some overriding of normal routing using routing rules can break it. That's unless you're doing something unusual, e.g. to first interface, so it reaches client and everything works. Router knows it's for its own address, so it processes it, and sends response back to 192.168.1.100, i.e. If client 192.168.1.100 connected to first interface sends packet to 192.168.2.1, it doesn't actually go to the other interface. Let's say that router has 192.168.1.1/24 on one interface and 192.168.2.1/24 on another, be it vlan, ethernet or anything. I still don't see any asymmetric routing.
If you have several, but only one should be responding, you need to block others using firewall (in chain=input). Same with connections to different local addresses. If you don't want something routed, you have to block it. Router's purpose is to route, so it routes anything it knows how, between all available interfaces. NetShield is only available with our Plus or Visionary plan.- "Automatic intervlan routing" is not issue, that's expected behaviour. Add the suffix +f1 to block malware only or +f2 to block malware, ads, and trackers (for example: openvpn_ikev2_username+f2). Note: To use our NetShield DNS filtering feature, you need to add suffixes to your OpenVPN/IKEv2 username. It MUST exist, otherwise configuration is not working. In “/ip ipsec policy” you should be able to see a new dynamic rule added next to your ProtonVPN policy. ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal= "ProtonVPN proposal" src-address=0.0.0.0/0 template=yes
ip ipsec identity add auth-method=eap certificate= "ProtonVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config= "ProtonVPN mode config" password= peer= "ProtonVPN server" policy-template-group=ProtonVPN username= ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s name= "ProtonVPN proposal" pfs-group=none ip ipsec peer add address= exchange-mode=ike2 name= "ProtonVPN server" profile= "ProtonVPN profile" ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name= "ProtonVPN profile" ip ipsec policy group add name=ProtonVPN
ip ipsec mode-config add connection-mark=under_protonvpn name= "ProtonVPN mode config" responder=no
0 kommentar(er)
