I have setup a Wireguard based PIA VPN following this tutorial: viewtopic.php?t=205188. Based on several posts I noticed that the instructed routing mark isn't working RouterOS 7 as shown in the tutorial, so I pointed the routing mark to the routing table and create a separate routing rule. I did the other steps and created the appropriate mangle rules. I created a 0.0.0.0/0 ip route rule pointing it to the VPN and tested it. I'm able to open internet sites as usual, but when I open the test site I've setup (www.wtfismyip.com), traffic stalls. When I look to the interfaces I created, I notice some traffic and on the VPN side, I can see the IP addresses (source/ destination) coming by what I expect. But Periodically I only see this, including only Tx traffic. No Rx. I tried several things, but I am a bit lost here. So, hopefully you guys can point me in the right direction.
Hereby my config:
Code: Select all
# 2024-04-26 21:29:36 by RouterOS 7.14.2
# software id = 3D2G-X07G
#
# model = RB5009UG+S+
# serial number =
/interface bridge
add admin-mac=78:9A:18:BB:D7:8B auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface ovpn-client
add auth=sha256 cipher=aes256-cbc connect-to=us-california.privacy.network \
disabled=yes mac-address=FE:3E:A1:EE:B8:68 name=PIA_US_CAL port=501 \
route-nopull=yes user=p5112900 verify-server-certificate=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=MikroTik-Wireguard
add listen-port=57611 mtu=1420 name=wg-pia-il
/interface vlan
add interface=bridge name=LAB vlan-id=3
add interface=bridge name="LAN Network" vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.20.20-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.20-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface="LAN Network" name=dhcp1
add address-pool=dhcp_pool2 interface=LAB name=dhcp2
/routing table
add disabled=no fib name=PIA
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=20
add bridge=bridge comment=defconf interface=ether3 pvid=20
add bridge=bridge comment=defconf interface=ether4 pvid=20
add bridge=bridge comment=defconf interface=ether5 pvid=20
add bridge=bridge comment=defconf interface=ether6 pvid=20
add bridge=bridge comment=defconf interface=ether7 pvid=20
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment="LAN Network" tagged=bridge,ether8 untagged=\
ether3,ether4,ether5,ether6,ether2,ether7 vlan-ids=20
add bridge=bridge comment=IPTV tagged=\
ether8,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=4
add bridge=bridge comment=LAB tagged=ether8,bridge vlan-ids=30
/interface list member
add interface="LAN Network" list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.100.10/32 comment="Macbook" interface=\
MikroTik-Wireguard public-key=\
"TT"
add allowed-address=192.168.100.11/32 comment="iPhone" interface=\
MikroTik-Wireguard public-key=\
"Pj"
add allowed-address=192.168.100.12/32 comment="iPhone" interface=\
MikroTik-Wireguard public-key=\
"dt"
add allowed-address=192.168.100.0/32,192.168.3.0/24 comment=\
"Tunnel naar ouders" endpoint-address=xxx endpoint-port=13231 \
interface=MikroTik-Wireguard public-key=\
"Nb"
add allowed-address=0.0.0.0/0 endpoint-address=191.96.227.154 endpoint-port=\
1337 interface=wg-pia-il persistent-keepalive=25s public-key=\
"np"
/ip address
add address=192.168.30.1/24 interface=LAB network=192.168.30.0
add address=192.168.100.1/24 interface=MikroTik-Wireguard network=\
192.168.100.0
add address=192.168.20.1/24 interface="LAN Network" network=192.168.20.0
add address=192.168.2.20/24 interface=ether1 network=192.168.2.0
add address=10.25.161.123/17 interface=wg-pia-il network=10.25.128.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.20.215 client-id=1:ac:e2:d3:14:86:e3 mac-address=\
AC:E2:D3:14:86:E3 server=dhcp1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes servers=192.168.2.254
/ip dns static
add address=192.168.2.254 comment=Router name=kpn.lan
add address=192.168.20.1 comment=Router name=router.lan
add address=192.168.20.2 comment=Woonkamer name=sw01.lan
add address=192.168.20.10 comment=Zolder name=nas.lan
add address=192.168.20.10 name=administratie.nas.lan
add address=192.168.20.215 name=batocera.lan
add address=192.168.3.254 name=routeraad.lan
add address=10.25.128.1 name=gw-wg-pia-il
/ip firewall address-list
add address=wtfismyip.com list=vpn-list
/ip firewall filter
add action=accept chain=input comment="Allow WireGuard traffic" src-address=\
192.168.100.0/24
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input comment="Block LAB traffic to the Internet" \
in-interface=LAB
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=\
PIA-Connection packet-mark=no-mark passthrough=yes src-address=\
192.168.20.31
add action=mark-packet chain=prerouting connection-mark=no-mark \
dst-address-list=vpn-list new-packet-mark=PIA-Connection passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=PIA packet-mark=\
PIA-Connection passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=FTP dst-port=20 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.20.10 to-ports=20
add action=dst-nat chain=dstnat comment=FTP dst-port=21 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.20.10 to-ports=21
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.20.10 to-ports=443
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=\
32400
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.20.10 to-ports=80
add action=dst-nat chain=dstnat comment="Synology WEBDAV" dst-port=5006 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=\
5006
add action=dst-nat chain=dstnat comment="Synology Hyperbackup" dst-port=6281 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=\
6281
add action=dst-nat chain=dstnat comment="Synology Management" dst-port=5001 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=\
5001
add action=dst-nat chain=dstnat comment="Home Assistant" dst-port=8124 \
in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.20.10 \
to-ports=8124
add action=dst-nat chain=dstnat comment="Active Backup" dst-port=5510 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=\
5510
add action=dst-nat chain=dstnat comment=OpenVPN dst-port=1194 \
in-interface-list=WAN protocol=udp to-addresses=192.168.20.10 to-ports=\
1194
/ip firewall service-port
set tftp disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add comment="Route naar ouders via WireGuard" disabled=no distance=1 \
dst-address=192.168.3.0/24 gateway=MikroTik-Wireguard pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.254 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
wg-pia-il pref-src="" routing-table=PIA scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.20.0/24
set ssh address=192.168.20.0/24 port=2202
set winbox address=192.168.20.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/routing rule
add action=lookup disabled=no routing-mark=PIA table=main
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=ROUTER
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN