Made the mistake of learning to set up my new NAS (TrueNAS) and integrating a MikroTik hEX into my network as my primary router, and attempting to learn the ins and outs of networking. Thoroughly fried my brain in the past couple of days. I've still got a bunch of questions and am still trying to find hints towards best practices and other things to try.
For now I have a specific question regarding VPN routing. Following a few guides and looking into threads on here I was able to get all of my internet traffic routed through WireGuard (Proton VPN). The minor performance hit and the ping impact lead me to prefer not having the VPN active for my PC's traffic outside of specific cases, and then I can just run the VPN on my system. What I would like to do is retain the VPN on my NAS and perhaps my daughter's devices to protect those. I tried some initial tinkering with the originally working simple routing setup, but to no avail. I'm definitely in over my head so far and definitely a networking novice, but willing to learn. I have further plans of continuing to fight to get IPv6 working with Starlink as my ISP, learning to set up VLANs for my IoT devices, and figuring out what method will work best for me to have my network/NAS/server accessible outside of my LAN, for starters accessing HomeAssistant from my phone when away.
My setup was done following the setup guide on the wiki and piecing together bits here and there, plus the incomplete IPv6 efforts. I've already wiped the config once and started over, so hopefully not again.
My focus is the VPN to cover NAS traffic for now though!
ISP: Starlink
Code:

```routeros
# 2024-02-14 20:20:20 by RouterOS 7.14rc1
# software id = **ELIDED**
#
# model = RB760iGS
# serial number = **ELIDED**
/interface bridge
add name=local
/interface ethernet
set [ find default-name=ether1 ] name="ether1[internet]"
set [ find default-name=ether2 ] name="ether2[MainPC]"
set [ find default-name=ether3 ] name="ether3[Linksys]"
set [ find default-name=ether4 ] name="ether4[NAS]"
/interface wireguard
add listen-port=13231 mtu=1420 name=protonWG
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local lease-time=12h name=dhcp1
/ip smb users
set [ find default=yes ] read-only=yes
/routing table
add fib name=USEproton
/interface bridge port
add bridge=local interface="ether2[MainPC]"
add bridge=local interface="ether3[Linksys]"
add bridge=local interface="ether4[NAS]"
add bridge=local interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/ipv6 settings
set accept-redirects=no accept-router-advertisements=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=local list=listBridge
/interface sstp-server server
set ciphers=aes256-sha
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=**ELIDED** endpoint-port=51820 interface=protonWG persistent-keepalive=25s public-key=**ELIDED**
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=10.2.0.2/30 interface=protonWG network=10.2.0.0
/ip dhcp-client
add interface="ether1[internet]" use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.240 mac-address=**ELIDED** server=dhcp1
add address=192.168.88.238 client-id=**ELIDED** mac-address=**ELIDED** server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface="ether1[internet]" protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface="ether1[internet]" port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface="ether1[internet]" port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface="ether1[internet]"
add action=fasttrack-connection chain=forward comment="fast-track for established,related" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new in-interface="ether1[internet]"
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface="ether1[internet]" log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1[internet]"
add action=masquerade chain=srcnat out-interface=protonWG src-address=192.168.88.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 firewall address-list
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=::/48 list=allowed
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/10 list=prefix_delegation
add address=2406:2d40:4100:7990::1/128 list=prefix_delegation
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward log-prefix=IPV6
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment=DHCPv6 protocol=udp src-port=546-547
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address-list=prefix_delegation
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address-list=prefix_delegation
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface="ether1[internet]"
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=no hop-limit=64 managed-address-configuration=yes mtu=1280 other-configuration=yes ra-interval=3m20s-8m20s
/ipv6 nd prefix default
set preferred-lifetime=10m valid-lifetime=15m
/routing rule
add action=lookup disabled=no src-address=local table=main
add action=lookup-only-in-table disabled=no dst-address=/0 table=main
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
```
Posted by hawk767 — Thu Feb 15, 2024 6:36 am
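The per-device policy routing the post asks for, as an added example that is not part of the original post or its config. It reuses the names already present in the export above (routing table `USEproton`, interface `protonWG`, LAN `192.168.88.0/24`, the existing `srcnat` masquerade on `protonWG`) and assumes the NAS is the host with the static lease `192.168.88.240` (a hypothetical choice; swap in whichever lease belongs to the NAS). The routing-rule approach is used rather than mangle `mark-routing` because the export's `fasttrack-connection` rule makes established connections skip the mangle chain, whereas routing rules are evaluated at the routing decision regardless.

```routeros
# Added example (not from the original post). Send only the NAS, and any other
# listed LAN host, out through the existing protonWG tunnel; every other LAN
# client keeps using the Starlink uplink directly.
# Assumptions: table USEproton and interface protonWG exist as in the export,
# NAS = 192.168.88.240 (hypothetical), second protected device = 192.168.88.238.

# 1. A default route that lives only in the USEproton table, never in main.
/ip route
add dst-address=0.0.0.0/0 gateway=protonWG routing-table=USEproton \
    comment="default via Proton WireGuard (USEproton only)"

# 2. Routing rules are first-match, so keep LAN-to-LAN and LAN-to-router
#    traffic in main, then force the device's remaining traffic into USEproton.
#    lookup-only-in-table = no fallback to the ISP if the tunnel is down
#    (kill-switch behaviour). Use action=lookup instead for fail-open.
/routing rule
add src-address=192.168.88.240/32 dst-address=192.168.88.0/24 action=lookup \
    table=main comment="NAS: LAN stays local"
add src-address=192.168.88.240/32 action=lookup-only-in-table table=USEproton \
    comment="NAS: everything else via Proton"
add src-address=192.168.88.238/32 dst-address=192.168.88.0/24 action=lookup \
    table=main comment="device2: LAN stays local"
add src-address=192.168.88.238/32 action=lookup-only-in-table table=USEproton \
    comment="device2: everything else via Proton"

# 3. These rules must sit ABOVE the export's catch-all
#    "action=lookup-only-in-table dst-address=/0 table=main" rule, or it wins
#    first. Print the numbered list and move the catch-all to the bottom.
/routing rule print
/routing rule move [ find dst-address=0.0.0.0/0 table=main ] [ :pick [ /routing rule find ] ([ :len [ /routing rule find ] ] - 1) ]

# 4. Checks.
/ip route print where routing-table=USEproton        ;# expect the protonWG default
/ip route print where gateway=protonWG routing-table=main  ;# expect nothing, else all LAN still goes via the tunnel
/interface wireguard peers print                     ;# last-handshake should be recent
# From the NAS shell: curl -4 https://ifconfig.me  -> Proton exit address, not Starlink's
# From the PC:        curl -4 https://ifconfig.me  -> Starlink address
```

The existing `/ip firewall nat` masquerade for `out-interface=protonWG src-address=192.168.88.0/24` already covers the tunnel path, so no NAT change is needed. Two things worth checking alongside this: the router's DNS forwarder points at `10.2.0.1` through the tunnel for every LAN client, so a tunnel outage takes down name resolution for the PC as well, not just the NAS; and once the Starlink IPv6 work succeeds, the NAS will have an IPv6 default path that bypasses the IPv4-only tunnel unless IPv6 is disabled on it or given equivalent rules. Separately, the export's input chain accepts SSH on port 22 from `ether1[internet]` while `/ip service` moves SSH to 2200, and accepts Winbox (8291) from the internet; restricting both to the LAN or to the tunnel would close that exposure.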