Community discussion
/tool fetch url="https://downloads.nordcdn.com/certificates/root.der"
/certificate import file-name=root.der name="NordVPN CA" passphrase=""
# Mark traffic that goes through the VPN server
/ip firewall address-list add address=192.168.88.10 list=under_nordvpn
/ip firewall address-list add address=192.168.88.11 list=under_nordvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_nordvpn new-connection-mark=under_nordvpn passthrough=yes
# IPsec/IKEv2 configuration
/ip ipsec mode-config add connection-mark=under_nordvpn name="NordVPN mode config" responder=no
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name="NordVPN profile"
/ip ipsec peer add address=lv55.nordvpn.com exchange-mode=ike2 name="NordVPN server" profile="NordVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="NordVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="NordVPN mode config" password=XXXXXXXXXX peer="NordVPN server" policy-template-group=NordVPN username=XXXXXXXXXX
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" src-address=0.0.0.0/0 template=yes
# In "/ip ipsec policy" you should now see a new dynamic rule next to your NordVPN policy. It must be there, otherwise the configuration will not work.
# (optional) implement a killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes
# Exclude the VPN traffic from fasttrack
/ip firewall filter add action=accept chain=forward connection-mark=under_nordvpn place-before=[find where action=fasttrack-connection]
# Reduce MSS (should be about 1200 to 1400, but 1360 worked for me)
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_nordvpn tcp-flags=syn tcp-mss=!0-1360
# Mark traffic that goes through the VPN server
/ip firewall address-list add address=wtfismyip.com list=under_nordvpn
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=under_nordvpn new-connection-mark=under_nordvpn passthrough=yes
# IPsec/IKEv2 configuration
/ip ipsec mode-config add connection-mark=under_nordvpn name="NordVPN mode config" responder=no
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name="NordVPN profile"
/ip ipsec peer add address=lv55.nordvpn.com exchange-mode=ike2 name="NordVPN server" profile="NordVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="NordVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="NordVPN mode config" password=XXXXXXXXXX peer="NordVPN server" policy-template-group=NordVPN username=XXXXXXXXXX
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" src-address=0.0.0.0/0 template=yes
# In "/ip ipsec policy" you should now see a new dynamic rule next to your NordVPN policy. It must be there, otherwise the configuration will not work.
# (optional) implement a killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting dst-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes
# Exclude the VPN traffic from fasttrack
/ip firewall filter add action=accept chain=forward connection-mark=under_nordvpn place-before=[find where action=fasttrack-connection]
# Reduce MSS (should be about 1200 to 1400, but 1360 worked for me)
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_nordvpn tcp-flags=syn tcp-mss=!0-1360
/interface bridge add name=vpn-blackhole protocol-mode=none
/ip route add gateway=vpn-blackhole routing-mark=to_vpn
/ip firewall mangle add chain=prerouting src-address-list=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes
This switch isn't good. In fact it's quite dangerous.
When I bring the bridge up, should I see traffic on the VPN blackhole as it goes up or down? The only traffic I see is ARP. When I re-enable my own kill-switch lines (dst 100.69.69.69), those lines do catch the traffic in NAT.
Looking at /ip route, pppoe-out has distance 0 and the blackhole has distance 1. I cannot set the blackhole to zero.
Use case #2: how do I kill-switch websites like youtube.com that have multiple IP addresses?
Note: you cannot effectively route all traffic of YouTube, Netflix or any other large website through the VPN. They have many different domain names and IP addresses, and these keep changing. Instead, route all of your device's traffic through the VPN.
"Use case #2: how do I kill-switch websites like youtube.com that have multiple IP addresses?"

You can't, because:

"Note: you cannot effectively route all traffic of YouTube, Netflix or any other large website through the VPN. They have many different domain names and IP addresses, and these keep changing. Instead, route all of your device's traffic through the VPN."

I have updated the steps with the note quoted above. To achieve this you need to route all of your device's traffic through the VPN. Again, see the updated steps for the second method.
/ip firewall mangle
add action=mark-connection chain=postrouting new-connection-mark=under_vpn out-interface-list=!ALL_LAN passthrough=yes src-address-list=HOST-NeedVPN
add action=change-mss chain=forward connection-mark=under_vpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=mark-routing chain=prerouting connection-mark=under_vpn new-routing-mark=to_vpn passthrough=yes src-address-list=HOST-NeedVPN
This is the killswitch; it affects all packets from the hosts listed in the "under_vpn" list, including those going to other local subnets.

Your modification breaks the killswitch, because it now only applies to packets with connection-mark=under_vpn, but you set that mark when the first packet goes out, so only the subsequent packets are affected, i.e. when the VPN is down, the first packet leaks.

This also answers your question about how to set the mark before the packet leaves. You can, but not for the same packet. Connection marks work like this: the router automatically recognizes packets belonging to the same connection and assigns them the connection mark (as distinct from packet marks and routing marks).

What you want is for the killswitch to always work but to exclude local subnets. One way is to add dst-address-list=!<all local subnets> to it. Another is to use a route rule:

/ip route rule add action=lookup-only-in-table dst-address= table=main…

I prefer the latter because it also helps with other things. For example, if you want to do hairpin NAT for your internal servers, this one works, while the former does not (without additional changes).
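The first-packet leak described in the reply above, modelled in Python as an added example (not RouterOS code and not from the thread). The chain order (prerouting, routing decision, postrouting), the persistence of connection marks across packets and the route-rule exclusion for local subnets are simplified assumptions of the model; the host and destination addresses are constructed.

```python
from dataclasses import dataclass

# Constructed inputs (not from the thread): one host in "under_vpn" and the LAN prefix.
UNDER_VPN = {"192.168.88.10"}
LAN_PREFIX = "192.168."

@dataclass
class Packet:
    src: str
    dst: str
    conn_mark: str = ""
    routing_mark: str = ""

@dataclass
class Rule:
    chain: str                  # "prerouting" or "postrouting"
    action: str                 # "mark-connection" or "mark-routing"
    new_mark: str
    src_list: bool = False      # src-address-list=under_vpn
    conn_mark: str = ""         # connection-mark=<value>
    not_lan_out: bool = False   # out-interface-list=!ALL_LAN (dst outside the LAN)

    def matches(self, p: Packet) -> bool:
        if self.src_list and p.src not in UNDER_VPN:
            return False
        if self.conn_mark and p.conn_mark != self.conn_mark:
            return False
        if self.not_lan_out and p.dst.startswith(LAN_PREFIX):
            return False
        return True

class Router:
    def __init__(self, rules, vpn_up, lan_route_rule=False):
        self.rules, self.vpn_up = rules, vpn_up
        self.lan_route_rule = lan_route_rule  # /ip route rule lookup-only-in-table main
        self.conntrack = {}                   # (src, dst) -> connection mark, persists

    def _chain(self, name, p):
        p.conn_mark = self.conntrack.get((p.src, p.dst), "")
        for r in self.rules:
            if r.chain == name and r.matches(p):
                if r.action == "mark-connection":
                    self.conntrack[(p.src, p.dst)] = p.conn_mark = r.new_mark
                else:
                    p.routing_mark = r.new_mark

    def forward(self, p):
        """Return where the packet leaves: 'lan', 'vpn', 'blackhole' or 'wan' (a leak)."""
        self._chain("prerouting", p)
        if self.lan_route_rule and p.dst.startswith(LAN_PREFIX):
            out = "lan"                       # route rule consulted before the marked table
        elif p.routing_mark == "to_vpn":
            out = "vpn" if self.vpn_up else "blackhole"
        else:
            out = "wan"
        self._chain("postrouting", p)         # runs after the routing decision
        return out

# Modified variant from the reply: connection marked in postrouting, routing mark keyed on it.
BROKEN = [Rule("postrouting", "mark-connection", "under_vpn", src_list=True, not_lan_out=True),
          Rule("prerouting", "mark-routing", "to_vpn", conn_mark="under_vpn")]
# Original kill switch: routing mark taken straight from the address list in prerouting.
FIXED = [Rule("prerouting", "mark-routing", "to_vpn", src_list=True)]

def simulate(rules, vpn_up, dst="203.0.113.5", lan_route_rule=False, n=3):
    """Send n packets of one connection from the VPN host and report where each exits."""
    r = Router(rules, vpn_up, lan_route_rule)
    return [r.forward(Packet("192.168.88.10", dst)) for _ in range(n)]
```

With the VPN down, the BROKEN rule set sends the first packet out the WAN and only blackholes the rest; the FIXED set blackholes every packet, and the route rule is what keeps LAN destinations reachable.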
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp src-address-list=under_vpn tcp-flags=syn tcp-mss=!0-1360
/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 place-before=1
Click OK.
Also, NordVPN and others allow SHA384 in the profile, which provides a higher level of encryption in the first phase of the connection.
/ip ipsec profile add name="NordVPN" hash-algorithm=sha384 enc-algorithm=aes-256 dh-group=ecp256,modp3072
Please tell me how to forward ports correctly, for example for torrents, with this configuration?
1. What does this have to do with this thread? 2. Why do you need port forwarding... for torrents?
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=under_vpn new-connection-mark=under_vpn passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=!no_vpn dst-address-type=!local new-connection-mark=under_vpn passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes
Hi, I have a hEX S router and followed the instructions in the first post, changing only the nordvpn server and password, without implementing the kill switch. All configuration was done after resetting the router to factory config, on FW 6.48. When I use a PC through the VPN connection everything works fine, but when accessing through an Android device only very few websites really work. Youtube.com is accessible, but videos won't play in the browser, the Amazon website does not open, it cannot connect to Ring cameras, etc. I tried lowering the MSS value to 1200, but no effect. I'd appreciate it if you could point me in the right direction. Thank you!
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=!no_vpn dst-address-type=!local new-connection-mark=under_vpn passthrough=yes
/ip route add distance=1 gateway=96.38.160.1 routing-mark=BypassVPN
/ip firewall mangle add action=mark-routing chain=prerouting dst-port=80,443 new-routing-mark=BypassVPN passthrough=no protocol=tcp src-address=10.236.1.0/24
Would something like this work?

/ip firewall mangle add action=mark-connection chain=prerouting dst-port=!80,443 new-connection-mark=under_nordvpn passthrough=yes protocol=tcp
But what if there are multiple exceptions?
/ip firewall mangle add action=mark-connection chain=prerouting dst-port=80,443 new-connection-mark=novpn passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=prerouting dst-address=123.123.123.123 new-connection-mark=novpn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=!novpn new-connection-mark=under_nordvpn passthrough=yes
If I were you, I would do it like this:
/ip ipsec profile add dh-group=ecp256,modp3072 enc-algorithm=aes-256 hash-algorithm=sha384 \
    name="NordVPN profile"
/ip ipsec peer add address=us8452.nordvpn.com exchange-mode=ike2 name="NordVPN peer" \
    profile="NordVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s \
    name="NordVPN proposal" pfs-group=none
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" \
    src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config add connection-mark=NordVPN name=NordVPN responder=no
/ip ipsec identity add auth-method=eap certificate=NordVPN eap-methods=eap-mschapv2 \
    generate-policy=port-strict mode-config=NordVPN notrack-chain=prerouting \
    password=[password] peer="NordVPN peer" \
    policy-template-group=NordVPN username=[username]
/ip firewall filter
# Input chain rules
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
# Forward chain rules
add action=accept chain=forward comment="Don't fasttrack NordVPN traffic" connection-mark=NordVPN dst-address-list=localnet
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark outgoing IPSec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark incoming IPSec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward connection-mark=NordVPN new-mss=64 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-64
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none
/ip firewall raw
add action=notrack chain=prerouting comment="notrack ipsec to local" disabled=yes dst-address-list=localnet src-address-list=ipsec-remote
add action=notrack chain=prerouting comment="notrack local to ipsec" disabled=yes dst-address-list=ipsec-remote src-address-list=localnet
Hello,

Try moving the rules below to the top and try again. Close the NordVPN IPsec connection, clear the connection tracking list, then retry.

add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward connection-mark=NordVPN new-mss=64 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-64

Also, these rules look a bit odd to me. Why MSS 0-64? Or things like "connection-mark=!ipsec"? I'm not sure, because your configuration has quite a lot of customization and it's hard to tell from your rules.

Also, when testing, try removing the killswitch implementation. For testing I like the wtfismyip.com site, because it shows your public IP, which changes once you start using NordVPN. :)
peer="NordVPN peer" auth-method=eap eap-methods=eap-mschapv2 mode-config=NordVPN notrack-chain="output" certificate=NordVPN username=[username] password=[password] generate-policy=port-strict policy-template-group=NordVPN
@lenart, thanks, that worked for me!
/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic
This is my IPsec setup
Note 2: you probably can route all of a company's traffic, but if the company uses popular hosting such as Amazon AWS or Linode, you may end up routing 30-40% of websites under NordVPN. For example, Mikrotik.com resolves to "159.148.147.196". A quick Google search shows Mikrotik has its own ASN containing 512 IPs; in other words, if you want to access Mikrotik services/websites under NordVPN, you should use this (second) method and add 159.148.147.0/24 and 159.148.172.0/24 to your address list.
I have updated some steps and done a general cleanup.

/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic

I can't get this to work; even with the simple "add action=notrack chain=output protocol=ipsec-esp" the byte counters just don't increase. What am I doing wrong? The regular rules above fasttrack work great, but...
Hey everyone,

I have a similar setup:
- an IP address list that goes only through the VPN
- the rest goes through the WAN
But for some reason I took fewer steps to get the same result, and it works (so far no letters from the provider).

I'm wondering what I'm missing and how dangerous my setup is.

# add to list
/ip firewall address-list add address=192.168.88.8 list=vpn_p2p_users
# create profile
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add name=NordVPN
/ip ipsec peer add address=us8657.nordvpn.com exchange-mode=ike2 name=us8657.nordvpn.com profile=NordVPN
/ip ipsec proposal add name=NordVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=NordVPN username=your_service_login password=*** peer=us8657.nordvpn.com policy-template-group=NordVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config add name=NordVPN responder=no src-address-list=vpn_p2p_users
# killswitch
/ip firewall nat add action=return chain=srcnat src-address-list=vpn_p2p_users
Is that really the only difference between the two methods?
Could some details have been lost in one of the command updates in the main post? I did a diff between #1 and #2, and the only difference is the third command: the 'firewall mangle' command has 'dst-*' in #2 instead of 'src-*' in #1. Is that really the only difference between the two methods?
My question is: how do I make all traffic go through the tunnel, except all traffic for 192.168.x.x?
/ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=unmarkable_nordvpn passthrough=yes src-address=192.168.x.x
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=!unmarkable_nordvpn new-connection-mark=nordvpn passthrough=yes src-address=192.168.0.0/16
add action=dst-nat chain=srcnat routing-mark=Leak-IKEV to-addresses=100.69.69.68
add action=dst-nat chain=dstnat routing-mark=Leak-IKEV to-addresses=100.69.69.69 connection-mark=no-mark
Tip: the username and password for the NordVPN connection on the router are not the same as the ones you use to log in to their web page. You must use the ones under "Service credentials (manual setup)" at https://my.nordaccount.com/pl/dashboard/nordvpn/
# implement killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=local action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes
# dec/12/2021 14:07:30 by RouterOS 6.47.1
# software id = Z46B-UBXL
#
# model = RB750Gr3
/interface bridge
add admin-mac=C4:AD:34:C6:1E:0 auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full
set [ find default-name=ether2 ] advertise=10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full
/interface vlan
add interface=ether1 name=e1-v201 vlan-id=201
/interface pppoe-client
add add-default-route=yes disabled=no interface=e1-v201 max-mru=1492 max-mtu=1492 name=pppoe-out1 password= user=
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add connection-mark=under_nordvpn name="NordVPN mode config" responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name="NordVPN profile"
/ip ipsec peer
add address=in104.nordvpn.com exchange-mode=ike2 name="NordVPN server" profile="NordVPN profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="NordVPN proposal" pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan type=A
/ip firewall address-list
add address=192.168.86.80 list=under_nordvpn
add address=192.168.86.84 list=under_nordvpn
/ip firewall filter
add action=accept chain=forward connection-mark=under_nordvpn
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=under_nordvpn passthrough=yes src-address-list=under_nordvpn
add action=change-mss chain=forward connection-mark=no-mark new-mss=1452 out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=forward connection-mark=under_nordvpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-out1
/ip ipsec identity
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="NordVPN mode config" password= peer="NordVPN server" policy-template-group=NordVPN username=
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Hello, I came to this thread after trying the directions on the NordVPN website, and I was excited because it works for so many people, but the configuration doesn't work for me. I want two devices on my network, an Apple TV and a laptop, to use the VPN connection and the rest not to.
Is this behavior expected?
When both static and dynamic servers are set, static server entries are preferred; however, this does not mean the static server will always be used (for example, if a previous query was received from a dynamic server and a static server was added later, the dynamic server entry will be preferred).
How do you implement the kill switch in ROS7? Routes in ROS7 don't have routing-mark.

# (optional) implement a killswitch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes
/ip firewall mangle add action=mark-connection chain=input in-interface=ether2 new-connection-mark=VPN passthrough=yes
Same problem here. The only thing keeping me on ROS6.
/routing table add fib name=nordvpn_blackhole
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes
A basic approach is to add a second route that takes over when the VPN's dynamic route is deactivated.

/ip route add blackhole disabled=no distance=254 dst-address=0.0.0.0/0 routing-table=under_nordvpn scope=30 target-scope=10

So, when using NordVPN, why not move to WireGuard?
Hmm, that seems impossible; IKEv2 connects directly to the WAN, in my case PPPoE. The thread is only tagged ROSv6, so even the author hasn't found a way to implement the kill switch.
When the connection is active you will see a dynamic line in NAT. Copy this line, change the action's dst-address to 100.69.69.69 and save. This IP goes nowhere. When the VPN goes down this line is still there, and it also catches traffic while the VPN is still coming up.
What do you think of this?
Internet <-----------> ISP <------------> Modem <-- PPPOE-DHCP-DNS ---------> Tik <-------- DHCP-DNS-VPN -----------> Clients
Internet <-----------> ISP <------------> Modem <-- bridge ---------> Tik <-- PPPOE OUT-DHCP-DNS-VPN -----------> Clients
@msatter - thanks for your input. Actually, I don't consider it an improvement over the guide I gave. I mean it does work, but using simple mangle rules is a more dynamic way of handling VPN traffic.
Add a route rule: action= "LOCAL_IP" table="PPTP_CLIENT_NAME"