Hello Anav. Thank you for the answer!!!

There is no requirement for a separate kill switch when using WireGuard in this kind of setup, and WireGuard itself does not leak: the WireGuard interface stays "running" whether or not the peer answers, so the default route inside the VPN table stays active and packets sent into it are simply dropped while the tunnel is down. It looks like you only have one IP address using Surfshark WireGuard. If the Surfshark connection is down, the router does not route that traffic anywhere else — provided the traffic is pinned to the VPN table with lookup-only-in-table (a plain lookup, or a bare mark-routing, is expected to fall back to the main table when the VPN table has no usable route) and the forward chain does not also allow the same sources out of the WAN interface. With those two conditions met, a kill switch is not needed.
Could you please post your settings? I'm trying to migrate from IKEv2 to WireGuard, but I can't manage it...

I've successfully set up the Surfshark WireGuard VPN...
I am more familiar with using routing rules...........
in this case lets say I have three subnets........ 192.168.0.0/24, 192.168.30.0/24, 192.168.50.0/24
and assume there is some need for intervlan traffic, shared printer even......
Then I would do
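/routing table
# A table with the fib flag, as in the posted exports, so its routes are
# installed; the parameter is name=, not table=.
add fib name=use-WG
/ip route
# Default route that exists only inside use-WG. The main table keeps its own
# ISP default; traffic reaches this table solely through the routing rules.
add dst-address=0.0.0.0/0 gateway=wg-interface-name routing-table=use-WG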
Routing rules
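/routing rule
# Rules are evaluated top-down, first match wins: the local-destination rule
# must stay above the per-source rules or VLAN-to-VLAN traffic is sent into
# the tunnel. 192.168.0.0/18 spans 192.168.0.0-192.168.63.255, so it covers
# all three example subnets (.0, .30, .50).
add dst-address=192.168.0.0/18 action=lookup-only-in-table table=main comment="keeps local traffic possible"
# lookup-only-in-table (the exact action name; "look-up-..." is not valid):
# no usable route in use-WG means the packet is dropped, never sent via main.
add src-address=192.168.0.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.30.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.50.0/24 action=lookup-only-in-table table=use-WG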
The lookup-only-in-table action means: if there is no matching route in the designated table, DO NOT look for an alternative.
If we had used plain 'lookup' instead, the router is instructed, when there is no route in the designated table, to see whether there is an available route in the main table — which is exactly the fallback to the ISP that a kill switch is meant to prevent.
Here is my config:

Well, I would have to see the context of the entire config — why are you mangling now?
# RouterOS 7.10.2
# model = RB5009UG+S+
# Surfshark WireGuard export with wifi/CAPsMAN. Intent as posted: every VLAN
# reaches the internet via ether1; the single host in GUEST-DEVICE1 is
# routing-marked into table "surfshark" (WireGuard).
/interface bridge
# ingress-filtering=no: ports also accept frames for VLANs they are not
# members of; acceptable while testing, revisit once the VLAN table is final.
add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes
/interface wireguard
# The private key is never part of /export; only port and MTU appear here.
add listen-port=51820 mtu=1420 name=wireguard-surfshark
/interface vlan
add interface=LAN-BRIDGE name=GEUST_VLAN vlan-id=30
add interface=LAN-BRIDGE name=TEST_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
# GUEST_VLAN list has no members and no rule references it in this export.
add name=GUEST_VLAN
/interface wifiwave2 channel
add disabled=no frequency=2300-7300 name=5GHz width=20/40/80mhz
add disabled=no frequency=2300-7300 name=2GHz width=20/40mhz
/interface wifiwave2 datapath
add bridge=LAN-BRIDGE disabled=no name=GUEST vlan-id=30
/interface wifiwave2 security
# WPS is disabled on all three profiles; the guest SSID stays on WPA2-PSK.
add authentication-types=wpa3-psk disabled=no name=WPA3 wps=disable
add authentication-types=wpa2-psk disabled=no name=WPA2 wps=disable
add authentication-types=wpa2-psk disabled=no name=GUEST wps=disable
/interface wifiwave2 configuration
add country="United States" disabled=no name=HOME-5GHz security=WPA3 ssid=\
HOME-5GHz
add country="United States" disabled=no name=HOME-2GHz security=WPA2 ssid=\
HOME-2GHz
add country="United States" datapath=GUEST disabled=no name=GUEST security=\
GUEST ssid=GUEST
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN-BRIDGE name=dhcp1
add address-pool=dhcp_pool1 interface=TEST_VLAN name=dhcp2
add address-pool=dhcp_pool2 interface=GEUST_VLAN name=dhcp3
/routing table
add disabled=no fib name=surfshark
/interface bridge port
add bridge=LAN-BRIDGE interface=sfp-sfpplus1
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
add bridge=LAN-BRIDGE interface=ether8
/interface bridge vlan
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 vlan-ids=30
/interface list member
add interface=ether1 list=WAN
add interface=GEUST_VLAN list=VLAN
add interface=LAN-BRIDGE list=VLAN
add interface=TEST_VLAN list=VLAN
/interface wifiwave2 capsman
# require-peer-certificate=no: CAPs are accepted without presenting a
# certificate to this CAPsMAN. Consider =yes once the AP (192.168.1.2 below)
# has its certificate, so a foreign CAP reaching the LAN cannot be
# auto-provisioned with the HOME SSID profiles.
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=HOME-5GHz \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=HOME-2GHz \
    slave-configurations=GUEST supported-bands=2ghz-n
/interface wireguard peers
# allowed-address=0.0.0.0/0 is what a full-tunnel client needs: any source is
# accepted from this peer and every destination is routable to it. The key
# shown is the provider's public key, not a secret. No persistent-keepalive.
add allowed-address=0.0.0.0/0 endpoint-address=us-chi.prod.surfshark.com \
    endpoint-port=51820 interface=wireguard-surfshark public-key=\
    "DpMfulanF/MVHmt3AX4dqLqcyE0dpPqYBjDlWMaUI00="
/ip address
add address=192.168.1.1/24 interface=LAN-BRIDGE network=192.168.1.0
add address=192.168.20.1/24 interface=TEST_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GEUST_VLAN network=192.168.30.0
add address=10.14.0.2/16 interface=wireguard-surfshark network=10.14.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.2 client-id=1:48:a9:8a:8b:48:ef comment=AX-AP mac-address=\
    48:A9:8A:8B:48:EF server=dhcp1
add address=192.168.30.11 client-id=1:0:c:29:f8:91:1b comment=TEST-CLIENT \
    mac-address=00:0C:29:F8:91:1B server=dhcp3
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
# TEST_VLAN hands out no dns-server option at all.
add address=192.168.20.0/24 gateway=192.168.20.1
# Guest clients get a public resolver. Only 192.168.30.11 is routing-marked
# below, so every other guest host sends these queries out ether1 in the
# clear rather than through the tunnel.
add address=192.168.30.0/24 dns-server=162.252.172.57 gateway=192.168.30.1
/ip dns
# The router resolves for whoever the input chain admits; that chain only
# accepts the VLAN list, so neither the WAN nor the tunnel can use it.
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.30.11 list=GUEST-DEVICE1
/ip firewall filter
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
# Every VLAN, guest included, reaches every router service (winbox, ssh,
# www, ...); no /ip service address restriction appears in this export.
# A guest network normally gets only DNS/DHCP here.
add action=accept chain=input comment="ALLOW VLAN ACCESS ROUTER SERVICES" \
    in-interface-list=VLAN
add action=drop chain=input comment=DROP
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
# Also matches the routing-marked guest host. NOTE(review): a mangle mark
# alone does not pin it to table "surfshark" the way lookup-only-in-table
# would; if that table has no usable route (interface disabled/removed) the
# lookup is expected to fall through to main and this rule lets the host out
# ether1 - i.e. no kill switch. Confirm by disabling the WG interface and
# watching this rule's counters.
add action=accept chain=forward comment="ALL VLANS INTERNET ACCESS ONLY" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Matches every VLAN, not only guest (comment label also mis-names the
# interface: it is WireGuard/Surfshark, not Wireshark).
add action=accept chain=forward comment="ALLOW GUEST VLAN TO WIRESHARK ACCESS" \
    connection-state=new in-interface-list=VLAN out-interface=\
    wireguard-surfshark
# No inter-VLAN accept rule exists, so VLAN-to-VLAN traffic ends here.
add action=drop chain=forward comment=DROP
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
# The mark is not limited by destination: traffic from this host to the other
# local subnets is also looked up in "surfshark", whose only route is the
# default. A dst-address routing rule for the local ranges (as suggested in
# the thread) is the usual way to keep local traffic on the main table.
add action=mark-routing chain=prerouting new-routing-mark=surfshark \
    passthrough=no src-address-list=GUEST-DEVICE1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard-surfshark
/ip route
# Default route that exists only in table "surfshark".
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard-surfshark \
    routing-table=surfshark suppress-hw-offload=no
Hahah, no I just have a life LOL.
...
I prefer the simpleton approach with wifi settings that just deal in wifi.
...
The only reason I ever fathomed to use capsman is that one needs to isolate wifi users from landline users in the same subnet, which is rare.
# RouterOS 7.10.2
# model = RB5009UG+S+
# Same Surfshark WireGuard export with the wifi/CAPsMAN sections stripped.
# Intent as posted: every VLAN reaches the internet via ether1; the single
# host in GUEST-DEVICE1 is routing-marked into table "surfshark".
/interface bridge
# ingress-filtering=no: ports also accept frames for VLANs they are not
# members of; acceptable while testing, revisit once the VLAN table is final.
add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes
/interface wireguard
# The private key is never part of /export; only port and MTU appear here.
add listen-port=51820 mtu=1420 name=wireguard-surfshark
/interface vlan
add interface=LAN-BRIDGE name=GEUST_VLAN vlan-id=30
add interface=LAN-BRIDGE name=TEST_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
# GUEST_VLAN list has no members and no rule references it in this export.
add name=GUEST_VLAN
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN-BRIDGE name=dhcp1
add address-pool=dhcp_pool1 interface=TEST_VLAN name=dhcp2
add address-pool=dhcp_pool2 interface=GEUST_VLAN name=dhcp3
/routing table
add disabled=no fib name=surfshark
/interface bridge port
add bridge=LAN-BRIDGE interface=sfp-sfpplus1
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
add bridge=LAN-BRIDGE interface=ether8
/interface bridge vlan
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 vlan-ids=30
/interface list member
add interface=ether1 list=WAN
add interface=GEUST_VLAN list=VLAN
add interface=LAN-BRIDGE list=VLAN
add interface=TEST_VLAN list=VLAN
/interface wireguard peers
# allowed-address=0.0.0.0/0 is what a full-tunnel client needs: any source is
# accepted from this peer and every destination is routable to it. The key
# shown is the provider's public key, not a secret. No persistent-keepalive.
add allowed-address=0.0.0.0/0 endpoint-address=us-chi.prod.surfshark.com \
    endpoint-port=51820 interface=wireguard-surfshark public-key=\
    "DpMfulanF/MVHmt3AX4dqLqcyE0dpPqYBjDlWMaUI00="
/ip address
add address=192.168.1.1/24 interface=LAN-BRIDGE network=192.168.1.0
add address=192.168.20.1/24 interface=TEST_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GEUST_VLAN network=192.168.30.0
add address=10.14.0.2/16 interface=wireguard-surfshark network=10.14.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.30.11 client-id=1:0:c:29:f8:91:1b comment=TEST-CLIENT \
    mac-address=00:0C:29:F8:91:1B server=dhcp3
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
# TEST_VLAN hands out no dns-server option at all.
add address=192.168.20.0/24 gateway=192.168.20.1
# Guest clients get a public resolver. Only 192.168.30.11 is routing-marked
# below, so every other guest host sends these queries out ether1 in the
# clear rather than through the tunnel.
add address=192.168.30.0/24 dns-server=162.252.172.57 gateway=192.168.30.1
/ip dns
# The router resolves for whoever the input chain admits; that chain only
# accepts the VLAN list, so neither the WAN nor the tunnel can use it.
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.30.11 list=GUEST-DEVICE1
/ip firewall filter
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
# Every VLAN, guest included, reaches every router service (winbox, ssh,
# www, ...); no /ip service address restriction appears in this export.
# A guest network normally gets only DNS/DHCP here.
add action=accept chain=input comment="ALLOW VLAN ACCESS ROUTER SERVICES" \
    in-interface-list=VLAN
add action=drop chain=input comment=DROP
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
# Also matches the routing-marked guest host. NOTE(review): a mangle mark
# alone does not pin it to table "surfshark" the way lookup-only-in-table
# would; if that table has no usable route (interface disabled/removed) the
# lookup is expected to fall through to main and this rule lets the host out
# ether1 - i.e. no kill switch. Confirm by disabling the WG interface and
# watching this rule's counters.
add action=accept chain=forward comment="ALL VLANS INTERNET ACCESS ONLY" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Matches every VLAN, not only guest (comment label also mis-names the
# interface: it is WireGuard/Surfshark, not Wireshark).
add action=accept chain=forward comment="ALLOW GUEST VLAN TO WIRESHARK ACCESS" \
    connection-state=new in-interface-list=VLAN out-interface=\
    wireguard-surfshark
# No inter-VLAN accept rule exists, so VLAN-to-VLAN traffic ends here.
add action=drop chain=forward comment=DROP
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
# The mark is not limited by destination: traffic from this host to the other
# local subnets is also looked up in "surfshark", whose only route is the
# default. A dst-address routing rule for the local ranges (as suggested in
# the thread) is the usual way to keep local traffic on the main table.
add action=mark-routing chain=prerouting new-routing-mark=surfshark \
    passthrough=no src-address-list=GUEST-DEVICE1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard-surfshark
/ip route
# Default route that exists only in table "surfshark".
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard-surfshark \
    routing-table=surfshark suppress-hw-offload=no
@anav
Then I would do
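/routing table
# A table with the fib flag, as in the posted exports, so its routes are
# installed; the parameter is name=, not table=.
add fib name=use-WG
/ip route
# Default route that exists only inside use-WG. The main table keeps its own
# ISP default; traffic reaches this table solely through the routing rules.
add dst-address=0.0.0.0/0 gateway=wg-interface-name routing-table=use-WG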
Routing rules
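/routing rule
# Rules are evaluated top-down, first match wins: the local-destination rule
# must stay above the per-source rules or VLAN-to-VLAN traffic is sent into
# the tunnel. 192.168.0.0/18 spans 192.168.0.0-192.168.63.255, so it covers
# all three example subnets (.0, .30, .50).
add dst-address=192.168.0.0/18 action=lookup-only-in-table table=main comment="keeps local traffic possible"
# lookup-only-in-table (the exact action name; "look-up-..." is not valid):
# no usable route in use-WG means the packet is dropped, never sent via main.
add src-address=192.168.0.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.30.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.50.0/24 action=lookup-only-in-table table=use-WG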
The lookup-only-in-table action means: if there is no matching route in the designated table, DO NOT look for an alternative.
If we had used plain 'lookup' instead, the router is instructed, when there is no route in the designated table, to see whether there is an available route in the main table — which is exactly the fallback to the ISP that a kill switch is meant to prevent.
Ok, in this case something is wrong on my side.

If you look carefully at the first routing rule... what does it say?
Any traffic heading for a local subnet shall be routed using the main table aka it will flow!!
Then after that traffic has been taken care of, the rules deal with wireguard traffic.
So no need for mangling and local traffic will be respected.
Ok, I give up.

Do you have a forward chain rule allowing access to the server??
Typically if you have vlans you need a rule.
add chain=forward action=accept in-interface-list=VLAN dst-address=server_IP
You could narrow this down to just one subnet to the server or a list of allowed LANIPs to the server.
/routing rule
# Pair-wise pins so 192.168.9.0/24 <-> 192.168.10.0/24 traffic is resolved in
# the main table (where the connected routes live) instead of the VPN table.
# Must sit above the src-address rules that send these subnets to NORDVPN.
add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 src-address=192.168.9.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 src-address=192.168.10.0/24 table=main
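# NordVPN WireGuard policy-routing export, first version as posted.
# Review changes: the two catch-all drop rules are re-enabled, the "ALLOW LAN"
# input rule is pinned to non-WAN ingress, and two run-together tokens
# ("VLAN-TESTvlan-id", "ISPlist") are split back into separate parameters.
# Everything else is unchanged and annotated.
/interface bridge
add name=BRIDGE-LAN vlan-filtering=yes
/interface pppoe-client
# PPPoE session is the WAN; its default route lands in the main table.
add add-default-route=yes disabled=no interface=ether1 name=ISP user=username533
/interface wireguard
# The private key is never part of /export.
add listen-port=51820 mtu=1420 name=WG-NORDVPN
/interface vlan
add interface=BRIDGE-LAN name=VLAN-LAN_VPN vlan-id=9
# was "name=VLAN-TESTvlan-id=10": a missing space that makes the line unparseable.
add interface=BRIDGE-LAN name=VLAN-TEST vlan-id=10
add interface=BRIDGE-LAN name=VLAN-GUEST vlan-id=100
/interface list
add name=WAN
add name=VLAN
/ip pool
add name=POOL-LAN ranges=192.168.1.2-192.168.1.254
add name=POOL-LAN_VPN ranges=192.168.9.2-192.168.9.254
add name=POOL-TEST ranges=192.168.10.2-192.168.10.254
add name=POOL-GUEST ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=POOL-LAN interface=BRIDGE-LAN name=DHCP-LAN
add address-pool=POOL-LAN_VPN interface=VLAN-LAN_VPN name=DHCP-LAN_VPN
add address-pool=POOL-TEST interface=VLAN-TEST name=DHCP-TEST
add address-pool=POOL-GUEST interface=VLAN-GUEST name=DHCP-GUEST
/routing table
add disabled=no fib name=NORDVPN
/interface bridge port
# sfp-sfpplus1 is a bridge member yet also carries 192.168.1.1/24 below. With
# vlan-filtering on, an address on a member port is not how the router is
# normally reached - make 192.168.1.0/24 a VLAN or take the port off the bridge.
add bridge=BRIDGE-LAN interface=sfp-sfpplus1
add bridge=BRIDGE-LAN interface=ether2
add bridge=BRIDGE-LAN interface=ether3 pvid=9
add bridge=BRIDGE-LAN interface=ether4 pvid=10
add bridge=BRIDGE-LAN interface=ether5
add bridge=BRIDGE-LAN interface=ether6
# pvid=30, but no /interface vlan, IP address or DHCP exists for VLAN 30 in
# this export; untagged hosts on ether7 land in a VLAN with no L3 gateway.
add bridge=BRIDGE-LAN interface=ether7 pvid=30
add bridge=BRIDGE-LAN interface=ether8
/interface bridge vlan
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=9
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2 vlan-ids=10
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN vlan-ids=20
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether6 vlan-ids=30
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=100
/interface list member
# was "interface=ISPlist=WAN" (missing space).
add interface=ISP list=WAN
add interface=VLAN-LAN_VPN list=VLAN
add interface=VLAN-TEST list=VLAN
# VLAN-TEST_SECURE is not defined anywhere in this export; the line will
# likely be rejected on import. Remove it or create the VLAN.
add interface=VLAN-TEST_SECURE list=VLAN
add interface=VLAN-GUEST list=VLAN
/interface wireguard peers
# allowed-address=0.0.0.0/0: full-tunnel client. The endpoint address and the
# provider's public key are not secrets. No persistent-keepalive is set.
add allowed-address=0.0.0.0/0 endpoint-address=217.138.192.35 endpoint-port=51820 interface=WG-NORDVPN public-key="ksadnck34wrbwfjh34b"
/ip address
add address=192.168.1.1/24 interface=sfp-sfpplus1 network=192.168.1.0
add address=192.168.10.1/24 interface=VLAN-TEST network=192.168.10.0
add address=192.168.9.1/24 interface=VLAN-LAN_VPN network=192.168.9.0
add address=192.168.100.1/24 interface=VLAN-GUEST network=192.168.100.0
add address=10.5.0.2/24 interface=WG-NORDVPN network=10.5.0.0
/ip cloud
# Publishes the WAN address to MikroTik's DDNS service; disable if unused.
set ddns-enabled=yes
/ip dhcp-server network
# Every network hands out the router itself as resolver.
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.9.0/24 dns-server=192.168.9.1 gateway=192.168.9.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
# The router forwards to NordVPN's public resolver, but router-originated
# queries follow the main table, i.e. they are expected to leave via ISP
# rather than inside the tunnel - a DNS leak for every client that uses
# 192.168.x.1 as resolver. Verify with /tool torch on ISP for udp/53.
set allow-remote-requests=yes servers=103.86.96.100
/ip firewall filter
# TCP-only: UDP/53 from the WAN was reaching the resolver while the final
# drop below was disabled. Redundant once that drop is active.
add action=drop chain=input comment="BLOCK WAN SIDE DNS REQUEST" dst-port=53 in-interface=ISP protocol=tcp
# A src-address-only match can be satisfied by spoofed packets arriving on
# the WAN; pinning the rule to non-WAN ingress closes that.
add action=accept chain=input comment="ALLOW LAN ACCESS ROUTER SERVICES" in-interface-list=!WAN src-address=192.168.1.0/24
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
# Every VLAN (guest included) reaches every router service.
add action=accept chain=input comment="ALLOW VLANS ACCESS ROUTER SERVICES" in-interface-list=VLAN
# Re-enabled: while this was disabled the router accepted anything from the
# WAN (management services, and DNS via allow-remote-requests=yes).
add action=drop chain=input comment="DROP ANYTHING ELSE"
add action=accept chain=forward comment="ALLOW LAN TRAFFIC TO EVERYWHERE" src-address=192.168.1.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO LAN" dst-address=192.168.1.0/24 src-address=192.168.9.0/24
# Label says "TO LAN_VPN" but the destination is VLAN-TEST (192.168.10.0/24).
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO LAN_VPN" dst-address=192.168.10.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
add action=accept chain=forward comment="ALLOW VLANS NORDVPN ACCESS" connection-state=new in-interface-list=VLAN out-interface=WG-NORDVPN
# Re-enabled: without it every VLAN could forward anywhere, including into
# the other VLANs and out the ISP. Note there is no accept for new
# connections from 192.168.10.0/24 to 192.168.9.0/24, so that direction stays
# blocked until a matching rule is added above this line.
add action=drop chain=forward comment="DROP ANYTHING ELSE"
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT-ISP out-interface=ISP
add action=masquerade chain=srcnat comment=NAT-VPN out-interface=WG-NORDVPN
/ip route
# Default route that exists only in table NORDVPN.
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=WG-NORDVPN pref-src="" routing-table=NORDVPN scope=30 suppress-hw-offload=no target-scope=10
/routing rule
# Evaluated top-down: the local-destination rule stays above the per-source
# rules so VLAN-to-VLAN traffic is resolved in main (connected routes), not
# sent into the tunnel. /16 also covers the guest subnet - narrow later.
add action=lookup-only-in-table comment="KEEPS LOCAL TRAFFIC POSSIBLE" disabled=no dst-address=192.168.0.0/16 table=main
# lookup-only-in-table (not lookup): no usable route in NORDVPN means the
# packet is dropped instead of falling back to main - this is the kill switch.
add action=lookup-only-in-table comment="REDIRECT VLAN-LAN_VPN TRAFFIC VIA NORDVPN" disabled=no src-address=192.168.9.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-TEST TRAFFIC VIA NORDVPN" disabled=no src-address=192.168.10.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-GUEST TRAFFIC TO NORDVPN" disabled=no src-address=192.168.100.0/24 table=NORDVPN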
This is what I don't get: I set the first rule to 192.168.0.0/16, which covers 192.168.0.1 to 192.168.255.254 (yes, you are right that I don't want to include the GUEST VLAN, but for now I'm just testing; I'll narrow the CIDR later), so why is this rule not enough?

SO YES,
either OR are good
/routing rule
# One lookup-only-in-table rule per local destination subnet, placed above
# the src-address rules that send those subnets into the VPN table.
add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 table=main
OR
add action=lookup-only-in-table disabled=no dst-address=192.168.1.0/20 table=main
This is two extra rules, and what if I have 10+ VLANs and need cross traffic between several of them? That means 10+ rules (ok, this example is not so realistic, but in theory it could be a problem) — or is this the case where mangle marking is better?

Good question — it makes no sense to me either; in any case stick with what works... it's only one extra rule.
Because of CPU usage, or because fasttrack gets disabled?

I avoid mangling if I can.
Yes I tried, nothing changed.

Did you try
add action=lookup-only-in-table dst-address=192.168.0.0/20 table=main ?? (192.168.0.0/20 is the aligned form of 192.168.1.0/20; it covers 192.168.0.0–192.168.15.255.)
Should also work.
Now I've deleted any orphan settings, but it's the same; I also did the last resort of noobs — I restarted too.

This leads me to believe there is something else blocking this traffic.
your config has many holes for example forgetting to define vlans 30 and 20 ??
your bridge settings are wrong too.
Post full config
/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.)
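# NordVPN WireGuard policy-routing export, second version as posted.
# Review changes: persistent-keepalive added to the WG peer and the
# "ALLOW LAN" input rule pinned to non-WAN ingress. Everything else is
# unchanged and annotated.
/interface bridge
add name=BRIDGE-LAN vlan-filtering=yes
/interface pppoe-client
# PPPoE session is the WAN; its default route lands in the main table.
add add-default-route=yes disabled=no interface=ether1 name=ISP user=username532
/interface wireguard
# The private key is never part of /export.
add listen-port=51820 mtu=1420 name=WG-NORDVPN
/interface vlan
add interface=BRIDGE-LAN name=VLAN-LAN_VPN vlan-id=9
add interface=BRIDGE-LAN name=VLAN-DEVICES vlan-id=10
add interface=BRIDGE-LAN name=VLAN-NO_INTERNET vlan-id=20
add interface=BRIDGE-LAN name=VLAN-TEST vlan-id=30
add interface=BRIDGE-LAN name=VLAN-GUEST vlan-id=100
/interface list
add name=WAN
add name=VLAN
/ip pool
add name=POOL-LAN ranges=192.168.3.2-192.168.3.254
add name=POOL-LAN_VPN ranges=192.168.9.2-192.168.9.254
add name=POOL-DEVICES ranges=192.168.10.2-192.168.10.254
add name=POOL-NO_INTERNET ranges=192.168.20.2-192.168.20.254
add name=POOL-TEST ranges=192.168.30.2-192.168.30.254
add name=POOL-GUEST ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=POOL-LAN interface=BRIDGE-LAN name=DHCP-LAN
add address-pool=POOL-LAN_VPN interface=VLAN-LAN_VPN name=DHCP-LAN_VPN
add address-pool=POOL-DEVICES interface=VLAN-DEVICES name=DHCP-DEVICES
add address-pool=POOL-NO_INTERNET interface=VLAN-NO_INTERNET name=DHCP-NO_INTERNET
add address-pool=POOL-TEST interface=VLAN-TEST name=DHCP-TEST
add address-pool=POOL-GUEST interface=VLAN-GUEST name=DHCP-GUEST
/routing table
add disabled=no fib name=NORDVPN
/interface bridge port
# sfp-sfpplus1 is a bridge member yet also carries 192.168.3.1/24 below. With
# vlan-filtering on, an address on a member port is not how the router is
# normally reached - make 192.168.3.0/24 a VLAN or take the port off the bridge.
add bridge=BRIDGE-LAN interface=sfp-sfpplus1
add bridge=BRIDGE-LAN interface=ether2
add bridge=BRIDGE-LAN interface=ether3 pvid=9
add bridge=BRIDGE-LAN interface=ether4 pvid=10
add bridge=BRIDGE-LAN interface=ether5
add bridge=BRIDGE-LAN interface=ether6
add bridge=BRIDGE-LAN interface=ether7 pvid=30
add bridge=BRIDGE-LAN interface=ether8
/interface bridge vlan
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=9
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2 vlan-ids=10
# VLAN 20 is tagged on the bridge only; no physical port carries it yet.
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN vlan-ids=20
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether6 vlan-ids=30
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=100
/interface list member
add interface=ISP list=WAN
add interface=VLAN-LAN_VPN list=VLAN
add interface=VLAN-DEVICES list=VLAN
add interface=VLAN-NO_INTERNET list=VLAN
add interface=VLAN-TEST list=VLAN
add interface=VLAN-GUEST list=VLAN
/interface wireguard peers
# persistent-keepalive added: this router is the initiating client, and a
# periodic authenticated packet keeps any NAT/stateful device between it and
# the provider from expiring the UDP mapping (25s is the commonly used value).
# allowed-address=0.0.0.0/0: full-tunnel client; endpoint and public key are
# not secrets.
add allowed-address=0.0.0.0/0 endpoint-address=123.45.67.89 endpoint-port=51820 interface=WG-NORDVPN persistent-keepalive=25s public-key="1a2b3c4d5e6f6g7h8i9j"
/ip address
add address=192.168.3.1/24 interface=sfp-sfpplus1 network=192.168.3.0
add address=192.168.30.1/24 interface=VLAN-TEST network=192.168.30.0
add address=192.168.10.1/24 interface=VLAN-DEVICES network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN-NO_INTERNET network=192.168.20.0
add address=192.168.9.1/24 interface=VLAN-LAN_VPN network=192.168.9.0
add address=192.168.100.1/24 interface=VLAN-GUEST network=192.168.100.0
add address=10.5.0.2/24 interface=WG-NORDVPN network=10.5.0.0
/ip cloud
# Publishes the WAN address to MikroTik's DDNS service; disable if unused.
set ddns-enabled=yes
/ip dns
# Router-originated queries to this resolver follow the main table, i.e. they
# are expected to leave via ISP rather than inside the tunnel - a DNS leak for
# every client that uses the router as resolver. Verify with /tool torch on
# ISP for udp/53; a routing rule for the router's own DNS traffic, or handing
# VPN clients a resolver reached through the tunnel, closes it.
set allow-remote-requests=yes servers=103.86.96.100
/ip firewall filter
# TCP-only and fully shadowed by the final input drop below; harmless.
add action=drop chain=input comment="BLOCK WAN SIDE DNS REQUEST" dst-port=53 in-interface=ISP protocol=tcp
# A src-address-only match can be satisfied by spoofed packets arriving on
# the WAN; pinning the rule to non-WAN ingress closes that.
add action=accept chain=input comment="ALLOW LAN ACCESS ROUTER SERVICES" in-interface-list=!WAN src-address=192.168.3.0/24
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
# Every VLAN (GUEST and NO_INTERNET included) reaches every router service
# that /ip service leaves enabled; a guest network normally gets DNS/DHCP only.
add action=accept chain=input comment="ALLOW VLANS ACCESS ROUTER SERVICES" in-interface-list=VLAN
add action=drop chain=input comment="DROP ANYTHING ELSE"
# Server rule: in-interface-list=VLAN includes GUEST and NO_INTERNET, so every
# VLAN may open connections to 192.168.10.2. Narrow to the VLANs that need it.
add action=accept chain=forward dst-address=192.168.10.2 in-interface-list=VLAN
add action=accept chain=forward comment="ALLOW LAN TRAFFIC TO EVERYWHERE" src-address=192.168.3.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO LAN" dst-address=192.168.3.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO DEVICES" dst-address=192.168.10.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO TEST" dst-address=192.168.30.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM DEVICES TO LAN_VPN" dst-address=192.168.9.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
# The only exit for the VLANs: there is deliberately no VLAN -> ISP accept,
# so a VLAN that is not pinned to NORDVPN (192.168.20.0/24) gets no internet,
# and the pinned VLANs cannot fall back to the ISP.
add action=accept chain=forward comment="ALLOW VLANS NORDVPN ACCESS" connection-state=new in-interface-list=VLAN out-interface=WG-NORDVPN
add action=drop chain=forward comment="DROP ANYTHING ELSE"
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT-ISP out-interface=ISP
add action=masquerade chain=srcnat comment=NAT-VPN out-interface=WG-NORDVPN
/ip route
# Default route that exists only in table NORDVPN (distance=5 is harmless
# here; the default of 1 would do).
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=WG-NORDVPN pref-src="" routing-table=NORDVPN scope=30 suppress-hw-offload=no target-scope=10
/ip service
# Services not listed here (winbox, www-ssl) keep their defaults and are
# reachable from every VLAN via the input chain; add address= restrictions
# if guests should not see them.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing rule
# Evaluated top-down: the local-destination rule stays above the per-source
# rules so VLAN-to-VLAN traffic is resolved in main (connected routes), not
# sent into the tunnel. /16 also covers the guest subnet - narrow later.
add action=lookup-only-in-table comment="KEEPS LOCAL TRAFFIC POSSIBLE" disabled=no dst-address=192.168.0.0/16 table=main
# The next four /24 rules are fully shadowed by the /16 above; kept only so
# they remain if that rule is narrowed later.
add action=lookup-only-in-table disabled=no dst-address=192.168.3.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.30.0/24 table=main
# lookup-only-in-table (not lookup): no usable route in NORDVPN means the
# packet is dropped instead of falling back to main - this is the kill switch.
add action=lookup-only-in-table comment="REDIRECT VLAN-LAN_VPN TRAFFIC VIA NORDVPN" disabled=no src-address=192.168.9.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-DEVICES TRAFFIC VIA NORDVPN" disabled=no src-address=192.168.10.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-TEST TRAFFIC TO NORDVPN" disabled=no src-address=192.168.30.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-GUEST TRAFFIC TO NORDVPN" disabled=no src-address=192.168.100.0/24 table=NORDVPN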
I wanted to create a network outside of the VLANs in case I mess something up and accidentally lock myself out, but I doubt that specific interface causes the problem. Why would it? It's just an interface — or am I missing something?

(1) Your SFP+ setup is hosed and is the core of your issues. Why do you NOT make it a VLAN?
You can elect to not do so, but then why do you have it on the bridge........ MAkes no sense........
So either make 192.168.3.0/24 another vlan on the bridge or
remove this line.
/interface bridge port
add bridge=BRIDGE-LAN interface=sfp-sfpplus1
VLAN 20 is not in use yet, so that is why I didn't set it; at this point I'm stuck on the routing issue.

(2) Personal preference: make the /interface bridge vlan settings clearer so they match the bridge ports and are shown in the config export!
Also when doing this it became clear that you forgot to tag a port for vlan id 20??
Should I set it, and why? I read the spec, but I thought I needed to leave it unset.

(3) MISSING persistent-keepalive on the MT peer settings for NordVPN.
You right, I set back to 1, that was only a previous setting when I tried several routing "type".(4) The route for NORDVPN does not require distance setting of 5, default of 1 is fine.
These setting is from NordVPN, I didn't wanted my ISP's nor google.(5) DID NORDVPN give you any other information like DNS address ????
(6) Why did you choose DNS server 103.86.96.100 ?
I'll do as you adviced.(7) Looking at firewall rules I am puzzled as the logic is missing.
(See option 2 in firewall rules below for better way to do this)
Because I'm just testing why it doesn't working, and I didn't leased my IPs thats why I gave full access, at the end of my learning curve I'll set static IPs and I allow access between specific devices only not whole subnets.WHAT I DONT UNDERSTAND is allow all of vlan9 to 192.168.3 IF FULL access goes both ways, then ONLY HAVE ONE SUBNET ???
WHAT I DONT UNDERSTAND is allow all of vlan9 to vlan 10 and all of vlan10 to vlan9 , WHY NOT JUST HAVE ONE SUBNET ???
Ok I see what is wrong my rules thank you for simplifying.(8) Firewall rules NEED WORK should look like.
Why is this needed, and what value is advised? I can't find a proper explanation on the internet.

(1) Yes, you need persistent-keepalive at the client, which is the MT. It makes the router send a small authenticated keepalive packet to the peer every N seconds, so any NAT or stateful filter between the router and the provider keeps the UDP mapping open and the tunnel does not go idle; the commonly used value is 25 seconds.
Ok, but here the router is the client (the MikroTik connects to NordVPN), so it moves nowhere — is this keepalive then only needed when clients connect to the router's WireGuard server?

(1) That's how WireGuard works: the client keeps the connection alive............. It also helps when the client changes location — think moving from coffee-shop wifi to the street and on to cellular coverage — the session keeps going. (Strictly, roaming works because the peer updates the endpoint from any authenticated packet it receives; keepalive just guarantees such a packet is sent regularly.)
LOL? So in your experience your enterprise routers go to coffee shops? If my question was LOL, what is this, ROFL?

Yes, that is the WireGuard protocol: the router is the client and has a part to play in communicating over the tunnel. The protocol doesn't know what devices are being used LOL.
Can you help me set up my MikroTik router with WireGuard?

The point being the protocol is agnostic with respect to which device it is being used on. It doesn't care if it's an Android phone or an MT router.