&t=153414&p=760818&hil ... ge#p760818
About the ICMP 3/4 packets not being sent to the client is still a support ticket with Mikrotik and despite several suggestion by them it is still not resolved so I have to keep using the work around.

So what is happening. When using IKEv2 in this case all traffice is going through a tunnel between RouterOS and the VPN provider. RouterOS handles everything so most of the traffic is outside of view of the user. The MTU is determined and used except when the client is 'uploading' traffic then the MTU is not changed resulting in no upstream traffic or RouterOS switch to the emergency MTU of 576/536 resulting in a very low transfer rate but at least there is a traffic flowing upstream.

Sindy brilliant work around is, to use IPSEC policy and create a static policy handling the packets instead of the dynamically generated ones and the position in the policy list does not matter:
/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 place-before=1
place-before=1 and move *ffffff destination=1 added on 17-4-2020

Replace dst-address=192.168.88.0/24 with your own local network address range.
The default template will be moved to the top of the list if it was not already there. The second line should above (action=none) should be below default and above any added IKEv2 provider lines.

The explaination by Sindy.
Anyway, there should be a remedy - a static IPsec policy action=none src-address=0.0.0.0/0 dst-address=the.client's.subnet placed before the policy template which is used to build the dynamic policy with the responder-provided IP address as src-address. This action=none policy will shadow the dynamically generated one so even though the ICMP code 3 type 4 packet will likely get src-nated by the dynamic src-nat rule, it will not reach the dynamic policy (which would divert it into the tunnel) so it will make it to the client. The client won't care about the source address as it has no relevance for it, so it should adjust the size of the re-sent TCP packet and all the subsequent ones accordingly.
This solved my long standing problem. with that work around and many many thank to Sindy for suggesting this!

O, how to test in the Mikrotik forum? That is not too difficult and if you are writing now a reply or editing an previous post you can press the Preview button and when you have the sniffer line active and Wireshark running you will see those unknown packet pop-up in Wireshark. Then is your IKEv2 and maybe IPSEC connection falling back to emergency MTU.
Last edited by msatter on Sat Dec 26, 2020 11:41 am, edited 15 times in total.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
User avatar
eworm
Forum Veteran
Forum Veteran
Posts: 749
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Tue Jan 14, 2020 11:09 pm

You should remove the extra disabled=yes from your code.

I can confirm this workaround works. Any news from Mikrotik about fixing this?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Tue Jan 14, 2020 11:56 pm

Thanks and the disable=yes is removed.

I don't know. Support did not confirmed this workaround or commented on it. The ticket is still open and you never know what 2020 is going to bring. ;-)
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
ranpha
Frequent Visitor
Frequent Visitor
Posts: 56
Joined: Mon Jan 09, 2012 3:16 am

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Sun Mar 22, 2020 3:24 pm

add action=none dst-address=168.192.88.0/24 src-address=0.0.0.0/0
Does this works with all IKEv2 VPN providers, or did I have to change the dst-address values?
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Sun Mar 22, 2020 4:39 pm

Yes you have to adapt to your own address range. I have taken the default range set for Mikrotik routers.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
nemoonpc
just joined
Posts: 8
Joined: Thu Jan 23, 2020 6:27 am
Location: Kuala Lumpur, Malaysia

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 9:05 am

Hi, I also have similar problems but it still doesn't work when I added this policy.
add action=none dst-address=168.192.88.0/24 src-address=0.0.0.0/0
my ipsec configs
# apr/17/2020 14:00:09 by RouterOS 6.46.5
# software id = KFRD-V8Q1
#
# model = RBD52G-5HacD2HnD
# serial number = x
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=sg463.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN \
    username=username
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
add action=none dst-address=192.168.0.0/24 src-address=0.0.0.0/0
maybe there are something wrong with my config?
currently running RBD52G-5HacD2HnD-TC (hAP ac²)
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 10:23 am

I have to think about that and my first answer was not correct if you address range is 192.168.0.1-192.168.0.255

Update: I can't place the first line:
/ip ipsec policy
set 0 disabled=yes
My template is also a bit different:
/ip ipsec policy
add group=NordVPN proposal=NordVPN template=yes
On copy-paste did something went wrong?

