ashoka
just joined
Topic Author
Posts: 9
Joined: Wed Nov 04, 2020 11:08 pm

VLAN and ProtonVPN IPsec

Thu Dec 03, 2020 11:03 pm

Hi!
I switched from pfSense to ROS some days ago and I am still learning a lot. Thus, the problem I have is probably something evident for most of you.
I am trying to assign one of my VLANs to an IPsec tunnel to ProtonVPN, with a killswitch to avoid traffic leaking. These have been my resources:
viewtopic.php?t=143620
viewtopic.php?t=158227&sid=602382638fcd ... c1fafa894#
https://support.nordvpn.com/Connectivit ... ordVPN.htm
viewtopic.php?t=150222
viewtopic.php?f=23&t=169273

My router is a hAP ac2 and 4 VLANs have been defined there (BASE/management, VPN/protonVPN, CLRNET/normal and IoT). Three of the router's ports are trunks and the fifth one is an access port assigned to the management VLAN. As far as I know, the VLANs are working as expected. The IPsec tunnel is correctly established (I get an active peer and 2 SAs) but the traffic in the VPN VLAN is not redirected through ProtonVPN; if I activate the killswitch in the firewall mangle, all the traffic in that VLAN stops. I guess something is terribly wrong in the firewall rules.

Here is my config:
# dec/03/2020 21:48:43 by RouterOS 6.47.7
# software id = 4D0D-UL7C
#
# model = RBD52G-5HacD2HnD
# serial number = -----
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
add name=vpn_blackhole protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=10
add interface=BR1 name=VL20_VPN vlan-id=20
add interface=BR1 name=VL30_CLRNET vlan-id=30
add interface=BR1 name=VL40_IOT vlan-id=40
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add connection-mark=ProtonVPN name=ProtonVPN responder=no src-address-list=\
    vpn use-responder-dns=no
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=nl.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=\
    ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN \
    pfs-group=none
/ip pool
add name=VL20_POOL ranges=10.0.20.100-10.0.20.200
add name=VL30_POOL ranges=10.0.30.100-10.0.30.200
add name=VL40_POOL ranges=10.0.40.100-10.0.40.200
add name=BASE_POOL ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
add address-pool=VL20_POOL disabled=no interface=VL20_VPN name=VL20_DHCP
add address-pool=VL30_POOL disabled=no interface=VL30_CLRNET name=VL30_DHCP
add address-pool=VL40_POOL disabled=no interface=VL40_IOT name=VL40_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether4
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=10
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 untagged=ether5 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=40
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=VL20_VPN list=VLAN
add interface=VL30_CLRNET list=VLAN
add interface=VL40_IOT list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.10.1/24 interface=BASE_VLAN network=192.168.10.0
add address=10.0.20.1/24 interface=VL20_VPN network=10.0.20.0
add address=10.0.30.1/24 interface=VL30_CLRNET network=10.0.30.0
add address=10.0.40.1/24 interface=VL40_IOT network=10.0.40.0
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.30.203 client-id=**:**:**:**:**:** comment=\
    "Synology DS218+" mac-address=**:**:**:**:**:** server=VL30_DHCP
add address=10.0.30.200 comment="Supermicro X8SIL" mac-address=\
    **:**:**:**:**:** server=VL30_DHCP
add address=10.0.30.201 comment="IPMI in Supermicro X8SIL" mac-address=\
    **:**:**:**:**:** server=VL30_DHCP
add address=192.168.10.5 client-id=**:**:**:**:**:** comment=UAP-AC-LR \
    mac-address=**:**:**:**:**:** server=BASE_DHCP
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=192.168.10.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=192.168.10.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=192.168.10.1 gateway=10.0.40.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=10.0.30.203 name=jupiter.lan
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=192.168.10.0/24 comment="Allowed MGMT net" list=support
add address=10.0.20.0/24 list=vpn
/ip firewall filter
add action=accept chain=input comment="Allow established & related" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid on input" connection-state=\
    invalid log=yes log-prefix=!input_invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Accept DNS request from LAN" dst-port=\
    53 in-interface=!ether1 protocol=udp
add action=accept chain=input comment=\
    "Allow BASE_VLAN full access to the device (Winbox and SSH)" \
    in-interface=BASE_VLAN
add action=drop chain=input comment="Drop input" log=yes log-prefix=\
    !input_dropall
add action=accept chain=forward comment="Exclude VPN traffic from fasttrack" \
    src-address-list=vpn
add action=fasttrack-connection chain=forward comment=\
    "Fast Track established & related forward" connection-state=\
    established,related
add action=accept chain=forward comment="Allow established & related forward" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid on forward" \
    connection-state=invalid log=yes log-prefix=!forward_dropinvalid
add action=accept chain=forward comment="Accept Unifi TCP ports" \
    connection-state=established,related,new dst-address=10.0.30.203 \
    dst-port=8080,8443,8880,8843,6789 protocol=tcp src-address-list=support
add action=accept chain=forward comment="Accept Unifi UDP ports" \
    connection-state=established,related,new dst-address=10.0.30.203 \
    dst-port=10001,3478 protocol=udp src-address-list=support
add action=accept chain=forward comment=\
    "VLAN internet access only, NOT each other" connection-state=new \
    in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=bogons
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop all forward" log=yes log-prefix=\
    !forward_drop_all
/ip firewall mangle
add action=mark-routing chain=prerouting comment="VPN killswitch" \
    new-routing-mark=to_vpn passthrough=yes src-address-list=vpn
add action=change-mss chain=forward comment=\
    "VPN - Reduce MSS (should be about 1200 to 1400)" disabled=yes new-mss=\
    1360 passthrough=yes protocol=tcp src-address-list=vpn tcp-flags=syn \
    tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=ProtonVPN peer=ProtonVPN policy-template-group=\
    ProtonVPN username=<username>
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=\
    0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=vpn_blackhole routing-mark=to_vpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Router
/system logging
add topics=ipsec,!packet
/system ntp client
set enabled=yes primary-ntp=178.79.145.244 secondary-ntp=131.188.3.222
/system ntp server
set broadcast=yes enabled=yes
/tool bandwidth-server
set enabled=no

Thank you very much!
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN and ProtonVPN IPsec

Fri Dec 04, 2020 12:14 am

You have mode config with both connection-mark=ProtonVPN and src-address-list=vpn. I never tested it, but I assume that packets would need both the right source address and connection mark. But you have no connection marks. Remove connection-mark=ProtonVPN and it will probably work.

Btw, your "Exclude VPN traffic from fasttrack" rule allows access from 10.0.20.0/24 to anywhere and following "VLAN internet access only, NOT each other" has no effect on this traffic. You can add src-address-list=!vpn to fasttrack rule instead.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN and ProtonVPN IPsec

Fri Dec 04, 2020 12:30 am

You can add src-address-list=!vpn to fasttrack rule instead.
It wouldn't be enough. Packets with destination address in the VPN subnet would still match the action=fasttrack-connection rule. There is no way to modify the fasttrack-connection rule alone to avoid fasttracking what you don't want to be fasttracked, you always need at least one more rule.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN and ProtonVPN IPsec

Fri Dec 04, 2020 12:45 am

Ooops, you're right about src-address-list=!vpn not being enough. But together with dst-address-list=!vpn it should do the trick. Or not? I'd say yes, but I have to think twice before I disagree with you. :)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN and ProtonVPN IPsec

Fri Dec 04, 2020 12:58 am

It is too late for me (I do remember we share the time zone, but not the activity time 🙂 ) You are right, "only packets whose neither source nor destination is on the VPN address list" sounds sufficient. I even realize why I've made that mistake, you cannot express "ipsec-policy=in,ipsec or ipsec-policy=out,ipsec" in a single rule.
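The two corrections agreed on above (mode-config selecting clients by source address list only, and the fasttrack rule excluding any packet whose source or destination is in the "vpn" list) written out as one export-style fragment. This is an added example, not config from any of the posters. It assumes the address list "vpn" (10.0.20.0/24), the interface lists and the mode-config name from the posted export. The accept rule that requires ipsec-policy=out,ipsec for new connections from the VPN subnet is my own assumption about how to keep the "internet only" restriction for that VLAN without letting it bypass the tunnel; the thread does not state it.

```routeros
# Added example, RouterOS 6.x export syntax matching the original post.
# Assumes: address list "vpn" = 10.0.20.0/24, interface lists VLAN and WAN,
# policy group/proposal/peer named ProtonVPN, all as in the posted export.

# 1. Mode-config: no connection-mark. The original had connection-mark=ProtonVPN
#    as well, but no mangle rule ever sets that mark, so no packet could match.
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=vpn use-responder-dns=no

# 2. Forward chain. The fasttrack rule must skip packets in BOTH directions of
#    the VPN subnet; src-address-list=!vpn alone would still fasttrack the
#    return traffic whose destination is 10.0.20.x.
/ip firewall filter
add action=fasttrack-connection chain=forward \
    comment="Fasttrack established & related, except VPN subnet" \
    connection-state=established,related \
    src-address-list=!vpn dst-address-list=!vpn
add action=accept chain=forward comment="Allow established & related forward" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid on forward" \
    connection-state=invalid log=yes log-prefix=!forward_dropinvalid

# Assumption (not from the thread): new connections from the VPN VLAN are only
# accepted when they will leave through an IPsec policy. Plain internet-bound
# packets from 10.0.20.0/24 that do not match the policy are not accepted here
# and fall through to the final drop.
add action=accept chain=forward \
    comment="VPN VLAN: new connections only via IPsec policy (assumption)" \
    connection-state=new src-address-list=vpn ipsec-policy=out,ipsec

# The other VLANs keep the original rule, now explicitly excluding the VPN
# subnet so it cannot reach the WAN in the clear through this rule.
add action=accept chain=forward \
    comment="Other VLANs: internet access only, NOT each other" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN \
    src-address-list=!vpn
add action=drop chain=forward comment="Drop all forward" log=yes \
    log-prefix=!forward_drop_all
```

The original "Exclude VPN traffic from fasttrack" accept rule is intentionally gone: as noted above it accepted anything from 10.0.20.0/24 to anywhere, including the other VLANs. The mangle killswitch and MSS rules from the posted export are not reproduced here, since the thread does not settle them.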
 
ashoka
just joined
Topic Author
Posts: 9
Joined: Wed Nov 04, 2020 11:08 pm

Re: VLAN and ProtonVPN IPsec

Fri Dec 04, 2020 10:44 am

You have mode config with both connection-mark=ProtonVPN and src-address-list=vpn. I never tested it, but I assume that packets would need both the right source address and connection mark. But you have no connection marks. Remove connection-mark=ProtonVPN and it will probably work.

Thank you! I could connect through the VPN tunnel. At least, the IP is in the Netherlands, as expected. Nevertheless, it is getting my global system DNS and I cannot access some sites properly (probably MSS issues). I guess I will have to edit something more. Since a couple of versions ago, there is the variable use-responder-dns in the IPsec mode-config; but if I activate it, I get a dynamic DNS in the whole router that I want to avoid. I've seen some other posts with this issue and it seems that the only way to deal with that is editing the firewall. Please correct me if I am wrong.

Btw, your "Exclude VPN traffic from fasttrack" rule allows access from 10.0.20.0/24 to anywhere and following "VLAN internet access only, NOT each other" has no effect on this traffic. You can add src-address-list=!vpn to fasttrack rule instead.
...
It is too late for me (I do remember we share the time zone, but not the activity time 🙂 ) You are right, "only packets whose neither source nor destination is on the VPN address list" sounds sufficient. I even realize why I've made that mistake, you cannot express "ipsec-policy=in,ipsec or ipsec-policy=out,ipsec" in a single rule.

Yes... my firewall rules are far from perfect. I am still learning how to do it properly without breaking my current configuration. I have to test your suggestions.

Thank you again
