can't resolve wireguard issue

I’m trying to use WireGuard VPN. I’ve configured everything and it worked perfectly yesterday, but today, out of nowhere, it started giving a handshake timeout error ugh..
I tried changing the MTU, changing allowed IPs and re-following every tutorial, but nothing helps; I tried connecting from a Windows PC and an iPhone, same issue.

here is my config

# 2023-07-25 16:57:02 by RouterOS 7.10.2
# software id = S60Y-ELTX
#
# model = RB952Ui-5ac2nD
# serial number = should have been removed ... your moderator
#
# Review annotations are marked NOTE(review). They describe what this export does
# as posted and where it is weak; they add no configuration of their own.
/interface bridge
add name=BR_LAN
# NOTE(review): BR_VPN gets no bridge port anywhere in this export (see
# /interface bridge port), so it is an empty bridge carrying only an address and
# a DHCP server.
add name=BR_VPN
/interface ethernet
set [ find default-name=ether1 ] name=P1_WAN
set [ find default-name=ether2 ] name=P2
set [ find default-name=ether3 ] name=P3
set [ find default-name=ether4 ] name=P4
set [ find default-name=ether5 ] name=P5
/interface wireless
# 5 GHz radio in AP mode; it also runs a DHCP client further down (/ip dhcp-client).
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=egypt mode=ap-bridge \
    name=WiFi_5G ssid=MikroTik5G wireless-protocol=802.11 wps-mode=disabled
/interface wireguard
# WireGuard listener on UDP/8010. mtu=1450 is above the RouterOS default of 1420;
# the thread says changing it made no difference to the handshake timeout.
# NOTE(review): /ip service below also parks the disabled ftp service on port
# 8010. ftp is TCP and off, so nothing clashes today, but the shared number is a
# trap if ftp is ever re-enabled.
add listen-port=8010 mtu=1450 name=WG
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK profiles; the pre-shared keys are not part of the export as posted.
add authentication-types=wpa2-psk mode=dynamic-keys name=WiFi-Default \
    supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=WiFi_IoT \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=egypt disabled=no \
    installation=indoor mode=ap-bridge name=WiFi_2.4G security-profile=\
    WiFi-Default ssid=Barayez_Wi-Fi wireless-protocol=802.11 wps-mode=\
    disabled
# Virtual AP for IoT on the 2.4 GHz radio with its own profile and its own subnet
# (10.0.100.0/24 below).
add disabled=no keepalive-frames=disabled mac-address=DE:2C:6E:4B:01:A4 \
    master-interface=WiFi_2.4G multicast-buffering=disabled name=WiFi_IoT \
    security-profile=WiFi_IoT ssid=Barayez_Wi-Fi_IoT wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=DHCP_LAN ranges=10.0.10.1-10.0.10.253
add name=WiFi_2.4_Pool ranges=10.0.1.1-10.0.1.253
add name=WiFi_IoT ranges=10.0.100.1-10.0.100.253
# NOTE(review): this pool sits inside 10.0.200.0/24, the subnet the WireGuard
# interface itself uses (see /ip address), and it feeds both the BR_VPN DHCP
# server and the L2TP profiles below.
add name=DHCP_VPN ranges=10.0.200.1-10.0.200.253
/ip dhcp-server
add add-arp=yes address-pool=DHCP_LAN interface=BR_LAN name=LAN
add add-arp=yes address-pool=WiFi_2.4_Pool insert-queue-before=bottom \
    interface=WiFi_2.4G lease-time=15m name=WiFi_2.4
add add-arp=yes address-pool=WiFi_IoT interface=WiFi_IoT lease-time=15m name=\
    WiFi_IoT
# NOTE(review): WireGuard has no DHCP; peers get their tunnel address from
# allowed-address. This server only serves clients bridged onto BR_VPN, and
# nothing is bridged onto it.
add add-arp=yes address-pool=DHCP_VPN interface=BR_VPN lease-time=15m name=\
    DHCP_VPN
/ppp profile
# L2TP/IPsec profiles draw from the same 10.0.200.0/24 pool as the WireGuard
# tunnel, so an L2TP client and a WireGuard peer can be given addresses from one
# subnet on two different interfaces.
add change-tcp-mss=yes local-address=DHCP_VPN name=Default_L2TP \
    remote-address=DHCP_VPN use-encryption=yes
add name=Admin_AhmedMohsen remote-address=10.0.200.20
set *FFFFFFFE local-address=DHCP_VPN remote-address=DHCP_VPN
/system logging action
set 0 memory-lines=4000
# Remote syslog target, redacted by the poster.
set 3 remote=XX.XX.XX.XX
add name=FullLog remote=XX.XX.XX.XX target=remote
/interface bridge port
# P2-P5 are BR_LAN ports. NOTE(review): the 10.0.10.254/24 address and the LAN
# interface-list membership are placed on P2 itself (see /ip address and
# /interface list member), not on BR_LAN, while the "LAN" DHCP server listens on
# BR_LAN. Addressing a bridge slave port rather than the bridge is not the usual
# layout; confirm hosts on P3-P5 actually reach the 10.0.10.254 gateway.
add bridge=BR_LAN interface=P3
add bridge=BR_LAN interface=P2
add bridge=BR_LAN interface=P4
add bridge=BR_LAN interface=P5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
# L2TP over IPsec; the IPsec shared secret is not visible in the export as posted.
set default-profile=Default_L2TP enabled=yes one-session-per-host=yes \
    use-ipsec=yes
/interface list member
add interface=P2 list=LAN
add interface=P1_WAN list=WAN
