hunte88
just joined
Topic Author
Posts: 14
Joined: Mon Dec 26, 2022 8:42 pm

NordVPN client ipsec mikrotik

Sun Jan 01, 2023 12:29 am

Hi all, happy new year to all.

I have configured my routerboard to have a NordVPN client with IPsec. I used the steps in this guide https://www.youtube.com/watch?v=Q_eJwJAV29Q&t=194s
For me it does not work, but I don't know if it is a problem of the VPN or of my settings.
When I add the last two firewall rules, my LAN devices can't browse the internet (communication between devices in the LAN works fine).

Is there a way to test the VPN, or to check that the VPN settings are correct?

Thanks a lot.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 10:57 am

Referring to tutorials (i.e. how it should be done) is useless. Post the export of your configuration (how it is actually done) when it doesn't work. Open a command line window (using the [New Terminal] button in Winbox or [Terminal] in WebFig), type /export hide-sensitive file=somename, press Enter. Then download the file somename.rsc, remove the serial number, obfuscate any public addresses and usernames for external services and post the result between [code] and [/code] tags.
 
hunte88
just joined
Topic Author
Posts: 14
Joined: Mon Dec 26, 2022 8:42 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 3:09 pm

Hi, thanks for the support.
This is the configuration while the VPN does not work, or rather, while the clients on my LAN cannot browse the internet.
# jan/01/2023 13:43:33 by RouterOS 6.49.7
# software id = xxxxxxxxxxxxxx
#
# model = 951G-2HnD
# serial number = xxxxxxxxx
/interface bridge
add fast-forward=no name=bridge1
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=\
    no_country_set disabled=no frequency-mode=manual-txpower mode=ap-bridge \
    ssid=MikroTik station-roaming=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add enc-algorithm=aes-256,3des name=NordVPN
/ip ipsec peer
add address=it156.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no \
    interface=bridge1 lease-script=":local recipient \"raffaele.bacolini@yahoo\
    .com\"\r\
    \n/ip dhcp-server lease\r\
    \n:if (\$leaseBound = 1) do={\r\
    \n:do {\r\
    \n:tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC: \$le\
    aseActMAC]\" body=\"The following MAC address [\$leaseActMAC] received an \
    IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName] and nom\
    edevice is [\$\"lease-hostname\"]\"\r\
    \n:log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\
    \n/tool fetch url=\"https://api.telegram.org/xxxxxxxxxxxxxxxxxxxxxxxxxx_sgj9LxHzA/sendMessage\?chat_id=xxxxxxx&text=DHCP Address Ale\
    rt [MAC: \$leaseActMAC] body=The following MAC address [\$leaseActMAC] rec\
    eived an IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName\
    ] and nomedevice is [\$\"lease-hostname\"]\"\r\
    \n} on-error={:log error \"Failed to send alert email to \$recipient\"}}" \
    lease-time=3d name=dhcp1
/queue simple
add disabled=yes max-limit=0/3M name=pc-fede target=192.168.0.109/32
add max-limit=1k/1k name=iphonem target=192.168.0.235/32
add max-limit=0/2M name=pc-hp-fede target=192.168.0.6/32
add max-limit=10k/64k name=Amazon target=192.168.0.233/32
add max-limit=1k/1k name=sconosciuto target=192.168.0.193/32
add max-limit=1k/1k name=BEPPE-PC target=192.168.0.162/32
add disabled=yes max-limit=200k/4M name=Pc-mostro target=192.168.0.3/32
add disabled=yes max-limit=64k/2M name=note8 target=192.168.0.4/32
add max-limit=1k/1k name="Galaxy S20 Sira" target=192.168.0.114/32
add max-limit=1k/1k name="Galaxy A5 Sira" target=192.168.0.115/32
add max-limit=1k/1k name="Galaxy S20 Sira3" target=192.168.1.110/32
add disabled=yes max-limit=10k/10k name="lenovo wifi" target=192.168.0.24/32
add max-limit=1k/1k name=sconosciuto1 target=192.168.0.127/32
add max-limit=1k/1k name=sconosciuto2 target=192.168.0.128/32
add disabled=yes max-limit=10k/2M name="pc mamma" target=192.168.0.2/32
add disabled=yes max-limit=20k/2M name="smartphone fede" target=\
    192.168.0.8/32
/system logging action
set 3 remote=0.0.0.1
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server alert
add alert-timeout=5s interface=bridge1 on-alert=":log info \"Found rogue DHCP \
    server at \$[/system clock get date] \$[/system clock get time] on interfa\
    ce bridge1]\"\r\
    \n#Email\r\
    \n/tool e-mail send to=\"raffaele.bacolini@yahoo.com\" subject=\"Found rog\
    ue DHCP server at \$[/system clock get date] \$[/system clock get time] on\
    \_interface bridge1\"\r\
    \n#Telegram\r\
    \n/tool fetch url=\"https://api.telegram.org/xxxxxxxxxxxxxxxxxx/sendMessage\?chat_id=xxxxxxxxxxxxxx&text=Found rogue DHCP\
    \_server at \$[/system clock get date] \$[/system clock get time] on inter\
    face bridge1\"" valid-server=xxxxxxxxxxxxxx
/ip dhcp-server lease
add address=192.168.0.10 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.11 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.21 comment="Cavo LAN" mac-address=xxxxxxxxxxxxxx \
    server=dhcp1
add address=192.168.0.16 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.25 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.17 client-id=xxxxxxxxxxxxxx comment="Cavo LAN" \
    mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.27 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx \
    server=dhcp1
add address=192.168.0.242 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.18 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.22 client-id=xxxxxxxxxxxxxx comment="Cavo LAN" \
    mac-address=xxxxxxxxxxxxxx server=dhcp1 use-src-mac=yes
add address=192.168.0.234 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.220 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.221 client-id=xxxxxxxxxxxxxx comment=\
    "arduino client casa" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.235 always-broadcast=yes client-id=xxxxxxxxxxxxxx \
    mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.217 client-id=xxxxxxxxxxxxxx mac-address=\
    xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.216 client-id=xxxxxxxxxxxxxx mac-address=\
    xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.215 client-id=xxxxxxxxxxxxxx mac-address=\
    xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.202 always-broadcast=yes client-id=xxxxxxxxxxxxxx \
    mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.233 client-id=xxxxxxxxxxxxxx mac-address=\
    xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.8 always-broadcast=yes client-id=xxxxxxxxxxxxxx \
    comment="xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.193 client-id=xxxxxxxxxxxxxx comment=sconosciuto \
    mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.3 comment="xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx \
    server=dhcp1
add address=192.168.0.121 comment=broadlink mac-address=xxxxxxxxxxxxxx \
    server=dhcp1
add address=192.168.0.120 comment=broadlink mac-address=xxxxxxxxxxxxxx \
    server=dhcp1
add address=192.168.0.4 comment="xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx \
    server=dhcp1
add address=192.168.0.5 client-id=xxxxxxxxxxxxxx comment=\
    "Ipad di Raffaele" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.115 client-id=xxxxxxxxxxxxxx comment=\
    "Cellulare Sira 2" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.114 client-id=xxxxxxxxxxxxxx comment=\
    "Cellulare Sira1" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.123 comment=xxxxxxxxxxxxxx mac-address=xxxxxxxxxxxxxx \
    server=dhcp1
add address=192.168.0.117 comment=xxxxxxxxxxxxxx mac-address=xxxxxxxxxxxxxx \
    server=dhcp1
add address=192.168.0.118 comment=xxxxxxxxxxxxxx mac-address=xxxxxxxxxxxxxx \
    server=dhcp1
add address=192.168.0.124 comment=xxxxxxxxxxxxxx mac-address=xxxxxxxxxxxxxx \
    server=dhcp1
add address=192.168.0.28 client-id=xxxxxxxxxxxxxx comment=\
    "Windows Server 2019" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.119 comment="xxxxxxxxxxxxxx" mac-address=\
    xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.122 comment="xxxxxxxxxxxxxx" mac-address=\
    xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.9 client-id=xxxxxxxxxxxxxx comment="xxxxxxxxxxxxxx" \
    mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.110 client-id=xxxxxxxxxxxxxx comment=\
    "Cellulare Sira3" mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.12 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=xxxxxxxxxxxxxx server=\
    dhcp1
add address=192.168.0.2 client-id=xxxxxxxxxxxxxx comment="pc mamma" \
    mac-address=xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.102 client-id=xxxxxxxxxxxxxx comment=\
    "xxxxxxxxxxxxxx" mac-address=\
    xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.100 comment="xxxxxxxxxxxxxx" mac-address=\
    xxxxxxxxxxxxxx server=dhcp1
add address=192.168.0.111 comment="xxxxxxxxxxxxxx" mac-address=\
    xxxxxxxxxxxxxx server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.0.1
/ip firewall address-list
add address=192.168.0.0/24 list=local
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=192.168.0.239 port=\
    80,443,53 protocol=tcp
add action=drop chain=forward disabled=yes dst-address=192.168.0.245 port=\
    80,443,53 protocol=tcp
add action=drop chain=forward comment=215 dst-address=192.168.0.215 log=yes \
    port=80,443 protocol=tcp
add action=drop chain=forward comment=235 dst-address=192.168.0.235 log=yes \
    port=80,443 protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    disabled=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \
    dst-port=22 log=yes protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=yes \
    dst-port=22 log=yes protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 log=yes protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 log=yes protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=yes \
    dst-port=22 log=yes protocol=tcp
add action=drop chain=input comment="drop ftp brute forcers" disabled=yes \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=yes \
    dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input comment=\
    "DOS con il SYN flood protect" connection-limit=32,32 disabled=yes \
    protocol=tcp
add action=tarpit chain=input connection-limit=3,32 disabled=yes protocol=tcp \
    src-address-list=blocked-addr
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new disabled=yes log=yes \
    protocol=tcp tcp-flags=syn
add action=drop chain=input disabled=yes src-address=192.168.0.30
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=8000 in-interface=\
    ether1 log=yes protocol=tcp to-addresses=192.168.1.21 to-ports=8000
add action=dst-nat chain=dstnat dst-port=2240 in-interface=ether1 log=yes \
    protocol=tcp to-addresses=192.168.0.21 to-ports=554
add action=dst-nat chain=dstnat comment=hikvision20 dst-port=2222 \
    in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.20 \
    to-ports=8000
add action=dst-nat chain=dstnat comment=hikvision14 dst-port=2224 \
    in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.14 \
    to-ports=8000
add action=dst-nat chain=dstnat comment=hikvision12 dst-port=2225 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.12 to-ports=8000
add action=dst-nat chain=dstnat comment=hikvision13 dst-port=2226 \
    in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.13 \
    to-ports=8000
add action=dst-nat chain=dstnat comment=hikvision16 dst-port=2227 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.16 to-ports=8000
add action=dst-nat chain=dstnat comment=hikvision21 dst-port=2228 \
    in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.21 \
    to-ports=8000
add action=dst-nat chain=dstnat comment=hikvision17-ptz dst-port=2230 \
    in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.17 \
    to-ports=8000
add action=dst-nat chain=dstnat comment=hikvision15 dst-port=2231 \
    in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.15 \
    to-ports=2229
add action=dst-nat chain=dstnat comment=hikvision19 dst-port=2229 \
    in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.19 \
    to-ports=8000
add action=dst-nat chain=dstnat comment=hikvision11 dst-port=8002 \
    in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.1.11 \
    to-ports=8000
add action=dst-nat chain=dstnat comment=emule_tcp_pc_mostro dst-port=14313 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.3 to-ports=14313
add action=dst-nat chain=dstnat comment=emule_udp_pc_mostro dst-port=27693 \
    in-interface=ether1 protocol=udp to-addresses=192.168.0.3 to-ports=27693
add action=dst-nat chain=dstnat comment=NAS-web-server dst-port=10090 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.115 to-ports=\
    10090
add action=dst-nat chain=dstnat dst-port=8090 in-interface=ether1 protocol=\
    udp to-addresses=192.168.1.115 to-ports=8090
add action=dst-nat chain=dstnat dst-port=8090 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.1.115 to-ports=8090
add action=dst-nat chain=dstnat disabled=yes dst-port=8590 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.0.3 to-ports=8090
add action=dst-nat chain=dstnat comment=emule_virtuale dst-port=14314 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.12 to-ports=14314
add action=dst-nat chain=dstnat comment="emule virtual" dst-port=27694 \
    in-interface=ether1 protocol=udp to-addresses=192.168.0.12 to-ports=27694
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=xxxxxxxxxxxxxx
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.0.234
/ip service
set telnet address="192.168.0.4/32,192.168.0.5/32,192.168.0.21/32,192.168.0.23\
    /32,192.168.0.24/32"
set ftp address="192.168.0.4/32,192.168.0.5/32,192.168.0.21/32,192.168.0.23/32\
    ,192.168.0.24/32"
set ssh address="192.168.0.4/32,192.168.0.5/32,192.168.0.21/32,192.168.0.23/32\
    ,192.168.0.24/32,192.168.0.3/32"
set winbox address="192.168.0.0/32,192.168.2.0/32,192.168.1.0/32,192.168.0.12/\
    32,192.168.0.3/32"
/system clock
set time-zone-name=Europe/Rome
/system clock manual
set dst-end="oct/17/2025 00:00:00" dst-start="oct/17/2017 00:00:00" \
    time-zone=+02:00
/system leds
set 0 interface=wlan1
/system logging
add disabled=yes prefix=VPN topics=ipsec
/system package update
set channel=testing
/system scheduler
add interval=4h name=reset_ipcloud on-event=reset_ipcloud policy=write \
    start-date=sep/19/2016 start-time=22:52:24
add interval=1m name=script_cpu on-event=cpu_superamento_limite policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/28/2020 start-time=23:35:22
add disabled=yes interval=5s name=schedule1 on-event=script_check policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/29/2022 start-time=02:22:56
add disabled=yes interval=5s name=newschedule on-event=check_script policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/29/2022 start-time=02:40:59
add disabled=yes interval=5s name=schedule2 on-event=script1 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/29/2022 start-time=03:09:32
add disabled=yes interval=5s name=schedule3 on-event=script2 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/29/2022 start-time=03:23:10
/system script
add dont-require-permissions=no name=reset_ipcloud owner=admin policy=write \
    source="/ip cloud force-update"
add dont-require-permissions=no name=cpu_superamento_limite owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="\
    :global datum [/system clock get date];\r\
    \n:global time [/system clock get time];\r\
    \n:local maxsamples 5\r\
    \n:global cpuarray\r\
    \n:set cpuarray ([/system resource get cpu-load] , [:pick \$cpuarray 0 (\$\
    maxsamples - 1)])\r\
    \n:local arraytot 0\r\
    \n:foreach o in=\$cpuarray do={:set arraytot (\$arraytot + \$o)};\r\
    \n:local arraysize [:len \$cpuarray]\r\
    \n:local avgcpuload (\$arraytot / \$arraysize)\r\
    \n:log info (\"CPU Load Captures:\")\r\
    \n:log info \$cpuarray\r\
    \n:log info (\"Array Total: \$arraytot\")\r\
    \n:log info (\"Array size: \$arraysize of \$maxsamples\")\r\
    \n:global highavgcpuload\r\
    \n:if ([:len \$highavgcpuload] = 0 || \$highavgcpuload < \$avgcpuload) do=\
    {:set highavgcpuload \$avgcpuload}\r\
    \n:log info (\"CPU Load - Avg: \$avgcpuload High: \$highavgcpuload\")\r\
    \n:if (\$avgcpuload >= 95) do={/tool e-mail send to=\"xxxxxxxxxxxxxx@gm\
    ail.com\" subject=[/system identity get name] from=\"xxxxxxxxxxxxxx@gma\
    il.com\" body=([/system identity get name] ,\"\r\
    \n    At \$time the CPU Load on this router was running at 95%\")\r\
    \n};"
add dont-require-permissions=yes name=script_check owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global emailTo \"xxxxxxxxxxxxxx@xxxx.com\"\r\
    \n:global emailFrom \"xxxxxxxxxxxxxx@xxxx.com\"\r\
    \n:global smtpServer \"xxxxxxxxxxxxxx\"\r\
    \n:local currentTime [/system clock get time]\r\
    \n:local newDeviceMac \"00:00:00:00:00:00\"\r\
    \n:local newDeviceName \"Unknown\"\r\
    \n:log info \"Checking for new devices on the network\"\r\
    \n:foreach i in=[/ip arp find] do={\r\
    \n:local deviceMac [/ip arp get \$i mac-address]\r\
    \n:local deviceLastSeen [/ip arp get \$i last-seen]\r\
    \n:if (deviceLastSeen > \$currentTime - 1m) do={\r\
    \n:if ([/ip arp get \$i address] != \$newDeviceMac) do={\r\
    \n:set newDeviceMac \$deviceMac\r\
    \n:set newDeviceName [/ip arp get \$i address]\r\
    \n/tool e-mail send to=\$emailTo subject=\"New device connected\" body=\"A\
    \_new device with MAC address \$newDeviceMac and IP address \$newDeviceNam\
    e has connected to the network at \$currentTime.\" from=\$emailFrom server\
    =\$smtpServer\r\
    \n:log info \"Sent email notification for new device with MAC \$newDeviceM\
    ac and IP \$newDeviceName\"\r\
    \n}\r\
    \n}\r\
    \n}"
add dont-require-permissions=yes name=check_script owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    log info \"myLeaseScript Started. \$leaseBound-\$leaseServerName-\$leaseAc\
    tMAC-\$leaseActIP\"\r\
    \n:if (\$leaseBound=1)do={\r\
    \n/log info \"DHCPLIST: \$leaseActIP - \$leaseActMAC\"\r\
    \n/tool e-mail send to=\"xxxxxxxxxxxxxx\" subject=\"DHCPLIST\
    \" body=\"\$leaseActIP - \$leaseActMAC\"\r\
    \n}\r\
    \n/log info \"myLeaseScript Ended\""
add dont-require-permissions=yes name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    if (\$leaseBound =1) do={\r\
    \n# Variables\r\
    \n:local Time [/system clock get time];\r\
    \n:local Date [/system clock get date];\r\
    \n:local Comment [/ip dhcp-server lease get value-name=comment number=[/ip\
    \_dhcp-server lease find address=\$leaseActIP]]\r\
    \n:local DeviceName [/system identity get name];\r\
    \n:if (\$Comment = \93\94) do={\r\
    \n# START Send Email Module\r\
    \n:local SendTo \93xxxxxxxxxxxxxx@xxxxxxxxxxxxxx\94;\r\
    \n:local Subject \93\\F0\\9F\\9F\\A2 INFO: \$DeviceName [\$Date \$Time] Ne\
    w DHCP client\94;\r\
    \n:local MessageText \93Name: \$\94lease-hostname\94, Comment: \$Comment, \
    Interface: \$leaseServerName IP: \$leaseActIP MAC: \$leaseActMAC\94;\r\
    \n:local FileName \93\94;\r\
    \n:local SendEmail [:parse [/system script get SendEmailFunction source]];\
    \r\
    \n\$SendEmail SendTo=\$SendTo TextMail=\$MessageText Subject=\$Subject Fil\
    eName=\$FileName;\r\
    \n# END Send Email Module\r\
    \n}\r\
    \n}"
add dont-require-permissions=yes name=script2 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local recipient \"xxxxxxxxxxxxxx\"\r\
    \n/ip dhcp-server lease\r\
    \n:if (\$leaseBound = 1 && [ get [ find where mac-address=\$leaseActMAC ] \
    dynamic ] = true) do={ :do {\r\
    \n:tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC: \$le\
    aseActMAC]\" body=\"The following MAC address [\$leaseActMAC] received an \
    IP address [\$leaseActIP] from the DHCP Server [\$leaseServerName]\"\r\
    \n:log info \"Sent DHCP alert for MAC \$leaseActMAC\"} on-error={:log erro\
    r \"Failed to send alert email to \$recipient\"}"
/tool e-mail
set address=xxxxxxxxxxxxxx from=xxxxxxxxxxxxxx port=587 \
    start-tls=yes user=xxxxxxxxxxxxxx
/tool netwatch
add disabled=yes down-script=host_192_168_0_235_offline host=192.168.0.235 \
    interval=5m up-script=host_192_168_0_235_online
add disabled=yes down-script=host_192_168_0_245_offline host=192.168.0.245 \
    interval=5m up-script=host_192_168_0_245_online
add disabled=yes down-script=host_192_168_0_6_offline host=192.168.0.6 \
    interval=5m up-script=host_192_168_0_6_online
add disabled=yes down-script=pc_192_168_0_215_offline host=192.168.0.215 \
    interval=5m up-script=pc_192_168_0_215_online
add disabled=yes down-script=host_192_168_0_22_offline host=192.168.0.22 \
    interval=5m up-script=host_192_168_0_22_online
add disabled=yes down-script=host_192_168_0_17_offline host=192.168.0.17 \
    interval=5m up-script=host_192_168_0_17_online
add disabled=yes down-script=host_192_168_0_3_offline host=192.168.0.3 \
    interval=5m up-script=host_192_168_0_3_online
add disabled=yes down-script=host_192_168_0_24_offline host=192.198.0.24 \
    interval=5m up-script=host_192_168_0_24_online
add disabled=yes down-script=host_192_168_0_4_offline host=192.168.0.4 \
    interval=5m timeout=3s500ms up-script=host_192_168_0_4_online
add disabled=yes down-script=":log error \"192_168_0_12_is_offline\"\r\
    \n/tool e-mail send to=\"xxxxxxxxxxxxxx\" subject=\"192_168_0\
    _12_is_offline \$[/system clock get time]\"\r\
    \n" host=192.168.0.12 interval=5m up-script=":log error \"192_168_0_12_is_\
    online\"\r\
    \n/tool e-mail send to=\"xxxxxxxxxxxxxx\" subject=\"192_168_0\
    _12_is_online on \$[/system clock get time]\"\r\
    \n"
add disabled=yes down-script=":log error \"192_168_0_8_is_offline\"\r\
    \n/tool e-mail send to=\"xxxxxxxxxxxxxx\" subject=\"192_168_0\
    _8_is_offline \$[/system clock get time]\"\r\
    \n" host=192.168.0.8 interval=5m up-script=":log error \"192_168_0_8_is_on\
    line\"\r\
    \n/tool e-mail send to=\"xxxxxxxxxxxxxxm\" subject=\"192_168_0\
    _8_is_online on \$[/system clock get time]\"\r\
    \n"
add comment=telegram disabled=yes down-script=":log info \"send message to you\
    r phone\"\r\
    \n/tool fetch url=\"https://api.telegram.org/xxxxxxxxxxxxxx/sendMessage\?chat_id=xxxxxxxxxxxxxx&text=Il dispositivo 1\
    92.168.0.12 risulta essere offline\"" host=192.168.0.12 interval=5s \
    up-script=":log info \"send message to your phone\"\r\
    \n/tool fetch url=\"https://api.telegram.org/xxxxxxxxxxxxxx/sendMessage\?chat_id=xxxxxxxxxxxxxx&text=Il dispositivo 1\
    92.168.0.12 risulta essere online\""
NordVPN support cannot help me.
Thanks a lot for your help and Happy New Year.
Last edited by BartoszP on Sun Jan 01, 2023 6:01 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart, save network traffic
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 3:36 pm

Before digging any deeper, disable the rule action=fasttrack-connection chain=forward connection-state=established,related in /ip firewall filter and try the connection again.
 
hunte88
just joined
Topic Author
Posts: 14
Joined: Mon Dec 26, 2022 8:42 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 5:54 pm

Hi, thanks, with your suggestion it seems to work.

Is it normal that the site https://www.speedtest.net does not work with the VPN?

The fasttrack rule was for internet speed: my Starlink connection with fasttrack reaches 200 mb of download. Without fasttrack the download is limited to 100 mb. Do you have any solution for this problem of speed?
Last edited by BartoszP on Sun Jan 01, 2023 6:01 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart, save network traffic
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 6:10 pm

Do you have any solution for this problem of speed?
Yes, replace the 951G by something that supports IPsec in hardware and has a decent CPU. You can make the fasttrack rule selectively ignore traffic that becomes IPsec payload (which is what the default firewall rules do), but your configuration suggests that you want to send everything via the VPN - if so, making the fasttrack selective would not help because bare IPsec (as used by NordVPN) and fasttracking are mutually exclusive.

In my opinion, hAP ac2 is still the best value for money.
 
hunte88
just joined
Topic Author
Posts: 14
Joined: Mon Dec 26, 2022 8:42 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 6:23 pm

Thanks a lot. I have bought a hAP ac³. In the next days I will replace it with this one.

I have another problem now. To the first RouterBOARD 951 is connected a second 951 that has a hybrid configuration. This second RouterBOARD has two bridges, one for LAN 1 (of the first RB) and one for LAN 2, to manage with its own DHCP some IP cameras and the IP camera switch.

Before enabling the VPN on the first RouterBOARD, the IP cameras and devices of LAN 2 could browse the internet, and from LAN 1 I could connect to the admin panel of the second RouterBOARD and to the admin panel of the IP cameras.
After enabling the VPN I can't ping devices of LAN 2.

Do you have any idea why, and a solution for this problem?

Can you configure the same VPN on the second RB951 to resolve the problem?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 7:00 pm

After enabling the VPN I can't ping devices of LAN 2.
Can you show me the output of /ip firewall nat print where dynamic ?

Can you configure the same VPN on the second RB951 to resolve the problem?
Of course you can configure the same VPN if you have another NordVPN account or if you can connect twice under the same one, but I cannot see how that should help with the issue.
 
hunte88
just joined
Topic Author
Posts: 14
Joined: Mon Dec 26, 2022 8:42 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 7:05 pm

Can you show me the output of /ip firewall nat print where dynamic
[admin@MikroTik] > /ip firewall nat print where dynamic
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.6.0.6 src-address-list=local dst-address-list=!local
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 7:27 pm

OK, so this rule added when the VPN comes up doesn't care about out-interface and thus it src-nats any connections from addresses matching the address list local to addresses not matching it, and after the src-nat operation, the packets start matching the IPsec policy so they get redirected to the IPSec tunnel.

Since you don't use the address list local for anything else, change the address from 192.168.1.0/24 to 192.168.0.0/16 and you should be fine. If you want the devices from 192.168.1.0/24 to use the normal WAN (without NordVPN), this will not be enough and you'll have to use connection marking instead.
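A worked simulation of the matching described above, added here as an example that is neither from the thread nor RouterOS code: it models the dynamic srcnat rule (src-address-list=local, dst-address-list=!local, to-addresses=10.6.0.6) and the mode-config policy, then traces constructed sample flows with the posted 192.168.0.0/24 list and with the suggested 192.168.0.0/16. It assumes that the policy generated from the 0.0.0.0/0 template has the assigned address 10.6.0.6/32 as its source, and the 8.8.8.8 destination is a constructed placeholder.

```python
"""Simulate the interaction between the 'local' address list, the dynamic
mode-config srcnat rule and the IPsec policy (added example, not from the
thread).  Values 10.6.0.6, 192.168.0.0/24 and 192.168.1.0/24 come from the
posted export; the flows traced below are constructed."""
from ipaddress import ip_address, ip_network

# Address NordVPN assigned through mode-config (from the dynamic NAT rule).
TUNNEL_ADDR = "10.6.0.6"
# Assumption: the dynamically generated policy narrows the template's
# src 0.0.0.0/0 to the assigned address; dst stays 0.0.0.0/0.
POLICY_SRC = "10.6.0.6/32"
POLICY_DST = "0.0.0.0/0"


def in_list(addr, entries):
    """True if addr falls inside any prefix of an address list."""
    a = ip_address(addr)
    return any(a in ip_network(e, strict=False) for e in entries)


def apply_modeconfig_srcnat(src, dst, local_list):
    """Source address after the dynamic rule
    'chain=srcnat action=src-nat to-addresses=10.6.0.6
     src-address-list=local dst-address-list=!local'.
    There is no out-interface condition, so LAN-to-LAN2 traffic is caught
    whenever the destination prefix is missing from the list."""
    if in_list(src, local_list) and not in_list(dst, local_list):
        return TUNNEL_ADDR
    return src


def matches_ipsec_policy(src, dst):
    """True if the (post-NAT) packet is selected by the IPsec policy."""
    return (ip_address(src) in ip_network(POLICY_SRC)
            and ip_address(dst) in ip_network(POLICY_DST))


def trace(src, dst, local_list):
    """Classify one new connection: 'tunnel' (into IPsec) or 'direct'."""
    nat_src = apply_modeconfig_srcnat(src, dst, local_list)
    path = "tunnel" if matches_ipsec_policy(nat_src, dst) else "direct"
    return {"nat_src": nat_src, "path": path}


def run_scenarios():
    """Trace the same constructed flows under both address-list variants."""
    posted = ["192.168.0.0/24"]      # list as in the export: LAN2 missing
    widened = ["192.168.0.0/16"]     # the suggested replacement
    flows = [
        ("192.168.0.5", "192.168.1.20"),   # LAN1 host -> LAN2 camera
        ("192.168.0.5", "8.8.8.8"),        # LAN1 host -> internet
        ("192.168.1.20", "8.8.8.8"),       # LAN2 host -> internet
    ]
    results = {}
    for name, lst in (("posted", posted), ("widened", widened)):
        for src, dst in flows:
            results[(name, src, dst)] = trace(src, dst, lst)
    return results


if __name__ == "__main__":
    for (variant, src, dst), r in run_scenarios().items():
        print(f"{variant:8} {src:>13} -> {dst:<13} "
              f"nat_src={r['nat_src']:<12} path={r['path']}")
```

With the posted list the LAN1-to-LAN2 flow is src-natted to 10.6.0.6 and sent into the tunnel, which is why the cameras stop answering; with the /16 list it stays direct, but LAN2-to-internet traffic now enters the tunnel too, which matches the caveat about needing connection marking if LAN2 should keep using the plain WAN.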
 
hunte88
just joined
Topic Author
Posts: 14
Joined: Mon Dec 26, 2022 8:42 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 9:16 pm

Thanks for the support.
I resolved it with new rules in the firewall address list. I added a rule for every IP class and now I can connect to the other devices of LAN 2.

I have another problem. How can I use the VPN to see the IP cameras from the internet?

I suppose I must open NAT rules for the VPN, but how can I do this?

Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 9:30 pm

I have another problem. How can I use the VPN to see the IP cameras from the internet?
If you have in mind this NordVPN tunnel, I would suppose it is not possible unless you can agree with NordVPN to dedicate one of their public IP addresses for you. The src-nat rule shows they have assigned you a private address, and I don't think there is a 1:1 NAT at their end.

Your existing dst-nat rules suggest that you do have a public IP on your Mikrotik; since the NAT rules are only checked for the initial packet of each connection, connections to the cameras this way should still work the "old" way.
 
hunte88
just joined
Topic Author
Posts: 14
Joined: Mon Dec 26, 2022 8:42 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 9:43 pm

Thanks.
I thought that with the VPN I could use the MikroTik IP cloud. Is there no possibility of using it to connect to the IP cameras from outside?

The old rules do not work with the VPN active.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NordVPN client ipsec mikrotik

Sun Jan 01, 2023 10:32 pm

Thanks.
I thought that with the VPN I could use the MikroTik IP cloud. Is there no possibility of using it to connect to the IP cameras from outside?
The "ip cloud" is just a DNS server - it resolves the fqdn of your router to the public IP from which it has received the update message. But it cannot affect how the requests arriving to that public IP will be handled. Check the options NordVPN gives you - maybe they do have some product like that.

The old rules do not work with the VPN active.
Are you connecting to the xxxx.sn.mynetname.net fqdn or to the public IP of the WAN? I mean, if you connect to the fqdn and the "ip cloud" DNS has already been updated, the requests go to the NordVPN public IP and thus they do not reach your router.
