/ip ipsec policy move *ffffff destination=0
/ip ipsec policy add action=none dst-address=184.108.40.206/24 src-address=0.0.0.0/0 place-before=1
Sindy helped me on this one; I could not have done it without Sindy's help, I would not have solved it. I don't understand why MikroTik development is not picking up on this solution!

OMG, it works now! Thank you so much!

I actually saw your linked topics earlier and, on the advice there, I tried pressing "Preview" on my written post, and it opened in a very short time, so I had no doubt about the MTU. Obviously, I did not do this thoroughly.

Thanks again, but beware: more questions are coming, because I very much love RouterOS and my hEX S router :)

I'm starting to configure more and more local network settings (of course, god bless backups :)))
Most often people forget to exclude the traffic which should go via the IPsec VPN from fasttracking. So if you have a chain=forward action=fasttrack-connection ... rule in /ip firewall filter, disable it and test the speed using a new test connection. If it helps, and if you use the device also for normal access to the internet, you may want to selectively exclude only the IPsec VPN traffic from fasttracking. If so, post your complete configuration export, minus sensitive data - see my automatic signature below for a mini-howto.

I ... have set up the NordVPN as per the instructions on this and the NordVPN web site ... but the upload is basically nothing, .1 or less. Is there something silly I am doing?

I added a static DNS forward record and want the DNS query to go via IPsec; the connection is marked, but in ipsec/active peers txbytes and rxbytes are all 0, so it looks like the connection doesn't go out via IPsec.

The easiest way is to configure connection-mark=via-NordVPN in the /ip ipsec mode-config row you use for the NordVPN identity, and use mangle rules to assign that connection-mark to connections you want to use the VPN:
/ip firewall mangle
add chain=prerouting dst-address-list=VPN-destinations connection-mark=no-mark action=mark-connection new-connection-mark=via-NordVPN
add chain=output dst-address-list=VPN-destinations connection-mark=no-mark action=mark-connection new-connection-mark=via-NordVPN
The first rule handles packets from LAN, the second one handles packets sent by the router itself (such as DNS queries). Populate the address list VPN-destinations with the addresses and ranges you want to be routed via the VPN.
If you want to prevent traffic to those destinations from being sent out if the VPN is down, you'll need another step - translate the connection-mark to some routing-mark for outgoing traffic, and create a default route with that routing-mark with gateway set to br-blackhole, where br-blackhole is a bridge interface with no member ports:
/interface bridge add name=br-blackhole protocol-mode=none
/ip route add routing-mark=NordVPN-only gateway=br-blackhole
/ip firewall mangle add chain=prerouting in-interface-list=!WAN connection-mark=via-NordVPN action=mark-routing new-routing-mark=NordVPN-only
You have to decide what you want to do with DNS queries when/if the VPN is down.
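The pieces discussed above (selective connection marking, the fasttrack exclusion, and the blackhole fallback) combined into one configuration, as an added example that is not from this thread. It assumes RouterOS v6 syntax, an existing interface list named WAN, and a mode-config row named NordVPN; the address-list entries are constructed documentation ranges.

```routeros
# Added example (not from the thread): route only selected destinations through
# the NordVPN IPsec tunnel, keep those connections out of fasttrack, and drop
# them instead of leaking them in clear when the tunnel is down.
# Assumptions: RouterOS v6 syntax, interface list "WAN" exists,
# mode-config row is named "NordVPN" (placeholder name).

# Destinations that must go via the VPN (constructed sample entries)
/ip firewall address-list
add list=VPN-destinations address=203.0.113.0/24 comment="example range"
add list=VPN-destinations address=198.51.100.10 comment="example host"

# The mode-config row used by the NordVPN identity selects connections by mark
/ip ipsec mode-config
set [ find name=NordVPN ] connection-mark=via-NordVPN

# Mark new connections to those destinations: from LAN (prerouting) and from
# the router itself, e.g. DNS queries (output)
/ip firewall mangle
add chain=prerouting dst-address-list=VPN-destinations connection-mark=no-mark \
    action=mark-connection new-connection-mark=via-NordVPN
add chain=output dst-address-list=VPN-destinations connection-mark=no-mark \
    action=mark-connection new-connection-mark=via-NordVPN
# Marked LAN connections get a routing mark so they use the blackhole route
# rather than the normal default route when no IPsec policy picks them up
add chain=prerouting in-interface-list=!WAN connection-mark=via-NordVPN \
    action=mark-routing new-routing-mark=NordVPN-only

# Fasttrack everything except VPN-bound connections: fasttracked packets are
# not handled by IPsec policies, which is why the thread excludes them
/ip firewall filter
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=!via-NordVPN
add chain=forward action=accept connection-state=established,related

# Blackhole: a bridge with no member ports never forwards anything, so marked
# traffic is dropped rather than sent unencrypted while the tunnel is down
/interface bridge
add name=br-blackhole protocol-mode=none
/ip route
add routing-mark=NordVPN-only gateway=br-blackhole
```

To confirm traffic is actually entering the tunnel, watch the txbytes/rxbytes counters in /ip ipsec active-peers while generating a new connection to a listed destination.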
/ip dns static add regexp=".*\\.google\\.com\$" forward-to=220.127.116.11
/ip firewall mangle add action=mark-connection chain=output dst-address=18.104.22.168 dst-address-type=!local \
    new-connection-mark=VPN passthrough=no

Show the rest of the configuration. What you've posted looks fine (dst-address-type can be omitted, but that only adds a few CPU cycles to the rule processing; it doesn't break functionality), so the issue must be elsewhere.