Hi all,

Not sure if anyone else has ran into similar issues, but about a month or so ago, the Wireguard connections I had out to Proton VPN for clients in a particular subnet (10.10.20.0/24) suddenly stopped working. I can only presume this is due to an update as it was working fine for a couple of months without any major changes to the underlying config. I'm wondering if anyone else had similar issues?

Originally I set this up on v7.11, and I'm now on v7.12.1, but it's been broken since v7.12 if I recall correctly.

In short, I have the general subnet of 10.10.10.0/24 where anything connected to that is routed out the standard ISP without touching the VPN, but for clients connected to to the 10.10.20.0/24 subnet will always go out the Wireguard VPN provided by Proton.

I've attached my config. I have cleaned up a lot of the noise to make this easier to read, but there's nothing complicated going on here at this location (it's my parents house), so I'm fairly sure I haven't deleted anything relevant. I'm seeing this in 2 other locations I have, so I'm thinking it must be the update that caused this issue.

I'm convinced it's an IP route issue or something similar - when I try to ping 8.8.8.8 from the Wireguard interface they just timeout. If I tweak the routing to force everything out the PPPoE interface, the subnet etc works fine, so I'm happy the underlying VLAN/Subnet etc is fine.

Not sure if it's relevant, but the guide I followed at the time suggested sticking any old IP on the Wireguard interfaces themselves, which is where the 10.10.30.0/30 range comes into play. With Proton it seems to recommend 10.2.0.2/32 for the address on the WG interface (and the config provided by them for their server indicates 10.2.0.1. I have tried changing this, but this has made no difference.

Would seriously appreciate any suggestions as I've been trying to figure this out for a few weeks now.

Please post a real config in the standard format. That was a horrible abomination to look at.

/export file=anynameyouwish (minus router serial number and any public WANIP information, keys etc....)

Hi anav,

Thanks for the reply. Sorry about the mess - I've done another export.

(1) Wrong order...... think through the logic. Will traffic from VPN subnet ever reach another local subnet with the order you have????
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.10.20.0/24 table=\
Proton_UK_WG
add action=lookup-only-in-table disabled=no src-address=10.10.10.0/24 table=\
main

(2) You need to add the vlans to the list interface LAN.

(3) Should be set to the DNS Proton gives you!!
/ip dhcp-server network
add address=10.0.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.0.50.1 \
netmask=24
add address=10.10.10.0/24 comment=defconf dns-server=8.8.8.8 gateway=\
10.10.10.1 netmask=24
add address=10.10.20.0/24 comment=defconf dns-server=PROTON-DNS gateway=\
10.10.20.1 netmask=24

(5) add this mangle rule to prevent any mtu issues.
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" \
new-mss=clamp-to-pmtu out-interface=Proton_UK passthrough=yes protocol=tcp tcp-flags=syn

Thanks anav, appreciate you taking the time.

Forgive my ignorance, but I'm not sure I fully understand the first point. I'm not really interested in these devices accessing devices/resources on the primary VLAN.

I've implemented the suggested points and still not able to get out to the internet via these VLANs.

Thanks for your help!

Please post the latest config for me to look at.

Thanks again anav, see attached.

1. You have these two entries in /interface bridge ports
add bridge=BRIDGE_FAL_EOIP interface=VLAN_0050_FAL_EOIP_bridge
add bridge=BRIDGE_FAL_EOIP interface=FAL_EOIP_50_TUNNEL

But the bridge is never defined.......
/interface bridge
add admin-mac=C4:AD:34:F5:C8:F7 a uto-mac=no comment=defconf name=\
BRIDGE_FAL_LOCAL
/interface ethernet

Furthermore.......
A. you have no /interface bridge vlan settings..........
B. you dont have bridge vlan filtering enabled, if all are supposed to be on one bridge........

Until you solve basic config issue looking at proton is insignificant.

In terms of wireguard..... this is wrong for two reasons. ORDER is one of them.....
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.10.20.0/24 table= Proton_UK_WG
add action=lookup-only-in-table disabled=no src-address=10.10.10.0/24 table=main

FIXED: we have to capture local traffic before we send it out the tunnel.......
/routing rule
add action=lookup-only-in-table dst-address=10.10.10.0/24 table=main comment="traffic to local subnet"
add action=lookup-only-in-table src-address=10.10.20.0/24 table= Proton_UK_WG

Firewall is weak.......or horrible or both........

/ip firewall address-list { use static dhcp leases }
add address=adminIP1 list=Authorized comment="admin local desktop"
add address=adminIP2 list=Authorized comment="admin local laptop"
add address=adminIP3 list=Authorized comment="admin local smartphone/ipad"
/ip firewall filter
add action=accept chain=input comment="Allow Established/Related" \
connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="Admin access" src-address-list=Authorized
add action=accept chain=input comment="router services" dst-port=53 protocol=udp \
ini-interface-list=LAN
add action=accept chain=input comment="router services" dst-port=53 protocol=tcp \
ini-interface-list=LAN
add action=drop chain=input comment="DROP ALL ELSE" { add this as the last rule }

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=accept chain=forward comment="entry to wg" src-address=10.10.20.0/24 out-interface=Proton_UK
add action=drop chain=forward comment="drop all else"