/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN


The in bold text is only possible in/ip ipsec group.
Last edited by msatter on Fri Apr 17, 2020 10:45 am, edited 1 time in total.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
nemoonpc
just joined
Posts: 8
Joined: Thu Jan 23, 2020 6:27 am
Location: Kuala Lumpur, Malaysia

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 10:41 am

I have to think about that and my first answer was not correct if you address range is 192.168.0.1-192.168.0.255

Update: I can't place the first line:
/ip ipsec policy
set 0 disabled=yes
the first one is disabled by itself
Image
currently running RBD52G-5HacD2HnD-TC (hAP ac²)
 
sindy
Forum Guru
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 10:47 am

It's simple - the policy you've added must be placed before (above) the template from which the IKEv2 connection creates the actual policy for the connection.

The order of policies matters the same way like the order of firewall rules does - the packet is matched to all of them starting from the topmost one towards the last one until the first match.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 10:54 am

I have updated my first response to you.

Enable the line with X*T and remove line with T . The one with the * is the default line.

::/0 is the same as 0.0.0.0/0 and covers also IPv6 if that is available.

If you do test hit the preview button in this forum when writing a posting and if it is shown then ICMP is working.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 11:03 am

It's simple - the policy you've added must be placed before (above) the template from which the IKEv2 connection creates the actual policy for the connection.

The order of policies matters the same way like the order of firewall rules does - the packet is matched to all of them starting from the topmost one towards the last one until the first match.
Thanks Cindy. On a reconnect it would automatically get to the top of the list if I am correct. If added manually then a place-before=0 would do.

Update: removed the place-before=0
Last edited by msatter on Fri Apr 17, 2020 12:47 pm, edited 1 time in total.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
nemoonpc
just joined
Posts: 8
Joined: Thu Jan 23, 2020 6:27 am
Location: Kuala Lumpur, Malaysia

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 11:11 am

Thanks for your responses,

Currently updated the suggested configs
# apr/17/2020 16:05:02 by RouterOS 6.46.5
# software id = KFRD-V8Q1
#
# model = RBD52G-5HacD2HnD
# serial number = *
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=sg197.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=\
    NordVPN policy-template-group=NordVPN username=*
/ip ipsec policy
add action=none dst-address=192.168.0.0/24 src-address=0.0.0.0/0
set 1 group=NordVPN
but still,
My devices does get the VPN ip and are able to ping websites but cannot browse the internet.
maybe the MTU has to be changed to make it work? My pppoe MTU is 1480.
currently running RBD52G-5HacD2HnD-TC (hAP ac²)
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 11:19 am

The MTU on the PPPoE is no problem and are you sure the VPN is up again? I see now a set 1 group=NordVPN
add group=NordVPN proposal=NordVPN template=yes
or
set 1 group=NordVPN proposal=NordVPN template=yes
Check if your proposal is the same as I wrote or replace it with your own proposal.

Update: as Cindy pointed out my earlier advise to remove this line was wrong. My excuses for that.
Last edited by msatter on Fri Apr 17, 2020 11:32 am, edited 3 times in total.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
sindy
Forum Guru
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 11:19 am

Thanks Cindy. On a reconnect it would automatically get to the top of the list if I am correct. If added manually then a place-before=0 would do.
No. The dynamically created policy is always created right below the template from which it was created, so disconnection and reconnection change nothing about the position of the dynamically created policy relatively to the "don't steal traffic towards LAN" one.

Also, to remove the template with policy-group=NordVPN may not have been the best recommendation, as the removed template refers to a proposal named NordVPN which may differ from the one to which the default template refers.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 11:31 am

I have my template on the group=default. To have it positioned then, then the *T on should be on position 0. When adding it should land on the correct spot underneath *T.

Indeed removing the template and in my the posting above I have addressed that.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
sindy
Forum Guru
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 11:40 am

maybe the MTU has to be changed to make it work? My pppoe MTU is 1480.
The whole purpose of the added policy with action=none is to allow MSS be automatically adjusted to MTU using the normal mechanisms in case where it is already your Mikrotik, which knows that it would have to fragment the packets, that sends ICMP notifications about this back to the sender, which is the LAN PC. The sender then adjusts the MSS to the reported path MTU and re-sends an accordingly smaller part of the buffer in the packet. The action=none policy prevents packet sent by the Mikrotik itself to LAN subnet from being stolen by IPsec and sent down the tunnel instead.

If the path MTU auto-discovery mechanism is broken somewhere furher down the path from the sender to the destination, this rule won't help and you'll have to use an action=change-mss rule in /ip firewall mangle to assign a static value of new-mss, to overcome that mid-path issue.

If you cannot open any remote site, chances are high that your config is still wrong, and in that case post a complete configuration of the router (see my automatic signature right below for a hint on how to anonymize it and remove any authentication information).

If you can open some sites and cannot open others, the configuration at Mikrotik side is fine and it's the mid-path problem.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 11:54 am

Thanks Cindy and I have tried now for each of my VPN provides a dedicated line instead of the one default one.

First I see (print detail) the template, then the DA lines and underneath those the T line for ICMP. This after restarting the VPN connections.

I don't think a dedicated template is needed to have the ICMP going the correct direction and one default one should be sufficient.

So much still to learn. :-)

You are right Sindy having the line underneath the dynamic lines broke the ICMP and I could not save this posting nor preview it. Having a ICMP on default fixed that so it seems that an ICMP line on default is sufficient as long it is almost on the top. So the place-before=0 is possible and to not push the *T (template) of its position a place-before=1 is sufficient.

My current settings (adapted to the one of nemoonpc) :
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add action=none comment="Fragmented (ICMP 3/4) sent to clients. 192.168.21.0/24 10.10.10.0/24" dst-address=192.168.0.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=[REDACTED] proposal=[REDACTED] src-address=0.0.0.0/0 template=yes
Last edited by msatter on Fri Apr 17, 2020 12:28 pm, edited 3 times in total.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
nemoonpc
just joined
Posts: 8
Joined: Thu Jan 23, 2020 6:27 am
Location: Kuala Lumpur, Malaysia

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 12:19 pm

maybe the MTU has to be changed to make it work? My pppoe MTU is 1480.
The whole purpose of the added policy with action=none is to allow MSS be automatically adjusted to MTU using the normal mechanisms in case where it is already your Mikrotik, which knows that it would have to fragment the packets, that sends ICMP notifications about this back to the sender, which is the LAN PC. The sender then adjusts the MSS to the reported path MTU and re-sends an accordingly smaller part of the buffer in the packet. The action=none policy prevents packet sent by the Mikrotik itself to LAN subnet from being stolen by IPsec and sent down the tunnel instead.

If the path MTU auto-discovery mechanism is broken somewhere furher down the path from the sender to the destination, this rule won't help and you'll have to use an action=change-mss rule in /ip firewall mangle to assign a static value of new-mss, to overcome that mid-path issue.

If you cannot open any remote site, chances are high that your config is still wrong, and in that case post a complete configuration of the router (see my automatic signature right below for a hint on how to anonymize it and remove any authentication information).

