 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 18, 2023 6:31 pm

I would like to configure ProtonVPN on my CCR2004 router. Does anyone have experience with this?

Second, how do I structure a bridge so that the VPN is active on only a few ports on that bridge?

My experience setting this up on Linux has been problematic, to say the least, so I want to eliminate that from the chain and put the VPN on the router directly. I have other machines that can use the VPN, so I figure this is the most direct approach.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 18, 2023 9:15 pm

If it's WireGuard VPN, piece of cake.
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 18, 2023 9:57 pm

Unfortunately, no.

I made some progress via the guide below, but it has errors. The ipsec step adds group=ProtonVPN, which is misspelled, and it breaks a few rules otherwise.

https://protonvpn.com/support/vpn-mikrotik-router/

This guide is rather poor for a scientific community.

I have the VPN installed, as far as I can see, and all home internet works.

I targeted 1 PC as a test, and that PC connects via RDP, and I can ping 8888 in a terminal, but cannot resolve any addresses via browser.

This is the rule mentioning that PC I am testing:

/ip firewall address-list add address=10.1.1.240 list=under_protonvpn

I see no errors in the log. Can anyone think of why this PC, which looks to be getting influenced by the VPN now, cannot resolve any addresses? Why can't it see DNS?
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 18, 2023 10:03 pm

If it's WireGuard VPN, piece of cake.
Do you mean this?

https://protonvpn.com/support/wireguard ... k-routers/

From reading it, it's more or less the same. I do see mention of DNS in it, though. I would hesitate to back out what I have already done unless there is a fundamental error I have made.

It has the same confusing part at the bottom. It does not explain this in a way I get: "Remove the two FastTrack rules (the default rule and dummy rule). To do this, enter the following command twice, using the numbers shown then you listed all the firewall rules. "

This person has the same issue.

viewtopic.php?t=184052

Also DNS issues. It's not clear how this static DNS mentioned was set. Anyone know?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 18, 2023 11:32 pm

Two suggestions to get help.

1. Network diagram to give accurate context.
2. /export config file=anynameyouwish ( minus router serial number and any public WANIP information )

Many use Notepad++ to open the export file and paste it here. Note, also use the code quotes (the black square with white square brackets on the same line as bold, Italic, underline etc..........)
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sun Feb 19, 2023 1:41 am

Here is the config, but it's after my best attempt at removing the ProtonVPN connection; I was starting to get hell from everyone at the house for hosing up the internet over and over all day. Any help getting past this would really be appreciated.

Boiled down, I have 2 problems:

Is this config clean, so I can try again with the WireGuard version and see if it works?

Second problem: all of these examples are limiting by IP address, which is not really what I care about. I want the VPN to only use port5, for example. From port5, I have a switch that directs only VPN traffic to the internet and back, and whatever is connected to port5 is automatically in the VPN grouping. Is this wish flawed for some reason?

# feb/18/2023 17:33:41 by RouterOS 7.7
# software id = CPNV-JM5L
#
# model = CCR2004-16G-2S+
# serial number =
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
add
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ProtonVPN
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
/ipv6 settings
set forward=no
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.1.1.15 mac-address=94:83:C4:20:B9:77 server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.2.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=10.1.2.1
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin" in-interface-list=LAN \
src-address-list=TRUSTED
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=\
LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0 \
template=yes
/system clock
set time-zone-name=
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sun Feb 19, 2023 4:55 am

This post has a similar situation; Proton support got involved.

viewtopic.php?t=187308#p981418

Here is the config discussed, but to try it:

/interface/wireguard/add listen-port=13231 mtu=1420 name=wireguard-inet private-key="***"
/ip/address/add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/interface/wireguard/peers/add allowed-address=0.0.0.0/0 endpoint-address=<YOUR ENDPOINT IP> endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key="***"
/ip/firewall/nat/add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
/ip/route/add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip/route/add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip/route/add disabled=no dst-address=<YOUR ENDPOINT IP>/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
/ip/dns/set servers=10.2.0.1
/ip/dhcp-client/set 0 use-peer-dns=no

I am not sure what the ether1 route being added is.

Can I define my own "ether1" as the port I want to be for VPN only? For example ethernet port 5 on the router, in which case I would define ether5 as an interface? And anything on that port will be vpn, so then the 0.0.0.0 for ether5. Or is ether1 in the context above defining the internet connection?
Last edited by poseo9wsw on Sun Feb 19, 2023 4:36 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sun Feb 19, 2023 5:50 am

I get the family up in arms bit!!
Will look at your config tomorrow..... it's late here, I was out tonight.
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sun Feb 19, 2023 10:20 pm

I get the family up in arms bit!!
Will look at your config tomorrow..... it's late here, I was out tonight.
I tested the WireGuard config and it seems to configure, but I see no evidence of a VPN connection anywhere. I followed the Proton guide as closely as I could.

Here is the updated config. Do you see anything obvious amiss?



# feb/19/2023 14:15:08 by RouterOS 7.7
# software id = CPNV-JM5L
#
# model = CCR2004-16G-2S+
# serial number =
/interface bridge
add name=bridge1
/interface wireguard
add comment="ProtonVPN interface" listen-port=21154 mtu=1420 name=protonwg01
/interface list
add name=WAN
add name=LAN
add
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ProtonVPN
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=protonvpn_wg
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10
/ipv6 settings
set forward=no
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/1,128.0.0.0/1 endpoint-address=********* \
endpoint-port=51820 interface=protonwg01 public-key=\
"****************************************"
/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
add address=10.2.0.2/30 interface=protonwg01 network=10.2.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.1.1.15 mac-address=********* server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.2.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
add address=192.168.88.0/24 list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin" in-interface-list=LAN \
src-address-list=TRUSTED
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=\
LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=\
under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting new-routing-mark=protonvpn_wg \
passthrough=yes src-address-list=under_protonvpn
add action=change-mss chain=forward connection-mark=under_protonvpn new-mss=\
1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0 \
template=yes
/ip route
add comment="ProtonVPN Wireguard default route" dst-address=0.0.0.0/0 \
gateway=protonwg01 routing-table=protonvpn_wg
/system clock
set time-zone-name=America/Chicago
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Mon Feb 20, 2023 1:58 am

Okay I will assume proton vpn setup gave you some information. Have to guess because info not supplied.

1. An IP address to use................. either a single IP or perhaps a /30 address. Looks like 10.2.0.2/30
2. They gave you a PRIVATE KEY, for you to use to create your interface (the reason they do this is that normally the router will randomly generate both a private key and matching public key when you add an interface and then hit apply. In this case they are providing the private key because then they will already have the public key at their end to put in for your peer settings on their device).
3. Public Key, this is from them to put on your router settings for your peer settings for their device.
4. DNS that their device uses.. 10.2.0.1
5. Endpoint port 51820 and endpoint address
6. MTU ???

Now to review config........
There are three areas to focus on getting wireguard right, allowed IPs, firewall rules, IP routes.

6. The allowed IPs in peer settings are not correct. First of all, it's clear you want to send out users for internet and thus all you need is the catch-all for all traffic, a single entry!!
Should look like
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=********* \
endpoint-port=51820 interface=protonwg01 public-key=\

(7) The IP address from them should work fine and should provide the correct IP Route.
You can confirm this by seeing if the router created the automatic IP route for the address in your IP ROUTES.
should look like
<dac> dst-address=10.2.0.0/0 gwy=protonwg01 table=main

(8) You do not want to modify and change the /IP DNS settings that are for the LOCAL ROUTER.
You should only change the DHCP-SERVER NETWORK settings........
Should look like:
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.2.0.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
etc......

(9) Great rules, now because of the drop rule, all is good, everything is dropped.
Thus you need to add a rule for allowed traffic
See below:
add action=accept chain=forward comment="allow internet" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Subnet into tunnel" \
src-address=10.1.0.0/16 out-interface=protonwg01

add action=drop chain=forward comment="Drop all else"

(10) I noted you are mangling traffic and its not clear why??
REMOVE all the mangling. The only thing being mangled is a NON existent subnet 192.168.88.0/24 ????????????
We can move users out the wireguard interface WITHOUT mangling!!

(11) On the input chain rule you allow everyone access to the router and then you have rules allowing the same folks to port 53 tcp/udp.
Tell me if you actually think those rules will actually be matched, if they have already matched them on the allow all rule already.................aka redundant.

The reason is that the first rule is supposed to limit full access to the admin only and the next two rules to everybody for needed DNS services for example.
However the first rule allows everyone.
I don't know why you made the source address list as you could already use existing structures.
src-address=10.1.0.0/16 or in-interface=bridge1

In any case, suggesting to be consistent in approach the following rule:
add chain=input action=accept in-interface-list=LAN src-address-list=AdminAccess

Where AdminAccess is a firewall address list of IPs (make static DHCP leases ) like so:
add address=admin-desktop_IP list=AdminAccess (wired)
add address=admin-laptop_IP list=AdminAccess (wired)
add address=admin-laptop_IP list=AdminAccess (wifi)
add address=admin-iphone/ipad_IP list=AdminAccess (wifi)


In any case not the main issue and you just may want to leave it for testing........

(12) I see you are trying a mangling rule for MTU manipulating. Any particular reason you elected to do this before getting everything else working right?
Is it something Proton suggested? Let's leave this off for now, DISABLE IT, until we get to that point for finesse IF it proves to be an issue.

(13) MISSING SOURCE NAT RULE
Remember proton gave you really one IP address and thus all the users on your local subnet will be rejected at the other end as source addresses.
Thus you need to add:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=protonwg01


(a cool tip, you can have the same effect if you add the protonwg01 interface to the WAN interface list as a member and modify your one rule to
add action=masquerade chain=srcnat out-interface-list=WAN

(14) Your additional route to take your local subnet users and force them out the wireguard tunnel is excellent.
You also have the required table setup. What is MISSING is a ROUTING RULE;

/routing rule add src-address=10.1.0.0/16 action=lookup table=protonvpn_wg

Note: If you NEVER want your users to be able to get local internet, even if the wireguard tunnel is not working then change action to action=lookup-only-in-table

++++++++++++++++++
With mangling removed, don't forget to put the fasttrack rule back into the forward chain as first entry.

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Mon Feb 20, 2023 3:22 pm

Okay I will assume proton vpn setup gave you some information. Have to guess because info not supplied.
They did, apologies. It didn't cross my mind to post it.

I am looking at your post now, in the mean time here is the Proton supplied config:

[Interface]
# Key for pVPN
# Bouncing = 3
# NetShield = 2
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = ************
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# US-TX#21
PublicKey = ************
AllowedIPs = 0.0.0.0/0
Endpoint = 89.**********:51820
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Mon Feb 20, 2023 3:45 pm

The one part I was remiss to mention is that on the Router Peer Settings ( since you are client ) you need to add persistent-keep-alive=35 secs ( any time will do )
+++++++++++

Regarding the proton settings,

(1) Seem standard for the most part; using the private key they have provided for the creation of your WireGuard interface is probably the hardest step to fathom.

(2) These settings, have nothing for you to do on the Mikrotik............
# Bouncing = 3
# NetShield = 2
# Moderate NAT = off
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on

(3) Okay, they didn't give you a /30 but a /32 address.
In that case I would simply use 10.2.0.2/24 for IP address on the router. Address as /30 is very limiting.

++++++++++++++++++++

Once its clear you get a connection, then we can finesse MTU if required.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Mon Feb 20, 2023 6:35 pm

In that case I would simply use 10.2.0.2/24 for IP address on the router. Address as /30 is very limiting.
The point being? If they gave you /32, you should use /32, you won't gain anything by using something else.
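Consolidating anav's review above (one catch-all allowed-address, keepalive on the peer, DNS changed in the DHCP network rather than in /ip dns, a forward rule and a srcnat rule for the tunnel, a routing table plus a routing rule) into a single RouterOS 7 fragment, as an added example that is not from this thread or from Proton's guide. It also goes beyond the thread by answering the original per-port question: ether10 is assumed to be taken out of bridge1 and given its own subnet 10.3.0.0/24 and interface list VPNLAN (all assumed names), so the routing rule matches that port instead of an address list; the keys and endpoint are placeholders and the /32 tunnel address is the one Proton issued.

```routeros
# Added example, not from the thread: ProtonVPN WireGuard client on RouterOS 7 with
# one VPN-only port. Assumed: ether10 leaves bridge1 and becomes its own segment
# 10.3.0.0/24 (list VPNLAN); protonwg01, protonvpn_wg and the 10.1.0.0/16 LAN are
# the names used in the thread. Keys and the endpoint are placeholders.

# 1. Tunnel interface: use the PrivateKey from the Proton [Interface] section
/interface wireguard
add name=protonwg01 mtu=1420 listen-port=21154 private-key="<PrivateKey from Proton>"

# 2. Peer: ONE catch-all allowed-address (not 0.0.0.0/1 + 128.0.0.0/1) plus keepalive.
#    In RouterOS allowed-address only filters what may pass the tunnel; unlike wg-quick
#    it installs no route, so the default route is added explicitly in step 5.
/interface wireguard peers
add interface=protonwg01 public-key="<PublicKey from Proton>" \
    endpoint-address=<Proton endpoint IP> endpoint-port=51820 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s

# 3. Tunnel address exactly as Proton issued it (Address = 10.2.0.2/32)
/ip address
add address=10.2.0.2/32 interface=protonwg01

# 4. VPN-only segment on ether10 (assumption: no longer a bridge1 port)
/interface bridge port
remove [find interface=ether10]
/interface list
add name=VPNLAN
/interface list member
add interface=ether10 list=VPNLAN
/ip address
add address=10.3.0.1/24 interface=ether10
/ip pool
add name=vpn_pool ranges=10.3.0.10-10.3.0.254
/ip dhcp-server
add name=dhcp_vpn interface=ether10 address-pool=vpn_pool lease-time=1h
# Clients on the VPN port get Proton's resolver (reached through the tunnel)
/ip dhcp-server network
add address=10.3.0.0/24 gateway=10.3.0.1 dns-server=10.2.0.1
# The router's own resolver stays on public DNS, NOT on the tunnel's 10.2.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

# 5. Policy routing: a separate table whose only default route is the tunnel,
#    selected by ingress port. lookup-only-in-table is the kill switch: when the
#    tunnel is down the VPN port has no route at all instead of leaking via the ISP.
/routing table
add name=protonvpn_wg fib
/ip route
add dst-address=0.0.0.0/0 gateway=protonwg01 routing-table=protonvpn_wg \
    comment="ProtonVPN default route"
/routing rule
add interface=ether10 action=lookup-only-in-table table=protonvpn_wg \
    comment="VPN port: tunnel or nothing"

# 6. Firewall: the VPN port may reach the router for DHCP and the tunnel for
#    everything else; both rules are placed before the existing "Drop all else"
/ip firewall filter
add chain=input action=accept in-interface-list=VPNLAN protocol=udp dst-port=67 \
    comment="DHCP from VPN port" place-before=[find chain=input comment="Drop all else"]
add chain=forward action=accept in-interface-list=VPNLAN out-interface=protonwg01 \
    comment="VPN port into tunnel" place-before=[find chain=forward comment="Drop all else"]

# 7. Source NAT: Proton only accepts 10.2.0.2, so everything entering the tunnel
#    must leave with that address
/ip firewall nat
add chain=srcnat action=masquerade out-interface=protonwg01

# 8. Verification: WireGuard has no "connected" state, so check the handshake,
#    the counters and the far end of the tunnel instead
# last-handshake should be seconds old and rx/tx should grow while a client browses
/interface wireguard peers print detail
# the Proton side of the tunnel must answer from the router's tunnel address
/ping 10.2.0.1 src-address=10.2.0.2 count=3
# the policy table must hold exactly the tunnel default route
/ip route print where routing-table=protonvpn_wg
```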
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Mon Feb 20, 2023 6:39 pm

Thanks again. I have made the changes as you suggest to the best of my ability. This line...

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9 etc......

You lost me here, what should be in the servers line?

WireGuard seems like it has no state or status to speak of, so how do I verify it is connected or configured correctly?

Internet at home is fine with all the modifications as you prescribe, but when I turn on the routing rule below, the internet stops immediately.

EDIT: after about 10 mins, internet stopped, reset config to previous but have this one saved

/routing rule add src-address=10.1.0.0/16 action=lookup table=protonvpn_wg

I have this disconnected at the moment

I will attach my latest config in the next post.
Last edited by poseo9wsw on Mon Feb 20, 2023 9:26 pm, edited 1 time in total.
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Mon Feb 20, 2023 6:40 pm

# feb/20/2023 10:37:06 by RouterOS 7.7
# software id = CPNV-JM5L
#
# model = CCR2004-16G-2S+
# serial number =
/interface bridge
add name=bridge1
add name=bridge2
/interface wireguard
add comment="ProtonVPN interface" listen-port=21154 mtu=1420 name=protonwg01
/interface list
add name=WAN
add name=LAN
add
add name=fVPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ProtonVPN
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=protonvpn_wg
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10
/ipv6 settings
set forward=no
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=ether10 list=fVPN
/interface wireguard peers
add allowed-address=0.0.0.0/0,128.0.0.0/1 endpoint-address=........ \
endpoint-port=51820 interface=protonwg01 public-key=\
"<><>"
/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
add address=10.2.0.2/24 interface=protonwg01 network=10.2.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.1.1.15 mac-address=*** server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.2.0.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
add address=192.168.88.0/24 list=under_protonvpn
add address=10.1.0.0/16 disabled=yes list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin" in-interface-list=LAN \
src-address-list=TRUSTED
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Subnet into tunnel" \
out-interface=protonwg01 src-address=10.1.0.0/16
add action=drop chain=forward comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=\
under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
protonvpn_wg passthrough=yes src-address-list=under_protonvpn
add action=change-mss chain=forward connection-mark=under_protonvpn disabled=\
yes new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=\
!0-1375
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=protonwg01
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0 \
template=yes
/ip route
add comment="ProtonVPN Wireguard default route" dst-address=0.0.0.0/0 \
gateway=protonwg01 routing-table=protonvpn_wg
/routing rule
add action=lookup disabled=yes src-address=10.1.0.0/16 table=protonvpn_wg
/system clock
set time-zone-name=America/Chicago
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Tue Feb 21, 2023 3:13 am

In that case I would simply use 10.2.0.2/24 for IP address on the router. Address as /30 is very limiting.
The point being? If they gave you /32, you should use /32, you won't gain anything by using something else.
You know because you have all the answers! LOL.
I have no confidence that a /32 IP address will provide a proper IP route for WireGuard, but I do know that using a /24 will.
So I only recommend what I know works..............

I am talking about an MT router client, and I would never use /32 for an IP address on an MT Router be it client or server, so I have no clues as to what happens setting it to /32.
At the end of the day, there is no harm in it, if it is not required and thus the user will have success regardless.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Tue Feb 21, 2023 3:30 am

(1) you need to remove incomplete entries.
/interface list
add name=WAN
add name=LAN
add
add name=fVPN


(2) There is only one bridge you can remove the second one...
/interface bridge
add name=bridge1
add name=bridge2


As for the rest, you didn't change the allowed addresses as noted, you still have two entries....
You didn't add persistent keepalive.
You didn't change the DNS servers..... which is for the router, not for WireGuard, and I explained that already (as you noted you changed DNS in the right spot) but you also kept the wrong one argg.
You added the fasttrack rule at the end of the forward chain instead of as the first rule. On top of that you included the second rule, which was only meant to show WHERE to place the first rule, so you have one rule out of place and the other is a duplicate.
You are still mangling.............
Routing rule disabled.

Not much more to add at this point.
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Tue Feb 21, 2023 3:38 pm

I am breaking out my reply, as it's becoming hard for me to follow.
As for the rest, you didnt change the allowed addresses as noted you still have two entries....
I asked this question, what to add confuses me. Can you help clarify this?

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9 etc......
You lost me here, what should be in the servers line?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Tue Feb 21, 2023 4:02 pm

As I wrote it, you can replace 1.1.1.1,9.9.9.9. with 8.8.8.8 for example.
Just a decent external DNS service with remote requests being allowed.
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Tue Feb 21, 2023 6:32 pm

As I wrote it, you can replace 1.1.1.1,9.9.9.9. with 8.8.8.8 for example.
Just a decent external DNS service with remote requests being allowed.
OK, I understand now, 1 or many. I will do my best with a new version of the config and post it, thank you for the help. I am going to leave out the firewall as you suggested and focus on getting the connection established correctly.
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Tue Feb 21, 2023 11:33 pm

(1) you need to remove incomplete entries.
/interface list
add name=WAN
add name=LAN
add
add name=fVPN


(2) There is only one bridge you can remove the second one...
/interface bridge
add name=bridge1
add name=bridge2


As for the rest, you didn't change the allowed addresses as noted, you still have two entries....
You didn't add persistent keepalive.
You didn't change the DNS servers..... which is for the router, not for WireGuard, and I explained that already (as you noted you changed DNS in the right spot) but you also kept the wrong one argg.
You added the fasttrack rule at the end of the forward chain instead of as the first rule. On top of that you included the second rule, which was only meant to show WHERE to place the first rule, so you have one rule out of place and the other is a duplicate.
You are still mangling.............
Routing rule disabled.

Not much more to add at this point.
I believe I addressed the issues you mentioned in total, minus the MTUs. Here is the updated configuration; I hope I got it, I combed through it like 4 times.

# feb/20/2023 10:37:06 by RouterOS 7.7
# software id = CPNV-JM5L
#
# model = CCR2004-16G-2S+
# serial number =
/interface bridge
add name=bridge1

/interface wireguard

add comment="ProtonVPN interface" listen-port=21154 mtu=1420 name=protonwg01

/interface list
add name=WAN
add name=LAN
add name=fVPN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip ipsec policy group
add name=ProtonVPN
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1

/routing table
add fib name=protonvpn_wg

/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10

/ipv6 settings
set forward=no

/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=ether10 list=fVPN

/interface wireguard peers
add allowed-address=0.0.0.0/0,128.0.0.0/1 endpoint-address=*.*.*.* \
endpoint-port=51820 interface=protonwg01 public-key=\
""

/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
add address=10.2.0.2/24 interface=protonwg01 network=10.2.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.1.1.15 mac-address= server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.2.0.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
add address=192.168.88.0/24 list=under_protonvpn
add address=10.1.0.0/16 disabled=yes list=under_protonvpn

*********rules / mangling removed for now*************

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=protonwg01
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0 \
template=yes
/ip route
add comment="ProtonVPN Wireguard default route" dst-address=0.0.0.0/0 \
gateway=protonwg01 routing-table=protonvpn_wg
/routing rule
add action=lookup disabled=yes src-address=10.1.0.0/16 table=protonvpn_wg
/system clock
set time-zone-name=
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Wed Feb 22, 2023 1:18 am

UR killen me.

WHY OH WHY do you keep putting 128.0.0.0. in allowed-addresses for the peer setting.??
Remove it!

WHY OH WHY do you keep failing to add persistent-keep-alive on same settings??

Why is ether10 singled out for an interface list? In other words I don't understand its purpose?
It's on the bridge already.

You need to ENABLE this rule.
/routing rule
add action=lookup disabled=yes src-address=10.1.0.0/16 table=protonvpn_wg
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Wed Feb 22, 2023 2:16 am

UR killen me.

WHY OH WHY do you keep putting 128.0.0.0. in allowed-addresses for the peer setting.??
Remove it!

I don't know, but I see it now. I was not getting it before, sorry.

WHY OH WHY do you keep failing to add persistent-keep-alive on same settings??

I am having trouble with the syntax. PersistentKeepalive is what I am seeing on the net but you are using hyphens, not seeing anything on the RouterOS wiki.


/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=*.*.*.* \
endpoint-port=51820 PersistentKeepalive=30 interface=protonwg01 public-key=\
""
Why is ether10 singled out for an interface list? In other words I don't understand its purpose?
It's on the bridge already.

It's singled out for future use. I would like Ether10 to be the port feeding a VPN connection to my network. I intend to have a switch off Ether10 and anything connected should be using the VPN. I have not tried to get this piece working yet, so that's why it sits out there like that.

You need to ENABLE this rule.
/routing rule
add action=lookup disabled=yes src-address=10.1.0.0/16 table=protonvpn_wg

It was disabled because I thought it was hosing up the home internet, but I changed it now.


UPDATED:

# feb/20/2023 10:37:06 by RouterOS 7.7
# software id = CPNV-JM5L
#
# model = CCR2004-16G-2S+
# serial number = HDC08BAF71G
/interface bridge
add name=bridge1

/interface wireguard

add comment="ProtonVPN interface" listen-port=21154 mtu=1420 name=protonwg01

/interface list
add name=WAN
add name=LAN
add name=fVPN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip ipsec policy group
add name=ProtonVPN
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1

/routing table
add fib name=protonvpn_wg

/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10

/ipv6 settings
set forward=no

/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=ether10 list=fVPN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=*.*.*.* \
endpoint-port=51820 PersistentKeepalive=30 interface=protonwg01 public-key=\
""

/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
add address=10.2.0.2/24 interface=protonwg01 network=10.2.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.1.1.15 mac-address= server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.2.0.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
add address=192.168.88.0/24 list=under_protonvpn
add address=10.1.0.0/16 disabled=yes list=under_protonvpn

*********rules / mangling removed for now*************

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=protonwg01
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0 \
template=yes
/ip route
add comment="ProtonVPN Wireguard default route" dst-address=0.0.0.0/0 \
gateway=protonwg01 routing-table=protonvpn_wg
/routing rule
add action=lookup disabled=no src-address=10.1.0.0/16 table=protonvpn_wg
/system clock
set time-zone-name=
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Wed Feb 22, 2023 3:26 am

Looks good but does it work LOL
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Thu Feb 23, 2023 4:45 am

Looks good but does it work LOL
Yes, to the extent I expect right now :)

I have updated the config sans any further updates to firewall rules, the output matches and everything functions normally as a network until I enable this routing rule:

/routing rule
add action=lookup disabled=no src-address=10.1.0.0/16 table=protonvpn_wg

Here I lose internet and everything on the router lights up. I think I am successfully connected, the Wireguard interface shows a last handshake ticking up and resetting after 60 seconds.

With what looks like a successful connection, what is the simplest test I can make to see something pass thru the tunnel? Can this be done at the terminal? My knowledge of how to transition this VPN connection into something usable is quite limited, so I certainly do appreciate the assistance on this.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Thu Feb 23, 2023 5:18 am

(1) Before enabling the routing rule that you pointed out, can you ping from a PC normally, like a common site such as www.cbc.ca or 1.1.1.1 for example.

(2) ON a browser type whatsmyIP............ should get local wanip

Now enable the routing rule and try the two same steps......

+++++++++++++++++++++++++++++
If no luck,

(3) Change MTU setting on your wireguard interface from 1420 to 1500 and then try those steps?

If no luck return that MTU on the wireguard interface settings back to 1420 and go to next step.

(4) TRY this change.............
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=protonwg01 passthrough=yes protocol=tcp tcp-flags=syn


(5) If no luck try this variant.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=protonwg01 protocol=tcp tcp-flags=syn tcp-mss=1381-65535 passthrough=yes


(6) finally if no joy...... the one you had......
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 out-interface=protonwg01 protocol=tcp tcp-flags=syn tcp-mss=!0-1375 passthrough=yes
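To make the difference between steps (4), (5) and (6) concrete, here is a small model of what a RouterOS change-mss mangle rule does to a TCP SYN. This is an added example, not code from the thread or from MikroTik: the SYN packets are constructed, the WireGuard interface MTU is the 1420 from the config above, and clamp-to-pmtu is modelled as "never advertise more than out-interface MTU minus 40" (the IPv4 plus TCP header size), which is an assumption about the implementation.

```python
"""Model of RouterOS 'action=change-mss' mangle rules applied to TCP SYNs.

Added example (not from the forum thread or MikroTik).  It runs a SYN
leaving through the WireGuard interface through the three rule variants
suggested in the steps above and returns the MSS each one leaves behind.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, Union

IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header


@dataclass
class Syn:
    """A TCP SYN as the mangle chain sees it (constructed input)."""
    mss: int              # MSS option advertised by the LAN host
    out_interface: str    # interface the packet will leave through


@dataclass
class ChangeMssRule:
    """Subset of '/ip firewall mangle add action=change-mss ...'."""
    out_interface: str
    new_mss: Union[int, str]                    # integer or "clamp-to-pmtu"
    tcp_mss: Optional[Tuple[int, int]] = None   # tcp-mss=lo-hi matcher
    negate_tcp_mss: bool = False                # tcp-mss=!lo-hi

    def matches(self, syn: Syn) -> bool:
        if syn.out_interface != self.out_interface:
            return False
        if self.tcp_mss is None:
            return True
        lo, hi = self.tcp_mss
        in_range = lo <= syn.mss <= hi
        return not in_range if self.negate_tcp_mss else in_range


def apply_change_mss(syn: Syn, rule: ChangeMssRule, out_mtu: int) -> int:
    """Return the MSS the SYN carries after the rule has been applied.

    Assumption: clamp-to-pmtu only lowers the MSS, to out-interface MTU
    minus 40; a numeric new-mss is written as given whenever the rule matches.
    """
    if not rule.matches(syn):
        return syn.mss
    if rule.new_mss == "clamp-to-pmtu":
        return min(syn.mss, out_mtu - IPV4_TCP_HEADERS)
    return int(rule.new_mss)


# The three variants from steps (4), (5) and (6), as rule objects.
CLAMP_TO_PMTU = ChangeMssRule("protonwg01", "clamp-to-pmtu")
FIXED_1380 = ChangeMssRule("protonwg01", 1380, tcp_mss=(1381, 65535))
FIXED_1360 = ChangeMssRule("protonwg01", 1360, tcp_mss=(0, 1375), negate_tcp_mss=True)

WG_MTU = 1420  # mtu=1420 on the WireGuard interface in the config above


def demo(mss_from_lan: int = 1460) -> dict:
    """Send one constructed SYN (a LAN host on 1500-byte Ethernet normally
    advertises 1460) through each variant and return the resulting MSS."""
    syn = Syn(mss=mss_from_lan, out_interface="protonwg01")
    return {
        "clamp-to-pmtu": apply_change_mss(syn, CLAMP_TO_PMTU, WG_MTU),
        "fixed-1380": apply_change_mss(syn, FIXED_1380, WG_MTU),
        "fixed-1360": apply_change_mss(syn, FIXED_1360, WG_MTU),
    }


if __name__ == "__main__":
    for advertised in (1460, 1380, 1200):
        print(advertised, demo(advertised))
```

The 1381-65535 and !0-1375 matchers exist so that a host already advertising a small MSS is left alone; only SYNs that would overrun the tunnel MTU are rewritten. With MTU 1420 the clamp-to-pmtu variant and the fixed 1380 variant agree, which is why step (5) is the fallback for step (4).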
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Thu Feb 23, 2023 6:00 pm

(1) Before enabling the routing rule that you pointed out, can you ping from a PC normally, like a common site such as www.cbc.ca or 1.1.1.1 for example.

(2) ON a browser type whatsmyIP............ should get local wanip

Now enable the routing rule and try the two same steps......

+++++++++++++++++++++++++++++
If no luck,

(3) Change MTU setting on your wireguard interface from 1420 to 1500 and then try those steps?

If no luck return that MTU on the wireguard interface settings back to 1420 and go to next step.

(4) TRY this change.............
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=protonwg01 passthrough=yes protocol=tcp tcp-flags=syn


(5) If no luck try this variant.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=protonwg01 protocol=tcp tcp-flags=syn tcp-mss=1381-65535 passthrough=yes


(6) finally if no joy...... the one you had......
/ip firewall mangle
add action=change-mss chain=forward new-mss=1360 out-interface=protonwg01 protocol=tcp tcp-flags=syn tcp-mss=!0-1375 passthrough=yes

I have tried everything noted here, I get the same result at step 1 throughout the steps. I am able to ping the www address and 1.1.1.1 from the router and the PC at every step and my IP does not change from the WAN IP.

The internet seemed to go down when I enabled that routing rule last time, but that behavior did not happen this time. MTU had no perceptible effect. I rebooted the router a couple of times and re-did changes to no effect, the log shows 1 error after the reboot:

IPSec error, Policy install failed: proposal not found! (6)

That error appears again in the log about 10 minutes after the first instance.

Doing a print on the proposals:
 * name="default" auth-algorithms=sha1 
      enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m 
      pfs-group=modp1024 
Is this a remnant from when I tried this via the non-wireguard method? I disabled the proposal as a test and it had no effect on anything. I re-enabled it for now.


This is the current config with firewall rules as they may be problematic now:

# feb/23/2023 10:02:39 by RouterOS 7.7
# software id = CPNV-JM5L
#
# model = CCR2004-16G-2S+
# serial number =
/interface bridge
add name=bridge1
/interface wireguard
add comment="ProtonVPN interface" listen-port=21154 name=protonwg01
/interface list
add name=WAN
add name=LAN
add name=fVPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ProtonVPN
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=protonvpn_wg
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10
/ipv6 settings
set forward=no
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=ether10 list=fVPN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=*.*.*.* endpoint-port=\
51820 interface=protonwg01 persistent-keepalive=25s public-key=\
"*************"
/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
add address=10.2.0.2/24 interface=protonwg01 network=10.2.0.0
/ip dhcp-client
add interface=ether1
add add-default-route=no interface=bridge1 script=":log info (\"dhcp detect re\
lease\")\r\
\n:for e from=0 to=40 do={\r\
\n/ip dhcp-client release (\$e)\r\
\n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server alert
add disabled=no interface=bridge1 on-alert=rogue-dhcp valid-server=\
18:*:*:*:1E:04
/ip dhcp-server lease
add address=10.1.1.15 mac-address=94:****:77 server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.2.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=10.1.2.1
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
add address=192.168.88.0/24 list=under_protonvpn
add address=10.1.0.0/16 disabled=yes list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin" in-interface-list=LAN \
src-address-list=TRUSTED
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=\
LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
add action=change-mss chain=forward comment=\
"Clamp MSS to PMTU for Outgoing packets" disabled=yes new-mss=\
clamp-to-pmtu out-interface=protonwg01 passthrough=yes protocol=tcp \
tcp-flags=syn
add action=change-mss chain=forward new-mss=1380 out-interface=protonwg01 \
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=protonwg01
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0 \
template=yes
/ip route
add comment="ProtonVPN Wireguard default route" disabled=yes distance=1 \
dst-address=0.0.0.0/0 gateway=protonwg01 pref-src="" routing-table=\
protonvpn_wg scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup disabled=no src-address=10.1.0.0/16 table=protonvpn_wg
/system clock
set time-zone-name=America/Chicago
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
/system script
add dont-require-permissions=no name=rogue-dhcp owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":log warning message=\"Rogue DHCP server detected!\""
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Thu Feb 23, 2023 7:19 pm

(1) YES get rid of old remnants, proposals etc, at least for testing, I have no clue, in general, but specifically how such things may screw up a config LOL

(2) I would DEFINITELY remove the rule below too, and then retry my suggested set of steps...
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0 \
template=yes
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Thu Feb 23, 2023 10:03 pm

(1) YES get rid of old remnants, proposals etc, at least for testing, I have no clue, in general, but specifically how such things may screw up a config LOL

(2) I would DEFINITELY remove the rule below too, and then retry my suggested set of steps...
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=*1 src-address=0.0.0.0/0 \
template=yes
Ok the output of config is as follows, so it looks disabled:

/ip ipsec policy
set 0 disabled=yes

Repeating the same steps yields the same result, at least this was not interfering in any way. I did another reboot and don't see the policy error anymore.

Here is the rest of the boot log, highlighting what looks like the vpn?

# feb/23/2023 14: 2: 2 by RouterOS 7.7
# software id = CPNV-JM5L
#
19:59:57 system,info router rebooted
19:59:58 interface,info protonwg01 link up
20:00:01 bridge,info "bridge1" mac address changed to 18:*****:1E:04
20:00:02 bridge,info hardware offloading activated on bridge "bridge1" ports: ether7
20:00:02 bridge,info hardware offloading activated on bridge "bridge1" ports: ether10
20:00:03 interface,info sfp-sfpplus1 link up (speed 10G, full duplex)
20:00:04 interface,info ether1 link up (speed 1G, full duplex)
20:00:04 interface,info ether7 link up (speed 1G, full duplex)
20:00:06 dhcp,info dhcp-client on ether1 got IP address 192.*******
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Thu Feb 23, 2023 10:28 pm

I'd say that looks like good news.............
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Thu Feb 23, 2023 10:29 pm

Next step may be to call Proton and see what they see at their end........... You can tell them the proton link shows as being UP at your end.
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Thu Feb 23, 2023 11:11 pm

Next step may be to call Proton and see what they see at their end........... You can tell them the proton link shows as being UP at your end.
So I understand, should I have seen the whole network connected over the VPN?

I will open a support ticket, it makes sense to know what they may offer in support, at least what they are seeing on their side.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Thu Feb 23, 2023 11:39 pm

Exactly, if the link shows as up but you are not getting anything when browsing, it seems there may be something we are not aware of
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Fri Feb 24, 2023 6:31 pm

Proton gave me instructions to use the following config:
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet private-key=<your_private_key>
/ip address
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<Endpoint_IP> endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key=<your_public_key>
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route
add disabled=no dst-address=<Endpoint_IP>/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
/ip dns
set servers=10.2.0.1
/ip dhcp-client
set 0 use-peer-dns=no
I have done so, and the internet went down immediately, but there was traffic across Rx and Tx columns in the wireguard settings.

Would it be possible that I now have a working VPN connection and the config is causing the issue? I read thru this but my knowledge is so limited that only the most obvious would stick out to me.

The 3 firewall rules from the prev post are all included, 2 are disabled.

The config is as follows right now:

# feb/24/2023 16:18:41 by RouterOS 7.7
# software id = CPNV-JM5L
#
# model = CCR2004-16G-2S+
# serial number =
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
/interface list
add name=WAN
add name=LAN
add name=fVPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=protonvpn_wg
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10
/ipv6 settings
set forward=no
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=ether10 list=fVPN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=***** endpoint-port=\
51820 interface=wireguard-inet persistent-keepalive=25s public-key=\
"****"
/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
add address=10.2.0.2/24 interface=*14 network=10.2.0.0 <-- is this old/bad?
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
add add-default-route=no interface=bridge1 script=":log info (\"dhcp detect re\
lease\")\r\
\n:for e from=0 to=40 do={\r\
\n/ip dhcp-client release (\$e)\r\
\n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server alert
add disabled=no interface=bridge1 on-alert=rogue-dhcp valid-server=\
18::04
/ip dhcp-server lease
add address=10.1.1.15 mac-address=94::77 server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.2.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
add address=192.168.88.0/24 list=under_protonvpn
add address=10.1.0.0/16 disabled=yes list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin" in-interface-list=LAN \
src-address-list=TRUSTED
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Router services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=\
LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
# no interface
add action=change-mss chain=forward comment=\
"Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu \
out-interface=*14 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=1380 out-interface=\
*14 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=change-mss chain=forward disabled=yes new-mss=1360 out-interface=\
*14 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# no interface
add action=masquerade chain=srcnat out-interface=*14 <-- I don't recognize this
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=\
192.168.88.0/24
/ip ipsec policy
set 0 disabled=yes
/ip route
add comment="ProtonVPN Wireguard default route" disabled=yes distance=1 \
dst-address=0.0.0.0/0 gateway=*14 pref-src="" routing-table=protonvpn_wg \
scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=*******/32 gateway=192.168.*.254 \
routing-table=main suppress-hw-offload=no
/routing rule
add action=lookup disabled=no src-address=10.1.0.0/16 table=protonvpn_wg
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
/system script
add dont-require-permissions=no name=rogue-dhcp owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":log warning message=\"Rogue DHCP server detected!\""
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configure ProtonVPN on router with VPN active on set of ports?

Fri Feb 24, 2023 9:24 pm

I will look at your config later but lets look at the PROTON suggestions......

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet private-key=<your_private_key>
OKAY

Note: I am assuming they gave you the private key you need to put on the interface, confirm if correct!!
Note: I am assuming they gave you their public Key to put in your peer settings for their end.

/ip address
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
OKAY

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<Endpoint_IP> endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key=<your_public_key>
OKAY

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
Optional
You don't need to state the src-address, I suppose no harm if done, but not required.


/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
WRONG.
You only need one IP route and that needs to follow MT rules.
add distance=1 dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=usePROTON

/ip route
add disabled=no dst-address=<Endpoint_IP>/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
NO REMOVE not required.

/ip dns
set servers=10.2.0.1
NO we set the DNS servers on the dhcp server settings but we can modify somewhat in the real config.

/ip dhcp-client
set 0 use-peer-dns=no
NO, they have no business with your IP DHCP client settings!!!
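The route review above turns on how RouterOS chooses a route: a /routing rule with src-address picks the table, then the longest matching prefix in that table wins, and an action=lookup rule falls back to main when its table has no route. The following is an added example, not code from the thread, MikroTik or Proton. It contrasts Proton's two /1 routes in main with a single 0.0.0.0/0 route in a dedicated table selected per source subnet; the WAN address, ISP gateway, endpoint address and the 10.1.1.0/24 subnet chosen for the tunnel are constructed values, and the table name protonvpn_wg is the one from the config earlier in the thread.

```python
"""Model of RouterOS route selection: routing rule -> table, then
longest-prefix match inside that table, falling back to main.

Added example (not from the thread, MikroTik or Proton).  All addresses
below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Route:
    dst: IPv4Network
    gateway: str              # next-hop address or interface name


@dataclass
class RoutingRule:
    """/routing rule add action=lookup src-address=... table=..."""
    src: IPv4Network
    table: str


@dataclass
class Router:
    tables: Dict[str, List[Route]] = field(default_factory=dict)
    rules: List[RoutingRule] = field(default_factory=list)

    def lookup_table(self, table: str, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match inside one table."""
        best = None
        for r in self.tables.get(table, []):
            if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
                best = r
        return best

    def gateway_for(self, src: str, dst: str) -> Optional[str]:
        """First matching rule chooses the table; action=lookup falls back to
        main when that table has no route (lookup-only-in-table would not)."""
        s, d = IPv4Address(src), IPv4Address(dst)
        for rule in self.rules:
            if s in rule.src:
                hit = self.lookup_table(rule.table, d)
                if hit is not None:
                    return hit.gateway
                break
        hit = self.lookup_table("main", d)
        return hit.gateway if hit else None


WAN_IP = "192.168.1.20"      # constructed: address ether1 got from DHCP
WAN_GW = "192.168.1.254"     # constructed: ISP gateway
ENDPOINT = "203.0.113.10"    # constructed: the Proton WireGuard endpoint


def proton_style(endpoint_exception: bool) -> Router:
    """Proton's text: 0.0.0.0/1 and 128.0.0.0/1 via 10.2.0.1 in main.
    Together they cover every address and, being /1, beat the /0 default;
    the optional /32 route is the endpoint exception Proton also listed."""
    main = [
        Route(IPv4Network("0.0.0.0/0"), WAN_GW),
        Route(IPv4Network("0.0.0.0/1"), "10.2.0.1"),
        Route(IPv4Network("128.0.0.0/1"), "10.2.0.1"),
    ]
    if endpoint_exception:
        main.append(Route(IPv4Network(ENDPOINT + "/32"), WAN_GW))
    return Router(tables={"main": main})


def rule_style() -> Router:
    """One default route in its own table, chosen only for one LAN subnet."""
    return Router(
        tables={
            "main": [Route(IPv4Network("0.0.0.0/0"), WAN_GW)],
            "protonvpn_wg": [Route(IPv4Network("0.0.0.0/0"), "wireguard-inet")],
        },
        rules=[RoutingRule(IPv4Network("10.1.1.0/24"), "protonvpn_wg")],
    )


if __name__ == "__main__":
    for label, rtr in (("proton", proton_style(False)), ("rule", rule_style())):
        for src in ("10.1.1.15", "10.1.2.50", WAN_IP):
            print(label, src, "->", rtr.gateway_for(src, "1.1.1.1"))
```

Two things fall out of the model. With the /1 pair in main every source, including the router's own packets to the WireGuard endpoint, is sent to 10.2.0.1, which is why Proton's recipe needs the /32 exception route. With the rule-selected table, only 10.1.1.0/24 is steered into the tunnel, the rest of the LAN keeps using the ISP gateway, and the router's encapsulated packets (source WAN_IP) never match the rule, so no exception route is needed.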
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Fri Feb 24, 2023 10:51 pm

I will look at your config later but lets look at the PROTON suggestions......

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet private-key=<your_private_key>
OKAY

Note: I am assuming they gave you the private key you need to put on the interface, confirm if correct!!
Note: I am assuming they gave you their public Key to put in your peer settings for their end.

I did, in fact they chastised me for sending the key, and made me create a new one. The public key came from the website, the wireguard config tool, it was in the file that is generated.
/ip address
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
OKAY

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<Endpoint_IP> endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key=<your_public_key>
OKAY

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
Optional
You don't need to state the src-address, I suppose no harm if done, but not required.


/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
WRONG.
You only need one IP route and that needs to follow MT rules.
add distance=1 dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=usePROTON
Noted
/ip route
add disabled=no dst-address=<Endpoint_IP>/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no
NO REMOVE not required.

/ip dns
set servers=10.2.0.1
NO we set the DNS servers on the dhcp server settings but we can modify somewhat in the real config.

/ip dhcp-client
set 0 use-peer-dns=no
NO, they have no business with your IP DHCP client settings!!!
Noted... I will post a new config in a bit
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 25, 2023 1:47 am

UPDATED:
# feb/24/2023 16:18:41 by RouterOS 7.7
# software id = CPNV-JM5L
#
# model = CCR2004-16G-2S+
# serial number = 
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
/interface list
add name=WAN
add name=LAN
add name=fVPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
add name=dhcp_pool2 ranges=10.1.0.1-10.1.2.0,10.1.2.2-10.1.255.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge1 lease-time=1h name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing table
add fib name=protonvpn_wg
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether10
/ipv6 settings
set forward=no
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=ether10 list=fVPN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address= endpoint-port=\
    51820 interface=wireguard-inet persistent-keepalive=25s public-key=\
    ""
/ip address
add address=10.1.2.1/16 interface=bridge1 network=10.1.0.0
add address=10.2.0.2/24 interface=*14 network=10.2.0.0
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
add add-default-route=no interface=bridge1 script=":log info (\"dhcp detect re\
    lease\")\r\
    \n:for e from=0 to=40 do={\r\
    \n/ip dhcp-client release (\$e)\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server alert
add disabled=no interface=bridge1 on-alert=rogue-dhcp valid-server=\
    18:F04
/ip dhcp-server lease
add address=10.1.1.15 mac-address=94:7 server=dhcp1
/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.2.1 gateway=10.1.2.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=10.0.0.0-10.2.255.254 list=TRUSTED
add address=192.168.88.0/24 list=under_protonvpn
add address=10.1.0.0/16 disabled=yes list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow admin" in-interface-list=LAN \
    src-address-list=TRUSTED
add action=accept chain=input comment="users to Router services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Router services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=\
    LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
# no interface
add action=change-mss chain=forward comment=\
    "Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu \
    out-interface=*14 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=1380 out-interface=\
    *14 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=change-mss chain=forward disabled=yes new-mss=1360 out-interface=\
    *14 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# no interface
add action=masquerade chain=srcnat out-interface=*14
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=\
    192.168.88.0/24
/ip ipsec policy
set 0 disabled=yes
/ip route
add comment="ProtonVPN Wireguard default route" disabled=yes distance=1 \
    dst-address=0.0.0.0/0 gateway=*14 pref-src="" routing-table=protonvpn_wg \
    scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup disabled=no src-address=10.1.0.0/16 table=protonvpn_wg
/system identity
set name="MikroTik CCR2004-16G-2S"
/system routerboard settings
set enter-setup-on=delete-key
/system script
add dont-require-permissions=no name=rogue-dhcp owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    ":log warning message=\"Rogue DHCP server detected!\""
Last edited by BartoszP on Sat Feb 25, 2023 5:05 pm, edited 1 time in total.
Reason: Use proper tags: quote to quote, code for code - keep forum tidy
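Added example, not from the thread or from MikroTik: a small Python checker that joins the continuation lines of a RouterOS export and flags every `*N` placeholder in an interface or gateway attribute. That is what the `*14` in the export above is: RouterOS's stand-in for an object that no longer exists, so the masquerade rule, the mangle rules and the WireGuard default route that carry it can never match, and traffic meant for the tunnel is silently handled by the remaining rules instead. The excerpt it scans is constructed from lines in the post.

```python
import re

# Constructed excerpt modelled on the export in the thread above (not a full
# export): continuation lines end in a backslash, and "*14" is RouterOS's
# placeholder for an object (here an interface) that no longer exists.
SAMPLE_EXPORT = r"""
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
/ip address
add address=10.2.0.2/24 interface=*14 network=10.2.0.0
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu \
    out-interface=*14 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=*14
/ip route
add comment="ProtonVPN Wireguard default route" disabled=yes distance=1 \
    dst-address=0.0.0.0/0 gateway=*14 routing-table=protonvpn_wg
"""

# Attributes whose value names another object; a "*N" here is a dangling reference.
REF_ATTR = re.compile(r"\b(interface|in-interface|out-interface|gateway)=(\*[0-9a-fA-F]+)\b")


def join_continuations(text):
    """Merge export lines ending in a backslash into single logical commands."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.lstrip() if pending else raw   # continuation lines are indented
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    return [l for l in logical if l.strip()]


def find_dangling_refs(text):
    """Return (section, attribute, placeholder) for each *N reference in the export."""
    hits, section = [], ""
    for line in join_continuations(text):
        if line.startswith("/"):          # e.g. "/ip firewall nat" opens a new menu
            section = line
            continue
        for attr, ref in REF_ATTR.findall(line):
            hits.append((section, attr, ref))
    return hits
```

Run it against `/export` output saved from the router; every hit is a rule or route that is inert and should be deleted or repointed at the real `wireguard-inet` interface.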
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 25, 2023 6:46 am

I don't understand *14 ??????
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 25, 2023 5:04 pm

I don't understand *14 ??????
It looks like a lost reference, removing it has no effect.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 25, 2023 6:20 pm

That is not right; the *14 was in several places in your config: mangle rules, sourcenat rule.
Very bizarre. I am tempted to recommend a complete reset...................
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 25, 2023 9:26 pm

That is not right; the *14 was in several places in your config: mangle rules, sourcenat rule.
Very bizarre. I am tempted to recommend a complete reset...................
I'm going to do that and report back. Look, you've been more than patient, please don't feel obliged to help me further. I chose this path, cudda botta netgear or something like that. If you want to see it finally work, I will stick it thru but I would understand if it were reversed. I am 20 years a retired software engineer, so I have stood over many of your shoulders without bothering to learn it :(
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sat Feb 25, 2023 10:12 pm

I would like to see why proton is so difficult.......... or if I have an error in my thinking, so it's good to wrestle to the ground.....
 
poseo9wsw
newbie
Topic Author
Posts: 48
Joined: Thu Feb 02, 2023 6:41 pm

Re: Configure ProtonVPN on router with VPN active on set of ports?

Sun Mar 19, 2023 4:23 am

I would like to see why proton is so difficult.......... or if I have an error in my thinking, so it's good to wrestle to the ground.....

I'm afraid I had to steal the suspense, partner. I went dark because of a few things and had to go a different route.

In summary, hopefully some cool info for others.

My WAN has a 5G port, ATT-junq (attempts to bypass, more fun!) - and lo and behold nobody wants to make their 10g cards neg down to 5, 2.5 etc. So all this 10G goodness everywhere was lost on my poor NBASE-T, all forgotten.

So I took action! If MikroTik wouldn't negotiate speed, I'll buy a little PC (lil-PC) and put pfSense on it... well, did you know FreeBSD has problems? I do now. They don't fancy new chips and fancy new drivers, so if I wanted that connection speed I needed to buy an overpriced Intel card.

Lil-PC has 3 NICs: the onboard one, and 2 I bought, the 5G card and a double SFP+ card with 2 10G ports. NIC 1G, 5G and 10G a/b:
- NIC 1G is the management NIC, LAN IP, fake gateway so no internet access (yes, high tech)
- NIC 5G is WAN from the ATT router, gets IP from the ATT router in a bridged connection that includes the SFP+ card
- NIC 10G a and b:
  - a: WAN out passthru to the MikroTik router
  - b: finally the point of the post - TO BE - VPN-HOST port

Fast forward several days, a few more gray hairs, patience at an end, I have a solution.

Since the Mikro VPN was problematic, and Proton can't get their stuff right, I am in the process of setting up a VPN on lil-PC. I seem to have success with Proton and Ubuntu, so then this DMZ box I built will hopefully host the VPN and be connected to a switch so that anything connected is VPN'd in. Not the most elegant solution, but hey.

Any holes in this? I am segregating the MikroTik router in this scenario, and will have to provide DHCP and DNS to the VPN clients; I suppose Ubuntu could do this... so I was thinking...

Instead of pfSense, RouterOS can be virtualized; perhaps have a RouterOS manage the VPN network, but do it such that it's virtualized ON the box that it's serving. It's circular, but should function?
