charifch
newbie
Topic Author
Posts: 36
Joined: Sat Dec 11, 2021 4:27 pm

Nord VPN DNS problem

Mon May 23, 2022 11:50 pm

Hi Guys,
I have configured NordVPN on MikroTik following this link: https://support.nordvpn.com/Connectivit ... ordVPN.htm
The issue is that although the "under VPN" network devices are able to get some communication (i.e. I am able to send WhatsApp messages from them, for example), browsing is not possible.
It looks like a firewall issue to me but I cannot say exactly. The tunnel connection is established, but if I make my computer one of the "under VPN" devices I cannot browse the internet.
Any idea why?
Attached is my config:
/interface vlan
add interface=bridge name=BASE_VLAN vlan-id=100
add interface=bridge name=GUEST_VLAN vlan-id=10
add interface=ether1 mtu=1492 name=vlan-IAM vlan-id=881
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-IAM name=PPPoE
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface lte apn
add apn=www.xxx name="apn"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=pt82.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.0.254
add name=GUEST_POOL ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=BASE_VLAN name=defconf
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether3 pvid=100
add bridge=bridge comment=defconf interface=ether5 pvid=100
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=ether2,ether5,bridge vlan-ids=10
add bridge=bridge tagged=ether2,bridge untagged=ether5,ether3 vlan-ids=100
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=PPPo list=WAN
add interface=GUEST_VLAN list=VLAN
add interface=ether4-access list=BASE
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=VyprVPN list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=BASE_VLAN network=\
    192.168.0.0
add address=192.168.10.1/24 interface=GUEST_VLAN network=192.168.10.0
add address=192.168.5.1/24 interface=ether4-access network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=ddd.sn.mynetname.net list=MyWANIP
add address=192.168.0.90-192.168.0.99 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN Port 53 tcp" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN Port 53 UDP" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="Drop Input"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface=BASE_VLAN out-interface=\
    GUEST_VLAN
add action=accept chain=forward comment="VLAN Internet Access Only" \
    connection-state="" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow forwarded ports" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip route
add check-gateway=ping distance=1 gateway=PPPoE
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Nord VPN DNS problem

Tue May 24, 2022 6:47 pm

(1) What is ether5 connected to? You have it set up as a hybrid port, which is usually on the rarer side (normally a VoIP phone to computer, or a stewpid Ubiquiti AP).

(2) Syntax error/omission:
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-IAM name=PPPoE
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=PPPo? list=WAN ----------------------->> missing the E

(3) Are you sure this is legal........
add interface=VyprVPN list=WAN ???

(4) You can remove the LAN interface list as it's not used anywhere in your config (replaced by the VLAN interface list).

(5) You may consider reducing this from ALL access to the router to only the services the admin needs to get to......
winbox, ssh etc............. PLUS, if there are many users on the BASE VLAN, reduce it to just the devices the admin will use, by source-address list.
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE SRC-ADDRESS=?? dst-port=?? protocol=

(6) DID you add this route manually? If so it's not required and is a duplicate, because the PPPoE client settings already provide your route automatically.
/ip route
add check-gateway=ping distance=1 gateway=PPPoE
??
---------------------------------
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-IAM name=PPPoE


(7) Set this to none; MAC telnet is not encrypted, only the winbox MAC server is protected.
/tool mac-server
set allowed-interface-list=NONE


In summary, I'm not a VPN expert, but I do see you have reserved 9 or so local BASE VLAN IPs for IPsec, I suppose going out the VPN tunnel.
What is confusing to me is that you attached the VPN to the WAN interface, and I'm not sure if that is the way to go.
Further, I see no indication of how you are IP routing those users, nor do I see any firewall rules for them..........
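
The slips in points (2), (3), (5), (6) and (7) of the reply above are all mechanical enough to catch before the export is pasted into a router. The script below is an added example, not code from anav, the original poster or MikroTik: it parses the `/path` + `add`/`set` + `\`-continuation layout of a RouterOS export and runs those five checks over a trimmed copy of the export posted above (embedded as constructed sample input so it runs offline). The `BUILTIN_INTERFACES` set is an assumption: an export never defines hardware ports or the default bridge, and `ether4-access` is taken to be a renamed ether4 whose rename line the poster left out. The finding texts and the numbering in them are this example's own, not RouterOS output.

```python
"""Lint a RouterOS export for the slips pointed out in the reply above."""
import re
import shlex

# Constructed sample: the relevant lines of the export posted above, trimmed.
SAMPLE_EXPORT = r"""
/interface vlan
add interface=bridge name=BASE_VLAN vlan-id=100
add interface=ether1 mtu=1492 name=vlan-IAM vlan-id=881
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-IAM name=PPPoE
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=PPPo list=WAN
add interface=ether4-access list=BASE
add interface=BASE_VLAN list=BASE
add interface=VyprVPN list=WAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN Port 53 tcp" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="Drop Input"
/ip route
add check-gateway=ping distance=1 gateway=PPPoE
/tool mac-server
set allowed-interface-list=BASE
"""

# Assumption: names an export never defines because they are hardware ports, plus
# the default bridge; ether4-access is taken to be a renamed ether4 whose rename
# line the poster did not include.
BUILTIN_INTERFACES = {"bridge", "ether1", "ether2", "ether3", "ether4-access", "ether5", "sfp1"}


def _logical_lines(text):
    """Join RouterOS backslash continuation lines: the continued line is appended
    directly, with its leading indentation stripped."""
    buf = ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        yield buf + piece
        buf = ""


def parse_export(text):
    """Return [(section_path, verb, {key: value}), ...] for each add/set line."""
    entries, path = [], None
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            continue
        tokens = shlex.split(line)  # shlex unquotes values such as comment="a b"
        args = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append((path, tokens[0], args))
    return entries


REF_KEYS = ("interface", "in-interface", "out-interface", "gateway")
MATCHERS = {"dst-port", "protocol", "src-address", "src-address-list"}


def lint(text, builtin=BUILTIN_INTERFACES):
    """Return a list of findings, numbered like the points in the reply."""
    entries = parse_export(text)
    findings = []
    # (2)/(3): every referenced interface must be defined in the export or built in.
    defined = {a["name"] for p, v, a in entries
               if p.startswith("/interface") and v == "add" and "name" in a}
    defined |= set(builtin)
    for path, _, a in entries:
        for key in REF_KEYS:
            ref = a.get(key)
            if ref and ref not in defined and not re.fullmatch(r"[\d.]+", ref):
                findings.append(f"(2/3) {path}: {key}={ref} is not a defined interface")
    # (5): an input accept keyed only on an interface list opens every service,
    # and the chain must still end in an unconditional drop.
    inp = [a for p, _, a in entries if p == "/ip firewall filter" and a.get("chain") == "input"]
    for r in inp:
        if r.get("action") == "accept" and "in-interface-list" in r and not (MATCHERS & set(r)):
            findings.append(f"(5) input accept '{r.get('comment', '')}' is not limited by port or source")
    if not inp or inp[-1].get("action") != "drop" or set(inp[-1]) - {"action", "chain", "comment"}:
        findings.append("(5) input chain does not end in an unconditional drop")
    # (6): a static default route via a PPPoE client that already installs one.
    auto = {a["name"] for p, _, a in entries
            if p == "/interface pppoe-client" and a.get("add-default-route") == "yes"}
    for p, _, a in entries:
        if p == "/ip route" and a.get("gateway") in auto and a.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0":
            findings.append(f"(6) /ip route: default route via {a['gateway']} duplicates add-default-route=yes")
    # (7): plain MAC telnet is unencrypted, so it should be allowed on no interface list.
    for p, _, a in entries:
        if p == "/tool mac-server" and a.get("allowed-interface-list", "none") != "none":
            findings.append(f"(7) /tool mac-server: allowed-interface-list={a['allowed-interface-list']}, expected none")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Run against the sample it reports the `PPPo` typo and the undefined `VyprVPN` member, the port-less "Allow BASE" accept, the duplicate default route via PPPoE and the MAC server left open on BASE, while the catch-all "Drop Input" rule passes. Feed it the full `/export` of a router (save it with `/export file=...` and copy the file off) and adjust `BUILTIN_INTERFACES` to the ports that board actually has.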