If you can open some sites and cannot open others, the configuration at Mikrotik side is fine and it's the mid-path problem.
Currently still connection timed out for most websites.
I only assign 1 IP / device to the VPN tunnel ( address list in the firewall listed as local )
not sure if that would interfere with the ipsec policy with action=none
my router configs below:
# apr/17/2020 17:14:49 by RouterOS 6.46.5
# software id = KFRD-V8Q1
#
# model = RBD52G-5HacD2HnD
# serial number = *
/interface bridge
add admin-mac=74:4D:28:CB:14:22 auto-mac=no comment=defconf name=bridge
add name=unifi.iptv
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=malaysia distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-CB1426 wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=malaysia distance=\
    indoors frequency=auto installation=indoor mode=ap-bridge ssid="AMPHAC\C2\B2" wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500
add interface=ether1 name=vlan600 vlan-id=600
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan500 name=pppoe-tmunifi service-name="TM UNIFI VDSL2" user=*
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=\
    MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=sg197.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.20-192.168.0.50
add name=hs-pool-1 ranges=10.5.50.2-10.5.50.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=\
    local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/dude
set data-directory=disk1
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=unifi.iptv interface=vlan600
add bridge=unifi.iptv interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=pppoe-tmunifi list=WAN
/ip address
add address=192.168.0.250/24 comment=defconf interface=bridge network=192.168.0.0
add address=10.5.50.1/24 comment="hotspot network" interface=wlan1 network=10.5.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.1 client-id=1:9c:5c:8e:7b:c1:23 mac-address=9C:5C:8E:7B:C1:23 server=defconf
add address=192.168.0.10 client-id=1:10:62:eb:a3:e7:73 mac-address=10:62:EB:A3:E7:73 server=defconf
add address=192.168.0.5 client-id=1:c:98:38:d2:fc:63 mac-address=0C:98:38:D2:FC:63 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.250 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1111
/ip dns static
add address=192.168.0.250 comment=defconf name=router.lan
/ip firewall address-list
add address=*.sn.mynetname.net list=WAN-IP
add address=192.168.0.5 list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="WINBOX REMOTE ACCESS" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="MC Server 25565" dst-address-list=WAN-IP dst-port=25565 protocol=tcp \
    to-addresses=192.168.0.1 to-ports=25565
add action=dst-nat chain=dstnat comment="MC Server 25566" dst-address-list=WAN-IP dst-port=25566 protocol=tcp \
    to-addresses=192.168.0.1 to-ports=25566
/ip firewall service-port
set ftp disabled=yes
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN \
    policy-template-group=NordVPN username=abc@abc.a
/ip ipsec policy
add action=none dst-address=192.168.0.0/24 src-address=0.0.0.0/0
set 1 disabled=yes
add group=NordVPN proposal=NordVPN template=yes
/ipv6 address
add disabled=yes from-pool=pppoev6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-tmunifi pool-name=pppoev6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

currently running RBD52G-5HacD2HnD-TC (hAP ac²)
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 12:35 pm

You are using DOH and there also dynamic DNS servers from NordVPN active try it with DOH deactivated. Should not make a difference but better one captain on the ship.

Let me know if you find somthing and else just remove the current config and leave the defaults (also active) and do a new IPSEC NordVPN setup form the manuals/wiki.
Then add the ICMP in /ip pisec policy underneath the default *T (template) line and then start your NordVPN connection.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
sindy
Forum Guru
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 12:56 pm

Then add the ICMP in /ip pisec policy underneath the default *T (template) line and then start your NordVPN connection.
Not underneath, above!!! The ICMP packets from Mikrotik itself to the LAN hosts must hit the action=drop policy before hitting the dynamically created one!!!

Currently still connection timed out for most websites.
most and all are a difference. If there are websites which work, it means that the problem with the rest is not at your Mikrotik.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
sindy
Forum Guru
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 1:02 pm

Also, you have two LAN subnets, 192.168.0.0/24 for local devices and 10.5.50.0/24 for hotspot clients. So if it's the hotspot clients who experience this problem, you need a similar action=none policy also for that subnet.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 1:37 pm

Then add the ICMP in /ip pisec policy underneath the default *T (template) line and then start your NordVPN connection.
Not underneath, above!!! The ICMP packets from Mikrotik itself to the LAN hosts must hit the action=drop policy before hitting the dynamically created one!!
I wrote underneath the default and not underneath the NordVPN line(s) assuming ofcourse the default template (*T) is at position 0.
It is a manually created template so putting it at postion 0 is on the table again?

Edit: moving the default to position 0 can be done by the command:
move *ffffff destination=0
Last edited by msatter on Fri Apr 17, 2020 2:21 pm, edited 1 time in total.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
sindy
Forum Guru
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri Apr 17, 2020 2:21 pm

Sorry, I've focused on the T as template and missed the "default". You are right that as long as the default template is not actually used (which I guess is always the case for NordVPN), the default template may stay at the top and the ICMP-saving one may be below it.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
nemoonpc
just joined
Posts: 8
Joined: Thu Jan 23, 2020 6:27 am
Location: Kuala Lumpur, Malaysia

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Sun Apr 19, 2020 3:34 pm

Hmmm strange, then I am able to browse ipleak but gets this.
Does the proposal for the action=none fragmented ICMP policy has to set to the vpn proposal or just leave it as default?
Image
currently running RBD52G-5HacD2HnD-TC (hAP ac²)
 
sindy
Forum Guru
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Sun Apr 19, 2020 6:15 pm

Does the proposal for the action=none fragmented ICMP policy has to set to the vpn proposal or just leave it as default?
action=none doesn't need any proposal. The two issues the ipleak page indicates to you are unrelated to each other:
  • the WebRTC warning would be relevant if it showed the public IP of your WAN; as it shows a private IP on your LAN, it means that this IP leaks in the payload of the messages which the browser sends to the server. As these messages are most likely sent using https, there is no easy way how a VPN could modify their contents. Doing so would require a device performing a MITM attack based on generating a forged server certificate signed by a CA which your PC trusts, deciphering the messages, modifying them, and re-cipering them. So it is much easier and generally safer to run the PC on which you use the browser connectíng to WebRTC services on a private IP.
  • the DNS leakage happens if you access the actual server via VPN, but the DNS query used to resolve its domain name to an IP address is sent to a DNS server via your basic internet uplink, not via the VPN. If you are sure that you have configured the addresses of NordVPN's DNS servers in your PC's network configuration, you may want to use an action=dstnat rule in Mikrotik's firewall to redirect any DNS query coming from the PC to Mikrotik's own DNS server (if that one uses the NordVPN's servers) or directly to one of the NordVPN's DNS servers (the only scenario where this would make sense is if some application on the PC was ignoring the network configuration and using its own DNS servers, which is a behaviour the leakip page is unable to detect as it cannot request your browser to bypass normal DNS handling).
    If you have more than one network interface on the PC, it is possible that Windows on that PC are configured to send DNS queries via gateways asscociated to all network interfaces, bypassing regular routing rules. This used to be the default setting at certain time, maybe it still is. The purpose seems to be to get the response as fast as possible, assuming that the DNS may be better reachable via some other gateway than the one chosen by routing.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Sun Apr 19, 2020 7:03 pm

When I temember it well you use the DoH client in RouterOS to connect to Cloudflare. This DNS DoH traffic is not passing through the VPN because only your client IP 192.168.0.5 is using only the VPN.

The shortest way for now is to use the dynamic DNS server of NordVPN and disable DoH. This if you don't want to 'leak' DNS requests.
Your ISP can't look into your encrypted DNS requests and also not in your encrypted VPN connection. So the risks are minimal to none.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
nemoonpc
just joined
Posts: 8
Joined: Thu Jan 23, 2020 6:27 am
Location: Kuala Lumpur, Malaysia

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Sun Apr 19, 2020 9:37 pm

When I temember it well you use the DoH client in RouterOS to connect to Cloudflare. This DNS DoH traffic is not passing through the VPN because only your client IP 192.168.0.5 is using only the VPN.

The shortest way for now is to use the dynamic DNS server of NordVPN and disable DoH. This if you don't want to 'leak' DNS requests.
Your ISP can't look into your encrypted DNS requests and also not in your encrypted VPN connection. So the risks are minimal to none.
How do I disable DoH ? Currently I'm using 1.1.1.1 and disabled use peer dns on the ppooe connection. I don't see and DoH options in ROS, should I enable use peer dns (ppooe) and clear the custom dns ?
currently running RBD52G-5HacD2HnD-TC (hAP ac²)
 
tinus
just joined
Posts: 17
Joined: Thu Oct 27, 2005 9:01 pm

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Mon Apr 20, 2020 10:17 pm

Hi msatter,
I still have issue for NordVPN with IKEv2.
VPN connected, Ping and Traceroute no issue, but web browsing is still problem.
Disable fasttrack up-to use IPSEC policy and create a static policy handling the packets also not working.
Could you share your full config for NordVPN?
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Tue Apr 21, 2020 2:11 pm

I use the provided config by Mikrotik in the Wiki and I use connection-marking to selrct the traffic I want have handled by the VPN. Fasttracking and IPSEC is a no-no.

The policy has to be at the top in /ip ipsec policy table and the NordVPN lines underneath. To be sure the order is correct you could run: /ip ipsec policy print

The universal check is is when posting/editing in THIS forum to click or press the preview button and you will have your answer. No preview then your policy line to your local network does not work. If you get shown a preview then the policy line is working.

This ofcourse depends if you are visiting the forum.mikrotik.com through the VPN.

It is simple to check. sadly it seems not to be picked up or refered, to by anybody.
Mikrosoft...hahaha I wrote that instead of Mikrotik but that was my subconscious thinking the way Mikrotik is handling this problem. Frustrating it is. Support request went nowhere and I gave up.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
nemoonpc
just joined
Posts: 8
Joined: Thu Jan 23, 2020 6:27 am
Location: Kuala Lumpur, Malaysia

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Thu Apr 23, 2020 7:31 pm

update: I've added google dns to DNS tab, vpn dynamic servers does appear.
I also changed to Surfshark ikev2. The VPN still didn't work properly.
When I IPLeak test the connection for my device, ipv4 vpn ip is detected, but ISP ipv6 are also detected. The DNS detected are google dns, not the VPN dns. (ip leaked)
Then, I disabled ipv6 in the router, my device (vpn) could not get any internet anymore.

I also excluded ipsec from fasttrack and added mark connections in mangle
I doubt there are something to do with the DNS settings, or firewall, not sure.
and is there any ways that I can automatically disable ipv6 to the clients when using the VPN without actually disable IPv6 in the router?
# apr/24/2020 00:01:14 by RouterOS 6.46.5
# software id = KFRD-V8Q1
#
# model = RBD52G-5HacD2HnD
# serial number = **********
/interface bridge
add name=TMNETUNIFI.IPTV
add admin-mac=74:4D:28:CB:14:22 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=malaysia distance=\
    indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-CB1426 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=malaysia distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid="AMPHAC\C2\B2" wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500
add interface=ether1 name=vlan600 vlan-id=600
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan500 name=pppoe-tmunifi service-name=TMNET_UNIFI_VDSL2 user=\
    ***********
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=SSVPN responder=no src-address-list=vpnc
/ip ipsec policy group
add name=SSVPN
/ip ipsec profile
add name=SSVPN
/ip ipsec peer
add address=lv-rig.prod.surfshark.com disabled=yes exchange-mode=ike2 name=SSVPN profile=SSVPN
/ip ipsec proposal
add name=SSVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.20-192.168.0.60
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=DHCP
/interface bridge port
add bridge=TMNETUNIFI.IPTV comment="iptv bridge to Eth 2" interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=TMNETUNIFI.IPTV comment="vlan 600 bridge to iptv bridge" interface=vlan600
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=pppoe-tmunifi list=WAN
/ip address
add address=192.168.0.250/24 comment=defconf interface=ether4 network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.251 client-id=1:10:62:eb:a3:e7:73 mac-address=10:62:EB:A3:E7:73 server=DHCP
add address=192.168.0.5 client-id=1:c:98:38:d2:fc:63 mac-address=0C:98:38:D2:FC:63 server=DHCP
add address=192.168.0.1 client-id=1:9c:5c:8e:7b:c1:23 mac-address=9C:5C:8E:7B:C1:23 server=DHCP
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.250 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844
/ip dns static
add address=192.168.0.250 comment=defconf name=router.lan
/ip firewall address-list
add address=bef00a0a78c5.sn.mynetname.net list=WAN-IP
add address=192.168.0.5 list=vpnc
add address=192.168.0.1 disabled=yes list=vpnc
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="WINBOX REMOTE ACCESS" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    disabled=yes
add action=fasttrack-connection chain=forward comment="FastTrack w !ipsec" connection-mark=!ipsec connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="MC Server 25565" dst-address-list=WAN-IP dst-port=25565 protocol=tcp \
    to-addresses=192.168.0.1 to-ports=25565
add action=dst-nat chain=dstnat comment="MC Server 25566" dst-address-list=WAN-IP dst-port=25566 protocol=tcp \
    to-addresses=192.168.0.1 to-ports=25566
/ip ipsec identity
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict \
    mode-config=SSVPN peer=SSVPN policy-template-group=SSVPN username=***********
/ip ipsec policy
add action=none dst-address=192.168.0.0/24 src-address=0.0.0.0/0
set 1 disabled=yes
add group=SSVPN proposal=SSVPN template=yes
/ipv6 address
add from-pool=pppoev6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-tmunifi pool-name=pppoev6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=AMPHAC2
/system ntp client
set enabled=yes primary-ntp=203.95.213.129 secondary-ntp=162.159.200.123 server-dns-names=""
/system scheduler
add interval=5m name=DynDNS on-event=DynDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=DynDNS owner=amph policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global ddnsuser \"*************\"\r\
    \n:global ddnspass \"**************\"\r\
    \n:global theinterface \"pppoe-tmunifi\"\r\
    \n:global ddnshost \"***********\" \r\
    \n:global ipddns [:resolve \$ddnshost];\r\
    \n:global ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\r\
    \n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
    \n   :log info (\"DynDNS: No ip address on \$theinterface .\")\r\
    \n} else={\r\
    \n   :for i from=( [:len \$ipfresh] - 1) to=0 do={ \r\
    \n      :if ( [:pick \$ipfresh \$i] = \"/\") do={ \r\
    \n    :set ipfresh [:pick \$ipfresh 0 \$i];\r\
    \n      } \r\
    \n}\r\
    \n \r\
    \n:if (\$ipddns != \$ipfresh) do={\r\
    \n    :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\r\
    \n    :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\r\
    \n   :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\r\
    \n   :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\r\
    \n   /tool fetch address=members.dyndns.org src-path=\$str mode=http user=\$ddnsuser \\\r\
    \n         password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\r\
    \n    :delay 1\r\
    \n    :global str [/file find name=\"DynDNS.\$ddnshost\"];\r\
    \n    /file remove \$str\r\
    \n    :global ipddns \$ipfresh\r\
    \n  :log info \"DynDNS: IP updated to \$ipfresh!\"\r\
    \n    } else={\r\
    \n     :log info \"DynDNS: dont need changes\";\r\
    \n    }\r\
    \n} "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
currently running RBD52G-5HacD2HnD-TC (hAP ac²)
 
blackoutfolo
just joined
Posts: 5
Joined: Mon Apr 30, 2018 6:52 am

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Wed Apr 29, 2020 2:13 am

Hello,
I'am in the same situation: Devices does get the VPN ip and are able to ping websites but cannot browse the internet:


