I have configured NordVPN on MikroTik following this link: https://support.nordvpn.com/Connectivit ... ordVPN.htm
The issue is that, although the "under VPN" network devices are able to get some communication (i.e. I am able to send WhatsApp messages from them, for example), browsing is not possible.
It looks like a firewall issue to me but I cannot say exactly. The tunnel connection is established, but if I put my computer among the under-VPN devices I cannot browse the internet.
Any idea why?
Attached my config:
# RouterOS export: PPPoE uplink on a tagged VLAN, two bridge VLANs (BASE 100 / GUEST 10),
# and a policy-based IKEv2 tunnel to NordVPN that is meant to carry only the hosts in the
# "local" address list (192.168.0.90-99). Credential and DDNS values appear redacted in
# this paste; the /interface bridge section (vlan-filtering) and any /ip firewall mangle
# section are not present in it.
/interface vlan
add interface=bridge name=BASE_VLAN vlan-id=100
add interface=bridge name=GUEST_VLAN vlan-id=10
# Uplink VLAN for the PPPoE session; mtu=1492 leaves room for the 8-byte PPPoE header on a
# 1500-byte link. NOTE(review): the ESP/UDP overhead of the IPsec tunnel comes on top of
# this, so hosts in "local" have a noticeably smaller usable path MTU than the rest of the LAN.
add interface=ether1 mtu=1492 name=vlan-IAM vlan-id=881
/interface pppoe-client
# Adds its own default route when the session comes up; see the static route further down.
add add-default-route=yes disabled=no interface=vlan-IAM name=PPPoE
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface lte apn
add apn=www.xxx name="apn"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
# Initiator-side mode-config. src-address-list=local is what selects which LAN sources are
# pushed into the tunnel (the dynamic policy and source NAT are derived from it once the
# peer assigns an address) -- presumably only 192.168.0.90-99 below; confirm with
# "/ip ipsec policy print" and "/ip firewall nat print" while the tunnel is up.
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
# No algorithms set here, so the phase-1 (IKE) defaults of this RouterOS version apply.
add name=NordVPN
/ip ipsec peer
add address=pt82.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
# pfs-group=none: no fresh DH exchange on child-SA rekeys, i.e. no forward secrecy for
# phase 2. This follows the provider guide; the encryption/auth algorithms are the defaults.
add name=NordVPN pfs-group=none
/ip pool
# Hosts meant for the VPN (192.168.0.90-99) sit below the DHCP range, so they must be
# statically addressed or have DHCP leases to land in the "local" list.
add name=default-dhcp ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=BASE_VLAN name=defconf
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/interface bridge port
# ether2: trunk, tagged frames only.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
ingress-filtering=yes interface=ether2
# ether3: access port in VLAN 100, untagged only.
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether3 pvid=100
# ether5: hybrid port (untagged 100, tagged 10 per the bridge vlan table); no
# ingress-filtering/frame-types set, so it also accepts tags for VLANs not listed for it.
add bridge=bridge comment=defconf interface=ether5 pvid=100
# NOTE(review): sfp1 has no pvid, so it defaults to VLAN 1, which has no entry in
# /interface bridge vlan below -- confirm the port is unused or intended to be isolated.
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
# Neighbor discovery only answered on the management-side list.
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=ether2,ether5,bridge vlan-ids=10
