malabar
just joined
Topic Author
Posts: 9
Joined: Sat Apr 01, 2023 10:56 pm
Location: Barcelona

Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Mon Apr 03, 2023 12:30 pm

Dears,

First message in this forum, so let me introduce myself. I currently have one hAP AC2 as router (running ROS 7.8), behind a fiber ONT in Spain.
I've successfully set up Surfshark Wireguard VPN, and am now looking to implement a kill switch (if the VPN connection is lost, VPN traffic is blackholed). I only have one device in my LAN going through the VPN, the rest is non-VPN.

I've already gone through viewtopic.php?p=915137&hilit=kill+switc ... rd#p915137... but I'm not getting it.
See my configuration below for Mangle - NAT, as well as routing - rules - tables.

I guess I'm missing something with rules?

Mangle
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
Surfshark_blackhole passthrough=yes src-address-list=Under_VPN

add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=\
WG-Surfshark passthrough=yes protocol=tcp tcp-flags=syn

add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3 \
passthrough=yes

add action=set-priority chain=postrouting new-priority=1 out-interface=\
pppoe-out1

NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat comment=masquerade-ovpn src-address=\
192.168.76.0/24

add action=masquerade chain=srcnat comment="default configuration" \
out-interface-list=Vlan2&3

add action=masquerade chain=srcnat comment=masq-surfshark out-interface=\
WG-Surfshark

ROUTE
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WG-Surfshark \
pref-src="" routing-table=Surfshark scope=30 suppress-hw-offload=no \
target-scope=10

TABLE
/routing table
add disabled=no fib name=Surfshark

RULES
/routing rule
add action=lookup-only-in-table disabled=no interface=bridge src-address=\
192.168.87.241/32 table=Surfshark

Thanks in advance for your support!

Regards,
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8  [SOLVED]

Tue Apr 04, 2023 1:58 pm

There is no requirement for a kill switch when using wireguard.
Wireguard does not leak.

It looks like you only have one IP address using surfshark wireguard.
If the surfshark connection is down, the router does not route traffic anywhere already.

Kill switch is not needed.
 
malabar
just joined
Topic Author
Posts: 9
Joined: Sat Apr 01, 2023 10:56 pm
Location: Barcelona

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Apr 04, 2023 2:35 pm

Thanks @anav for your answer, much appreciated.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Apr 04, 2023 5:40 pm

You're welcome, Go Barca!! hahahaha
 
dgalizi
just joined
Posts: 1
Joined: Tue May 30, 2023 6:31 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Thu Jun 01, 2023 1:17 am

There is no requirement for a kill switch when using wireguard.
Wireguard does not leak.

It looks like you only have one IP address using surfshark wireguard.
If the surfshark connection is down, the router does not route traffic anywhere already.

Kill switch is not needed.

Hello Anav. Thank you for the answer!!!
Is it safe to use wireguard without any kind of "protection"?
What about the DNS query and packet leak?
I'm routing all the traffic to the tunnel, if for some reason the connection is down...

Thanks in advance!!
Dan
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Aug 08, 2023 12:59 pm

...I've successfully set up Surfshark Wireguard VPN...

Could you please post your settings? I'm trying to migrate from IKEv2 to WireGuard, but I can't manage it :(

Thank You so much
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Aug 08, 2023 3:01 pm

@dgalizi.

I am more familiar with using routing rules...........
in this case lets say I have three subnets........ 192.168.0.0/24, 192.168.30.0/24, 192.168.50.0/24
and assume there is some need for intervlan traffic, shared printer even......

Then I would do
/routing table
add fib name=use-WG
/ip route
add dst-address=0.0.0.0/0 gateway=wg-interface-name routing-table=use-WG


Routing rules
/routing rule
add dst-address=192.168.0.0/18 action=lookup-only-in-table table=main comment="keeps local traffic possible"
add src-address=192.168.0.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.30.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.50.0/24 action=lookup-only-in-table table=use-WG


The function of action means, if there is no connection, DO NOT LOOK for an alternate.
If we had used solely 'lookup' then the router is instructed, if there is no connection at the designated table, to see if there is an available route on the main table.
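To make the difference between the two rule actions concrete, here is a small simulator of the routing-rule evaluation described above. It is an added illustration, not code from this thread or from MikroTik: it models only the behaviour anav describes (rules tried top-down on src/dst; `lookup-only-in-table` consults just the named table and gives up on a miss, plain `lookup` falls back to main). The table, rule and interface names follow anav's sketch (`use-WG`, `wg-interface-name`); the gateway names `vlan0`, `vlan30`, `vlan50` and `isp-gateway` are constructed for the demo.

```python
"""Simulate RouterOS routing-rule evaluation for a WireGuard kill switch.

Added illustration, not code from this thread or from MikroTik. It models the
behaviour anav describes: rules are tried top-down on src/dst; the action
"lookup-only-in-table" consults only the named table and gives up when nothing
matches there, while plain "lookup" falls back to the main table. Table, rule
and interface names follow anav's sketch (use-WG, wg-interface-name); the
bridge/ISP gateway names below are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    dst: str              # destination prefix, e.g. "0.0.0.0/0"
    gateway: str          # next hop or egress interface name
    active: bool = True   # False once the interface is down (WireGuard peer gone)


@dataclass
class Rule:
    action: str           # "lookup-only-in-table" or "lookup"
    table: str
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        if self.src and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(dst) not in ip_network(self.dst):
            return False
        return True


def lookup(table: str, dst: str, tables: Dict[str, List[Route]]) -> Optional[Route]:
    """Longest-prefix match over the active routes of one table, None on a miss."""
    best = None
    for r in tables.get(table, []):
        net = ip_network(r.dst)
        if r.active and ip_address(dst) in net:
            if best is None or net.prefixlen > ip_network(best.dst).prefixlen:
                best = r
    return best


def route_packet(src: str, dst: str, rules: List[Rule],
                 tables: Dict[str, List[Route]]) -> Optional[str]:
    """Return the gateway chosen for src->dst, or None if the packet is blackholed."""
    for rule in rules:
        if not rule.matches(src, dst):
            continue
        hit = lookup(rule.table, dst, tables)
        if hit is not None:
            return hit.gateway
        if rule.action == "lookup-only-in-table":
            return None                       # kill switch: no fallback to main
        break                                 # plain "lookup": fall back to main
    hit = lookup("main", dst, tables)         # no matching rule, or fallback
    return hit.gateway if hit else None


def build_scenario(wg_up: bool, action: str = "lookup-only-in-table"):
    """Three LAN subnets as in anav's example; the WG route is inactive when wg_up is False."""
    tables = {
        "main": [
            Route("192.168.0.0/24", "vlan0"),
            Route("192.168.30.0/24", "vlan30"),
            Route("192.168.50.0/24", "vlan50"),
            Route("0.0.0.0/0", "isp-gateway"),      # constructed ISP default route
        ],
        "use-WG": [Route("0.0.0.0/0", "wg-interface-name", active=wg_up)],
    }
    rules = [
        Rule("lookup-only-in-table", "main", dst="192.168.0.0/18"),   # local traffic first
        Rule(action, "use-WG", src="192.168.0.0/24"),
        Rule(action, "use-WG", src="192.168.30.0/24"),
        Rule(action, "use-WG", src="192.168.50.0/24"),
    ]
    return rules, tables


if __name__ == "__main__":
    for wg_up in (True, False):
        for action in ("lookup-only-in-table", "lookup"):
            rules, tables = build_scenario(wg_up, action)
            out = route_packet("192.168.30.10", "1.1.1.1", rules, tables)
            print(f"wg_up={wg_up!s:5} action={action:21} internet -> {out}")
    rules, tables = build_scenario(False)
    print("inter-VLAN ->", route_packet("192.168.30.10", "192.168.50.7", rules, tables))
```

With the tunnel up both actions send 192.168.30.10 out `wg-interface-name`; with it down, `lookup-only-in-table` returns no gateway (the packet is blackholed, which is the kill switch), whereas `lookup` quietly picks `isp-gateway` from main. Traffic to 192.168.50.7 hits the first rule and is routed via main regardless of the tunnel state, which is why the `/18` rule has to come first.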
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Aug 08, 2023 6:56 pm

I am more familiar with using routing rules...........
in this case lets say I have three subnets........ 192.168.0.0/24, 192.168.30.0/24, 192.168.50.0/24
and assume there is some need for intervlan traffic, shared printer even......

Then I would do
/routing table
add fib name=use-WG
/ip route
add dst-address=0.0.0.0/0 gateway=wg-interface-name routing-table=use-WG


Routing rules
/routing rule
add dst-address=192.168.0.0/18 action=lookup-only-in-table table=main comment="keeps local traffic possible"
add src-address=192.168.0.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.30.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.50.0/24 action=lookup-only-in-table table=use-WG


The function of action means, if there is no connection, DO NOT LOOK for an alternate.
If we had used solely 'lookup' then the router is instructed, if there is no connection at the designated table, to see if there is an available route on the main table.

I think I need this solution too. My question: in this case I need to disable mangle, right?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Aug 08, 2023 7:56 pm

Well I would have to see the context of the entire config, why are you mangling now?
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Wed Aug 09, 2023 3:51 pm

Well I would have to see the context of the entire config, why are you mangling now?

Here is my config:
# RouterOS 7.10.2
# model = RB5009UG+S+

/interface bridge
add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes

/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-surfshark

/interface vlan
add interface=LAN-BRIDGE name=GEUST_VLAN vlan-id=30
add interface=LAN-BRIDGE name=TEST_VLAN vlan-id=20

/interface list
add name=WAN
add name=VLAN
add name=GUEST_VLAN

/interface wifiwave2 channel
add disabled=no frequency=2300-7300 name=5GHz width=20/40/80mhz
add disabled=no frequency=2300-7300 name=2GHz width=20/40mhz

/interface wifiwave2 datapath
add bridge=LAN-BRIDGE disabled=no name=GUEST vlan-id=30

/interface wifiwave2 security
add authentication-types=wpa3-psk disabled=no name=WPA3 wps=disable
add authentication-types=wpa2-psk disabled=no name=WPA2 wps=disable
add authentication-types=wpa2-psk disabled=no name=GUEST wps=disable

/interface wifiwave2 configuration
add country="United States" disabled=no name=HOME-5GHz security=WPA3 ssid=\
    HOME-5GHz
add country="United States" disabled=no name=HOME-2GHz security=WPA2 ssid=\
    HOME-2GHz
add country="United States" datapath=GUEST disabled=no name=GUEST security=\
    GUEST ssid=GUEST

/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN-BRIDGE name=dhcp1
add address-pool=dhcp_pool1 interface=TEST_VLAN name=dhcp2
add address-pool=dhcp_pool2 interface=GEUST_VLAN name=dhcp3

/routing table
add disabled=no fib name=surfshark

/interface bridge port
add bridge=LAN-BRIDGE interface=sfp-sfpplus1
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
add bridge=LAN-BRIDGE interface=ether8

/interface bridge vlan
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 vlan-ids=30

/interface list member
add interface=ether1 list=WAN
add interface=GEUST_VLAN list=VLAN
add interface=LAN-BRIDGE list=VLAN
add interface=TEST_VLAN list=VLAN

/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=none

/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=HOME-5GHz \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=HOME-2GHz \
    slave-configurations=GUEST supported-bands=2ghz-n

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=us-chi.prod.surfshark.com \
    endpoint-port=51820 interface=wireguard-surfshark public-key=\
    "DpMfulanF/MVHmt3AX4dqLqcyE0dpPqYBjDlWMaUI00="

/ip address
add address=192.168.1.1/24 interface=LAN-BRIDGE network=192.168.1.0
add address=192.168.20.1/24 interface=TEST_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GEUST_VLAN network=192.168.30.0
add address=10.14.0.2/16 interface=wireguard-surfshark network=10.14.0.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server lease
add address=192.168.1.2 client-id=1:48:a9:8a:8b:48:ef comment=AX-AP mac-address=\
    48:A9:8A:8B:48:EF server=dhcp1
add address=192.168.30.11 client-id=1:0:c:29:f8:91:1b comment=TEST-CLIENT \
    mac-address=00:0C:29:F8:91:1B server=dhcp3


/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=162.252.172.57 gateway=192.168.30.1

/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=192.168.30.11 list=GUEST-DEVICE1

/ip firewall filter
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ALLOW VLAN ACCESS ROUTER SERVICES" \
    in-interface-list=VLAN
add action=drop chain=input comment=DROP
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=forward comment="ALL VLANS INTERNET ACCESS ONLY" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="ALLOW GUEST VLAN TO WIRESHARK ACCESS" \
    connection-state=new in-interface-list=VLAN out-interface=\
    wireguard-surfshark
add action=drop chain=forward comment=DROP

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting new-routing-mark=surfshark \
    passthrough=no src-address-list=GUEST-DEVICE1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard-surfshark

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard-surfshark \
    routing-table=surfshark suppress-hw-offload=no

So I use mangle to force traffic into the WG tunnel, but if the wireguard interface becomes disabled, it switches to ISP internet, so isn't that a leak, or is this scenario only possible if I disable the wireguard interface manually?
Additional problem: I cannot add a subnet (only specific machines, i.e. 192.168.30.11)

Thank You so much
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Fri Aug 11, 2023 5:19 pm

@anav

Is my config that bad? :D
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Fri Aug 11, 2023 5:26 pm

Hahah, no I just have a life LOL.
I am not qualified to comment on any config that contains Non wifi settings in wifi settings,,,, aka datapath, capsman etc........
I prefer the simpleton approach with wifi settings that just deal in wifi.

If datapath and capsman meant no changes to the current bridge/vlan construct as described by pcunite, then my tune would be different.
The only reason I ever fathomed to use capsman is that one needs to isolate wifi users from landline users in the same subnet, which is rare.
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sat Aug 12, 2023 11:25 am

Hahah, no I just have a life LOL.
...
I prefer the simpleton approach with wifi settings that just deal in wifi.

...
The only reason I ever fathomed to use capsman is that one needs to isolate wifi users from landline users in the same subnet, which is rare.

Ok then I won't show your comment to my wife, it would ruin my excuses :D :D :D

But if you need to manage 20+ APs, how do you do that without capsman?

Ok I turned off wifi settings, so here is my basic setup:
# RouterOS 7.10.2
# model = RB5009UG+S+

/interface bridge
add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes

/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-surfshark

/interface vlan
add interface=LAN-BRIDGE name=GEUST_VLAN vlan-id=30
add interface=LAN-BRIDGE name=TEST_VLAN vlan-id=20

/interface list
add name=WAN
add name=VLAN
add name=GUEST_VLAN

/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN-BRIDGE name=dhcp1
add address-pool=dhcp_pool1 interface=TEST_VLAN name=dhcp2
add address-pool=dhcp_pool2 interface=GEUST_VLAN name=dhcp3

/routing table
add disabled=no fib name=surfshark

/interface bridge port
add bridge=LAN-BRIDGE interface=sfp-sfpplus1
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
add bridge=LAN-BRIDGE interface=ether8

/interface bridge vlan
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 vlan-ids=30

/interface list member
add interface=ether1 list=WAN
add interface=GEUST_VLAN list=VLAN
add interface=LAN-BRIDGE list=VLAN
add interface=TEST_VLAN list=VLAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=us-chi.prod.surfshark.com \
    endpoint-port=51820 interface=wireguard-surfshark public-key=\
    "DpMfulanF/MVHmt3AX4dqLqcyE0dpPqYBjDlWMaUI00="

/ip address
add address=192.168.1.1/24 interface=LAN-BRIDGE network=192.168.1.0
add address=192.168.20.1/24 interface=TEST_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GEUST_VLAN network=192.168.30.0
add address=10.14.0.2/16 interface=wireguard-surfshark network=10.14.0.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server lease
add address=192.168.30.11 client-id=1:0:c:29:f8:91:1b comment=TEST-CLIENT \
    mac-address=00:0C:29:F8:91:1B server=dhcp3

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=162.252.172.57 gateway=192.168.30.1

/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=192.168.30.11 list=GUEST-DEVICE1

/ip firewall filter
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ALLOW VLAN ACCESS ROUTER SERVICES" \
    in-interface-list=VLAN
add action=drop chain=input comment=DROP
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=forward comment="ALL VLANS INTERNET ACCESS ONLY" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="ALLOW GUEST VLAN TO WIRESHARK ACCESS" \
    connection-state=new in-interface-list=VLAN out-interface=\
    wireguard-surfshark
add action=drop chain=forward comment=DROP

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting new-routing-mark=surfshark \
    passthrough=no src-address-list=GUEST-DEVICE1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard-surfshark

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard-surfshark \
    routing-table=surfshark suppress-hw-offload=no
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sat Aug 12, 2023 3:07 pm

If I had to manage 20, one by one LOL. It takes me at most 5 minutes to set up a capac.
It's pretty much set and forget. It's not like one is going to be changing anything frequently.
One typically has 2-3-4 WIFI LANs and that's it.
The DHCP and all else is handled by the router.
The only reason to touch the capac is to upgrade the software.
Also, I highly doubt 20 capacs would be configured the same,,,, maybe in some fiction book.
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sat Sep 09, 2023 2:59 pm


Then I would do
/routing table
add fib name=use-WG
/ip route
add dst-address=0.0.0.0/0 gateway=wg-interface-name routing-table=use-WG


Routing rules
/routing rule
add dst-address=192.168.0.0/18 action=lookup-only-in-table table=main comment="keeps local traffic possible"
add src-address=192.168.0.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.30.0/24 action=lookup-only-in-table table=use-WG
add src-address=192.168.50.0/24 action=lookup-only-in-table table=use-WG


The function of action means, if there is no connection, DO NOT LOOK for an alternate.
If we had used solely 'lookup' then the router is instructed, if there is no connection at the designated table, to see if there is an available route on the main table.

@anav

If we use this method, will communication between VLANs be possible? In this case the traffic from 192.168.30.0/24 to 192.168.50.0/24 will be forced to wireguard, right?
Isn't mangle better in this case?

Thank You
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sat Sep 09, 2023 5:14 pm

If you look carefully at the first routing rule........ what does it say?

Any traffic heading for a local subnet shall be routed using the main table aka it will flow!!
Then after that traffic has been taken care of, the rules deal with wireguard traffic.

So no need for mangling and local traffic will be respected.
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sun Sep 10, 2023 12:28 am

If you look carefully at the first routing rule........ what does it say?

Any traffic heading for a local subnet shall be routed using the main table aka it will flow!!
Then after that traffic has been taken care of, the rules deal with wireguard traffic.

So no need for mangling and local traffic will be respected.

Ok, in this case something is wrong on my side :(
(I have that rule but cross traffic is not working; I'll keep trying and come back if I can't solve it)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sun Sep 10, 2023 3:29 am

Do you have a forward chain rule allowing access to the server??
Typically if you have vlans you need a rule.


add chain=forward action=accept in-interface-list=VLAN dst-address=server_IP

You could narrow this down to just one subnet to the server or a list of allowed LANIPs to the server.
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sun Sep 10, 2023 4:21 pm

Do you have a forward chain rule allowing access to the server??
Typically if you have vlans you need a rule.


add chain=forward action=accept in-interface-list=VLAN dst-address=server_IP

You could narrow this down to just one subnet to the server or a list of allowed LANIPs to the server.

Ok I give up :(

If I add these rules it works perfectly (ping works and 192.168.10.2 can be reached from 192.168.9.0/24); without them it stops working:
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 src-address=192.168.9.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 src-address=192.168.10.0/24 table=main
Here are my settings:
/interface bridge
add name=BRIDGE-LAN vlan-filtering=yes

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=ISP user=username533

/interface wireguard
add listen-port=51820 mtu=1420 name=WG-NORDVPN

/interface vlan
add interface=BRIDGE-LAN name=VLAN-LAN_VPN vlan-id=9
add interface=BRIDGE-LAN name=VLAN-TEST vlan-id=10
add interface=BRIDGE-LAN name=VLAN-GUEST vlan-id=100

/interface list
add name=WAN
add name=VLAN

/ip pool
add name=POOL-LAN ranges=192.168.1.2-192.168.1.254
add name=POOL-LAN_VPN ranges=192.168.9.2-192.168.9.254
add name=POOL-TEST ranges=192.168.10.2-192.168.10.254
add name=POOL-GUEST ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=POOL-LAN interface=BRIDGE-LAN name=DHCP-LAN
add address-pool=POOL-LAN_VPN interface=VLAN-LAN_VPN name=DHCP-LAN_VPN
add address-pool=POOL-TEST interface=VLAN-TEST name=DHCP-TEST
add address-pool=POOL-GUEST interface=VLAN-GUEST name=DHCP-GUEST

/routing table
add disabled=no fib name=NORDVPN

/interface bridge port
add bridge=BRIDGE-LAN interface=sfp-sfpplus1
add bridge=BRIDGE-LAN interface=ether2
add bridge=BRIDGE-LAN interface=ether3 pvid=9
add bridge=BRIDGE-LAN interface=ether4 pvid=10
add bridge=BRIDGE-LAN interface=ether5
add bridge=BRIDGE-LAN interface=ether6
add bridge=BRIDGE-LAN interface=ether7 pvid=30
add bridge=BRIDGE-LAN interface=ether8

/interface bridge vlan
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=9
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2 vlan-ids=10
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN vlan-ids=20
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether6 vlan-ids=30
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=100

/interface list member
add interface=ISP list=WAN
add interface=VLAN-LAN_VPN list=VLAN
add interface=VLAN-TEST list=VLAN
add interface=VLAN-TEST_SECURE list=VLAN
add interface=VLAN-GUEST list=VLAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=217.138.192.35 endpoint-port=51820 interface=WG-NORDVPN public-key="ksadnck34wrbwfjh34b"

/ip address
add address=192.168.1.1/24 interface=sfp-sfpplus1 network=192.168.1.0
add address=192.168.10.1/24 interface=VLAN-TEST network=192.168.10.0
add address=192.168.9.1/24 interface=VLAN-LAN_VPN network=192.168.9.0
add address=192.168.100.1/24 interface=VLAN-GUEST network=192.168.100.0
add address=10.5.0.2/24 interface=WG-NORDVPN network=10.5.0.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.9.0/24 dns-server=192.168.9.1 gateway=192.168.9.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1

/ip dns
set allow-remote-requests=yes servers=103.86.96.100

/ip firewall filter
add action=drop chain=input comment="BLOCK WAN SIDE DNS REQUEST" dst-port=53 in-interface=ISP protocol=tcp
add action=accept chain=input comment="ALLOW LAN ACCESS ROUTER SERVICES" src-address=192.168.1.0/24
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
add action=accept chain=input comment="ALLOW VLANS ACCESS ROUTER SERVICES" in-interface-list=VLAN
add action=drop chain=input comment="DROP ANYTHING ELSE" disabled=yes
add action=accept chain=forward comment="ALLOW LAN TRAFFIC TO EVERYWHERE" src-address=192.168.1.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO LAN" dst-address=192.168.1.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO LAN_VPN" dst-address=192.168.10.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
add action=accept chain=forward comment="ALLOW VLANS NORDVPN ACCESS" connection-state=new in-interface-list=VLAN out-interface=WG-NORDVPN
add action=drop chain=forward comment="DROP ANYTHING ELSE" disabled=yes

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

/ip firewall nat
add action=masquerade chain=srcnat comment=NAT-ISP out-interface=ISP
add action=masquerade chain=srcnat comment=NAT-VPN out-interface=WG-NORDVPN

/ip route
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=WG-NORDVPN pref-src="" routing-table=NORDVPN scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table comment="KEEPS LOCAL TRAFFIC POSSIBLE" disabled=no dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table comment="REDIRECT VLAN-LAN_VPN TRAFFIC VIA NORDVPN" disabled=no src-address=192.168.9.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-TEST TRAFFIC VIA NORDVPN" disabled=no src-address=192.168.10.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-GUEST TRAFFIC TO NORDVPN" disabled=no src-address=192.168.100.0/24 table=NORDVPN

 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sun Sep 10, 2023 5:55 pm

No need to give up lets follow the logic.

The two rules you state are required to ensure that the subnets going out wireguard get routed FIRST to any other local subnets, for both traffic originating to other local subnets or returning traffic to the other local subnets. ALL GOOD!! you are on the right track.

I just simplified matters as you have multiple subnets. Also you don't need to add source address to these rules....

A subnet mask /18 goes from 192.168.1.0 - 192.168.64.254 so that covers all your subnets except 192.168.100.0 but that is your guest one and assuming there is no traffic for guest except out internet etc...

If you want to include the ability to contact the guest pool etc, then either lower the guest pool to 192.168.64.0 or below or change the rule to /17

In your case it's easier as you only want to cover 192.168.1 to 192.168.10 and thus simply use..
add dst-address=192.168.1.0/20 which covers 192.168.1.1 to 192.168.17.254

SO YES,
either OR are good
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 table=main
OR
add action=lookup-only-in-table disabled=no dst-address=192.168.1.0/20 table=main

++++++++++++++++++++++++++++++++++++++++++++++++

Now that we have clarity, the other part of my previous response is that we still need to ensure firewall rules allow traffic to flow between subnets or devices.
Firewall rules don't route, they just give permission for traffic flows......

You seem to have that, but your firewall rules are sparse and wonky in their order so I will look at that later today
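Since the discussion above turns on what a given dst-address prefix actually selects, here is a small CIDR helper, added as an illustration rather than taken from the thread. It reports the first and last address a prefix covers, which of the subnets userarrayuser posted (192.168.1.0/24, 192.168.9.0/24, 192.168.10.0/24 and 192.168.100.0/24) fall inside it, and the smallest single prefix that covers a chosen set of subnets. Python's `ipaddress` rejects a prefix with host bits set unless `strict=False`, in which case it masks them away, which is exactly what a prefix match on the router does.

```python
"""Work out which LAN subnets a routing-rule dst-address prefix actually selects.

Added illustration, not code from this thread. The subnets are the ones
userarrayuser posted and the candidate prefixes are the ones discussed above.
ipaddress refuses prefixes with host bits set unless strict=False, in which
case it masks them away, just as the router's prefix match would.
"""
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List, Tuple

# Subnets from userarrayuser's posted config.
LAN_SUBNETS = ["192.168.1.0/24", "192.168.9.0/24",
               "192.168.10.0/24", "192.168.100.0/24"]


def prefix_range(prefix: str) -> Tuple[str, str]:
    """First and last address covered by a prefix, host bits masked away."""
    net = ip_network(prefix, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def covered_subnets(prefix: str, subnets: Iterable[str] = LAN_SUBNETS) -> List[str]:
    """Subnets lying entirely inside the prefix (what a dst-address rule would send to main)."""
    net = ip_network(prefix, strict=False)
    return [s for s in subnets if ip_network(s).subnet_of(net)]


def smallest_covering_prefix(subnets: Iterable[str]) -> str:
    """Widen the first subnet one bit at a time until every subnet fits inside it."""
    nets = [ip_network(s) for s in subnets]
    net: IPv4Network = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return str(net)


if __name__ == "__main__":
    for prefix in ("192.168.0.0/18", "192.168.1.0/20", "192.168.0.0/16"):
        lo, hi = prefix_range(prefix)
        print(f"{prefix:16} {lo} - {hi:16} covers {covered_subnets(prefix)}")
    print("VLAN 9 + VLAN 10 :", smallest_covering_prefix(["192.168.9.0/24", "192.168.10.0/24"]))
    print("all four         :", smallest_covering_prefix(LAN_SUBNETS))
```

Running it shows that `/18` and `/20` both cover VLANs 1, 9 and 10 but not the guest VLAN 100, that `/16` covers all four, and that a single `/22` (192.168.8.0/22) is enough for VLANs 9 and 10 alone, while a `/17` is the narrowest prefix that takes in the guest subnet as well.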
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sun Sep 10, 2023 10:29 pm

SO YES,
either OR are good
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 table=main
OR
add action=lookup-only-in-table disabled=no dst-address=192.168.1.0/20 table=main

This is what I don't get. I set the first rule to 192.168.0.0/16, which covers 192.168.0.1 to 192.168.255.254 (yes, you're right, I don't want to include the GUEST VLAN, but for now I'm just testing, I'll set the CIDR narrower later), so why is this rule not enough?

add action=lookup-only-in-table disabled=no dst-address=192.168.0.0/16 table=main

Why does it only work with these rules, when the first rule already contains these subnets?

add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 table=main
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sun Sep 10, 2023 10:46 pm

Good question, makes no sense to me either; in any case stick with what works....... it's only one extra rule.
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sun Sep 10, 2023 11:41 pm

Good question, makes no sense to me either; in any case stick with what works....... it's only one extra rule.

This is two extra rules, and what if I have 10+ VLANs and need cross traffic between several VLANs? That means 10+ rules (ok, this example is not so realistic, but theoretically it could be a problem). Or is this the case where mangle marking is better?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sun Sep 10, 2023 11:53 pm

I avoid mangling if I can.

Did you try
add action=lookup-only-in-table dst-address=192.168.1.0/20 table=main ??

Should also work.

+++++++++++++++++++++++++++++++++++++++++++++++

Okay I figured out something.........
The problem we are fixing is fixed.

Your two rules have nothing to do with going out wireguard.
add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 src-address=192.168.9.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 src-address=192.168.10.0/24 table=main


You are saying any traffic from subnet .9.0/24 to subnet 10.0/24 should go through table main OKAY great.
You are saying any traffic from subnet .10.0/24 to subnet .9.0/24 should go through table main OKAY great.
BUT BOTH THOSE SUBNETS are not going out wireguard so you don't need any routing rules for them.
In fact the router already has nice routes for them created automatically.

This leads me to believe there is something else blocking this traffic.
your config has many holes for example forgetting to define vlans 30 and 20 ??
your bridge settings are wrong too.
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Mon Sep 11, 2023 10:53 pm

I avoid mangling if I can.
Because of CPU usage, or because it disables fasttrack?
Did you try
add action=lookup-only-in-table dst-address=192.168.1.0/20 table=main ??

Should also work.
Yes I tried, nothing changed :(
This leads me to believe there is something else blocking this traffic.
your config has many holes for example forgetting to define vlans 30 and 20 ??
your bridge settings are wrong too.
Now I've deleted any orphan settings but it's the same; I also did the last resort of noobs, I restarted too :)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Mon Sep 11, 2023 11:20 pm

Post full config
/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.)
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Sep 12, 2023 10:11 am

Post full config
/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.)

Here are my latest settings:

/interface bridge
add name=BRIDGE-LAN vlan-filtering=yes

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=ISP user=username532

/interface wireguard
add listen-port=51820 mtu=1420 name=WG-NORDVPN

/interface vlan
add interface=BRIDGE-LAN name=VLAN-LAN_VPN vlan-id=9
add interface=BRIDGE-LAN name=VLAN-DEVICES vlan-id=10
add interface=BRIDGE-LAN name=VLAN-NO_INTERNET vlan-id=20
add interface=BRIDGE-LAN name=VLAN-TEST vlan-id=30
add interface=BRIDGE-LAN name=VLAN-GUEST vlan-id=100

/interface list
add name=WAN
add name=VLAN

/ip pool
add name=POOL-LAN ranges=192.168.3.2-192.168.3.254
add name=POOL-LAN_VPN ranges=192.168.9.2-192.168.9.254
add name=POOL-DEVICES ranges=192.168.10.2-192.168.10.254
add name=POOL-NO_INTERNET ranges=192.168.20.2-192.168.20.254
add name=POOL-TEST ranges=192.168.30.2-192.168.30.254
add name=POOL-GUEST ranges=192.168.100.2-192.168.100.254

/ip dhcp-server
add address-pool=POOL-LAN interface=BRIDGE-LAN name=DHCP-LAN
add address-pool=POOL-LAN_VPN interface=VLAN-LAN_VPN name=DHCP-LAN_VPN
add address-pool=POOL-DEVICES interface=VLAN-DEVICES name=DHCP-DEVICES
add address-pool=POOL-NO_INTERNET interface=VLAN-NO_INTERNET name=DHCP-NO_INTERNET
add address-pool=POOL-TEST interface=VLAN-TEST name=DHCP-TEST
add address-pool=POOL-GUEST interface=VLAN-GUEST name=DHCP-GUEST

/routing table
add disabled=no fib name=NORDVPN

/interface bridge port
add bridge=BRIDGE-LAN interface=sfp-sfpplus1
add bridge=BRIDGE-LAN interface=ether2
add bridge=BRIDGE-LAN interface=ether3 pvid=9
add bridge=BRIDGE-LAN interface=ether4 pvid=10
add bridge=BRIDGE-LAN interface=ether5
add bridge=BRIDGE-LAN interface=ether6
add bridge=BRIDGE-LAN interface=ether7 pvid=30
add bridge=BRIDGE-LAN interface=ether8

/interface bridge vlan
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=9
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2 vlan-ids=10
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN vlan-ids=20
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether6 vlan-ids=30
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=100

/interface list member
add interface=ISP list=WAN
add interface=VLAN-LAN_VPN list=VLAN
add interface=VLAN-DEVICES list=VLAN
add interface=VLAN-NO_INTERNET list=VLAN
add interface=VLAN-TEST list=VLAN
add interface=VLAN-GUEST list=VLAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=123.45.67.89 endpoint-port=51820 interface=WG-NORDVPN public-key="1a2b3c4d5e6f6g7h8i9j"

/ip address
add address=192.168.3.1/24 interface=sfp-sfpplus1 network=192.168.3.0
add address=192.168.30.1/24 interface=VLAN-TEST network=192.168.30.0
add address=192.168.10.1/24 interface=VLAN-DEVICES network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN-NO_INTERNET network=192.168.20.0
add address=192.168.9.1/24 interface=VLAN-LAN_VPN network=192.168.9.0
add address=192.168.100.1/24 interface=VLAN-GUEST network=192.168.100.0
add address=10.5.0.2/24 interface=WG-NORDVPN network=10.5.0.0

/ip cloud
set ddns-enabled=yes

/ip dns
set allow-remote-requests=yes servers=103.86.96.100

/ip firewall filter
add action=drop chain=input comment="BLOCK WAN SIDE DNS REQUEST" dst-port=53 in-interface=ISP protocol=tcp
add action=accept chain=input comment="ALLOW LAN ACCESS ROUTER SERVICES" src-address=192.168.3.0/24
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
add action=accept chain=input comment="ALLOW VLANS ACCESS ROUTER SERVICES" in-interface-list=VLAN
add action=drop chain=input comment="DROP ANYTHING ELSE"
add action=accept chain=forward dst-address=192.168.10.2 in-interface-list=VLAN
add action=accept chain=forward comment="ALLOW LAN TRAFFIC TO EVERYWHERE" src-address=192.168.3.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO LAN" dst-address=192.168.3.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO DEVICES" dst-address=192.168.10.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM LAN_VPN TO TEST" dst-address=192.168.30.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="ALLOW TRAFFIC FROM DEVICES TO LAN_VPN" dst-address=192.168.9.0/24 src-address=192.168.10.0/24
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED CONNECTIONS" connection-state=established,related
add action=accept chain=forward comment="ALLOW VLANS NORDVPN ACCESS" connection-state=new in-interface-list=VLAN out-interface=WG-NORDVPN
add action=drop chain=forward comment="DROP ANYTHING ELSE"

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

/ip firewall nat
add action=masquerade chain=srcnat comment=NAT-ISP out-interface=ISP
add action=masquerade chain=srcnat comment=NAT-VPN out-interface=WG-NORDVPN

/ip route
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=WG-NORDVPN pref-src="" routing-table=NORDVPN scope=30 suppress-hw-offload=no target-scope=10

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/routing rule
add action=lookup-only-in-table comment="KEEPS LOCAL TRAFFIC POSSIBLE" disabled=no dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.3.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.9.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.10.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.30.0/24 table=main
add action=lookup-only-in-table comment="REDIRECT VLAN-LAN_VPN TRAFFIC VIA NORDVPN" disabled=no src-address=192.168.9.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-DEVICES TRAFFIC VIA NORDVPN" disabled=no src-address=192.168.10.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-TEST TRAFFIC TO NORDVPN" disabled=no src-address=192.168.30.0/24 table=NORDVPN
add action=lookup-only-in-table comment="REDIRECT VLAN-GUEST TRAFFIC TO NORDVPN" disabled=no src-address=192.168.100.0/24 table=NORDVPN

 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Sep 12, 2023 2:23 pm

(1) Your sfp-sfpplus1 setup is hosed and is the core of your issues. Why do you NOT make it a VLAN?
You can elect to not do so, but then why do you have it on the bridge........ Makes no sense........

So either make 192.168.3.0/24 another vlan on the bridge or
remove this line.
/interface bridge port
add bridge=BRIDGE-LAN interface=sfp-sfpplus1


(2) Personal preference to make /interface bridge vlan settings clearer so they match bridge ports and are shown on the config export!
Also when doing this it became clear that you forgot to tag a port for vlan id 20??

/interface bridge vlan
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 untagged=ether3 vlan-ids=9
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2 untagged=ether4 vlan-ids=10
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,??????? vlan-ids=20
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether6 untagged=ether7 vlan-ids=30
add bridge=BRIDGE-LAN tagged=BRIDGE-LAN,ether2,ether6 vlan-ids=100


(3) MISSING persistent keep alive on MT peer settings for nordvpn

(4) The route for NORDVPN does not require distance setting of 5, default of 1 is fine.

(5) DID NORDVPN give you any other information like DNS address ????
(6) Why did you choose DNS server 103.86.96.100 ?

(7) Looking at firewall rules I am puzzled as the logic is missing.
I understand allowing all to a specific server OKAY
I understand allowing all from 192.168.3.0 vlan to all other vlans - I assume you are on that vlan and thus as admin want access to all vlans.
(See option 2 in firewall rules below for better way to do this)
WHAT I DON'T UNDERSTAND is allowing all of VLAN 9 to 192.168.3. IF FULL access goes both ways, then why not ONLY HAVE ONE SUBNET ???
WHAT I DON'T UNDERSTAND is allowing all of VLAN 9 to VLAN 10 and all of VLAN 10 to VLAN 9. WHY NOT JUST HAVE ONE SUBNET ???


(8) Firewall rules NEED WORK should look like.
/ip firewall address-list
add address=admin-IP1 list=Admin comment="admin desktop"
add address=admin-IP2 list=Admin comment="admin laptop"
add address=admin-IP3 list=Admin comment="admin smartphone"
/ip firewall filter
# Input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address-list=Admin
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
# Forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="server traffic" in-interface-list=VLAN dst-address=192.168.10.2
add action=accept chain=forward comment="admin-access" src-address-list=Admin out-interface-list=VLAN
add action=accept chain=forward comment="internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard traffic" in-interface-list=VLAN out-interface=WG-NORDVPN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Sep 12, 2023 5:24 pm

(1) Your sffplus setup is hosed and is the core of your issues. Why do you NOT make it a vlan?
You can elect to not do so, but then why do you have it on the bridge........ MAkes no sense........

So either make 192.168.3.0/24 another vlan on the bridge or
remove this line.
/interface bridge port
add bridge=BRIDGE-LAN interface=sfp-sfpplus1
I wanted to create a network outside the VLANs in case I mess something up and accidentally lock myself out, but I doubt that specific interface causes the problem. Why would it? It's just an interface, or am I missing something?
I tried deleting it and nothing changed; it still doesn't work without the extra routing rules.

(2) Personal preference to make /interface bridge vlan settings clearer so they match bridge ports and are shown on the config export!
Also when doing this it became clear that you forgot to tag a port for vlan id 20??
VLAN 20 is not in use yet, which is why I didn't set it; at this point I'm stuck with the routing issue.
(3) MISSING persistent keep alive on MT peer settings for nordvpn
Should I set it, and why? I read the spec but I thought I needed to leave it unset.

(4) The route for NORDVPN does not require distance setting of 5, default of 1 is fine.
You're right, I set it back to 1; that was only a leftover setting from when I tried several routing "types".

(5) DID NORDVPN give you any other information like DNS address ????
(6) Why did you choose DNS server 103.86.96.100 ?
These settings are from NordVPN; I didn't want my ISP's nor Google's.
If everything is OK with routing and testing, I think I'll set Quad9 DoH.

(7) Looking at firewall rules I am puzzled as the logic is missing.
(See option 2 in firewall rules below for better way to do this)
I'll do as you advised.

WHAT I DONT UNDERSTAND is allow all of vlan9 to 192.168.3 IF FULL access goes both ways, then ONLY HAVE ONE SUBNET ???
WHAT I DONT UNDERSTAND is allow all of vlan9 to vlan 10 and all of vlan10 to vlan9 , WHY NOT JUST HAVE ONE SUBNET ???
Because I'm just testing why it isn't working, and I haven't leased my IPs yet, that's why I gave full access; at the end of my learning curve I'll set static IPs and allow access between specific devices only, not whole subnets.

(8) Firewall rules NEED WORK should look like.
OK, I see what is wrong with my rules, thank you for simplifying.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Sep 12, 2023 6:27 pm

(1) Yes, you need persistent keep alive at the client which is MT

(2) Okay understood about getting locked out....but the concept is wrong, the problem is not vlans but the BRIDGE.......... Nothing wrong with dedicating a port to this effect but it then SHOULD NOT BE A PORT ON THE BRIDGE!!!
what I do is take an unused port and simply give it an IP address nothing else, and then I can always log into the port by setting the ipv4 settings on my laptop and am in.

Let me know which way you want to go.
a. separate port for emergency access but not a LAN, and add another subnet/vlan to the bridge as your normal LAN subnet.
b. separate port for LAN usage BUT not on bridge.

Then we can massage config appropriately.

(3) WHERE ARE YOUR /ip dhcp-server network config settings????
Assuming that you failed to provide them rather than they are missing, boooo

Try this: For all subnets going out Wireguard.
/ip dhcp-server network
add address=192.168.X.X/24 dns-server=103.86.96.100 gateway=192.168.X.1


For rest of config use:
add address=192.168.xx.y/24 dns-server=192.168.xx.1 gateway=192.168.xx.1

/ip dns
set allow-remote-requests=yes servers=9.9.9.9



Are there any vlans or subnets going out local WAN ever?? fall back position if wireguard not available etc.....
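As an added example (not code from any post in this thread) tying together the keepalive and DHCP points above: `persistent-keepalive` makes the router send a keepalive packet every N seconds, which keeps the PPPoE/NAT mapping to the provider alive and gives `last-handshake` a heartbeat you can use as a liveness check; 25s is the value the WireGuard project suggests for NAT traversal. The DHCP part matters for the kill switch: if VPN-subnet hosts use the router as their resolver, the router's own queries are routed by table main and leave via the ISP, a DNS leak the routing rules cannot stop, so the VPN subnet is handed the provider's resolver directly and its queries then travel inside the tunnel like any other host traffic. The names WG-VPN, the subnets, and the <placeholders> for key, endpoint and resolver are assumptions; 192.168.10.0/24 is treated here as a non-VPN subnet purely for contrast.

```routeros
# Added example: peer keepalive and per-subnet DNS for a VPN-routed VLAN (RouterOS 7).
# Assumed names and addresses; key, endpoint and provider resolver are placeholders.

/interface wireguard peers
# Keepalive every 25 s: keeps the NAT/PPPoE state open and makes last-handshake a usable liveness signal.
add interface=WG-VPN public-key="<provider-public-key>" endpoint-address=<provider-endpoint> \
    endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s

/ip dhcp-server network
# VPN subnet: hand out the provider's resolver. The query leaves the client with src 192.168.9.x,
# matches the VPN routing rule and goes through the tunnel (or is dropped with it).
add address=192.168.9.0/24 gateway=192.168.9.1 dns-server=<provider-dns>
# Non-VPN subnet: the router's resolver is fine here, it goes out the ISP via table main.
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

/ip dns
set allow-remote-requests=yes servers=9.9.9.9

# Liveness check: with keepalive set, a last-handshake far beyond a few minutes means the tunnel is down.
/interface wireguard peers print detail
```

A further check for the DNS path: from a VPN-subnet host, `nslookup`/`dig` against the handed-out resolver while WG-VPN is disabled should fail; if it succeeds, the queries are not going through the tunnel.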
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Thu Sep 14, 2023 10:47 am

(1) Yes, you need persistent keep alive at the client which is MT
Why is this needed and what number is advised? I can't find a proper explanation on the internet.

Why should I remove an interface from a BRIDGE if the bridge has VLAN filtering? (I'm so hard-headed because it's just a testing environment, so this is not a real network and I want to learn from these mistakes.)
By the way, I completely reconfigured the firewall with your advised filter rules and the existing ones, and I think it is working now; I'm testing, so if I'm right I'll paste the whole config here.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Thu Sep 14, 2023 3:51 pm

(1) That's how WireGuard works, the client keeps the connection live............. also if the client changes location, think moving from a wifi coffee shop to the street and to cellular coverage, it keeps your connection going......
If you want to really understand it.........then read this --> https://www.wireguard.com/protocol/

(2) Normally there is no reason to remove an interface from the bridge, unless you want for some reason to have that port do something different from the rest of the subnets/VLANs using the bridge.
For example what I call off bridge access. The ability to config the device or reach the device in an emergency due to something went funky on the bridge settings. Its a safer configuration location so to speak.
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Fri Sep 15, 2023 12:07 pm

(1) That's how WireGuard works, the client keeps the connection live............. also if the client changes location, think moving from a wifi coffee shop to the street and to cellular coverage, it keeps your connection going......
OK, but here the router is the client (the MikroTik is connected to NordVPN), so it moves nowhere; so is this keepalive needed when clients are connected to the router's WireGuard server?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Fri Sep 15, 2023 12:30 pm

Yes, that is the WireGuard protocol, the router is the client and has a part to play in communicating over the tunnel. The protocol doesn't know what devices are being used LOL.
 
userarrayuser
just joined
Posts: 21
Joined: Sun Jul 23, 2023 4:42 pm

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sat Sep 16, 2023 12:17 am

Yes, that is the WireGuard protocol, the router is the client and has a part to play in communicating over the tunnel. The protocol doesn't know what devices are being used LOL.
LOL? So in your experience your enterprise routers go to the coffee shop? If my question was LOL, what is this, ROFL? :D
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Sat Sep 16, 2023 1:02 am

The point being the protocol is agnostic with respect to which device it's being used on. It doesn't care if it's an Android phone or an MT router.
 
killerrche
just joined
Posts: 2
Joined: Sat Sep 02, 2017 2:18 am

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Jan 23, 2024 12:36 am

The point being the protocol is agnostic with respect to which device it's being used on. It doesn't care if it's an Android phone or an MT router.
Can you help me set up my MikroTik router with WireGuard?
I searched a lot, but I cannot find any instructions.
I don't have knowledge about RouterOS.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8

Tue Jan 23, 2024 5:49 am

Start your own thread, provide a network diagram, list the user requirements (what users and devices you have and what traffic they need) and provide your current config
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)