# apr/28/2020 10:35:35 by RouterOS 6.46.5
# software id = FQAZ-Y0T5
#
# model = RB760iGS
# serial number = **************
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.5.8.10-10.5.8.250
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3 name=dhcp1
/ip address
add address=10.5.8.254/24 interface=ether3 network=10.5.8.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.5.8.0/24 dns-server=103.86.96.100,103.86.99.100 gateway=\
10.5.8.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.5.8.0/24 list=local
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN password=******* peer=NordVPN \
policy-template-group=NordVPN username=******@******
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
0.0.0.0/0 template=yes
/system clock
set time-zone-name=******/********
/system logging
add prefix=vpn topics=ipsec
add action=none dst-address=10.5.8.0/24 src-address=0.0.0.0/0 place-before=0

What can i do?
You do not have the required permissions to view the files attached to this post.
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Wed Apr 29, 2020 2:43 am

You are not in the same situation because this topic goes about not being to see the preview in this forum due to problems of ICMP 3/4 packets not being return to the client by the router.

Please open a own topic on this.

Update:

I had quick look and is your DNS resolving?

You can test that quickly by opening a terminal and type:

:put [resolve nu.nl];

It should show then a IP address:
......> :put [resolve nu.nl];
13.224.67.24
Second update:
/ip pool
add name=dhcp_pool0 ranges=10.5.8.10-10.5.8.250
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3 name=dhcp1
/ip address
add address=10.5.8.254/24 interface=ether3 network=10.5.8.0
Seeing Ether3 but you screen shot says nordvpn-eth5.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits
 
blackoutfolo
just joined
Posts: 5
Joined: Mon Apr 30, 2018 6:52 am

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Fri May 01, 2020 9:33 am

Code: Select all
/ip pool
add name=dhcp_pool0 ranges=10.5.8.10-10.5.8.250
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3 name=dhcp1
/ip address
add address=10.5.8.254/24 interface=ether3 network=10.5.8.0
Seeing Ether3 but you screen shot says nordvpn-eth5
Yeah i change router for another test. The screenshot is for first router but config is same.
i have 13.224.67.118 after the command :put [resolve nu.nl];
 
mike7
just joined
Posts: 1
Joined: Sun Oct 28, 2018 12:20 am

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Tue May 26, 2020 5:44 pm

The default template will be moved to the top of the list if it was not already there. The second line should above (action=none) should be below default and above any added IKEv2 provider lines.

The explaination by Sindy.
Anyway, there should be a remedy - a static IPsec policy action=none src-address=0.0.0.0/0 dst-address=the.client's.subnet placed before the policy template which is used to build the dynamic policy with the responder-provided IP address as src-address. This action=none policy will shadow the dynamically generated one so even though the ICMP code 3 type 4 packet will likely get src-nated by the dynamic src-nat rule, it will not reach the dynamic policy (which would divert it into the tunnel) so it will make it to the client. The client won't care about the source address as it has no relevance for it, so it should adjust the size of the re-sent TCP packet and all the subsequent ones accordingly.
This solved my long standing problem. with that work around and many many thank to Sindy for suggesting this!

Looks like in the next release Mikrotik will place dynamic policies in the top of the list or I misunderstand something?
From 6.47rc2 changelog:
*) ipsec - place dynamically created IPsec policies at the begining of the table;
 
User avatar
eworm
Forum Veteran
Forum Veteran
Posts: 749
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Tue May 26, 2020 10:50 pm

I did fear the same, but looks like everything still works as expected.
Not sure what this change is supposed to do.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
msatter
Forum Guru
Forum Guru
Topic Author
Posts: 2013
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: MTU troubles using IKEv2 providers like NordVPN [work around]

Tue May 26, 2020 10:55 pm

No worries. I am running 6.47RC and nothing has changed there. The Dynamic are still grouped under their own specific template.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet.

Running:
RouterOS 6.48 / Winbox 3.27 64bits

Who is online

Users browsing this forum: Baidu [Spider], Bing [Bot], Google [Bot] and 210 guests