add bridge=bridge tagged=ether2,bridge untagged=ether5,ether3 vlan-ids=100
/interface list member
add comment=defconf interface=ether1 list=WAN
# NOTE(review): "PPPo" matches no interface in this export (the client above is named
# "PPPoE"). If this is not a paste artifact, the PPPoE interface is NOT in WAN, and every
# rule keyed on out-interface-list=WAN (forward accept, masquerade) will not match it.
add interface=PPPo list=WAN
add interface=GUEST_VLAN list=VLAN
add interface=ether4-access list=BASE
# BASE_VLAN is in both VLAN and BASE, so the broader "Allow BASE" input rule applies to it.
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
# NOTE(review): no interface named VyprVPN is defined in this export; looks like a leftover.
add interface=VyprVPN list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=BASE_VLAN network=\
192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
# ether4-access is referenced here and in the BASE list but its definition is not in this paste.
add address=192.168.5.1/24 interface=ether4-access network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
# Publish the router's own (PPPoE) address rather than the address seen by the cloud service.
set use-local-address=yes
/ip dns
# Router acts as resolver for the LAN. allow-remote-requests=yes is only safe because the
# input chain below accepts dst-port 53 solely from BASE/VLAN and drops everything else.
# NOTE(review): the router's own upstream queries are sourced from its WAN address, which is
# not in "local", so they presumably leave via PPPoE in the clear rather than through the
# tunnel -- clients behind the VPN that resolve through the router bypass it for DNS. Confirm
# whether that is intended.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# Resolved from the cloud DDNS name (value redacted); not referenced by any rule in this paste.
add address=ddd.sn.mynetname.net list=MyWANIP
# The only hosts selected for the VPN (see /ip ipsec mode-config above).
add address=192.168.0.90-192.168.0.99 list=local
/ip firewall filter
# ---- input chain: management plane ----
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP accepted from any interface, including WAN.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Full router access (Winbox/SSH/etc.) from BASE only.
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE
# VLAN-listed interfaces may only use the router's DNS.
add action=accept chain=input comment="Allow VLAN Port 53 tcp" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN Port 53 UDP" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Default deny: nothing else reaches the router itself (covers the WAN side).
add action=drop chain=input comment="Drop Input"
# ---- forward chain ----
# NOTE(review): this accepts anything decapsulated from the tunnel regardless of
# connection-state and before the established/related rule. With the 0.0.0.0/0 policy below,
# inbound connections arriving through the tunnel are not stateful-filtered here -- consider
# adding connection-state=established,related to this rule unless the provider side is known
# to NAT.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
# Traffic about to be encrypted is accepted here, so the later VLAN->WAN rule is not needed for it.
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# BASE may initiate to GUEST; the reverse direction only gets established/related.
add action=accept chain=forward in-interface=BASE_VLAN out-interface=\
GUEST_VLAN
# connection-state="" (empty) matches any state. Depends on PPPoE actually being in WAN.
add action=accept chain=forward comment="VLAN Internet Access Only" \
connection-state="" in-interface-list=VLAN out-interface-list=WAN
# No dstnat rules are present in this export, so this currently matches nothing.
add action=accept chain=forward comment="Allow forwarded ports" \
connection-nat-state=dstnat
# Default deny for transit traffic.
add action=drop chain=forward comment=Drop
/ip firewall nat
# NOTE(review): no /ip firewall mangle section is in this paste. The reported symptom
# (messaging works, browsing does not, only for the "local" hosts) is consistent with a
# path-MTU/MSS problem: ESP overhead on top of the 1492-byte PPPoE MTU, while any PPP-profile
# MSS clamp only accounts for PPPoE. A chain=forward change-mss rule for
# src-address-list=local (new-mss=clamp-to-pmtu, or a fixed value that leaves room for the
# ESP header) is the usual remedy -- TODO confirm with a large-payload ping from a "local" host.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
192.168.0.0/24 src-address=192.168.0.0/24
# ipsec-policy=out,none: leave traffic that will be encrypted alone; its source NAT is handled
# by the mode-config-derived rule, not by this masquerade.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# EAP-MSCHAPv2 client identity; username/password are blank in this export (redacted or
# hidden by the export). port-strict generates the policy from the template group below.
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
NordVPN username=
/ip ipsec policy
# Template covering all traffic (0.0.0.0/0 -> 0.0.0.0/0); the concrete policy is generated
# from it for the mode-config sources.
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
0.0.0.0/0 template=yes
/ip route
# Static default via PPPoE alongside the dynamic one from add-default-route=yes above --
# harmless duplicate as far as this paste shows; confirm which is intended.
add check-gateway=ping distance=1 gateway=PPPoE
/ip service
# Plaintext management services disabled; ssh/winbox/api settings are not in this paste.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/tool mac-server
# MAC-level access (mac-telnet / mac-winbox) limited to the BASE list.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE