superuzzo
just joined
Topic Author
Posts: 3
Joined: Sun Dec 15, 2019 6:01 pm

IPsec Kill switch when vpn is down

Sun Dec 15, 2019 7:03 pm

Hi guys!
I'm new to MikroTik and RouterOs, and I like it :)

I have a hap lite router (RB941-2ND-TC) connected to my home DSL modem (FritzBox 3272), on ether1 (wan).

I've configured wlan1, ether2 and ether3 on new "bridge-p2p" with its own addresses, dhcp, public dns, and so on...
I left Ether4 on default bridge.
I also setup IPSEC as described here https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS.

My purpose is to mainly use the device for Netflix/p2p/surfing over NordVPN, except for port ether4 that should always work, even when VPN is down.
Everything works, however I would like to avoid "bridge-p2p" from connecting to the internet when VPN is down, while "bridge" should continue surfing without limitations.
Since all outgoing traffic passes through ether1, I'm having some difficulty setting up the filter rules correctly.

I'm not sure it could also be a matter of routes :(
Could you help me please?

Thanks
 
Davis
Member Candidate
Posts: 120
Joined: Mon Aug 01, 2011 12:27 pm
Location: Latvia, Riga

Re: IPsec Kill switch when vpn is down

Sun Dec 22, 2019 7:04 am

You might be interested in ipsec-policy property of /ip firewall filter rules.

Something like this might work:
/ip firewall filter add chain=forward in-interface=bridge-p2p out-interface=ether1 ipsec-policy=out,none action=reject
 
superuzzo
just joined
Topic Author
Posts: 3
Joined: Sun Dec 15, 2019 6:01 pm

Re: IPsec Kill switch when vpn is down

Fri Dec 27, 2019 3:26 am

Something like this might work:
/ip firewall filter add chain=forward in-interface=bridge-p2p out-interface=ether1 ipsec-policy=out,none action=reject
I put this rule just before the "defconf: accept out ipsec policy" rule; unfortunately, everything coming from bridge-p2p (my mobile browser) towards ether1 is rejected in both cases (VPN UP or VPN DOWN). What am I missing?

Below is my configuration file.

# dec/27/2019 01:25:30 by RouterOS 6.46
#
# model = RB941-2nD
/interface bridge
add admin-mac=74:4D:28:C5:93:E1 auto-mac=no comment=defconf name=bridge
add name=bridge-p2p
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    WPA2-PSK supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge security-profile=WPA2-PSK ssid=MikroTik \
    wireless-protocol=802.11
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=addr-p2p
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=ch131.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-bridge-p2p ranges=192.168.179.10-192.168.179.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=pool-bridge-p2p disabled=no interface=bridge-p2p lease-time=\
    1d name=dhcp-bridge-p2p
/interface bridge port
add bridge=bridge-p2p comment=defconf interface=ether2
add bridge=bridge-p2p comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge-p2p comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.179.1/24 interface=bridge-p2p network=192.168.179.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.179.0/24 dns-server=103.86.96.100,103.86.99.100 gateway=\
    192.168.179.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.179.0/24 list=addr-p2p
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=reject chain=forward comment="VPN KS TEST" disabled=yes \
    in-interface=bridge-p2p ipsec-policy=out,none log=yes log-prefix=\
    "VPN KS TEST rule - " out-interface=ether1 reject-with=\
    icmp-network-unreachable
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=my-nordvpn-user
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
icsterm
Frequent Visitor
Posts: 59
Joined: Sun Mar 11, 2018 11:11 pm

Re: IPsec Kill switch when vpn is down

Tue Dec 31, 2019 10:43 pm

I'm also interested in a rule that blocks non-ipsec traffic once the IKEv2 tunnel drops.
Using an exclude connection mark like the way we do fasttrack except ipsec seems to not work at all under firewall - filter rules, all traffic is blocked lol:

mangle:
 4    ;;; mark-ipsec
      chain=forward action=mark-connection new-connection-mark=ipsec passthrough=yes log=no log-prefix="" 
      ipsec-policy=in,ipsec 
filter:
 2    ;;; killswitch
      chain=forward action=drop connection-mark=!ipsec log=no log-prefix="" 

I previously used L2TP/IPSec and that came very handy because I actually had a routing table and if the interface goes down I could use a blackhole route, but pure ipsec man, it's a level higher on the difficulty level.

I've also tried and it doesn't work:

2    ;;; killswitch
      chain=forward action=drop  log=no log-prefix="" ipsec-policy=out,none 
I hope someone can at least give me a hint towards a solution; I would appreciate it greatly.
 
icsterm
Frequent Visitor
Posts: 59
Joined: Sun Mar 11, 2018 11:11 pm

Re: IPsec Kill switch when vpn is down

Wed Jan 01, 2020 5:28 pm

After digging for a solution I found one that works:
 1    ;;; fasttrack-no-ipsec
      chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark log=no 
      log-prefix="" 

 2    ;;; killswitch
      chain=forward action=drop connection-state=established,related src-address=192.168.88.0/24
      connection-mark=!ipsec log=no log-prefix="" 
The key is to only drop 'established,related' combined with "!ipsec" connection-mark, because the firewall filter works before ipsec encapsulation.
I think SYN packets will leak once the VPN goes down though, but once they try establishing the filter will kick in.
 
icsterm
Frequent Visitor
Posts: 59
Joined: Sun Mar 11, 2018 11:11 pm

Re: IPsec Kill switch when vpn is down

Thu Jan 02, 2020 3:14 pm

I've improved the killswitch by moving the filter in the output chain:
2    ;;; killswitch
      chain=output action=drop src-address=192.168.88.0/24 connection-mark=no-mark log=no log-prefix="" 
Because I mark both ipsec and non-ipsec using mangle in the forward chain, the non-ipsec traffic gets dropped once the tunnel is down because the output chain is secondary to the forward chain.
 
superuzzo
just joined
Topic Author
Posts: 3
Joined: Sun Dec 15, 2019 6:01 pm

Re: IPsec Kill switch when vpn is down

Sat Jan 11, 2020 3:30 pm

Thank you icsterm, I will give it a try...
However, if I remember correctly, one problem I experienced was that even using mangle to mark connections, I was not able to "intercept" and mark IPsec connections towards NordVPN :(

EDIT:
To make things simpler I started over, reset the router, configured the IPsec VPN only and added these rules as you suggested, but it still does not work.
192.168.88.254 is my winbox client, I need to permit connections towards it, otherwise I will not be able to manage the device anymore.

/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="Mark non IPsec" ipsec-policy=in,none new-connection-mark=nonipsec

/ip firewall filter add chain=output dst-address=192.168.88.254 action=accept
/ip firewall filter add chain=output src-address=192.168.88.0/24 connection-mark=no-mark action=drop comment="VPN Kill Switch"

Is there anything wrong with it?
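An added example, not from any poster in this thread, of a different mechanism than the ipsec-policy and connection-mark matchers tried above: a scheduled script checks whether any IPsec SA is installed and enables a plain drop rule for bridge-p2p only while the tunnel is down, so the filter never has to see the packet's encapsulation state at all. Assumed names: the comment "VPN Kill Switch", interface bridge-p2p and the defconf rule order from superuzzo's export, and a 10 s polling interval.

```routeros
# Kill-switch rule, created disabled. It is placed above the defconf ipsec/fasttrack
# rules so that it also cuts flows that were already running through the tunnel
# (those are accepted by "accept out ipsec policy" and therefore never fasttracked).
/ip firewall filter
add chain=forward in-interface=bridge-p2p out-interface-list=WAN action=drop \
    comment="VPN Kill Switch" disabled=yes \
    place-before=[find comment="defconf: accept in ipsec policy"]

# Script: tunnel counts as up only while at least one IPsec SA is installed.
/system script
add name=vpn-killswitch source={
    :local tunnelUp ([:len [/ip ipsec installed-sa find]] > 0)
    :local rule [/ip firewall filter find comment="VPN Kill Switch"]
    :if ($tunnelUp) do={
        /ip firewall filter set $rule disabled=yes
    } else={
        # Log once per outage, not on every poll while the tunnel stays down.
        :if ([/ip firewall filter get $rule disabled]) do={
            :log warning "VPN Kill Switch engaged: no IPsec SA installed"
        }
        /ip firewall filter set $rule disabled=no
    }
}

# Poll every 10 s; bridge-p2p clients can leak for at most that long after the SA drops.
/system scheduler
add name=vpn-killswitch interval=10s on-event=vpn-killswitch
```

Management from the default bridge (ether4) is untouched because the drop rule only matches in-interface=bridge-p2p.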
 
starleaf
just joined
Posts: 3
Joined: Thu Feb 06, 2020 8:00 am

Re: IPsec Kill switch when vpn is down

Fri Oct 23, 2020 9:47 am

Thank you icsterm, I will give it a try...
However, if I remember correctly, one problem I experienced was that even using mangle to mark connections, I was not able to "intercept" and mark IPsec connections towards NordVPN :(

EDIT:
To make things simpler I started over, reset the router, configured the IPsec VPN only and added these rules as you suggested, but it still does not work.
192.168.88.254 is my winbox client, I need to permit connections towards it, otherwise I will not be able to manage the device anymore.

/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="Mark non IPsec" ipsec-policy=in,none new-connection-mark=nonipsec

/ip firewall filter add chain=output dst-address=192.168.88.254 action=accept
/ip firewall filter add chain=output src-address=192.168.88.0/24 connection-mark=no-mark action=drop comment="VPN Kill Switch"

Is there anything wrong with it?

Hello
I'm also looking into making a kill switch for IPsec IKEv2. Did you manage to get it to work as you wanted?
 
ronal01
just joined
Posts: 13
Joined: Thu Jan 31, 2019 10:40 pm

Re: IPsec Kill switch when vpn is down

Sun Nov 15, 2020 1:21 pm

I solved it: you must create a static route with distance 1 using the VPN link as the gateway and another with distance 2 using the WAN one, and only one NAT rule, exiting through the VPN tunnel; if the tunnel fails, the internet is deactivated.
 
ronal01
just joined
Posts: 13
Joined: Thu Jan 31, 2019 10:40 pm

Re: IPsec Kill switch when vpn is down

Thu Nov 19, 2020 1:45 pm

What I did for my kill switch on the client was to enable NAT only for the tunnel's address range, so that only what goes out through the VPN is masqueraded, plus a static route 0.0.0.0 with the L2TP gateway at distance 1; when the VPN fails, the router stays without internet.