I'm inching towards understanding this/getting it working but there's still one piece of the puzzle missing i think. Here's my config so far:
# 2023-09-30 12:11:50 by RouterOS 7.11.2
# software id = DNSC-DX1W
#
# model = RB750Gr3
/interface bridge
add admin-mac=18:FD:74:74:08:BC auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 \
max-mru=1492 max-mtu=1480 name=pppoe-out1 use-peer-dns=\
yes user=XXXXXXXXXXXXX
/interface wireguard
add listen-port=37728 mtu=1420 name=nordvpn private-key=\
"XXXXXXXXXXXXXXXXXXXXXX"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add fib name=useNordVPN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=nordvpn list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=uk2220.nordvpn.com endpoint-address=\
" 178.239.162.243" endpoint-port=51820 interface=nordvpn \
persistent-keepalive=40s public-key=\
"K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.5.0.2/24 interface=nordvpn network=10.5.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward in-interface-list=LAN out-interface=nordvpn
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/routing rule
add action=lookup src-address=192.168.1.0/24 table=useNordVPN
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Things that I've done:
- Added the wireguard interface + peer with appropriate keys pulled from the nordvpn linux client. I believe this part is working correctly
- Added a 10.0.5.2/24 address for the nordvpn tunnel
- Added a forward firewall rule to allow LAN traffic into the tunnel
- Added the nordvpn interface to the WAN interface list so that the existing src-nat masquerade rule will apply to it
- Added a routing table + routing rule as specified in 7.4 of this: viewtopic.php?p=906311#p906311
Now obviously it doesn't do anything yet because I haven't actually added a route to the new routing table. And this is where I'm stuck. If I do this:
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=nordvpn pref-src="" routing-table=useNordVPN scope=30 suppress-hw-offload=no target-scope=10
My entire network dies and I can't even reach the router any more. The first time I did this, I didn't have winbox setup and I had to factory reset the router and rebuild my network from scratch. So that was fun.
I'm wondering if this has something to do with the strange double NAT setup that my ISP has. Here's my current list of routes before adding the extra route for wireguard:
Av afi=ip4 contribution=active dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=pppoe-out1 immediate-gw=pppoe-out1 distance=1 scope=30 target-scope=10 vrf-interface=pppoe-out1 belongs-to="vpn"
debug.fwp-ptr=0x20242000
Ac afi=ip4 contribution=active dst-address=10.5.0.0/24 routing-table=main gateway=nordvpn immediate-gw=nordvpn distance=0 scope=10 belongs-to="connected" local-address=10.5.0.2%nordvpn
debug.fwp-ptr=0x20242120
Ac afi=ip4 contribution=active dst-address=192.168.1.0/24 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10 belongs-to="connected" local-address=192.168.1.1%bridge
debug.fwp-ptr=0x20242060
Ac afi=ip4 contribution=active dst-address=192.168.207.1/32 routing-table=main gateway=pppoe-out1 immediate-gw=pppoe-out1 distance=0 scope=10 belongs-to="connected" local-address=192.168.207.239%pppoe-out1
debug.fwp-ptr=0x202420C0
A H afi=link contribution=active dst-address=ether1 routing-table=main distance=0 belongs-to="interface"
A H afi=link contribution=active dst-address=ether2 routing-table=main distance=0 belongs-to="interface"
A H afi=link contribution=active dst-address=ether3 routing-table=main distance=0 belongs-to="interface"
A H afi=link contribution=active dst-address=ether4 routing-table=main distance=0 belongs-to="interface"
A H afi=link contribution=active dst-address=ether5 routing-table=main distance=0 belongs-to="interface"
A H afi=link contribution=active dst-address=bridge routing-table=main distance=0 belongs-to="interface"
A H afi=link contribution=active dst-address=pppoe-out1 routing-table=main distance=0 belongs-to="interface"
A H afi=link contribution=active dst-address=nordvpn routing-table=main distance=0 belongs-to="interface"
Can anyone suggest what I need to add as a route to get just my public internet traffic to leave via the VPN?