add interface=WiFi_2.4G list=LAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
# NOTE(review): allowed-address is WireGuard's cryptokey routing table: it picks
# which peer a packet leaving WG is encrypted to, and it is the allow-list of
# source addresses accepted FROM that peer. Prefixes with host bits are read by
# prefix, so 10.0.1.254/24, 10.0.10.254/24 and 10.0.200.254/24 mean the whole of
# 10.0.1.0/24, 10.0.10.0/24 and 10.0.200.0/24. Consequences: the router accepts
# packets from this peer sourced as any LAN host, which defeats address-list
# based trust such as Management_IPs; and the 10.0.200.0/24 entry also covers
# the second peer's 10.0.200.10/32 (longest-prefix match should still pick the
# /32, but the overlap is needless). On the server side the usual value is just
# the peer's own tunnel address, 10.0.200.5/32; the LAN prefixes belong in the
# client's AllowedIPs. The responder's "READ IT AGAIN" refers to this entry.
add allowed-address=\
    10.0.200.5/32,10.0.1.254/24,10.0.10.254/24,10.0.200.254/24 interface=WG \
    public-key="ygqBs4M48zJAzCgGba5vB6egRdLoIVkhZ/THYLeM9jk="
# Second peer, scoped correctly to a single tunnel address.
add allowed-address=10.0.200.10/32 interface=WG public-key=\
    "M3/NIFqrJi2Ye0kA9PFzJv8xvQQf0fiSZtGVpH7VbQE="
/ip address
add address=10.0.10.254/24 interface=P2 network=10.0.10.0
add address=10.0.1.254/24 interface=WiFi_2.4G network=10.0.1.0
add address=10.0.100.254/24 interface=WiFi_IoT network=10.0.100.0
# NOTE(review): the same address and subnet, 10.0.200.254/24, is configured on
# both WG and BR_VPN. Two interfaces claiming one connected subnet leaves the
# router with two candidate connected routes for 10.0.200.0/24, so replies to
# WireGuard peers may be sent towards the empty bridge instead of the tunnel.
# The poster later moved BR_VPN to 10.0.50.0/24.
add address=10.0.200.254/24 interface=WG network=10.0.200.0
add address=10.0.200.254/24 interface=BR_VPN network=10.0.200.0
/ip cloud
# MikroTik cloud DDNS, refreshed every 5 minutes; presumably the name the
# WireGuard clients use as Endpoint. The router sits behind an ISP NAT modem per
# the thread, so that modem must also forward UDP/8010 here. A changed public
# address with a stale forward on the modem shows up on the client as exactly
# the "handshake timeout" reported.
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
# NOTE(review): WiFi_5G is an access point (mode=ap-bridge), yet it runs a DHCP
# client here. That is what the responder read as a "Wi-Fi WAN"; the poster says
# there is none. Harmless but confusing.
add interface=WiFi_5G
add interface=P1_WAN
/ip dhcp-server lease
# Fixed lease for the management iPhone (10.0.1.245 is in Management_IPs below);
# that identity rests on the MAC address only.
add address=10.0.1.245 mac-address=D8:DC:40:BE:3A:3E server=WiFi_2.4
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.1.254 gateway=10.0.1.254
add address=10.0.10.0/24 dns-server=10.0.10.254 gateway=10.0.10.254 netmask=\
    24
# The IoT network hands out no dns-server option; confirm what IoT clients
# actually resolve with, since the forward chain drops DNS to any destination
# other than 129.153.173.26.
add address=10.0.100.0/24 gateway=10.0.100.254
/ip dns
# NOTE(review): allow-remote-requests=yes turns the router into a resolver for
# anything that can reach it; the input chain below has no rule limiting UDP/TCP
# 53 and no final drop, so it answers from every interface, including P1_WAN.
# The upstream server is listed twice.
set allow-remote-requests=yes servers=129.153.173.26,129.153.173.26
/ip firewall address-list
# Local_IPs omits the IoT subnet 10.0.100.0/24.
add address=10.0.10.0/24 list=Local_IPs
add address=10.0.1.0/24 list=Local_IPs
add address=10.0.200.0/24 list=Local_IPs
# Management_IPs: the hosts allowed to reach router management (10.0.200.5 is a
# WireGuard peer, 10.0.1.245 the iPhone on Wi-Fi, 10.0.200.20 the L2TP admin
# profile address).
add address=10.0.200.5 list=Management_IPs
add address=10.0.1.245 list=Management_IPs
# Admin_IPs: the router's own LAN-side addresses plus the ISP modem.
add address=10.0.1.254 list=Admin_IPs
add address=10.0.10.254 list=Admin_IPs
# NOTE(review): 172.0.0.0/24 is public address space; RFC 1918 private space is
# 172.16.0.0/12. Confirm the modem really uses these addresses.
add address=172.0.0.1 list=Admin_IPs
add address=172.0.0.254 list=Admin_IPs
add address=10.0.200.20 list=Management_IPs
/ip firewall filter
# NOTE(review): rule order is evaluation order. This input chain has no
# established/related accept, no invalid drop and no final drop: every router
# service not explicitly dropped below is reachable from every interface, WAN
# included. The drops cover only www (8005), telnet (2003), ssh (2002) and a
# DISABLED winbox rule, so DNS (53), winbox (8200) and anything else listening
# are open to all sources. The ISP NAT modem in front reduces internet exposure
# but does nothing for the Wi-Fi and IoT segments. The usual RouterOS pattern is
# accept established/related, drop invalid, accept from LAN/management, drop
# the rest.
add action=accept chain=input comment="Allow L2TP" dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
# log=yes records every inbound packet to the WG port under the "WG" prefix.
# Useful for the handshake problem: no entries while a client retries means its
# UDP never reaches the router (modem forward, endpoint, DDNS); entries present
# point at keys or allowed-address instead.
add action=accept chain=input comment="Allow WG port" dst-port=8010 log=yes \
    log-prefix=WG protocol=udp
# Forward-chain DNS policy: only the router's upstream resolver is allowed as a
# destination, the management iPhone (by MAC) is exempt, everything else on
# port 53 is dropped and logged.
add action=accept chain=forward comment="Allow Self DNS" dst-address=\
    129.153.173.26 dst-port=53 protocol=tcp
add action=accept chain=forward dst-address=129.153.173.26 dst-port=53 \
    protocol=udp
add action=accept chain=forward comment="Allow iPhone to bypass DNS" \
    dst-port=53 protocol=udp src-mac-address=D8:DC:40:BE:3A:3E
add action=accept chain=forward comment=\
    "Allow managers IPs to acess admin IPs" dst-address-list=Admin_IPs \
    src-address-list=Management_IPs
add action=accept chain=input dst-address-list=Admin_IPs src-address-list=\
    Management_IPs
add action=drop chain=forward comment="Drop Any Diff DNS" dst-port=53 log=yes \
    log-prefix="Drop Any Diff DNS" protocol=tcp
add action=drop chain=forward dst-port=53 log=yes log-prefix=\
    "Drop Any Diff DNS" protocol=udp
add action=drop chain=forward comment="Block access to modem IPs" \
    dst-address=172.0.0.0/24 log=yes log-prefix="Block access to modem IPs"
# The "from WAN" drops below match on source address list, not on interface, so
# they also block LAN and IoT hosts that are not in Management_IPs. That is
# stronger than the comments say, and it is the only thing protecting these
# ports.
add action=drop chain=input comment="Block access to WebGUI from WAN" \
    dst-port=8005 log=yes log-prefix="Block access to WebGUI from WAN" \
    protocol=tcp src-address-list=!Management_IPs
add action=drop chain=input comment="Block access to web gui from GUI IP" \
    dst-address=172.0.0.1 dst-port=8005 log=yes log-prefix=\
    "Block access to webgui from GUI IP" protocol=tcp
# NOTE(review): disabled=yes, so winbox on 8200 is currently reachable from any
# source, including IoT clients and whatever the modem forwards.
add action=drop chain=input comment="Block access to winbox from WAN" \
    disabled=yes dst-port=8200 log=yes log-prefix=\
    "Block access to winbox from WAN" protocol=tcp src-address-list=\
    !Local_IPs
add action=drop chain=input comment="Block access to telnet from WAN" \
    dst-port=2003 log=yes log-prefix="Block access to telnet from WAN" \
    protocol=tcp src-address-list=!Management_IPs
add action=drop chain=input comment="Block access to ssh from WAN" dst-port=\
    2002 log=yes log-prefix="Block access to ssh from WAN" protocol=tcp \
    src-address-list=!Management_IPs
/ip firewall nat
# NOTE(review): the first masquerade has no out-interface, so it rewrites the
# source of everything the router forwards, including LAN-to-WireGuard and
# LAN-to-L2TP traffic, which then reaches the peers as 10.0.200.254. It also
# makes the second, correctly scoped rule redundant. The poster says it exists
# for internet access behind the ISP NAT modem; the second rule already does
# that.
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=P1_WAN
# Disabled. It would redirect WAN-side UDP/8010 to the router's own WG address,
# which the input chain already accepts directly; dst-nat is not needed for a
# service the router itself provides.
add action=dst-nat chain=dstnat disabled=yes dst-port=8010 in-interface=\
    P1_WAN protocol=udp to-addresses=10.0.200.254 to-ports=8010
/ip firewall service-port
# Connection-tracking helpers disabled; good hygiene.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
# NOTE(review): telnet and www are plaintext management channels, and none of
# the enabled services carries an address= restriction; access control rests
# entirely on the filter rules above and their ordering. Setting address= on
# each service to the management subnets gives a second layer that does not
# depend on rule order. Non-default ports are obscurity, not protection.
set telnet port=2003
# Disabled, but parked on 8010, the WireGuard listen port.
set ftp address=0.0.0.0/0 disabled=yes port=8010
set www port=8005
set ssh port=2002
set api disabled=yes
set winbox port=8200
set api-ssl disabled=yes
/ppp secret
# L2TP account; the password is not shown in the export as posted.
add name=ahmed.mohsen profile=Admin_AhmedMohsen service=l2tp
/system clock
set time-zone-name=Africa/Cairo
/system identity
set name=KEK-MTK
/system logging
# Selected topics to the remote syslog action; the catch-all FullLog is disabled.
add action=remote topics=info
add action=remote topics=system
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=dhcp
add action=remote topics=e-mail
add action=remote topics=firewall
add action=FullLog disabled=yes topics=!ups

https://forum.mikrotik.com/viewtopic.php?t=182340

This is the very basic setup I already followed and everything is as it should be, but still no success :confused:

Your config is very confusing and messy… needs a thorough cleaning.
In terms of wireguard can you draw a diagram of all your wireguard connections so I have context.
The router is, I assume, the server for incoming remote connections?
OR
Router is connecting to third party for internet
OR
???
+++++++++++++++++++++++++++++++++++++++++++++++++


Why is MTU different from standard?

Why do you have a bridge for wireguard???

Why is your P2 an interface list member when it's part of the bridge?
Was the intent not to put any other bridge-LAN member as a LAN member, and if so why call it Bridge_LAN ??

Why is 2.4 WIFI not a bridge member??

Allowed IPs makes sense to you after reading the article?? If so you need to… READ IT AGAIN!!!

Address structure seems really a messy affair, hard to make sense of??

Why do you have a BR_VPN interface with the same address as the Wireguard interface ???

Why does Wireguard have a DHCP Range ???

What is the purpose of this dst nat rule… using the wireguard port??
add action=dst-nat chain=dstnat disabled=yes dst-port=8010 in-interface=
P1_WAN protocol=udp to-addresses=10.0.200.254 to-ports=8010

what is the purpose of this rule.
add action=masquerade chain=srcnat

If you have a WiFi WAN connection on 5G, where is the source-NAT rule for that??

Why do you use telnet to reach config of router, very unsafe method??
Same with WWW




Why is MTU different from standard?

I was trying multiple parameters and honestly it didn’t make any difference


Why do you have a bridge for wireguard???

It’s a bridge for the VPN network; I removed it now, still no luck

Why is your P2 an interface list member when its part of the bridge?

I was trying to make it part of the LAN network; sorry, I removed it now


Why is 2.4 WIFI not a bridge member??

I want to keep Wi-Fi separated from the LAN in case of future expansion or isolation

Allowed IPs makes sense to you after reading the article?? If so you need to… READ IT AGAIN!!!

Yes, correct me please

Why do you have a BR_VPN interface with the same address as the Wireguard interface

corrected

Why does Wireguard have a DHCP Range?

Should I use static IPs instead?


What is the purpose of this dst nat rule… using the wireguard port??
add action=dst-nat chain=dstnat disabled=yes dst-port=8010 in-interface=
P1_WAN protocol=udp to-addresses=10.0.200.254 to-ports=8010

I was trying to port-forward the WireGuard port to the MikroTik IP to see if it works, but it didn’t, so I disabled it

what is the purpose of this rule.
add action=masquerade chain=srcnat

To allow an internet connection; my MikroTik is behind the ISP's NAT modem

If you have WIFI WAN connection on 5G, where is the sourcenat rule for that??

I don’t have a 5G WAN; it’s the 5 GHz Wi-Fi interface

Why do you use telnet to reach config of router, very unsafe method??
Same with WWW

