I can see a minute amount of traffic captured (18 packets)
That's normal, as the rule only matches on the first packet of each connection, because only the first one not only matches the src-address and dst-address but also has no connection-mark assigned yet.
and only when the jail is restarted, but none of the subsequent traffic (pings, traceroutes, etc) seems to get captured.
This is the part that suggests what to look for, see below.
While pinging google, the sniffer captured the following:
This clearly shows the source address is correct.
So the answer is here:
/ip address
add address=192.168.133.2/24 interface=ether2 network=192.168.133.0
...
/ip route
add distance=1 gateway=192.168.133.1
In other words, the Mikrotik is a default gateway for the jail, but Mikrotik's own default gateway is in the same subnet as the jail's IP address. So when the Mikrotik forwards a packet from the jail, it finds out that it has to forward it out the same interface through which it has received it, so it sends an ICMP message "a better router than is available for this destination in the same subnet" to the jail, which accepts that message and starts sending subsequent packets towards that destination directly to 192.168.133.1. You can see those packets in the capture because the Mikrotik acts as a bridge for these packets, but since it does not route them any more, it applies no IP processing at all on them.
So there are two ways to deal with this:
- to split the networks, i.e. to use a dedicated subnet as the WAN one of the Mikrotik
- to implement policy routing for the traffic from that jail, which will use another gateway for this traffic, preventing this from happening.
The latter one can also act as a prevention of traffic leakage through the normal path if the tunnel is down (sometimes called a "killswitch").
To implement this, you would add a bridge interface with no member ports:
/interface bridge add name=br-blackhole protocol-mode=none
Next, you would add a default route via that interface into a distinct routing table:
/ip route add routing-mark=via-NordVPN gateway=br-blackhole
And last, you would add the following mangle rule after (below) the action=mark-connection one:
connection-mark=via-NordVPN in-interface=bridge action=mark-routing routing-mark=via-NordVPN
One more thing that is wrong is that the Mikrotik's own IP address (192.168.133.2) is attached to ether2 rather than to the actual IP interface, which is bridge. This wrong setup seems to be allowed to permit some migration scenarios, but it causes some weird effects. It is definitely not related to your issue, but nevertheless worth fixing.
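As an added illustration (not code from this thread or from MikroTik), here is a small Python model of the forwarding decision described above: a default gateway in the jail's own subnet triggers an ICMP redirect, while a routing-marked table whose fallback is the port-less bridge keeps the traffic on the tunnel or drops it when the tunnel is down. The interface names "bridge", "nordvpn-tun" and the route distances are assumptions for the illustration.

```python
import ipaddress

# Constructed topology from the thread: the jail sits behind the MikroTik's
# "bridge" interface, and the MikroTik's own default gateway 192.168.133.1
# lives in that same /24 (the root cause of the redirect).
IFACES = {"bridge": ipaddress.ip_network("192.168.133.0/24")}

def route(dst, gateway, mark=None, distance=1, active=True):
    """One routing-table entry; gateway is an IP (next hop) or an interface name."""
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        gw = gateway                       # interface route, e.g. br-blackhole
    return {"dst": ipaddress.ip_network(dst), "gw": gw, "mark": mark,
            "distance": distance, "active": active}

def lookup(routes, dst, mark=None):
    """Longest-prefix match inside the table selected by routing-mark; an empty
    marked table falls back to the main table (assumed RouterOS v6 behaviour)."""
    cands = [r for r in routes if r["mark"] == mark and r["active"] and dst in r["dst"]]
    if not cands:
        return lookup(routes, dst, None) if mark else None
    return max(cands, key=lambda r: (r["dst"].prefixlen, -r["distance"]))

def forward(routes, src, dst, in_iface, mark=None):
    """What the router does with one packet from src that arrived on in_iface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    r = lookup(routes, dst, mark)
    if r is None:
        return "no route"
    gw = r["gw"]
    if isinstance(gw, str):                # interface route: br-blackhole drops it
        return f"forwarded via {gw}"
    out = next((n for n, net in IFACES.items() if gw in net), None)
    # Redirect condition (RFC 1812): the packet leaves through the interface it
    # arrived on and the source shares that subnet with the next hop.
    if out == in_iface and src in IFACES[out] and gw in IFACES[out]:
        return f"ICMP redirect to {gw}; later packets bypass the router"
    return f"forwarded via {gw}"

# Main table as in the thread (connected /24 plus default gateway 192.168.133.1).
BROKEN = [route("192.168.133.0/24", "bridge"), route("0.0.0.0/0", "192.168.133.1")]
# Policy-routing fix: tunnel route first, port-less bridge as the fallback.
FIXED = BROKEN + [route("0.0.0.0/0", "nordvpn-tun", mark="via-NordVPN", distance=1),
                  route("0.0.0.0/0", "br-blackhole", mark="via-NordVPN", distance=2)]
TUNNEL_DOWN = BROKEN + [route("0.0.0.0/0", "nordvpn-tun", mark="via-NordVPN", active=False),
                        route("0.0.0.0/0", "br-blackhole", mark="via-NordVPN", distance=2)]

def demo(jail="192.168.133.50", target="8.8.8.8"):
    """Returns the three outcomes: redirect, tunnel, and killswitch drop."""
    return (forward(BROKEN, jail, target, "bridge"),
            forward(FIXED, jail, target, "bridge", mark="via-NordVPN"),
            forward(TUNNEL_DOWN, jail, target, "bridge", mark="via-NordVPN"))
```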