pantera
just joined
Topic Author
Posts: 9
Joined: Sun Feb 04, 2018 2:08 pm

Route all traffic for a specific IP via NordVPN IKEv2

Sun Sep 04, 2022 2:34 am

Came here hoping to get some advice on what I am doing wrong with my firewall setup...

Equipment:
- Telekom router (Static 192.168.1.1) - Router, WiFi AP
- Mikrotik hEX (Static 192.168.1.2) - Bridge mode, DHCP Server, NordVPN IPSec VPN client
- FreeNAS Box with a couple of jails running various jails (Static DHCP records 192.168.1.3-8)

What I would like to happen is to have the jail at 192.168.1.5 to route all internet via the NordVPN IKEv2 connection. All other devices connecting to the network should continue connecting to the internet directly.

I have followed the NordVPN guide to set up the VPN client and the connection seems to be established, but I am still not able to get the jail to route via the VPN using connection marks and a mangle rule.

Is this somehow achievable?

Do I need to run the hEX as a router? (I had the FreeNAS box double-NAT'ed and wanted to move away from this setup.) Unfortunately I am unable to use the hEX as my only router, due to some magic that Telekom has where there is no username or password for the connection.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Sun Sep 04, 2022 10:17 am

but I am still not able to get the jail to route via the VPN using connection marks and a mangle rule.
Post the export of the current setup, there must be a minor mistake in it. See my automatic signature below regarding how to remove sensitive information without breaking consistence of the configuration.
 
pantera
just joined
Topic Author
Posts: 9
Joined: Sun Feb 04, 2018 2:08 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Sun Sep 04, 2022 5:37 pm

but I am still not able to get the jail to route via the VPN using connection marks and a mangle rule.
Post the export of the current setup, there must be a minor mistake in it. See my automatic signature below regarding how to remove sensitive information without breaking consistence of the configuration.
Here is my config:
# sep/04/2022 16:27:56 by RouterOS 6.47.10
# software id = CYHD-B3DB
#
# model = RB750Gr3
# serial number = 
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=via-NordVPN name=NordVPN responder=no src-address-list=\
    local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=ua52.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.133.3-192.168.133.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1h name=\
    dhcp1
/interface bridge filter
add action=drop chain=input dst-port=68 in-interface=ether1 ip-protocol=udp \
    mac-protocol=ip
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.133.2/24 interface=ether2 network=192.168.133.0
/ip dhcp-server lease
add address=192.168.133.8 client-id=1:bc:ae:c5:8a:d2:22 mac-address=\
    BC:AE:C5:8A:D2:22 server=dhcp1
add address=192.168.133.4 client-id=1:bc:ae:c5:30:63:78 mac-address=\
    BC:AE:C5:30:63:78 server=dhcp1
add address=192.168.133.7 client-id=1:bc:ae:c5:c1:df:cb mac-address=\
    BC:AE:C5:C1:DF:CB server=dhcp1
add address=192.168.133.6 client-id=1:bc:ae:c5:a5:a4:7f mac-address=\
    BC:AE:C5:A5:A4:7F server=dhcp1
add address=192.168.133.5 client-id=1:be:ae:c5:3:aa:47 mac-address=\
    BE:AE:C5:03:AA:47 server=dhcp1
add address=192.168.133.3 client-id=1:bc:ae:c5:76:f2:e2 mac-address=\
    BC:AE:C5:76:F2:E2 server=dhcp1
/ip dhcp-server network
add address=192.168.133.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.133.1
/ip dns
set servers=1.1.1.1
/ip firewall address-list
add address=192.168.133.0/24 list=local
add address=192.168.133.5 list=via-VPN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=192.168.133.5 new-connection-mark=via-NordVPN passthrough=yes
add action=mark-connection chain=output connection-mark=no-mark dst-address=\
    192.168.133.5 new-connection-mark=via-NordVPN passthrough=yes
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=<>
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=192.168.133.1
Last edited by pantera on Sun Sep 04, 2022 7:11 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Sun Sep 04, 2022 6:28 pm

OK, so you've misunderstood a couple of things.

The connection-mark and src-address-list on the /ip ipsec mode-config row are used to dynamically create an action=src-nat rule in /ip firewall nat once the IPsec session is established. The rule causes all connections whose initial packet matches these match conditions to get src-nated to the address obtained via the mode-config, so that it would match to the IPsec policy. So packets whose source address before NAT matches the src-address-list, and whose connection-mark matches the connection-mark value of the rule.

Your mangle rule assigning the connection-mark value, action=mark-connection chain=prerouting connection-mark=no-mark dst-address=192.168.133.5 new-connection-mark=via-NordVPN passthrough=yes, matches on dst-address rather than src-address. So this rule only marks the connections of that jail as late as when handling the first response packets of these connections, which is too late.

So change dst-address to src-address in the mangle rule, and remove src-address-list from the mode-config row. If you want the .5 jail to be able to talk to local devices, you have to add a match condition to the mangle rule which will prevent it from matching on connections to LAN addresses, such as dst-address=!192.168.0.0/16.
 
pantera
just joined
Topic Author
Posts: 9
Joined: Sun Feb 04, 2018 2:08 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Sun Sep 04, 2022 10:30 pm

So change dst-address to src-address in the mangle rule, and remove src-address-list from the mode-config row. If you want the .5 jail to be able to talk to local devices, you have to add a match condition to the mangle rule which will prevent if from matching on connections to LAN addresses, such as dst-address=!192.168.0.0/16.
I have updated my mangle rule as follows:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=!192.168.133.0/24 new-connection-mark=via-NordVPN \
    passthrough=yes src-address=192.168.133.5
My ModeConfig is now as follows:
/ip ipsec mode-config
add connection-mark=via-NordVPN name=NordVPN responder=no
Running a traceroute from the .5 jail, the first hop is still the Telekom router at 192.168.133.1.
Last edited by pantera on Sun Sep 04, 2022 11:01 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Sun Sep 04, 2022 10:33 pm

What does /ip ipsec policy print detail and /ip firewall nat print chain=srcnat show when the tunnel is up?
 
pantera
just joined
Topic Author
Posts: 9
Joined: Sun Feb 04, 2018 2:08 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Sun Sep 04, 2022 10:57 pm

Thanks for helping me figure this out Sir
What does /ip ipsec policy print detail and /ip firewall nat print chain=srcnat show when the tunnel is up?
Results below:
/ip ipsec policy print detail
Flags: T - template, B - backup, 
X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T  * group=default src-address=::/0 dst-address=::/0 protocol=all 
        proposal=default template=yes 

 1 T    group=NordVPN src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all 
        proposal=NordVPN template=yes 

 2   DA  peer=NordVPN tunnel=yes src-address=10.6.0.13/32 src-port=any 
        dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt 
        level=unique ipsec-protocols=esp sa-src-address=192.168.133.2 
        sa-dst-address=37.19.218.143 proposal=NordVPN ph2-count=1 
and
/ip firewall nat print chain=srcnat
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.6.0.13 
      connection-mark=via-NordVPN 
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Sun Sep 04, 2022 11:08 pm

What does /ip firewall mangle print stats show? When you stop a traceroute for a minute and then start it again and print the stats again, can you see the packet count to increase for the mangle rule?

If not, when running traceroute to x.x.x.x in the jail, make the command line window on the Mikrotik as wide as your screen allows and run /tool sniffer quick ip-address=x.x.x.x to see whether the source address is indeed 192.168.133.5.
 
pantera
just joined
Topic Author
Posts: 9
Joined: Sun Feb 04, 2018 2:08 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Mon Sep 05, 2022 12:01 am

What does /ip firewall mangle print stats show? When you stop a traceroute for a minute and then start it again and print the stats again, can you see the packet count to increase for the mangle rule?

If not, when running traceroute to x.x.x.x in the jail, make the command line window on the Mikrotik as wide as your screen allows and run /tool sniffer quick ip-address=x.x.x.x to see whether the source address is indeed 192.168.133.5.
I can see a minute amount of traffic captured (18 packets), and only when the jail is restarted, but none of the subsequent traffic (pings, traceroutes, etc) seems to get captured.

While pinging google, the sniffer captured the following:
 /tool sniffer quick ip-address=142.250.185.238  
INTERFACE     TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                        
ether5      11.124     41 <- BE:AE:C5:03:AA:47 0C:8E:29:8E:39:E4        192.168.133.5                      
ether2      11.125     42 -> BE:AE:C5:03:AA:47 0C:8E:29:8E:39:E4        192.168.133.5                      
ether2       11.14     43 <- 0C:8E:29:8E:39:E4 BE:AE:C5:03:AA:47        142.250.185.238                    
ether5       11.14     44 -> 0C:8E:29:8E:39:E4 BE:AE:C5:03:AA:47        142.250.185.238                    
ether5      12.145     45 <- BE:AE:C5:03:AA:47 0C:8E:29:8E:39:E4        192.168.133.5                      
ether2      12.145     46 -> BE:AE:C5:03:AA:47 0C:8E:29:8E:39:E4        192.168.133.5      
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Mon Sep 05, 2022 9:25 am

I can see a minute amount of traffic captured (18 packets)
That's normal, as the rule only matches on the first packet of each connection, because only the first one not only matches the src-address and dst-address but also has no connection-mark assigned yet.

and only when the jail is restarted, but none of the subsequent traffic (pings, traceroutes, etc) seems to get captured.
This is the part that suggests what to look for, see below.

While pinging google, the sniffer captured the following:
This clearly shows the source address is correct.


So the answer is here:
/ip address
add address=192.168.133.2/24 interface=ether2 network=192.168.133.0
...
/ip route
add distance=1 gateway=192.168.133.1


In other words, the Mikrotik is the default gateway for the jail, but the Mikrotik's own default gateway is in the same subnet as the jail's IP address. So when the Mikrotik forwards a packet from the jail, it finds out that it has to forward it out the same interface through which it has received it, so it sends an ICMP message "a better router than me is available for this destination in the same subnet" to the jail, which accepts that message and starts sending subsequent packets towards that destination directly to 192.168.133.1. You can see those packets in the capture because the Mikrotik acts as a bridge for these packets, but since it does not route them any more, it applies no IP processing at all to them.

So there are two ways to deal with this:
  • to split the networks, i.e. to use a dedicated subnet as the WAN one of the Mikrotik
  • to implement policy routing for the traffic from that jail, which will use another gateway for this traffic, preventing this from happening.
The latter one can also act as a prevention of traffic leakage through the normal path if the tunnel is down (sometimes called a "killswitch").

To implement this, you would add a bridge interface with no member ports:
/interface bridge add name=br-blackhole protocol-mode=none
Next, you would add a default route via that interface into a distinct routing table:
/ip route add routing-mark=via-NordVPN gateway=br-blackhole
And last, you would add the following mangle rule after (below) the action=mark-connection one:
connection-mark=via-NordVPN in-interface=bridge action=mark-routing routing-mark=via-NordVPN

One more thing that is wrong is that the Mikrotik's own IP address (192.168.133.2) is attached to ether2 rather than to the actual IP interface, which is bridge. This wrong setup seems to be allowed to permit some migration scenarios, but it causes some weird effects. It is definitely not related to your issue, but nevertheless worth fixing.
 
pantera
just joined
Topic Author
Posts: 9
Joined: Sun Feb 04, 2018 2:08 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Tue Sep 06, 2022 2:38 am

I decided to go with the policy based approach you described, as I would really prefer to keep the devices on the same subnet.
  • to implement policy routing for the traffic from that jail, which will use another gateway for this traffic, preventing this from happening.
The latter one can also act as a prevention of traffic leakage through the normal path if the tunnel is down (sometimes called a "killswitch").
I seem to have followed the instructions quite closely, but I am still not having any luck. The jail still has access to the internet (tested by manually disabling the ipsec tunnel) and traceroute still shows the first hop as 192.168.133.1.
Relevant configs that have been updated:
/interface bridge
add name=br-blackhole protocol-mode=none
add name=bridge1

/ip route
add distance=1 gateway=br-blackhole routing-mark=via-NordVPN
add distance=1 gateway=192.168.133.1

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=!192.168.133.0/24 new-connection-mark=via-NordVPN \
    passthrough=yes src-address=192.168.133.5
add action=mark-routing chain=prerouting connection-mark=via-NordVPN \
    in-interface=bridge1 new-routing-mark=via-NordVPN passthrough=yes

/ip address
add address=192.168.133.2/24 interface=bridge1 network=192.168.133.0
I also looked at the firewall stats, and this is still behaving exactly the same as it was before, except now the mark-routing rule is also showing traffic. Each time the jail connects to the network, there are 4 packets captured.
ip firewall mangle print stats
Flags: X - disabled, I - invalid, D - dynamic 
 #    CHAIN                                         ACTION                            BYTES         PACKETS
 0    prerouting                                    mark-connection                   1 230               8
 1    prerouting                                    mark-routing                      1 230               8
 
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Tue Sep 06, 2022 9:19 am

What does the routing table of the jail itself look like?
 
pantera
just joined
Topic Author
Posts: 9
Joined: Sun Feb 04, 2018 2:08 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Tue Sep 06, 2022 1:05 pm

What does the routing table of the jail itself look like?
https://imgur.com/a/kJ7F6FL

The gateway still seems to be specified as 192.168.133.1 - The Telekom router.

Should I have the Mikrotik (192.168.133.2) specified as the gateway?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Tue Sep 06, 2022 7:44 pm

Should I have the Mikrotik (192.168.133.2) specified as the gateway?
Of course.
 
pantera
just joined
Topic Author
Posts: 9
Joined: Sun Feb 04, 2018 2:08 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Tue Sep 06, 2022 11:11 pm

Should I have the Mikrotik (192.168.133.2) specified as the gateway?
Of course.
Ok now that I have updated the Mikrotik settings and set it to act as a router in Quickset as well as updating the DHCP to issue leases with 192.168.133.2 as the gateway, there is definitely more activity on the mangle rules.

Unfortunately, I now have no access to the outside world from the 192.168.133.5 jail. The gateway is correctly set via DHCP to 192.168.133.2, and all other devices on the network are working fine. Clearly the black hole is working, but I am missing some config to direct the traffic through the tunnel :shrug:
# sep/06/2022 22:07:22 by RouterOS 6.47.10
# software id = 
#
# model = RB750Gr3
# serial number = 
/interface bridge
add name=br-blackhole protocol-mode=none
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add connection-mark=via-NordVPN name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=ua52.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.133.3-192.168.133.254
add name=dhcp ranges=192.168.133.3-192.168.133.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1h name=\
    dhcp1
/interface bridge port
add bridge=bridge1 disabled=yes interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.133.2/24 interface=ether2 network=192.168.133.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.133.8 client-id=1:MAC-ADDRESS mac-address=\
    MAC-ADDRESS server=dhcp1
add address=192.168.133.4 client-id=1:MAC-ADDRESS mac-address=\
    MAC-ADDRESS server=dhcp1
add address=192.168.133.5 client-id=1:be:ae:c5:3:aa:47 mac-address=\
    MAC-ADDRESS server=dhcp1
add address=192.168.133.3 client-id=1:MAC-ADDRESS mac-address=\
    MAC-ADDRESS server=dhcp1
add address=192.168.133.6 client-id=1:MAC-ADDRESS mac-address=\
    MAC-ADDRESS server=dhcp1
add address=192.168.133.7 client-id=1:MAC-ADDRESS mac-address=\
    MAC-ADDRESS server=dhcp1
/ip dhcp-server network
add address=192.168.133.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.133.2 \
    netmask=24
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=192.168.133.0/24 list=local
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=!192.168.133.0/24 \
    new-connection-mark=via-NordVPN passthrough=yes src-address=192.168.133.5
add action=mark-routing chain=prerouting connection-mark=via-NordVPN \
    in-interface=bridge1 new-routing-mark=via-NordVPN passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=br-blackhole routing-mark=via-NordVPN
add distance=1 gateway=192.168.133.1
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2  [SOLVED]

Wed Sep 07, 2022 12:12 am

I have updated the Mikrotik settings and set it to act as a router in Quickset as well as updating the DHCP to issue leases with 192.168.133.2 as the gateway, there is definitely more activity on the mangle rules.
Once you change even a single bit in the configuration using any other tool than Quickset, never use Quickset again.

Clearly the black hole is working, but I am missing some config to direct the traffic through the tunnel :shrug:
Sorry, my mistake, your configuration is indeed unusual :) The jail -> internet direction is fine, the mistake is in the internet -> jail direction. The action=mark-routing rule assigns the routing-mark also to the internet->jail packets, which is wrong. Normally, the way to avoid this is to set in-interface=bridge1, but that fails in your case because the in-interface of the internet->jail packets is also bridge1. So remove this match condition from that rule, and instead of it, use dst-address=!192.168.133.0/24 like in the action=mark-connection rule:

action=mark-routing chain=prerouting connection-mark=via-NordVPN dst-address=!192.168.133.0/24 new-routing-mark=via-NordVPN passthrough=yes
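The pipeline sindy describes across this thread (the mangle marks and why dst-address marked "too late", the dynamic src-nat rule that mode-config installs, the via-NordVPN table whose only route is the blackhole bridge, and the in-interface=bridge1 rule that also caught the internet->jail replies) is modelled below as an added Python example. It is not code from the thread, from MikroTik or from NordVPN; it reduces RouterOS packet flow to the four steps the thread relies on: prerouting mangle in rule order, routing lookup, the dynamic srcnat rule, then the IPsec policy check. Its assumptions, also marked in the code, are: no ports or TCP state (one address pair is one connection), replies arrive already dst-de-NATed with in-interface bridge1 as sindy states, NAT is decided on a connection's first original-direction packet, and the default route in the marked table also catches LAN destinations, which is what locked pantera's jail out. Addresses, marks and rule contents are the thread's own; 8.8.8.8 stands in for any internet host.

```python
# Added example (not from the thread, MikroTik or NordVPN): a toy model of the
# RouterOS prerouting-mangle -> routing -> srcnat -> IPsec-policy order, detailed
# just enough to reproduce the two mistakes diagnosed in the thread.
JAIL = "192.168.133.5"
LAN_GW = "192.168.133.1"        # Telekom router, the hEX's own default gateway
MODECFG_ADDR = "10.6.0.13"      # address NordVPN handed out via mode-config
LAN_PREFIX = "192.168.133."     # stands in for 192.168.133.0/24


def in_lan(ip):
    return ip.startswith(LAN_PREFIX)


def rule_matches(rule, src, dst, in_iface, conn_mark):
    """Evaluate one mangle rule's match conditions; a missing key means 'any'."""
    if "src" in rule and src != rule["src"]:
        return False
    if "dst" in rule and dst != rule["dst"]:
        return False
    if rule.get("dst_not_lan") and in_lan(dst):          # dst-address=!192.168.133.0/24
        return False
    if "in_iface" in rule and in_iface != rule["in_iface"]:
        return False
    want = rule.get("conn_mark")                          # None, "no-mark" or a mark name
    if want == "no-mark":
        return conn_mark == ""
    return want is None or conn_mark == want


class Router:
    def __init__(self, mangle_rules):
        self.mangle = mangle_rules
        self.hits = [0] * len(mangle_rules)   # like /ip firewall mangle print stats
        self.conntrack = {}                   # frozenset({a, b}) -> connection state (assumption: no ports)

    def handle(self, src, dst, tunnel_up, in_iface="bridge1"):
        """Push one packet through the pipeline and return where it ends up.
        Replies are passed in already dst-de-NATed (dst = the jail's address) and,
        as in the thread's bridged topology, every packet enters via bridge1."""
        key = frozenset((src, dst))
        conn = self.conntrack.setdefault(key, {"mark": "", "orig_src": src, "snat": None})
        routing_mark = ""
        # 1. prerouting mangle: rules in order, all with passthrough=yes
        for i, rule in enumerate(self.mangle):
            if not rule_matches(rule, src, dst, in_iface, conn["mark"]):
                continue
            self.hits[i] += 1
            if rule["action"] == "mark-connection":
                conn["mark"] = rule["new"]
            elif rule["action"] == "mark-routing":
                routing_mark = rule["new"]
        # 2. routing decision: table via-NordVPN holds only 0.0.0.0/0 via br-blackhole,
        #    so a marked packet goes there even when dst is on the LAN (assumption)
        if routing_mark == "via-NordVPN":
            out = "br-blackhole"
        elif in_lan(dst):
            return "delivered-to-lan"
        else:
            out = LAN_GW
        # 3. dynamic srcnat rule (connection-mark=via-NordVPN to-addresses=10.6.0.13)
        #    that mode-config installs while the tunnel is up; NAT is decided once,
        #    on the connection's first original-direction packet (assumption)
        if src == conn["orig_src"]:
            if conn["snat"] is None:
                conn["snat"] = tunnel_up and conn["mark"] == "via-NordVPN"
            if conn["snat"]:
                src = MODECFG_ADDR
        # 4. IPsec policy src-address=10.6.0.13/32 dst-address=0.0.0.0/0 picks the
        #    packet up after srcnat, before it would leave on the routed interface
        if tunnel_up and src == MODECFG_ADDR:
            return "esp-to-nordvpn"
        return "dropped-blackhole" if out == "br-blackhole" else "plain-via-" + LAN_GW


ORIGINAL = [  # pantera's first rule: matches on dst-address, so only replies match
    {"action": "mark-connection", "conn_mark": "no-mark", "dst": JAIL, "new": "via-NordVPN"},
]
IN_INTERFACE = [  # src-address fix plus mark-routing on in-interface=bridge1
    {"action": "mark-connection", "conn_mark": "no-mark", "src": JAIL, "dst_not_lan": True, "new": "via-NordVPN"},
    {"action": "mark-routing", "conn_mark": "via-NordVPN", "in_iface": "bridge1", "new": "via-NordVPN"},
]
FINAL = [  # the working rules from the last posted config
    {"action": "mark-connection", "conn_mark": "no-mark", "src": JAIL, "dst_not_lan": True, "new": "via-NordVPN"},
    {"action": "mark-routing", "conn_mark": "via-NordVPN", "src": JAIL, "dst_not_lan": True, "new": "via-NordVPN"},
]


def trace(rules, tunnel_up=True):
    """Outbound packet from the jail, the reply, then a second outbound packet.
    Returns the three outcomes and the per-rule hit counters."""
    r = Router(rules)
    outcomes = [r.handle(JAIL, "8.8.8.8", tunnel_up),
                r.handle("8.8.8.8", JAIL, tunnel_up),
                r.handle(JAIL, "8.8.8.8", tunnel_up)]
    return outcomes, r.hits


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("in-interface", IN_INTERFACE), ("final", FINAL)):
        print(name, trace(rules))
    print("final, tunnel down", trace(FINAL, tunnel_up=False))
```

Running it shows the original rule letting the whole connection leak plain via 192.168.133.1 (the reply marks the connection, but the NAT decision was already taken), the in-interface=bridge1 variant encrypting the outbound packet and then sending the reply into br-blackhole, and the final rules encrypting outbound traffic while delivering replies to the LAN. With the tunnel down, the final rules send the jail's traffic to br-blackhole instead of the Telekom router, which is the "killswitch" behaviour sindy mentioned. The hit counters also reproduce what pantera saw in `print stats`: the mark-connection rule counts only the first packet of each connection, because the connection-mark=no-mark condition fails for every later packet.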
 
pantera
just joined
Topic Author
Posts: 9
Joined: Sun Feb 04, 2018 2:08 pm

Re: Route all traffic for a specific IP via NordVPN IKEv2

Sat Sep 10, 2022 5:46 pm

Thanks for all the assistance @sindy, I finally have everything working the way I intended. Could not have done it without you.

For anyone else in a similar situation, I am posting my final working config.
# sep/10/2022 16:43:04 by RouterOS 6.47.10
# software id = 
#
# model = RB750Gr3
# serial number = 
/interface bridge
add name=br-blackhole protocol-mode=none
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add connection-mark=via-NordVPN name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=ie144.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=192.168.133.3-192.168.133.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 lease-time=1h name=\
    dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.133.2/24 interface=bridge1 network=192.168.133.0
/ip dhcp-server lease
add address=192.168.133.3 client-id=1:<MAC-ADDR> mac-address=\
    <MAC-ADDR> server=dhcp1
add address=192.168.133.8 client-id=1:<MAC-ADDR> mac-address=\
    <MAC-ADDR> server=dhcp1
add address=192.168.133.4 client-id=1:<MAC-ADDR> mac-address=\
    <MAC-ADDR> server=dhcp1
add address=192.168.133.5 client-id=1:be:ae:c5:3:aa:47 mac-address=\
    <MAC-ADDR> server=dhcp1
add address=192.168.133.6 client-id=1:<MAC-ADDR> mac-address=\
    <MAC-ADDR> server=dhcp1
add address=192.168.133.7 client-id=1:<MAC-ADDR> mac-address=\
    <MAC-ADDR> server=dhcp1
add address=192.168.133.18 client-id=1:<MAC-ADDR> mac-address=\
    <MAC-ADDR> server=dhcp1
/ip dhcp-server network
add address=192.168.133.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.133.2
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address=!192.168.133.0/24 new-connection-mark=via-NordVPN \
    passthrough=yes src-address=192.168.133.5
add action=mark-routing chain=prerouting connection-mark=via-NordVPN \
    dst-address=!192.168.133.0/24 new-routing-mark=via-NordVPN passthrough=\
    yes src-address=192.168.133.5
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=<MY USERNAME>
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=br-blackhole routing-mark=via-NordVPN
add distance=1 gateway=192.168.133.1
