I have 4 VLANS, 192.168.10.xx, 192.168.20.xx,192.168.30.xx. and 192.168.88.xx for the MikroTik Router
.10 VLAN used for my usual LAN devices, .20 is used for the wireless, .30 is used to tunnel VPN through to Mullvad VPN. ports on the switch correspond to these VLANS.
My problem is I have a Apple TV in the .30 subnet which is going to MullVad VPN which works great as I am able to use my IPTV services which is the reason I set this up because ISP blocks.
However I have a Synology NAS on the .10 subnet which has my movie library. Since Apple TV is going through the VPN I am unable to playback the videos located on the local LAN in the .10 subnet.
Not sure what would be the best way to keep the VPN in place but have the Apple TV also have LAN access to 192.168.10 subnet to stream the local movies.
Any ideas?
My config below:
Code: Select all
# sep/04/2022 15:25:22 by RouterOS 7.5
#
# model = RB750Gr3
/interface bridge
add name=local
/interface wireguard
add listen-port=6561 mtu=1420 name=mullvad-upstream
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether2 name="Internal (VLAN 10)" vlan-id=10
add interface=ether2 name="Wifi (VLAN 20)" vlan-id=20
add interface=ether2 name=mullvad vlan-id=30
/interface list
add name=listBridge
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.10.4-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.4-192.168.20.254
add name=dhcp_pool3 ranges=192.168.30.4-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local name=dhcp1
add address-pool=dhcp_pool1 interface="Internal (VLAN 10)" name=dhcp2
add address-pool=dhcp_pool2 interface="Wifi (VLAN 20)" name=dhcp3
add address-pool=dhcp_pool3 interface=mullvad name=dhcp4
/port
set 0 name=serial0
/routing table
add fib name=mullvad
add fib name=mullvad
/interface bridge port
add bridge=local interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=local list=listBridge
add interface=ether2 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key="BmV3wi7rcHuU9Kv9K3v7XEdcUwkb5ufWVoRBu9k0XQ0="
add allowed-address=192.168.100.3/32 interface=wireguard1 public-key="BgFGVTDedLMCRJDyyoSkMmWOjyy7OdDNVH9ok7XMUSw="
add allowed-address=192.168.100.4/32 interface=wireguard1 public-key="IzwGDI5XRMbq6VGYCq2Nlk0ARS1XSC10Z3WjBD3JgXI="
add allowed-address=0.0.0.0/0,::/0 endpoint-address=185.195.232.66 endpoint-port=51820 interface=mullvad-upstream public-key=\
"VZwE8hrpNzg6SMwn9LtEqonXzSWd5dkFk62PrNWFW3Y="
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=192.168.10.1/24 interface="Internal (VLAN 10)" network=192.168.10.0
add address=192.168.20.1/24 interface="Wifi (VLAN 20)" network=192.168.20.0
add address=192.168.30.1/24 interface=mullvad network=192.168.30.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=10.66.197.130 interface=mullvad-upstream network=10.124.1.16
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.10.252 client-id=1:0:11:32:15:fe:bd mac-address=00:11:32:15:FE:BD server=dhcp2
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.88.1,8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.88.1,8.8.8.8 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.88.1,8.8.8.8 gateway=192.168.30.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.100.0/24
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
add action=accept chain=forward connection-mark=under_nordvpn
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=\
new in-interface=ether1
add action=accept chain=input protocol=udp
add action=accept chain=forward protocol=udp
add action=accept chain=input protocol=igmp
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=mullvad new-routing-mark=mullvad
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether1 protocol=tcp to-addresses=192.168.10.252 to-ports=25
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat in-interface=ether1 port=3389 protocol=tcp to-addresses=192.168.88.254
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=mullvad-upstream
/ip route
add dst-address=0.0.0.0/0 gateway=10.124.1.16 routing-table=mullvad
/ipv6 route
add dst-address=::/0 gateway=fc00:bbbb:bbbb:bb01::1%mullvad routing-table=mullvad
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.10.0/24,192.168.20.0/24,192.168.30.0/24
/ipv6 address
add address=fc00:bbbb:bbbb:bb01::3:c581 interface=*B
/ipv6 firewall filter
# no interface
add action=drop chain=input in-interface=*B
# no interface
add action=drop chain=forward connection-state=new in-interface=*B
/ipv6 firewall mangle
# in/out-interface matcher not possible when interface (ether2) is slave - use master instead (local)
add action=mark-routing chain=prerouting in-interface=ether2 new-routing-mark=mullvad passthrough=no
/ipv6 firewall nat
# no interface
add action=masquerade chain=srcnat out-interface=*B
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=ether1 upstream=yes
add interface=ether2
/routing rule
add action=lookup-only-in-table routing-mark=mullvad table=mullvad
add action=lookup-only-in-table routing-mark=mullvad table=mullvad
/system clock
set time-zone-name=Europe/London
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge