Specific DST-List over VPN

globalmedia · Mon Apr 15, 2024 4:21 am

I would like to understand what I am doing wrong.
I have a Wireguard VPN working. I can ping local and remote IP addresses from LAN. The VPN interface is configured for masquerated too. But when I am trying to force specific traffic over VPN it's losing packages.

/ip route add distance=1 dst-address=0.0.0.0/0 gateway=vpn routing-table=vpn scope=30 suppress-hw-offload=no target-scope=10

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-list=vpn new-connection-mark=vpn passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=vpn new-routing-mark=vpn passthrough=no

I can ping dst list and I see due to the ms that I am routing over VPN, but when I try to access the website, a lot of data is not loading correctly, just some.

rplant · Mon Apr 15, 2024 6:23 am

Not much to go on there.

So per @anav
/export file=anynameyouwish (minus router serial number and any public WANIP information, keys etc. )

However I will also make a guess.
You need to limit the traffic that gets fast tracked.

eg.

Just before the fasttrack rule.

/ip firewall filter
....

add action=accept chain=forward comment="dont fast track vpn" connection-mark=vpn connection-state=established,related

#** The default fasttrack rules **
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related,untracked hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

anav · Mon Apr 15, 2024 2:16 pm

What VPN are you connecting to??
If its a thirdparty VPN did they also provide a DNS server address??

Specific DST-List over VPN

Specific DST-List over VPN

Re: Specific DST-List over VPN

Re: Specific DST-List over VPN