MiiD0205
Topic Author
Posts: 1
Joined: Mon Feb 10, 2020 7:31 pm

ProtonVPN - Ping/route subnet

Sat Sep 17, 2022 10:55 pm

First post here; I hope everything is written logically, I'm a network beginner. :)

So I successfully configured ProtonVPN IPsec with MikroTik. The router doesn't have anything else special configured because it is my secondary router: only DHCP, a route to the main router and IPsec. Diagram is attached.

Main router: 192.168.10.0/24
Secondary/ProtonVPN router: 192.168.100.0/24

As you can see, the MikroTik is connected to the main router in a different subnet. If I disconnect IPsec, routing between them and the devices (PC1 and PC2) works normally: ping from 192.168.100.x to 192.168.10.x and the other way around. With IPsec enabled, it doesn't go through. This is probably because all the traffic goes through the tunnel to the WAN.

Question: How do I set up the firewall (or maybe some other solution?) so that LAN traffic to the main subnet keeps working when I enable IPsec/ProtonVPN?
Thanks.

Configuration:
/interface list
add name=WAN
add name=LAN


/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 \
    name=ProtonVPN
/ip ipsec peer
add address=node-us-67.protonvpn.net exchange-mode=ike2 name=ProtonVPN \
    profile=ProtonVPN send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridgeLocal name=dhcp1
/interface bridge port
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=bridgeLocal interfaces=\
    wlan1,wlan2
/ip address
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1 \
    netmask=24
/ip firewall address-list
add address=192.168.100.0/24 list=local
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=ProtonVPN password=\
    ******* peer=ProtonVPN policy-template-group=\
    ProtonVPN username=*******
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=\
    0.0.0.0/0 template=yes
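The following is an added example, not part of the original post or of MikroTik's or ProtonVPN's documentation. It is based on how the posted config works: `mode-config ... src-address-list=local` makes RouterOS create a dynamic policy for the assigned tunnel address plus a dynamic srcnat rule that rewrites everything from the `local` list to that address, so packets for 192.168.10.0/24 are NATed onto the tunnel address before the policy lookup and end up inside the tunnel. Accepting the LAN-to-LAN traffic in srcnat before that dynamic rule keeps its source at 192.168.100.x, the dynamic policy no longer matches it, and it follows the ordinary route to the main router. The 192.168.10.0/24 destination is taken from the post; everything else (the rule placement, the comment text, the verification commands) is my assumption and should be checked with the `print` commands shown.

```routeros
# Added example (not from the original post). Exclude traffic to the main
# router's LAN from the ProtonVPN tunnel on the secondary MikroTik.
#
# Assumption: the dynamic mode-config srcnat rule is the one that pushes LAN
# traffic into the tunnel; an accept rule evaluated before it stops that.

# 1. Accept LAN -> main-router LAN in srcnat before the dynamic rule.
#    place-before=0 puts it at the top of the chain; the dynamic rule created
#    by mode-config shows up with a "D" flag when the tunnel is up.
/ip firewall nat
add chain=srcnat action=accept \
    src-address=192.168.100.0/24 dst-address=192.168.10.0/24 \
    place-before=0 comment="keep LAN->main LAN out of ProtonVPN tunnel"

# 2. Verify the order: the accept rule must be listed above the dynamic
#    mode-config src-nat rule (flag D) and above the ether1 masquerade.
/ip firewall nat print

# 3. Verify the policy side: only the dynamic policy with the assigned
#    tunnel address as src should exist next to the template.
/ip ipsec policy print

# 4. Check that the tunnel is still used for everything else, and that the
#    main LAN is reached directly (hop count 1-2, no ProtonVPN hops).
/ping 192.168.10.1 count=3
/tool traceroute 192.168.10.1 count=1
/tool traceroute 1.1.1.1 count=1
```

If `/ip firewall nat print` shows the dynamic rule ordered above the new accept rule after the tunnel reconnects, move the accept rule with `/ip firewall nat move`, since rule order, not the comment, decides which one wins. The existing `masquerade out-interface=ether1` rule still NATs the excluded traffic toward the main router, which is what worked before IPsec was enabled.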