Hello everyone, I have a problem, I cannot enter winbox when I am connected through wireguard. If I can access the server via remote desktop. If you can help me, I would appreciate it.
#
# model = RB760iGS
/interface bridge
add admin-mac=XXXXXXXXXX auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface wireguard
add listen-port=13235 mtu=1420 name=XXXXXXXXXX
add listen-port=13236 mtu=1420 name=XXXXXXXXXX
add listen-port=13237 mtu=1420 name=XXXXXXXXXX
add listen-port=13238 mtu=1420 name=XXXXXXXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.10.3.2/32 interface=XXXXXXXXXX public-key=\
"XXXXXXXXXX"
add allowed-address=10.10.4.2/32 interface=XXXXXXXXXX public-key=\
"XXXXXXXXXX"
add allowed-address=10.10.5.2/32 interface=XXXXXXXXXX public-key=\
"XXXXXXXXXX"
add allowed-address=10.10.6.2/32 interface=XXXXXXXXXX public-key=\
"XXXXXXXXXX"
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
add address=10.10.3.1/24 interface=XXXXXXXXXX network=10.10.3.0
add address=10.10.4.1/24 interface=XXXXXXXXXX network=10.10.4.0
add address=10.10.5.1/24 interface=XXXXXXXXXX network=10.10.5.0
add address=10.10.6.1/24 interface=XXXXXXXXXX network=10.10.6.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.0.100 client-id=XXXXXXXXXX mac-address=\
XXXXXXXXXX server=defconf
add address=192.168.0.3 client-id=XXXXXXXXXX mac-address=\
XXXXXXXXXX server=defconf
add address=192.168.0.2 client-id=XXXXXXXXXX mac-address=\
XXXXXXXXXX server=defconf
add address=192.168.0.10 mac-address=XXXXXXXXXX server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=XXXXXXXXXX
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
xxxxxxx
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="wireguard " dst-port=13237 protocol=\
udp
add action=accept chain=input comment="wireguard " dst-port=13235 protocol=\
udp
add action=accept chain=input comment="wireguard " dst-port=13238 protocol=\
udp
add action=accept chain=input comment="wireguard " dst-port=13236 protocol=\
udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input in-interface-list=WAN protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=\
192.168.0.1 to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment=\
"DMNTR SecurIP: Block WAN connections from BlackList" in-interface-list=\
WAN src-address-list=dmntr-blacklist
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system scheduler
add comment="DMNTR SecurIP 30m Update Script" interval=3h name=\
dmntr_securipupdate on-event="/system script run dmntr_securip" policy=\
read,write,policy,test start-date=1970-01-01 start-time=00:00:00
add comment="DMNTR SecurIP OnBoot Script" name=dmntr_securipupdateOnBoot \
on-event=":delay 30;system script run dmntr_securip" policy=\
read,write,policy,test start-time=startup
/system script
add comment="DMNTR SecurIP Script" dont-require-permissions=no name=\
dmntr_securip owner=admin policy=read,write,policy,test source="# DMNTR Ne\
twork Solutions SecurIP Installer\
\n# 2022 dmntr@dmntr.net\
\n:local destPath \"securip_dmntr.rsc\";\
\n:local priority \"2\";\
\n:do { /file remove \$destPath } on-error={};\
\n/tool fetch mode=https url=\"https://intelligence.dmntr.net/dmmntr-secur\
ip-lite.rsc\" user=\"XXXXXXXXXX\" password=\"XXXXXXXXXX\" dst-path=\"\$de\
stPath\" output=file;\
\n/system logging disable numbers=0\
\n/import file-name=\$destPath;\
\n/system logging enable numbers=0\
\n/file remove \$destPath;"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN