Community discussion
/tool fetch url="https://downloads.nordcdn.com/certificates/root.der"
/certificate import file-name=root.der name="NordVPN CA" passphrase=""
# Mark the traffic that must go through the VPN server
/ip firewall address-list add address=192.168.88.10 list=under_nordvpn
/ip firewall address-list add address=192.168.88.11 list=under_nordvpn
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=under_nordvpn new-connection-mark=under_nordvpn passthrough=yes

# IPsec/IKEv2 configuration
/ip ipsec mode-config add connection-mark=under_nordvpn name="NordVPN mode config" responder=no
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name="NordVPN profile"
/ip ipsec peer add address=lv55.nordvpn.com exchange-mode=ike2 name="NordVPN server" profile="NordVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="NordVPN proposal" pfs-group=none
/ip ipsec identity add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="NordVPN mode config" password=XXXXXXXXXX peer="NordVPN server" policy-template-group=NordVPN username=XXXXXXXXXX
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" src-address=0.0.0.0/0 template=yes
# The template policy must exist, otherwise the configuration will not work.

# (Optional) implement a kill switch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes

# Exclude this VPN traffic from fasttrack
/ip firewall filter add action=accept chain=forward connection-mark=under_nordvpn place-before=[find where action=fasttrack-connection]

# Reduce MSS (should be about 1200 to 1400, but 1360 worked for me)
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_nordvpn tcp-flags=syn tcp-mss=!0-1360
/ip route add gateway=vpn-blackhole routing-mark=to_vpn
/ip firewall mangle add chain=prerouting src-address-list=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes
This kill switch is not good. Actually, it is quite dangerous.
When I bring up the bridge that acts as the blackhole for the VPN uplink or downlink, should I see traffic on it? The only traffic I see is ARP. When I re-enable my own kill switch line (dst 100.69.69.69), those lines in NAT do catch traffic.
Looking at /ip route, PPPoE-out has distance 0 and the blackhole has distance 1. I cannot set the blackhole to zero.
> Use case #2: how do I kill-switch a website like youtube.com that has multiple IP addresses?

You cannot, because:

> Note: you cannot effectively route all traffic of YouTube, Netflix or any other large site through the VPN. They have many different domain names and IP addresses, and these change constantly. It is recommended to route all traffic of the device through the VPN.

I have updated the steps and added the note quoted above. To achieve this you need to route all traffic of the device through the VPN. See the second method again for the updated steps.
/ip firewall mangle
add action=mark-connection chain=postrouting new-connection-mark=under_vpn out-interface-list=!ALL_LAN passthrough=yes src-address-list=HOST-NeedVPN
add action=change-mss chain=forward connection-mark=under_vpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=mark-routing chain=prerouting connection-mark=under_vpn new-routing-mark=to_vpn passthrough=yes src-address-list=HOST-NeedVPN
It is a kill switch, and it affects all packets from hosts in the "under_vpn" list, including those going to other local subnets.

Your modification breaks the kill switch, because it now only acts on packets with connection-mark=under_vpn, but you set that mark when the first packet goes out, so only the subsequent packets are affected. In other words, when the VPN is down the first packet leaks out.

That also answers your question about how a mark set in postrouting can work in prerouting. It can, but not for the same packet. That is what connection marks are: the router automatically recognizes packets belonging to the same connection and assigns them the connection mark (as opposed to packet marks and routing marks).

What you want is a kill switch that always works but excludes the local subnets. One way is to add dst-address-list=!<all local subnets> to its rule. Another is to use routing rules:

/ip route rule
add action=lookup-only-in-table dst-address=<local subnet 1> table=main
add action=lookup-only-in-table dst-address=<local subnet 2> table=main
…

I prefer the latter, because it also helps with other things. For example, if you do hairpin NAT for your internal servers, this method works, whereas the former does not (without additional changes).
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp src-address-list=under_vpn tcp-flags=syn tcp-mss=!0-1360
/ip ipsec policy move *ffffff destination=0
/ip ipsec policy add action=none dst-address=192.168.80.0/24 src-address=0.0.0.0/0 place-before=1
Also, NordVPN and others allow SHA384 in the profile, which gives a higher level of encryption in the first phase of the connection.
/ip ipsec profile add name="NordVPN" hash-algorithm=sha384 enc-algorithm=aes-256 dh-group=ecp256,modp3072
Please tell me how to forward ports correctly in this configuration, for example for torrents?
1. What does this have to do with this thread? 2. Why would you need port forwarding for... torrents?
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=under_vpn new-connection-mark=under_vpn passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=!no_vpn dst-address-type=!local new-connection-mark=under_vpn passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=under_vpn action=mark-routing new-routing-mark=to_vpn passthrough=yes
Hi, I have a hEX S router and followed the instructions in the first post, changing only the NordVPN server and password and not implementing the kill switch. All configuration was done after resetting the router to factory defaults, firmware 6.48. When I use a PC through the VPN connection everything works fine, but when I try to access through an Android device only very few sites actually work. Youtube.com is reachable, but videos do not play in the browser, amazon.com does not open at all, Ring cameras cannot connect, etc. I tried lowering the MSS value to 1200 with no effect. I would appreciate it if you could point me in the right direction. Thank you!
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=!no_vpn dst-address-type=!local new-connection-mark=under_vpn passthrough=yes
/ip route add distance=1 gateway=96.38.160.1 routing-mark=BypassVPN
/ip firewall mangle add action=mark-routing chain=prerouting dst-port=80,443 new-routing-mark=BypassVPN passthrough=no protocol=tcp src-address=10.236.1.0/24
Would something like this work?

/ip firewall mangle add action=mark-connection chain=prerouting dst-port=!80,443 new-connection-mark=under_nordvpn passthrough=yes protocol=tcp
But what about multiple exceptions?
/ip firewall mangle add action=mark-connection chain=prerouting dst-port=80,443 new-connection-mark=novpn passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=prerouting dst-address=123.123.123.123 new-connection-mark=novpn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=!novpn new-connection-mark=under_nordvpn passthrough=yes
If I were you, I would do it like this:

/ip ipsec profile add dh-group=ecp256,modp3072 enc-algorithm=aes-256 hash-algorithm=sha384 \
    name="NordVPN profile"
/ip ipsec peer add address=us8452.nordvpn.com exchange-mode=ike2 name="NordVPN peer" \
    profile="NordVPN profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s \
    name="NordVPN proposal" pfs-group=none
# the policy group referenced below must exist
/ip ipsec policy group add name=NordVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" \
    src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config add connection-mark=NordVPN name=NordVPN responder=no
/ip ipsec identity add auth-method=eap certificate=NordVPN eap-methods=eap-mschapv2 \
    generate-policy=port-strict mode-config=NordVPN notrack-chain=prerouting \
    password=[password] peer="NordVPN peer" \
    policy-template-group=NordVPN username=[username]
/ip firewall filter
# input chain rules
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward chain rules
add action=accept chain=forward comment="Don't fasttrack NordVPN traffic" connection-mark=NordVPN dst-address-list=localnet
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall mangle
add action=mark-connection chain=forward comment="Mark outgoing IPSec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark incoming IPSec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward connection-mark=NordVPN new-mss=64 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-64

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none

/ip firewall raw
add action=notrack chain=prerouting comment="notrack ipsec to local" disabled=yes dst-address-list=localnet src-address-list=ipsec-remote
add action=notrack chain=prerouting comment="notrack local to ipsec" disabled=yes dst-address-list=ipsec-remote src-address-list=localnet
Hello,

Try moving the rules below to the top and try again. Close the NordVPN IPsec connection and clear the connection tracking list before retrying.

add action=mark-connection chain=prerouting comment="Mark NordVPN IPSec traffic" connection-mark=!ipsec dst-address-list=!localnet,ipsec-remote new-connection-mark=NordVPN passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward connection-mark=NordVPN new-mss=64 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-64

Also, these rules look a bit odd to me. Why MSS 0-64? Or things like "connection-mark=!ipsec". I am not sure, since your configuration is quite heavily customized, so it is hard to tell from your rules.

Also try removing the kill switch implementation while testing. For testing I like the site wtfismyip.com, because it shows your public IP, which changes when you start using NordVPN. :)
/ip ipsec identity add peer="NordVPN peer" auth-method=eap eap-methods=eap-mschapv2 mode-config=NordVPN notrack-chain=output certificate=NordVPN username=[username] password=[password] generate-policy=port-strict policy-template-group=NordVPN
@lenart, thanks, that works for me!
/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic
This is my IPsec setup
Note 2: you may be able to route all of a company's traffic, but if the company uses a popular host such as Amazon AWS or Linode, you may end up routing 30-40% of websites under NordVPN. For example, Mikrotik.com resolves to "159.148.147.196". A quick Google search shows that Mikrotik has its own ASN containing 512 IPs; in other words, if you want to reach Mikrotik services/websites under NordVPN, you should use this (second) method and add 159.148.147.0/24 and 159.148.172.0/24 to your address list.
I updated some of the steps and did a general cleanup.

> /ip firewall raw
> add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
> add action=notrack chain=output protocol=ipsec-esp dst-address-list=IKEVtraffic

I cannot get this to work; even with a simple "add action=notrack chain=output protocol=ipsec-esp" the byte counter just does not increase. What am I doing wrong? The fasttrack on the regular rules above works fine, though...
Hey everyone,

I have a similar setup:
- an IP address list goes only through the VPN
- the rest goes through the WAN

But for some reason I needed fewer steps to get the same result, and it works (no letter from the ISP so far). I am wondering what I missed, and how dangerous my setup is.

# add to list
/ip firewall address-list add address=192.168.88.8 list=vpn_p2p_users
# create profile
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add name=NordVPN
/ip ipsec peer add address=us8657.nordvpn.com exchange-mode=ike2 name=us8657.nordvpn.com profile=NordVPN
/ip ipsec proposal add name=NordVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=NordVPN username=your_service_login password=*** peer=us8657.nordvpn.com policy-template-group=NordVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config add name=NordVPN responder=no src-address-list=vpn_p2p_users
# killswitch
/ip firewall nat add action=return chain=srcnat src-address-list=vpn_p2p_users
Could it be that some detail was lost in one of the command updates of the main post? I did a diff between #1 and #2, and the only difference is the third command, the "firewall mangle" command, which has "dst-*" in #2 and "src-*" in #1. Is that really the only difference between the two methods?
My question is: how do I get all traffic to go through the tunnel, except all traffic to 192.168.x.x?
/ip firewall mangle add action=mark-connection chain=prerouting new-connection-mark=unmarkable_nordvpn passthrough=yes src-address=192.168.x.x
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=!unmarkable_nordvpn new-connection-mark=nordvpn passthrough=yes src-address=192.168.0.0/16
add action=dst-nat chain=srcnat routing-mark=Leak-IKEV to-addresses=100.69.69.68
add action=dst-nat chain=dstnat routing-mark=Leak-IKEV to-addresses=100.69.69.69 connection-mark=no-mark
Tip: the username and password used for the NordVPN connection on the router are not the ones used to log in to their web page. You must use the "Service credentials (manual setup)" from https://my.nordaccount.com/pl/dashboard/nordvpn/
# implement the kill switch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=local action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes
# dec/12/2021 14:07:30 by RouterOS 6.47.1
# software id = Z46B-UBXL
#
# model = RB750Gr3
/interface bridge
add admin-mac=C4:AD:34:C6:1E:0 auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full
set [ find default-name=ether2 ] advertise=10M-full,100M-full,1000M-full,2500M-full,5000M-full,10000M-full
/interface vlan
add interface=ether1 name=e1-v201 vlan-id=201
/interface pppoe-client
add add-default-route=yes disabled=no interface=e1-v201 max-mru=1492 max-mtu=1492 name=pppoe-out1 password= user=
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add connection-mark=under_nordvpn name="NordVPN mode config" responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name="NordVPN profile"
/ip ipsec peer
add address=in104.nordvpn.com exchange-mode=ike2 name="NordVPN server" profile="NordVPN profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name="NordVPN proposal" pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan type=A
/ip firewall address-list
add address=192.168.86.80 list=under_nordvpn
add address=192.168.86.84 list=under_nordvpn
/ip firewall filter
add action=accept chain=forward connection-mark=under_nordvpn
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=under_nordvpn passthrough=yes src-address-list=under_nordvpn
add action=change-mss chain=forward connection-mark=no-mark new-mss=1452 out-interface=pppoe-out1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=forward connection-mark=under_nordvpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-out1
/ip ipsec identity
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="NordVPN mode config" password= peer="NordVPN server" policy-template-group=NordVPN username=
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal="NordVPN proposal" src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Hi all, I came to this thread after trying the directions on the NordVPN website, and I was excited because it works for so many people, but the configuration does not work for me. I want two devices on my network, an Apple TV and a laptop, to use the VPN connection and the rest not to.
Is this behaviour expected?
> When both static and dynamic servers are set, the static server entries are preferred; however, this does not mean the static servers will always be used (e.g. if earlier queries were answered by the dynamic server and the static one was added later, the dynamic entry will be preferred).
How do I implement the kill switch in ROS7? Routes in ROS7 no longer have routing-mark.

# (Optional) implement a kill switch
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/ip route add gateway=nordvpn_blackhole routing-mark=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes
/ip firewall mangle add action=mark-connection chain=input in-interface=ether2 new-connection-mark=VPN passthrough=yes
Same problem here. It is the only thing keeping me on ROS6.
/routing table add fib name=nordvpn_blackhole
# ROS7 routes select the table with routing-table=, not routing-mark=
/ip route add gateway=nordvpn_blackhole routing-table=nordvpn_blackhole
/ip firewall mangle add chain=prerouting src-address-list=under_nordvpn action=mark-routing new-routing-mark=nordvpn_blackhole passthrough=yes
A basic approach is to add a second route that takes over when the VPN's dynamic route is deactivated.

/ip route add blackhole disabled=no distance=254 dst-address=0.0.0.0/0 routing-table=under_nordvpn scope=30 target-scope=10

And then, when using NordVPN, why not move to WireGuard?
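Pulling the pieces scattered across this thread together for RouterOS v7 (selective hosts via NordVPN IKEv2, local subnets excluded, a dead-interface kill switch, fasttrack exclusion, MSS clamping), here is one complete layout. This is an added example, not configuration from any of the original posts, from MikroTik or from NordVPN; the LAN subnets, host addresses, list and table names, server hostname and the MSS value of 1360 are assumptions modelled on the thread and must be adapted.

```routeros
# Added example (not from the original posts): RouterOS v7 layout for
# "these LAN hosts reach the Internet only through NordVPN IKEv2".
# Assumptions: LANs 192.168.88.0/24 and 192.168.89.0/24, VPN hosts .88.10
# and .88.11, server lv55.nordvpn.com, service credentials from the NordVPN
# dashboard (not the web-login password), MSS 1360 as reported in the thread.

# 0. NordVPN root CA, so EAP only authenticates against a genuine server
/tool fetch url="https://downloads.nordcdn.com/certificates/root.der"
/certificate import file-name=root.der name="NordVPN CA" passphrase=""

# 1. Address lists: who must use the VPN, and which destinations are local
/ip firewall address-list
add list=under_nordvpn address=192.168.88.10
add list=under_nordvpn address=192.168.88.11
add list=local_nets address=192.168.88.0/24
add list=local_nets address=192.168.89.0/24

# 2. IKEv2 client. The template policy must exist or nothing works.
/ip ipsec policy group add name=NordVPN
/ip ipsec profile add name="NordVPN profile" dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha512
/ip ipsec peer add name="NordVPN server" address=lv55.nordvpn.com exchange-mode=ike2 \
    profile="NordVPN profile"
/ip ipsec proposal add name="NordVPN proposal" auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=none lifetime=0s
/ip ipsec policy add template=yes group=NordVPN src-address=0.0.0.0/0 \
    dst-address=0.0.0.0/0 proposal="NordVPN proposal"
# connection-mark tells mode-config which connections get the dynamic
# src-nat to the address NordVPN assigns to this client.
/ip ipsec mode-config add name="NordVPN mode config" responder=no \
    connection-mark=under_nordvpn
/ip ipsec identity add peer="NordVPN server" auth-method=eap eap-methods=eap-mschapv2 \
    certificate="NordVPN CA" username=SERVICE_USERNAME password=SERVICE_PASSWORD \
    generate-policy=port-strict policy-template-group=NordVPN \
    mode-config="NordVPN mode config"

# 3. Mark in prerouting so the FIRST packet of every connection is covered
#    (a postrouting mark only catches the following packets and leaks the
#    first one while the tunnel is down). Local destinations are never marked,
#    so inter-VLAN traffic is neither src-nat'ed nor black-holed.
/ip firewall mangle
add chain=prerouting action=mark-connection src-address-list=under_nordvpn \
    dst-address-list=!local_nets connection-mark=no-mark \
    new-connection-mark=under_nordvpn passthrough=yes
add chain=prerouting action=mark-routing src-address-list=under_nordvpn \
    dst-address-list=!local_nets new-routing-mark=nordvpn_blackhole passthrough=yes
add chain=forward action=change-mss protocol=tcp tcp-flags=syn \
    connection-mark=under_nordvpn tcp-mss=!0-1360 new-mss=1360 passthrough=yes

# 4. Kill switch: marked traffic is routed to a bridge with no ports and no
#    neighbours (a dead interface, not a "blackhole" route type). While the SA
#    is up the IPsec policy still picks the packet up and the ESP packet leaves
#    via the main table; when the SA is down the packet dies here instead of
#    falling back to the plain WAN route.
/interface bridge add name=nordvpn_blackhole protocol-mode=none
/routing table add name=nordvpn_blackhole fib
/ip route add dst-address=0.0.0.0/0 gateway=nordvpn_blackhole routing-table=nordvpn_blackhole
# Routing rules are evaluated after dst-nat, so local destinations (including
# hairpin-NATed ones) always use main even if a mark slipped through.
/routing rule add dst-address=192.168.88.0/24 action=lookup-only-in-table table=main
/routing rule add dst-address=192.168.89.0/24 action=lookup-only-in-table table=main

# 5. Keep fasttrack from bypassing the IPsec policy for these connections
/ip firewall filter add chain=forward action=accept connection-mark=under_nordvpn \
    comment="no fasttrack for NordVPN traffic" place-before=[find action=fasttrack-connection]

# Checks: SA established, dynamic policy present, and from 192.168.88.10 the
# public IP must be NordVPN's; with the peer disabled it must time out, never
# show the ISP address.
# /ip ipsec active-peers print
# /ip ipsec policy print where dynamic
# /ip ipsec peer disable [find name="NordVPN server"]
```

The kill switch here follows the bridge trick from the first post rather than a `blackhole`-type route, because the thread's own reports confirm that variant passes traffic while the SA is up. Test it in both states: with the peer enabled and then disabled, confirming that a marked host loses connectivity rather than reverting to the ISP path.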
Hmm, this seems impossible: IKEv2 connects directly to the WAN, in my case PPPoE. The thread is only tagged ROSv6, so even the author has not found a way to implement the kill switch.
When the connection is active you will see a dynamic line appear in NAT. Copy that line, change the action's destination address to 100.69.69.69 and save. That IP serves no purpose. When the VPN goes down the line is still there, and while the VPN is running it also catches the traffic.
What do you think of this:
Internet <-----------> ISP <------------> Modem <-- PPPoE-DHCP-DNS ---------> MikroTik <-------- DHCP-DNS-VPN -----------> Clients

Internet <-----------> ISP <------------> Modem <-- bridge ---------> MikroTik <-- PPPoE out-DHCP-DNS-VPN -----------> Clients
@msatter - thanks for the input. Actually, I do not see this as an improvement over the guide I gave. I mean, it does work, but using simple mangle rules is a more dynamic way of handling the VPN traffic.
/ip route rule add action=lookup-only-in-table src-address="LOCAL_IP" table="PPTP_CLIENT_NAME"