Thanks for the assistance and help!
I had a busy week, so I only came back to the topic just now...
I was able to add a 2nd VPN (Swiss) for testing and it seems to be working, but I had to clone most of the VPN-Sweden settings.
So after that, I will come to this: how to switch a specific country VPN ON/OFF the easiest way...
It seems I don't get the difference between a Firewall Address List and Rules.
So let's do a dummy user guide / steps using the following example of what I'm using currently:
/ip dhcp-server lease
add address=192.168.10.21 comment="Client01" mac-address=XX:XX:XX:XX:XX:01 server=dhcp1
add address=192.168.10.22 comment="Client02" mac-address=XX:XX:XX:XX:XX:02 server=dhcp1
add address=192.168.10.23 comment="Client03" mac-address=XX:XX:XX:XX:XX:03 server=dhcp1
add address=192.168.10.24 comment="Client04" mac-address=XX:XX:XX:XX:XX:04 server=dhcp1
add address=192.168.10.25 comment="Client05" mac-address=XX:XX:XX:XX:XX:05 server=dhcp1
.
.
..
add address=192.168.10.25 comment="Client255" mac-address=XX:XX:XX:XX:XX:255 server=dhcp1
FW Groups:
1. No-Internet (a. some users that should get no internet at all (not many); this list of users is identified by No-Internet)
2. Authorized - this is, for example, the client I'm using for WinBox on the local LAN?
3. Local-Internet (b. some users should go out via the local WAN and not via Sweden; this list of users is identified by Local-Internet)
4. Is any group needed for VPN-Internet?
#On this: do I need to add each Client01-255 in here, or only those I need to control? The rest is -> add address=192.168.10.0/24 list=Local-Internet
/ip firewall address-list
add address=192.168.10.21 comment="Client01" list=No-Internet
add address=192.168.10.22 comment="Client02" list=Authorized
add address=192.168.10.23 comment="Client03" list=Authorized
add address=192.168.10.24 comment="Client04" list=Local-Internet
add address=192.168.10.25 comment="Client05" list=Local-Internet
#Does this entry say ALL clients 192.168.10.X-XXX will go via Local-Internet?
add address=192.168.10.0/24 list=Local-Internet
#Over here I'm manually enabling/disabling the VPN for clients in the list,
#e.g. Docker updates won't work via VPN...
/routing rule
#When "disabled=no" the client stays on "Local-Internet" aka noVPN (Client01-02); when "disabled=yes" it goes via useWG -> VPN Sweden (Client03-05)
add action=lookup-only-in-table comment=Client01 disabled=no src-address=192.168.10.21/32 table=main
add action=lookup-only-in-table comment=Client02 disabled=no src-address=192.168.10.22/32 table=main
add action=lookup-only-in-table comment=Client03 disabled=yes src-address=192.168.10.23/32 table=main
add action=lookup-only-in-table comment=Client04 disabled=yes src-address=192.168.10.24/32 table=main
add action=lookup-only-in-table comment=Client05 disabled=yes src-address=192.168.10.25/32 table=main
.
.
...
add action=lookup comment="Rest of LAN thru VPN" disabled=no src-address=192.168.10.0/24 table=useWG
#All clients not listed here go via useWG -> VPN Sweden (Client06+ ...255)
Statistics: Posted by daveq — Mon Feb 10, 2025 1:27 am
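An added example, not part of daveq's post, showing one way to drive the same three groups from address lists instead of one routing rule per client. The list names No-Internet and Local-Internet and the table useWG are taken from the post; VPN-Internet is an assumed list name, and the filter rule placement assumes a default forward chain with no earlier catch-all accept for LAN traffic.

```routeros
# Added example (not from the post). An address list is only a named set of
# addresses; nothing happens until a firewall rule references it. Routing rules,
# by contrast, match on the packet's own src-address and are evaluated top to
# bottom, first match wins. Putting clients in lists and letting a mangle rule
# translate list membership into a routing-mark means one routing rule covers
# every VPN client, and moving a client is one address-list change.

/ip firewall address-list
add address=192.168.10.21 comment="Client01" list=No-Internet
add address=192.168.10.24 comment="Client04" list=Local-Internet
add address=192.168.10.25 comment="Client05" list=Local-Internet
add address=192.168.10.23 comment="Client03" list=VPN-Internet
# Everyone not explicitly listed above: assumed default is the VPN, like the post's
# "Rest of LAN thru VPN" rule. More specific entries do not override this one;
# ordering of the firewall rules that reference the lists decides.
add address=192.168.10.0/24 comment="Rest of LAN" list=VPN-Internet

/ip firewall filter
# No-Internet hosts: drop forwarded traffic before any routing decision matters.
# This rule must sit above any accept rule that would let LAN traffic through.
add chain=forward src-address-list=No-Internet action=drop comment="No-Internet group"

/ip firewall mangle
# Local-Internet hosts are matched first and left unmarked, so they use table main.
add chain=prerouting src-address-list=Local-Internet action=accept comment="Local-Internet group"
# VPN-Internet hosts get a routing-mark; the lookup for them happens in useWG.
add chain=prerouting src-address-list=VPN-Internet action=mark-routing new-routing-mark=useWG passthrough=no comment="VPN-Internet group"

/routing rule
# One rule instead of one per client. lookup-only-in-table means that if the
# WireGuard route is absent (tunnel down) the packet is dropped rather than
# falling back to table main and leaving via the local WAN.
add routing-mark=useWG action=lookup-only-in-table table=useWG comment="Marked traffic stays in useWG"
```

To take Client03 off the VPN temporarily without deleting anything: `/ip firewall address-list set [find comment="Client03" list=VPN-Internet] disabled=yes` and add a Local-Internet entry for it; to switch to a second country, the only change is a second routing table and a second mangle rule with its own list and mark. The `lookup-only-in-table` action is the piece worth keeping regardless of layout, since with plain `lookup` a client meant to be on the VPN would silently use the local WAN while the tunnel is down.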