all works, vlan60 connects with the vpn and i can see that my ip uses the ip of the mullvad vpn (sweden in this case )
this is a good start, but what i want is some of my other vlans to 1) remain accessible internally and 2) connect to the outside through the VPN
for some reason, i can't have vlan120 use the vpn tunnel which is being used by vlan60
Not knowing where to start (and not having deep knowledge of VLANs and VPNs), I've tried a couple of changes, for instance modifying the gateway and DNS servers of vlan120 to resemble those of vlan60, and changing the interface of vlan120 to the one vlan60 uses. None of this works.
my config
# may/31/2023 14:29:15 by RouterOS 7.9.1
#
# model = RB4011iGS+
#
# NOTE(review): configuration export of an RB4011iGS+ on RouterOS 7.9.1.
# WireGuard public keys are already redacted ("xxx") and the script bodies
# ("backupscript", "updatedns") are placeholders in this export.
# Statement order is significant in the firewall filter, NAT, mangle and
# routing-rule sections below - do not reorder those entries.
#
# Single bridge with VLAN filtering enabled; per-VLAN port membership is
# defined in /interface bridge vlan further down.
/interface bridge
add fast-forward=no ingress-filtering=no name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] comment=192.168.110.16 name=ether2-TV
set [ find default-name=ether3 ] name=ether3-Chromecast
set [ find default-name=ether6 ] comment=meterkast name=ether6-switch
set [ find default-name=ether7 ] comment="arcam SA30" name=ether7-arcam
set [ find default-name=ether9 ] name=ether9-RB260GSP
set [ find default-name=ether10 ] name=ether10-R500 poe-priority=1
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# veth1 is the container's network interface; it is a bridge port and is
# tagged on VLANs 110 and 120 (see /interface bridge vlan).
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1
# Two WireGuard interfaces: "mullvad-upstream" is the client tunnel to the
# provider, "wireguard" is the local road-warrior server (UDP 13231, accepted
# in the firewall input chain below).
/interface wireguard
add comment=mullvad listen-port=4063 mtu=1420 name=mullvad-upstream
add listen-port=13231 mtu=1420 name=wireguard
# VLAN 60 ("mullvad") is the only VLAN whose packets receive the tunnel
# routing mark (see /ip firewall mangle). vlan105/110/120 are children of
# bridge-local; vlan-internet (300) is the tagged WAN uplink on ether1-WAN.
/interface vlan
add comment=mullvad interface=bridge-local name=mullvad vlan-id=60
add interface=ether1-WAN name=vlan-internet vlan-id=300
add comment=servers interface=bridge-local name=vlan105 vlan-id=105
add comment="IOT network" interface=bridge-local name=vlan110 vlan-id=110
add comment="guest network" interface=bridge-local name=vlan120 vlan-id=120
# Interface lists referenced by the firewall. LAN only receives bridge-local
# (see /interface list member); the tagged VLAN interfaces are never added
# to it.
/interface list
add comment="WAN interface" name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# dhcp-vlan105 is created here without an address-pool and none is assigned
# later in this export - confirm it is actually handing out leases.
/ip dhcp-server
add interface=vlan105 lease-time=10m name=dhcp-vlan105
/ip pool
add name=dhcp-local ranges=192.168.0.180-192.168.0.254
add name=pool-vlan110 ranges=192.168.110.180-192.168.110.249
add name=pool-vlan120 ranges=192.168.120.180-192.168.120.254
add comment=mullvad name=pool-vlan60 ranges=10.0.60.100-10.0.60.150
# Note: dhcp-vlan60 is disabled, so VLAN 60 hosts are not served by DHCP
# from this router in the current state.
/ip dhcp-server
add address-pool=dhcp-local interface=bridge-local lease-time=5m name=\
dhcp-local
add address-pool=pool-vlan110 interface=vlan110 lease-time=5m name=\
dhcp-vlan110
add address-pool=pool-vlan120 interface=vlan120 lease-time=5m name=\
dhcp-vlan120
add address-pool=pool-vlan60 comment=mullvad disabled=yes interface=mullvad \
name=dhcp-vlan60
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
# Separate routing table "mullvad"; it is populated by a single default
# route in /ip route and selected via routing-mark in /routing rule.
/routing table
add fib name=""
