Here is a working setup. Please comment on shortcomings/optimizations/embedded questions.
Route all internet traffic through a VPN server
Enter the following in the command line (hitting enter after each line):
/ip firewall address-list add address=192.168.88.0/24 list=under_protonvpn
Above line not used. Instead, I created an interface list called ProtonVPNInternet and added the VLAN (VLAN1) that needs to be part of it. I also created an address list called LAN_NETWORK and placed the network addresses of the different VLANs (typically these are part of the LAN interface list) inside it. I did not use dst-type!=local (let me know the pros/cons).
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=!LAN_NETWORK in-interface-list=ProtonVPNInternet new-connection-mark=under_protonvpn passthrough=yes
5. Create WireGuard configurations
Enter the following in the command line (hitting enter after each line). Your WireGuard private key, endpoint port, and public key can be found by opening the configuration file you downloaded in step 2 with any text editor.
/interface/wireguard/add name=protonwg01 private-key="<your private key>" comment="ProtonVPN interface"
/interface/wireguard/peers/add endpoint-address=37.120.217.82 endpoint-port=51820 public-key="<your peer public key>" allowed-address=0.0.0.0/1,128.0.0.0/1 interface=protonwg01
Changed allowed-address to 0.0.0.0/0, since the routing table routes will decide where a packet goes and no special representation is needed to make all non-local packets go via WireGuard.
/interface/wireguard/peers/add endpoint-address=37.120.217.82 endpoint-port=51820 public-key="<your peer public key>" allowed-address=0.0.0.0/0 interface=protonwg01
/ip/address/add address=10.2.0.2/30 interface=protonwg01
/ip/dns/set servers=10.2.0.1 allow-remote-requests=yes
DNS step not done, since if you already have DoH set up with NextDNS, there is no way to ask it to use 10.2.0.1 for DNS for the VLAN1 clients (attached to the ProtonVPNInternet interface list).
Let me know if there is a way to do that.
/routing/table/add name=protonvpn_wg fib
/ip/firewall/mangle/add chain=prerouting src-address-list=under_protonvpn action=mark-routing new-routing-mark=protonvpn_wg passthrough=yes
Changed to:
/ip/firewall/mangle/add chain=prerouting in-interface-list=ProtonVPNInternet connection-mark=under_protonvpn action=mark-routing new-routing-mark=protonvpn_wg passthrough=yes
/ip/route/add routing-table=protonvpn_wg dst-address=0.0.0.0/0 gateway=protonwg01 comment="ProtonVPN Wireguard default route"
7. Exclude VPN traffic from FastTrack (important!)
Start by listing all firewall rules:
/ip firewall filter print
Remove the two FastTrack rules (the default rule and the dummy rule). To do this, enter the following command twice, using the numbers shown when you listed all the firewall rules.
/ip firewall filter remove <number>
I do not want to remove FastTrack altogether (as only some VLANs go via the VPN). Is there a way to apply it only to the connections where it is needed, and not to the VPN connections?
Let me know what the firewall rule needs to look like.
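One way to keep FastTrack for everything except the VPN-marked connections, as an added example that is not part of the original post: it reuses the post's under_protonvpn connection mark and the RouterOS v7 syntax the post already uses; the rule ordering, the comments and the verification command are assumptions about the reader's existing rule set.

```routeros
# Added example, not from the original post. Assumes the post's mangle rules are in place
# and mark VLAN1 connections with connection-mark=under_protonvpn.
#
# Why exclude them: once a connection is fasttracked, its later packets skip the mangle
# table, so they never receive routing-mark=protonvpn_wg and would fall back to the main
# routing table. Matching connection-mark=!under_protonvpn keeps those connections on the
# normal (mangle + routing-mark) path while every other connection stays fasttracked.

# 1. FastTrack only connections that are NOT marked for the VPN.
#    (hw-offload=yes is optional and only has effect on hardware that supports it)
/ip firewall filter add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=!under_protonvpn \
    hw-offload=yes comment="fasttrack all except under_protonvpn"

# 2. The accept rule for established/related traffic must directly follow it,
#    as in the default v7 configuration.
/ip firewall filter add chain=forward action=accept \
    connection-state=established,related,untracked \
    comment="accept established,related,untracked"

# 3. Both rules belong at the top of the forward chain. If they were appended at the end,
#    move them (replace <n> with the numbers shown by '/ip firewall filter print').
# /ip firewall filter move <n> destination=0

# 4. Verify: connections carrying the VPN mark must not show the F (fasttrack) flag,
#    while unmarked connections should.
/ip firewall connection print where connection-mark=under_protonvpn
```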