Do you mean this?

If it's WireGuard VPN, piece of cake.

I tested the WireGuard config and it seems to configure, but I see no evidence of a VPN connection anywhere. I followed the Proton guide as closely as I could.

I get the family up in arms bit!!
Will look at your config tomorrow... late here, was out tonight.

They did, excuses. It didn't cross my mind to post it.

Okay, I will assume the Proton VPN setup gave you some information. Have to guess because info not supplied.

The point being? If they gave you /32, you should use /32, you won't gain anything by using something else.

In that case I would simply use 10.2.0.2/24 for the IP address on the router. Address as /30 is very limiting.

You know because you have all the answers! LOL.

The point being? If they gave you /32, you should use /32, you won't gain anything by using something else.

In that case I would simply use 10.2.0.2/24 for the IP address on the router. Address as /30 is very limiting.

I asked this question, what to add confuses me. Can you help clarify this?

As for the rest, you didn't change the allowed addresses; as noted, you still have two entries...

OK, I understand now, 1 or many. I will do my best with a new version of the config and post it, thank you for the help. I am going to leave out the firewall as you suggested and focus on getting the connection established correctly.

As I wrote it, you can replace 1.1.1.1,9.9.9.9 with 8.8.8.8 for example.
Just a decent external DNS service with remote requests being allowed.
I believe I addressed the issues you mentioned in total minus the MTUs. Here is the updated configuration, I hope I got it, I combed through it like 4 times.

(1) You need to remove incomplete entries.
/interface list
add name=WAN
add name=LAN
add
add name=fVPN
(2) There is only one bridge; you can remove the second one...
/interface bridge
add name=bridge1
add name=bridge2
As for the rest, you didn't change the allowed addresses; as noted, you still have two entries...
You didn't add persistent-keepalive.
You didn't change the allowed DNS servers... which is for the router, not for WireGuard, and I explained that already (as you noted, you changed DNS in the right spot) but you also kept the wrong one, argg.
You added the fasttrack rule at the end of the forward chain instead of as the first rule. On top of that you included the second rule, which was only meant to show WHERE to place the first rule, so you have one rule out of place and the other is a duplicate.
You are still mangling...
Routing rule disabled.
Not much more to add at this point.
UR killen me.
WHY OH WHY do you keep putting 128.0.0.0 in allowed-addresses for the peer setting??
Remove it!
WHY OH WHY do you keep failing to add persistent-keepalive on the same settings??
Why is ether10 singled out for an interface list? In other words, I don't understand its purpose.
It's on the bridge already.
You need to ENABLE this rule.
/routing rule
add action=lookup disabled=yes src-address=10.1.0.0/16 table=protonvpn_wg
Yes, to the extent I expect right now.

Looks good, but does it work? LOL

(1) Before enabling the routing rule that you pointed out, can you ping from a PC normally, like a common site such as www.cbc.ca or 1.1.1.1 for example?
(2) In a browser type whatsmyIP... should get local WAN IP.
Now enable the routing rule and try the same two steps...
+++++++++++++++++++++++++++++
If no luck,
(3) Change the MTU setting on your WireGuard interface from 1420 to 1500 and then try those steps.
If no luck, return the MTU on the WireGuard interface settings back to 1420 and go to the next step.
(4) Try this change...
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=protonwg01 passthrough=yes protocol=tcp tcp-flags=syn
(5) If no luck try this variant.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=protonwg01 protocol=tcp tcp-flags=syn tcp-mss=1381-65535 passthrough=yes
(6) Finally, if no joy... the one you had...
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 out-interface=protonwg01 protocol=tcp tcp-flags=syn tcp-mss=!0-1375 passthrough=yes
* name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024
Ok, the output of config is as follows, so it looks disabled:

(1) YES, get rid of old remnants, proposals etc., at least for testing. I have no clue, in general, but specifically how such things may screw up a config. LOL
(2) I would DEFINITELY remove the rule below too, and then retry my suggested set of steps.
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0 \
template=yes
So I understand, should I have seen the whole network connected over the VPN?

Next step may be to call Proton and see what they see at their end... You can tell them the Proton link shows as being UP at your end.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet private-key=<your_private_key>
/ip address
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<Endpoint_IP> endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key=<your_public_key>
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route
add disabled=no dst-address=<Endpoint_IP>/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
/ip dns
set servers=10.2.0.1
/ip dhcp-client
set 0 use-peer-dns=no
I will look at your config later but let's look at the PROTON suggestions...
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet private-key=<your_private_key> OKAY
Note: I am assuming they gave you the private key you need to put on the interface, confirm if correct!!
Note: I am assuming they gave you their public key to put in your peer settings for their end.

Noted

/ip address
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0 OKAY
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<Endpoint_IP> endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key=<your_public_key> OKAY
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24 Optional
You don't need to state the src-address; I suppose no harm if done, but not required.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
WRONG.
You only need one IP route and that needs to follow MT rules.
add distance=1 dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=usePROTON
Noted... I will post a new config in a bit.

/ip route
add disabled=no dst-address=<Endpoint_IP>/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
NO, REMOVE, not required.
/ip dns
set servers=10.2.0.1
NO we set the DNS servers on the dhcp server settings but we can modify somewhat in the real config.
/ip dhcp-client
set 0 use-peer-dns=no
NO, they have no business with your IP DHCP client settings!!!
# feb/24/2023 16:18:41 by RouterOS 7.7
# software id = CPNV-JM5L
#
# model = CCR2004-16G-2S+
# serial number =
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
/interface list
add name=WAN
add name=LAN
add name=fVPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=protonvpn_wg
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10
/ipv6 settings
set forward=no
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=ether10 list=fVPN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address= endpoint-port=\
51820 interface=wireguard-inet persistent-keepalive=25s public-key=\
""
/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
add address=10.2.0.2/24 interface=*14 network=10.2.0.0
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
add add-default-route=no interface=bridge1 script=":log info (\"dhcp detect re\
lease\")\r\
\n:for e from=0 to=40 do={\r\
\n/ip dhcp-client release (\$e)\r\
\n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server alert
add disabled=no interface=bridge1 on-alert=rogue-dhcp valid-server=\
18:F04
/ip dhcp-server lease
add address=10.1.1.15 mac-address=94:7 server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.2.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
add address=192.168.88.0/24 list=under_protonvpn
add address=10.1.0.0/16 disabled=yes list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin" in-interface-list=LAN \
src-address-list=TRUSTED
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=\
LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
# no interface
add action=change-mss chain=forward comment=\
"Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu \
out-interface=*14 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=1380 out-interface=\
*14 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=change-mss chain=forward disabled=yes new-mss=1360 out-interface=\
*14 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# no interface
add action=masquerade chain=srcnat out-interface=*14
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=\
192.168.88.0/24
/ip ipsec policy
set 0 disabled=yes
/ip route
add comment="ProtonVPN Wireguard default route" disabled=yes distance=1 \
dst-address=0.0.0.0/0 gateway=*14 pref-src="" routing-table=protonvpn_wg \
scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup disabled=no src-address=10.1.0.0/16 table=protonvpn_wg
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
/system script
add dont-require-permissions=no name=rogue-dhcp owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":log warning message=\"Rogue DHCP server detected!\""
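The review of this config boils down to a handful of mechanical checks: `*14` references to a deleted interface, a peer with extra allowed-addresses and no persistent-keepalive, the 0.0.0.0/1 half-default route in main instead of one 0.0.0.0/0 route in its own table, a disabled route and routing rule, and fasttrack not first in the forward chain. Below is an added example (not from this thread or from MikroTik) that parses a RouterOS 7 export, including its backslash line wrapping and quoted values, and flags exactly those points. Both exports inside it are constructed excerpts, not the poster's full config: the endpoint address 203.0.113.10 and the public-key placeholder are made up, and the "fixed" version only rearranges the same pieces the way the reviewer advises.

```python
"""Lint a RouterOS 7 export for the WireGuard / policy-routing mistakes the reviewer
lists in this thread. Added example: both exports are constructed excerpts in the
shape of a RouterOS export (not the poster's config); checks encode the thread's advice."""
import re
import shlex
from collections import defaultdict

# Constructed excerpt with the problems called out above; 203.0.113.10 is a
# documentation address standing in for the provider endpoint.
SAMPLE_EXPORT = r"""
/interface wireguard peers
add allowed-address=0.0.0.0/0,128.0.0.0/1 endpoint-address=203.0.113.10 \
    endpoint-port=51820 interface=wireguard-inet public-key=\
    "PLACEHOLDER_PEER_PUBLIC_KEY"
/ip firewall filter
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=*14
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=*14 routing-table=protonvpn_wg
add dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main
/routing rule
add action=lookup disabled=yes src-address=10.1.0.0/16 table=protonvpn_wg
"""
# The same pieces arranged as the thread advises (constructed, same placeholders).
FIXED_EXPORT = r"""
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=203.0.113.10 endpoint-port=51820 \
    interface=wireguard-inet persistent-keepalive=25s public-key=\
    "PLACEHOLDER_PEER_PUBLIC_KEY"
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-inet
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=protonvpn_wg
/routing rule
add action=lookup src-address=10.1.0.0/16 table=protonvpn_wg
"""
DANGLING = re.compile(r"\*[0-9A-Fa-f]+")  # RouterOS shows *<id> for a deleted object

def join_continuations(text):
    # RouterOS wraps long lines with a trailing backslash and indents the remainder.
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return lines

def parse_export(text):
    # One dict per add/set line: its /section, verb, key=value pairs and bare words.
    entries, section = [], None
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # honours "quoted values" and \" escapes
        entry = {"_section": section, "_verb": tokens[0], "_args": []}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                entry[key] = value
            else:
                entry["_args"].append(tok)
        entries.append(entry)
    return entries

def lint(entries):
    # Returns one string per finding; an empty list means nothing was flagged.
    out, sec = [], defaultdict(list)
    for e in entries:
        sec[e["_section"]].append(e)
        for k, v in e.items():
            if not k.startswith("_") and DANGLING.fullmatch(v):
                out.append(f"{e['_section']}: {k}={v} refers to a deleted object")
    for p in sec["/interface wireguard peers"]:
        allowed = p.get("allowed-address", "").split(",")
        if "0.0.0.0/0" in allowed and len(allowed) > 1:
            out.append(f"peer: allowed-address {allowed} adds entries 0.0.0.0/0 already covers")
        if "persistent-keepalive" not in p:
            out.append("peer: no persistent-keepalive set")
    for r in sec["/ip route"]:
        if r.get("dst-address") in ("0.0.0.0/1", "128.0.0.0/1"):
            out.append(f"route: half-default {r['dst-address']}; use one 0.0.0.0/0 in its own table")
        if r.get("dst-address") == "0.0.0.0/0" and r.get("disabled") == "yes":
            out.append(f"route: default route in table {r.get('routing-table', 'main')} is disabled")
    for rule in sec["/routing rule"]:
        if rule.get("disabled") == "yes":
            out.append(f"routing rule: lookup in table {rule.get('table')} is disabled")
    fwd = [f for f in sec["/ip firewall filter"] if f.get("chain") == "forward"]
    for pos, f in enumerate(fwd):
        if f.get("action") == "fasttrack-connection" and pos:
            out.append(f"filter: fasttrack-connection is forward rule {pos + 1}, not the first")
    return out
```

To run it against a real device, save `/export` output to a file and call `lint(parse_export(open("export.rsc").read()))`; the sample export produces eight findings and the rearranged one produces none. The parser only splits on whitespace, quotes and `=`, so `set [ find default=yes ] ...` lines keep their `[`/`find`/`]` as bare words and their `default=yes` as a key; that is enough for these checks but not a general RouterOS script parser.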
It looks like a lost reference; removing it has no effect.

I don't understand *14??

I'm going to do that and report back. Look, you've been more than patient, please don't feel obliged to help me further. I chose this path, cudda botta netgear or something like that. If you want to see it finally work, I will stick it through, but I would understand if it were reversed. I am 20 years a retired software engineer, so I have stood over many of your shoulders without bothering to learn it.

That is not right; the *14 was in several places in your config, mangle rules, source NAT rule.
Very bizarre. I am tempted to recommend a complete reset...
I would like to see why Proton is so difficult... or if I have an error in my thinking, so it's good to wrestle it to the ground...