add comment=mullvad disabled=no fib name=mullvad
# mDNS repeater container; REPEATER_INTERFACES "eth0.110 eth0.120" appear to
# map to the VLAN 110/120 tags carried on veth1 - confirm against the image.
/container
add envlist=repeater_envs hostname=mdns-repeater interface=veth1 \
start-on-boot=yes
/container envs
add key=REPEATER_INTERFACES name=repeater_envs value="eth0.110 eth0.120"
# Access ports use PVID 110 (IoT). ether9-RB260GSP, ether10-R500 and
# sfp-sfpplus1 carry tagged VLANs (see /interface bridge vlan); ether8 is a
# bridge port but appears in no bridge vlan entry.
/interface bridge port
add bridge=bridge-local ingress-filtering=no interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether3-Chromecast \
pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether4 pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether5 pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether7-arcam pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=no interface=ether10-R500
add bridge=bridge-local ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge-local ingress-filtering=no interface=ether8
add bridge=bridge-local interface=veth1
# Neighbor discovery (MNDP/LLDP) is announced on every interface, including
# the WAN uplink; restricting this to the LAN list is the usual hardening.
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
# IPv6 is disabled globally; the IPv6 address list further down is therefore
# inert in the current state.
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
forward=no max-neighbor-entries=8192
# Bridge VLAN table: bridge-local itself is tagged on every VLAN so the
# router's VLAN interfaces above can terminate them.
/interface bridge vlan
add bridge=bridge-local tagged=\
ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=\
ether2-TV,ether3-Chromecast,ether5,ether4,ether7-arcam,ether6-switch \
vlan-ids=110
add bridge=bridge-local tagged=\
ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP,ether4 vlan-ids=\
105
add bridge=bridge-local comment=mullvad tagged=ether9-RB260GSP,bridge-local \
vlan-ids=60
/interface list member
add interface=bridge-local list=LAN
add interface=vlan-internet list=WAN
# md5 is still listed as an accepted auth digest. The OVPN server's enable
# state is not part of this export; if it is enabled, remove md5.
/interface ovpn-server server
set auth=sha1,md5
# Road-warrior peers are pinned to single /32 addresses; the provider peer
# accepts all destinations (0.0.0.0/0, ::/0). Keys are redacted.
/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="mobile" interface=wireguard \
public-key="xxx"
add allowed-address=10.0.0.3/32 comment="laptop" interface=wireguard \
public-key="xxx"
add allowed-address=0.0.0.0/0,::/0 comment=mullvad endpoint-address=\
185.213.154.68 endpoint-port=51820 interface=mullvad-upstream public-key=\
"xxx"
