sentracctv
just joined
Topic Author
Posts: 1
Joined: Thu Jun 04, 2020 5:15 am

Nordvpn IPsec Mikrotik Routing

Thu Jun 04, 2020 5:26 am

Dear Experts,

I have Nordvpn running on my Mikrotik and I wish to route some destination addresses through this VPN, not all the traffic. I cannot find a way to route a destination IP range through this VPN. Is it possible to route some destination addresses or a destination IP range through this connection?

Thanks.
 
sindy
Forum Guru
Posts: 6311
Joined: Mon Dec 04, 2017 9:19 pm

Re: Nordvpn IPsec Mikrotik Routing

Sun Jun 07, 2020 11:06 pm

The easiest way is to configure connection-mark=via-NordVPN in the /ip ipsec mode-config row you use for the NordVPN identity, and use mangle rules to assign that connection-mark to connections you want to use the VPN:
/ip firewall mangle
add chain=prerouting dst-address-list=VPN-destinations connection-mark=no-mark action=mark-connection new-connection-mark=via-NordVPN
add chain=output dst-address-list=VPN-destinations connection-mark=no-mark action=mark-connection new-connection-mark=via-NordVPN


The first rule handles packets from LAN, the second one handles packets sent by the router itself (such as DNS queries). Populate the address list VPN-destinations with the addresses and ranges you want to be routed via the VPN.

If you want to prevent traffic to those destinations from being sent out if the VPN is down, you'll need another step - translate the connection-mark to some routing-mark for outgoing traffic, and create a default route with that routing-mark with gateway set to br-blackhole, where br-blackhole is a bridge interface with no member ports:

/interface bridge add name=br-blackhole protocol-mode=none

/ip route add routing-mark=NordVPN-only gateway=br-blackhole

/ip firewall mangle add chain=prerouting in-interface-list=!WAN connection-mark=via-NordVPN action=mark-routing new-routing-mark=NordVPN-only


You have to decide what you want to do with DNS queries when/if the VPN is down.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Zdravac
just joined
Posts: 3
Joined: Wed Sep 25, 2019 3:11 pm

Re: Nordvpn IPsec Mikrotik Routing

Sat Oct 24, 2020 11:15 am

Hello mikrotik experts & users!

I have a strange problem after configuring the NordVPN IKEv2 IPsec tunnel.
I followed their instructions step by step, and it works. When I run a speedtest, I see the server location corresponding to the chosen NordVPN server location and I'm satisfied with the up/down speed.
It works OK with my laptop (Macbook Air) and Mac mini. It also works on my other Windows laptop.

Here comes the problem:
The problem comes with Android devices: a Fire stick 4K and another Android TV box (Tanix mx3 mini). For example, the Fire stick says it cannot connect to the Amazon server, or, for example, sometimes when it connects, or on the other Android TV box, the Youtube app doesn't start a video (but I see live icons, as if it has an internet connection).
When I run the Analiti app, the download speed shows OK, but the upload test can't even start.
If I just disable the Fire stick local addresses assigned to the VPN tunnel in Firewall / Address list, everything works fine, so obviously it is some kind of VPN tunnel problem.
But even stranger, I have an IPTV app (TiVi Mate) on the Fire stick and the Android TV box, and this app runs perfectly through the VPN, and the Youtube app doesn't ???

I'm quite sure that I've configured the VPN on the mikrotik OK (it's explained in the tutorial very well), and other than this tunnel, my mikrotik is practically on default settings.

Have any of you had similar problems with Fire stick and Nord VPN?
If I run the NordVPN app on the Fire stick, it runs without problems. So could it be a codec or protocol issue?

PS
I'm a newbie, not network expert, I configured it step by step following tutorial. Mikrotik router is Mikrotik hEX S (RB760iGS)
If it will be needed, I can put config. here. Thank you for all kind friends who are willing to help!
 
msatter
Forum Guru
Posts: 1981
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Nordvpn IPsec Mikrotik Routing

Sat Oct 24, 2020 3:27 pm

/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=168.192.88.0/24 src-address=0.0.0.0/0 place-before=1
Replace 168.192.88.0/24 by your own local network.

viewtopic.php?f=2&t=154449&p=763404#p763404
One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.48beta58 / Winbox 3.27 64bits / MikroTik APP 1.3.15
 
Zdravac
just joined
Posts: 3
Joined: Wed Sep 25, 2019 3:11 pm

Re: Nordvpn IPsec Mikrotik Routing

Sat Oct 24, 2020 3:59 pm

OMG, it works now! Thank you so much!

I actually saw your linked topic earlier and, following the advice there, I tried to press "Preview" on my written post, and it opened in a very short time, so I had no doubt about the MTU. Obviously, I did not do this thoroughly.

Thanks again, but beware: more questions are coming because I very much love RouterOS and my hEX S router :)
I'm starting to configure more and more local network settings (of course, god bless backup :)))
 
msatter
Forum Guru
Posts: 1981
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Nordvpn IPsec Mikrotik Routing

Sat Oct 24, 2020 5:06 pm

OMG, it works now! Thank you so much!

I actually saw your linked topic earlier and, following the advice there, I tried to press "Preview" on my written post, and it opened in a very short time, so I had no doubt about the MTU. Obviously, I did not do this thoroughly.

Thanks again, but beware: more questions are coming because I very much love RouterOS and my hEX S router :)
I'm starting to configure more and more local network settings (of course, god bless backup :)))
Sindy helped me on this one, and I could not have done it without Sindy's help; I would not have solved it. I don't understand why Mikrotik development is not picking up on this solution!
 
picturepete
just joined
Posts: 4
Joined: Wed Nov 18, 2020 10:52 pm

Re: Nordvpn IPsec Mikrotik Routing

Wed Nov 18, 2020 11:01 pm

Hi

I have a hAP Lite and have set up the nordvpn as per the instructions on this and the nordvpn web site. As a standard router the bandwidth reads as 56Mb down and 20Mb up; with the vpn in situ the download is about 17Mb, which is OK, but the upload is basically nothing.1 or less. Is there something silly I am doing?

Cheers Pete
 
sindy
Forum Guru
Posts: 6311
Joined: Mon Dec 04, 2017 9:19 pm

Re: Nordvpn IPsec Mikrotik Routing

Thu Nov 19, 2020 8:05 pm

I ... have set up the nordvpn as per the instructions on this and nordvpn web site ... but the upload is basically nothing.1 or less. Is there something silly I am doing?
Most often people forget to exclude the traffic which should go via IPsec VPN from fasttracking. So if you have a chain=forward action=fasttrack-connection ... rule in /ip firewall filter, disable it and test the speed using a new test connection. If it helps, and if you use the device also for normal access to internet, you may want to selectively exclude only the IPsec VPN traffic from fasttracking. If so, post your complete configuration export, minus sensitive data - see my automatic signature below for a mini-howto.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
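
The following is an added example, not part of sindy's posts or of anyone's configuration in this thread: a Python check that reads a RouterOS v6 /export and reports which of the pieces discussed above are missing (the mode-config connection-mark, a fasttrack rule that leaves VPN connections alone, and the br-blackhole default route for the routing-mark). The sample export is constructed, the function names are hypothetical, and excluding VPN traffic with connection-mark=!via-NordVPN on the fasttrack rule is an assumption about how the exclusion is done, since the post does not prescribe a method.

```python
import shlex

# Constructed sample export (not a config from the thread); names follow sindy's posts.
SAMPLE_EXPORT = r"""
/interface bridge
add name=br-blackhole protocol-mode=none
/ip ipsec mode-config
add connection-mark=via-NordVPN name=NordVPN responder=no
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=VPN-destinations new-connection-mark=via-NordVPN
add action=mark-routing chain=prerouting connection-mark=via-NordVPN \
    in-interface-list=!WAN new-routing-mark=NordVPN-only
/ip route
add gateway=br-blackhole routing-mark=NordVPN-only
"""

def parse_export(text):
    """Yield (menu, params) for each 'add' row of a RouterOS v6 /export."""
    menu = None
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            yield menu, dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)

def audit(text, mark="via-NordVPN"):
    """Return the names of the failed checks: mode-config, fasttrack, killswitch."""
    rows = list(parse_export(text))
    def sel(menu, **want):
        return [p for m, p in rows if m == menu and all(p.get(k) == v for k, v in want.items())]
    failed = []
    if not sel("/ip ipsec mode-config", **{"connection-mark": mark}):
        failed.append("mode-config")   # no mode-config row carries the connection-mark
    fast = sel("/ip firewall filter", action="fasttrack-connection")
    if any(p.get("connection-mark") != "!" + mark for p in fast):
        failed.append("fasttrack")     # a fasttrack rule does not exclude the VPN mark
    bridges = {p.get("name") for p in sel("/interface bridge")}
    bridges -= {p.get("bridge") for p in sel("/interface bridge port")}  # keep port-less bridges
    tables = {p.get("new-routing-mark") for p in
              sel("/ip firewall mangle", action="mark-routing", **{"connection-mark": mark})}
    routes = sel("/ip route")
    if not any(r.get("routing-mark") in tables and r.get("gateway") in bridges for r in routes):
        failed.append("killswitch")    # no route sends the routing-mark to an empty bridge
    return failed
```

On the constructed sample, `audit(SAMPLE_EXPORT)` reports only the fasttrack check, because the filter rule there fasttracks every forwarded connection.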
 
erkexzcx
Frequent Visitor
Posts: 68
Joined: Mon Oct 07, 2019 11:42 pm

Re: Nordvpn IPsec Mikrotik Routing

Fri Nov 20, 2020 2:52 am

I wrote a mini guide here that covers fasttrack, MSS reduction and killswitch: viewtopic.php?f=23&t=169273
 
picturepete
just joined
Posts: 4
Joined: Wed Nov 18, 2020 10:52 pm

Re: Nordvpn IPsec Mikrotik Routing

Tue Nov 24, 2020 12:58 pm

Thanks, it was indeed the fasttrack causing the problem, though running a speedtest I get the top speed downloading but uploading seems to hang for a few seconds and then starts climbing up to about half the normal bandwidth. I also have a strange behaviour: when connected to a NordVPN UK host, the BBC detects it as if I am not in the UK and blocks UK content such as iPlayer. I am in the UK and just trying to set up a permanent VPN through the router.
 
erkexzcx
Frequent Visitor
Posts: 68
Joined: Mon Oct 07, 2019 11:42 pm

Re: Nordvpn IPsec Mikrotik Routing

Tue Nov 24, 2020 1:15 pm

when connected to a NordVPN UK host, the BBC detects it as if I am not in the UK and blocks UK content such as iPlayer.
Make sure you are using NordVPN DNS provided by VPN server.
 
picturepete
just joined
Posts: 4
Joined: Wed Nov 18, 2020 10:52 pm

Re: Nordvpn IPsec Mikrotik Routing

Tue Nov 24, 2020 1:47 pm

Very strange: if I use the router address as the DNS server with the NordVPN then it shows the DNS as in Frankfurt; if I override the DNS in the client settings it is all OK. I might add that the dynamic and fixed IP addresses are the NordVPN DNS's.
 
picturepete
just joined
Posts: 4
Joined: Wed Nov 18, 2020 10:52 pm

Re: Nordvpn IPsec Mikrotik Routing

Tue Nov 24, 2020 10:22 pm

So the problem with the BBC not recognising I'm in the UK is explained here by NordVPN

'We have contacted the technicians regarding this issue, and it seems that the DNS requests are not going through a VPN tunnel. Therefore, we can say that the connection is leaking.

Unfortunately, it seems that the issue is not related to the configuration nor to the VPN server or our infrastructure. As mentioned, your device fails to forward the DNS requests to the VPN tunnel. Lastly, we recommend upgrading or downgrading device firmware. If nothing works - contact the manufacturer's support.'