# The mullvad-upstream address is a single host address whose "network"
# field (10.124.0.152) is reused as the gateway of the tunnel default route
# in /ip route.
/ip address
add address=192.168.0.1/24 interface=bridge-local network=192.168.0.0
add address=192.168.110.1/24 interface=vlan110 network=192.168.110.0
add address=192.168.120.1/24 interface=vlan120 network=192.168.120.0
add address=10.0.0.1/24 interface=wireguard network=10.0.0.0
add address=192.168.105.1/24 interface=vlan105 network=192.168.105.0
add address=10.0.60.1/24 comment=mullvad interface=mullvad network=10.0.60.0
add address=10.66.250.98 comment=mullvad interface=mullvad-upstream network=\
10.124.0.152
# MikroTik cloud DDNS is enabled (publishes the WAN address daily).
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip dhcp-client
add interface=vlan-internet use-peer-ntp=no
# Static leases, mostly on VLAN 110. The disabled 172.16.0.20 lease refers to
# server "*A", an id with no matching DHCP server in this export.
/ip dhcp-server lease
add address=192.168.110.80 client-id=1:2c:ab:33:9a:29:4 mac-address=\
2C:AB:33:9A:29:04 server=dhcp-vlan110
add address=192.168.110.16 client-id=1:8c:79:f5:93:ef:14 mac-address=\
8C:79:F5:93:EF:14 server=dhcp-vlan110
add address=192.168.110.17 client-id=1:c0:56:27:8f:d5:ea mac-address=\
C0:56:27:8F:D5:EA server=dhcp-vlan110
add address=192.168.110.20 mac-address=44:09:B8:FE:EB:8C server=dhcp-vlan110
add address=192.168.110.59 comment="slp Ronald" mac-address=DC:4F:22:CB:07:2C \
server=dhcp-vlan110
add address=192.168.110.62 comment=trap mac-address=DC:4F:22:FA:56:A1 server=\
dhcp-vlan110
add address=192.168.110.60 comment=werkkamer mac-address=60:01:94:99:7A:26 \
server=dhcp-vlan110
add address=192.168.110.61 comment="slp Zeb" mac-address=60:01:94:99:78:4D \
server=dhcp-vlan110
add address=192.168.110.58 comment="wasmachine PoW r2" mac-address=\
CC:50:E3:1A:F6:8B server=dhcp-vlan110
add address=192.168.110.50 comment=gateway mac-address=7C:49:EB:1C:F3:47 \
server=dhcp-vlan110
add address=192.168.110.57 comment=s20 mac-address=B4:E6:2D:25:3F:73 server=\
dhcp-vlan110
add address=192.168.110.51 comment=gang1 mac-address=60:01:94:D6:08:CB \
server=dhcp-vlan110
add address=192.168.110.52 comment=gang2 mac-address=60:01:94:D6:C7:B3 \
server=dhcp-vlan110
add address=192.168.110.63 comment=slpObi mac-address=DC:4F:22:C6:A5:22 \
server=dhcp-vlan110
add address=192.168.110.18 client-id=1:0:11:32:d9:61:16 mac-address=\
00:11:32:D9:61:16 server=dhcp-vlan110
add address=192.168.110.66 comment=voorraadkast mac-address=34:CE:00:9B:16:08 \
server=dhcp-vlan110
add address=192.168.110.69 mac-address=54:48:E6:53:5A:87 server=dhcp-vlan110
add address=192.168.110.68 mac-address=64:90:C1:97:AB:E2 server=dhcp-vlan110
add address=192.168.110.67 mac-address=5C:E5:0C:E1:7B:F0 server=dhcp-vlan110
add address=192.168.110.70 mac-address=54:48:E6:51:C8:C0 server=dhcp-vlan110
add address=172.16.0.20 client-id=1:22:ae:66:87:2d:c3 disabled=yes \
mac-address=22:AE:66:87:2D:C3 server=*A
add address=192.168.110.40 comment=OTGW mac-address=F4:CF:A2:ED:C2:4B server=\
dhcp-vlan110
add address=192.168.0.10 client-id=1:e4:5f:1:70:90:93 comment="sensecap M1" \
mac-address=E4:5F:01:70:90:93 server=dhcp-local
add address=192.168.110.71 mac-address=54:48:E6:53:59:BB server=dhcp-vlan110
add address=192.168.110.22 mac-address=A8:48:FA:E9:15:68 server=dhcp-vlan110
add address=192.168.110.5 client-id=1:ca:7a:a8:1a:6c:61 mac-address=\
CA:7A:A8:1A:6C:61 server=dhcp-vlan110
add address=192.168.110.142 client-id=1:6a:3f:2d:31:84:4e comment=pixel6 \
mac-address=6A:3F:2D:31:84:4E server=dhcp-vlan110
add address=192.168.110.24 mac-address=18:FE:34:CF:74:17 server=dhcp-vlan110
add address=192.168.110.81 comment="alfen wallbox" mac-address=\
3A:65:45:61:7E:46 server=dhcp-vlan110
add address=192.168.110.55 comment="AC werkkamer" mac-address=\
60:01:94:0C:66:E1 server=dhcp-vlan110
add address=192.168.110.14 client-id=1:90:56:82:43:29:c4 mac-address=\
90:56:82:43:29:C4 server=dhcp-vlan110
add address=192.168.110.15 client-id=1:0:1b:7c:8:3b:24 mac-address=\
00:1B:7C:08:3B:24 server=dhcp-vlan110
add address=192.168.110.56 mac-address=40:F5:20:2D:29:DD server=dhcp-vlan110
# VLAN 60 clients are handed the provider-side resolver (100.64.0.23),
# presumably so their DNS also travels through the tunnel; every other
# subnet uses the two local pihole resolvers (192.168.0.12 / .11).
/ip dhcp-server network
add address=10.0.60.0/24 comment=mullvad dns-server=100.64.0.23 gateway=\
10.0.60.1
add address=192.168.0.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local \
gateway=192.168.0.1
add address=192.168.105.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
local gateway=192.168.105.1 netmask=24
add address=192.168.110.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
local gateway=192.168.110.1 netmask=24
add address=192.168.120.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
local gateway=192.168.120.1 netmask=24
/ip dns
set cache-max-ttl=1d
# Address lists. "not_in_internet", "localNet", "lan_ip" and "acl_mariadb"
# are defined but referenced by no rule in this export; "extDNS" is only
# used by disabled NAT rules. "mynetwork" (192.168.0.0/16) does not cover
# the 10.0.0.0/24 and 10.0.60.0/24 subnets.
/ip firewall address-list
add address=192.168.100.0/24 list=localNet
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 list=not_in_internet
add address=192.168.0.0/16 list=not_in_internet
add address=169.254.0.0/16 list=not_in_internet
add address=127.0.0.0/8 list=not_in_internet
add address=224.0.0.0/4 list=not_in_internet
add address=198.18.0.0/15 list=not_in_internet
add address=192.0.0.0/24 list=not_in_internet
add address=192.0.2.0/24 list=not_in_internet
add address=198.51.100.0/24 list=not_in_internet
add address=203.0.113.0/24 list=not_in_internet
add address=100.64.0.0/10 list=not_in_internet
add address=240.0.0.0/4 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=255.255.255.255 list=lan_ip
add address=192.168.0.0/24 comment="Trusted LAN " list=trusted-LAN
add address=192.168.110.0/24 list="untrusted VLAN"
add address=192.168.120.0/24 list="untrusted VLAN"
add address=192.168.0.0/16 list=mynetwork
add address=192.168.0.12 list=pihole
add address=172.16.0.0/12 list="untrusted VLAN"
add address=10.0.0.0/24 list=vpn
add address=192.168.0.10 disabled=yes list=extDNS
add address=172.16.0.20 disabled=yes list=extDNS
add address=192.168.0.128 disabled=yes list=extDNS
add address=192.168.105.0/24 list="untrusted VLAN"
add address=192.168.110.105 comment=homeassistant list=acl_postgres
add address=192.168.110.107 comment=teslamate list=acl_postgres
add address=192.168.110.118 comment=miniflux list=acl_postgres
add address=192.168.110.104 comment=grafana list=acl_influx
add address=192.168.110.105 comment=homeassistant list=acl_influx
add address=192.168.110.107 comment=teslamate list=acl_influx
add address=192.168.110.104 comment=grafana list=acl_postgres
add address=192.168.0.1 comment=snmp list=infra
add address=192.168.0.2 comment=snmp list=infra
add address=192.168.0.5 comment=snmp list=infra
add address=172.21.0.2 comment=docker list=acl_mariadb
add address=192.168.110.216 list=acl_influx
add address=192.168.0.183 list=acl_influx
add address=192.168.110.5 comment=docker list=acl_postgres
add address=192.168.0.11 list=pihole
add address=192.168.110.103 comment=spotweb list=acl_postgres
add address=192.168.110.119 comment=invidious list=acl_postgres
# Filter rules are evaluated top-down, so order matters. Review notes:
# - The input rule commented "defconf: accept ICMP" has action=drop, so the
#   comment and the action disagree (ICMP to the router is dropped).
# - The input accept for TCP 8728 from 192.168.110.105 is inert while
#   /ip service api is disabled further down.
# - LAN contains only bridge-local, so "drop all not coming from LAN" likely
#   also drops input arriving on vlan105/110/120 and mullvad - confirm that
#   this is intended (DHCP on those VLANs is served outside the filter).
# - "Drop from VLAN to VLAN" blocks inter-VLAN traffic except for the
#   explicit accepts above it (pihole DNS, homeassistant -> VLAN 120, acl_*).
# - The forward chain has no final catch-all drop, so anything not matched
#   by the drop rules (e.g. VLAN -> internet) is forwarded by default.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="servers to LAN" dst-address-list=\
mynetwork in-interface=vlan105
add action=accept chain=forward comment=postgres dst-address=192.168.105.11 \
dst-port=5432 protocol=tcp src-address-list=acl_postgres
add action=accept chain=forward comment=influxdb dst-address=192.168.105.12 \
dst-port=8086 protocol=tcp src-address-list=acl_influx
add action=accept chain=forward comment=mysql disabled=yes dst-address=\
192.168.105.15 dst-port=3306 protocol=tcp
add action=accept chain=input comment="telegraf snmp" dst-address=192.168.0.1 \
protocol=udp src-address=192.168.105.14
add action=accept chain=forward comment="telegraf snmp" dst-address-list=\
infra protocol=udp src-address=192.168.105.14
add action=accept chain=input comment="api access from homeassistant" \
dst-port=8728 protocol=tcp src-address=192.168.110.105
add action=accept chain=forward dst-address=192.168.120.0/24 protocol=tcp \
src-address=192.168.110.105
add action=accept chain=forward dst-address=192.168.120.0/24 protocol=udp \
src-address=192.168.110.105
add action=accept chain=forward comment="VLAN DNS" dst-address-list=pihole \
dst-port=53 protocol=udp src-address-list="untrusted VLAN"
add action=accept chain=forward comment="VLAN DNS" dst-address-list=pihole \
dst-port=53 protocol=tcp src-address-list="untrusted VLAN"
add action=accept chain=forward comment="sensecap M1" disabled=yes \
dst-address=192.168.0.10 dst-port=44158 protocol=tcp src-port=44158
add action=accept chain=input comment=wireguard dst-port=13231 log-prefix=\
wireguard protocol=udp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Accept from VPN to LAN" \
connection-state=established,related dst-address-list="untrusted VLAN" \
src-address-list=vpn
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="Drop from VLAN to LAN" \
connection-state=!established dst-address-list=trusted-LAN \
src-address-list="untrusted VLAN"
add action=drop chain=forward comment="Drop from VLAN to VLAN" \
dst-address-list="untrusted VLAN" src-address-list="untrusted VLAN"
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defcon: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Policy routing for the tunnel. Only packets entering on the "mullvad" VLAN
# interface receive routing-mark=mullvad; packets from vlan120 (or any other
# VLAN) are never marked, so they keep using the main table and the WAN
# masquerade - this is why vlan120 currently does not use the tunnel. An
# equivalent prerouting mark rule for in-interface=vlan120 would be needed.
# The rule also has no destination exclusion: marked packets to the other
# local subnets are looked up only in the "mullvad" table (see
# /routing rule), which holds just a default route, so VLAN 60 hosts
# presumably cannot reach the internal networks. Adding e.g.
# dst-address-list=!mynetwork to the mark rule would keep local-destination
# traffic on the main table.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=mullvad in-interface=mullvad \
new-routing-mark=mullvad
# Two masquerades: one for the WAN list, one for the tunnel interface so that
# tunnel-routed packets leave with the tunnel address.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="redirect port for Sensecap M1" \
disabled=yes dst-port=44158 protocol=tcp to-addresses=192.168.0.10 \
to-ports=44158
add action=dst-nat chain=dstnat comment="bypass pihole" disabled=yes \
dst-port=53 protocol=udp src-address-list=extDNS to-addresses=1.1.1.1
add action=dst-nat chain=dstnat comment="bypass pihole" disabled=yes \
dst-port=53 protocol=tcp src-address-list=extDNS to-addresses=1.1.1.1
add action=masquerade chain=srcnat comment=mullvad out-interface=\
mullvad-upstream
# Sole entry of the "mullvad" table: a default route via the tunnel peer
# address configured on mullvad-upstream.
/ip route
add comment=mullvad disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
10.124.0.152 pref-src="" routing-table=mullvad scope=30 \
suppress-hw-offload=no target-scope=10
# Plaintext / legacy management services are disabled (telnet, ftp, www,
# api, api-ssl); the ssh and winbox services are not part of this export.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set active-flow-timeout=1m cache-entries=64k
# UPnP is enabled; it lets LAN hosts request inbound WAN port mappings
# without firewall review. No "/ip upnp interfaces" entries appear in this
# export, so it may be inactive - confirm, and disable it if not needed.
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 nd
set [ find default=yes ] disabled=yes
# Marked traffic is looked up ONLY in the "mullvad" table. Should the tunnel
# route become inactive, marked packets are not routed at all rather than
# falling back to the main table - a fail-closed default for VPN traffic.
/routing rule
add action=lookup-only-in-table comment=mullvad routing-mark=mullvad table=\
mullvad
# SNMP is enabled; community and access settings are not in this export.
# The filter only accepts UDP to the router from 192.168.105.14 (telegraf).
/snmp
set enabled=yes trap-generators="" trap-version=2
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name="MikroTik RB4011iGS+RM"
/system logging
add topics=dns
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=64.99.80.121
add address=20.101.57.9
/system resource irq rps
set sfp-sfpplus1 disabled=no
# Weekly backup job; the script runs with the full policy set (including
# password and sensitive). Its source is a placeholder in this export.
/system scheduler
add interval=1w name=run-7d on-event=backup policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/19/2021 start-time=09:07:12
/system script
add dont-require-permissions=no name=backup owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="backupscript"
/tool bandwidth-server
set enabled=no
/tool graphing
set page-refresh=60
# Netwatch entry with no host shown in this export; down-script is a
# placeholder.
/tool netwatch
add comment="update DNS when Ubound is down" disabled=no down-script="updatedns"