Should I disable them? They are allowed only from specific IPs

# 2023-07-25 23:23:27 by RouterOS 7.10.2
# software id = S60Y-ELTX
#
# model = RB952Ui-5ac2nD
# serial number = xxxxx
#
# Second export, after the responder's questions. Review annotations are marked
# NOTE(review); they describe the export as posted and add no configuration.
/interface bridge
add name=BR_LAN
# Still present, still without any bridge port; the poster says it was removed,
# but this export does not show that.
add name=BR_VPN
/interface ethernet
set [ find default-name=ether1 ] name=P1_WAN
set [ find default-name=ether2 ] name=P2
set [ find default-name=ether3 ] name=P3
set [ find default-name=ether4 ] name=P4
set [ find default-name=ether5 ] name=P5
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=egypt mode=ap-bridge \
    name=WiFi_5G ssid=MikroTik5G wireless-protocol=802.11 wps-mode=disabled
/interface wireguard
# Unchanged: UDP/8010, mtu=1450 (RouterOS default is 1420). The disabled ftp
# service below is still parked on the same port number.
add listen-port=8010 mtu=1450 name=WG
/disk
# USB storage used by the USBLog action below.
set usb1 type=hardware
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=WiFi-Default \
    supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=WiFi_IoT \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=egypt disabled=no \
    installation=indoor mode=ap-bridge name=WiFi_2.4G security-profile=\
    WiFi-Default ssid=Barayez_Wi-Fi wireless-protocol=802.11 wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=DE:2C:6E:4B:01:A4 \
    master-interface=WiFi_2.4G multicast-buffering=disabled name=WiFi_IoT \
    security-profile=WiFi_IoT ssid=Barayez_Wi-Fi_IoT wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=DHCP_LAN ranges=10.0.10.1-10.0.10.253
add name=WiFi_2.4_Pool ranges=10.0.1.1-10.0.1.253
add name=WiFi_IoT ranges=10.0.100.1-10.0.100.253
# Moved out of the WireGuard subnet: the VPN pool is now 10.0.50.0/24.
add name=DHCP_VPN ranges=10.0.50.1-10.0.50.253
/ip dhcp-server
add add-arp=yes address-pool=DHCP_LAN interface=BR_LAN name=LAN
add add-arp=yes address-pool=WiFi_2.4_Pool insert-queue-before=bottom \
    interface=WiFi_2.4G lease-time=15m name=WiFi_2.4
add add-arp=yes address-pool=WiFi_IoT interface=WiFi_IoT lease-time=15m name=\
    WiFi_IoT
# Still a DHCP server on the port-less BR_VPN bridge; WireGuard does not use DHCP.
add add-arp=yes address-pool=DHCP_VPN interface=BR_VPN lease-time=15m name=\
    DHCP_VPN
/ppp profile
add change-tcp-mss=yes local-address=DHCP_VPN name=Default_L2TP \
    remote-address=DHCP_VPN use-encryption=yes
# L2TP admin now lands on 10.0.50.5, matching the Laptop_L2TP entry in
# Management_IPs below.
add name=Admin_AhmedMohsen remote-address=10.0.50.5
set *FFFFFFFE local-address=DHCP_VPN remote-address=DHCP_VPN
/system logging action
set 0 memory-lines=4000
set 3 remote=xx.xx.xx.xx
# New: local log files on the USB disk, 5 files of 20000 lines each.
add disk-file-count=5 disk-file-name=usb1/log disk-lines-per-file=20000 name=\
    USBLog target=disk
/interface bridge port
# P2 is no longer in the LAN interface list, but the 10.0.10.254/24 address is
# still on P2 rather than on BR_LAN (see /ip address) while the "LAN" DHCP server
# listens on BR_LAN; confirm hosts on P3-P5 reach the gateway.
add bridge=BR_LAN interface=P3
add bridge=BR_LAN interface=P2
add bridge=BR_LAN interface=P4
add bridge=BR_LAN interface=P5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set default-profile=Default_L2TP enabled=yes one-session-per-host=yes \
    use-ipsec=yes
/interface list member
add interface=P1_WAN list=WAN
# The LAN list now holds only the 2.4 GHz AP; BR_LAN, WiFi_IoT and WG are not in it.
add interface=WiFi_2.4G list=LAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
# Both peers now carry a single /32 tunnel address, which is the right server-side
# allowed-address; the overlapping /24 entries from the first export are gone.
add allowed-address=10.0.200.10/32 interface=WG public-key=\
    "M3/NIFqrJi2Ye0kA9PFzJv8xvQQf0fiSZtGVpH7VbQE="
add allowed-address=10.0.200.5/32 interface=WG public-key=\
    "ygqBs4M48zJAzCgGba5vB6egRdLoIVkhZ/THYLeM9jk="
/ip address
add address=10.0.10.254/24 interface=P2 network=10.0.10.0
add address=10.0.1.254/24 interface=WiFi_2.4G network=10.0.1.0
add address=10.0.100.254/24 interface=WiFi_IoT network=10.0.100.0
# The duplicate 10.0.200.254/24 is resolved: WG keeps 10.0.200.0/24 and BR_VPN
# moves to 10.0.50.0/24.
add address=10.0.200.254/24 interface=WG network=10.0.200.0
add address=10.0.50.254/24 interface=BR_VPN network=10.0.50.0
/ip cloud
# Cloud DDNS, presumably the clients' Endpoint name; the ISP NAT modem in front
# must forward UDP/8010 to this router for any handshake to arrive.
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
# WiFi_5G is an AP (mode=ap-bridge); the DHCP client on it is what the responder
# read as a Wi-Fi WAN.
add interface=WiFi_5G
add interface=P1_WAN
/ip dhcp-server lease
add address=10.0.1.245 mac-address=D8:DC:40:BE:3A:3E server=WiFi_2.4
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.1.254 gateway=10.0.1.254
add address=10.0.10.0/24 dns-server=10.0.10.254 gateway=10.0.10.254 netmask=\
    24
# Still no dns-server option for the IoT network.
add address=10.0.100.0/24 gateway=10.0.100.254
/ip dns
# NOTE(review): unchanged. allow-remote-requests=yes with no input-chain limit on
# port 53 and no final drop means the resolver answers from every interface.
# The upstream server is still listed twice.
set allow-remote-requests=yes servers=129.153.173.26,129.153.173.26
/ip firewall address-list
# Local_IPs still omits 10.0.100.0/24 and the new 10.0.50.0/24.
add address=10.0.10.0/24 list=Local_IPs
add address=10.0.1.0/24 list=Local_IPs
add address=10.0.200.0/24 list=Local_IPs
# Management entries are now labelled by device.
add address=10.0.200.5 comment=iPhone_WG list=Management_IPs
add address=10.0.1.245 comment=iPhone_LAN list=Management_IPs
add address=10.0.1.254 list=Admin_IPs
add address=10.0.10.254 list=Admin_IPs
# NOTE(review): 172.0.0.0/24 is public address space (RFC 1918 is 172.16.0.0/12);
# confirm the modem's real addresses.
add address=172.0.0.1 list=Admin_IPs
add address=172.0.0.254 list=Admin_IPs
add address=10.0.200.20 comment=Laptop_WG list=Management_IPs
add address=10.0.50.5 comment=Laptop_L2TP list=Management_IPs
# Router-side addresses added so the Management_IPs -> Admin_IPs accept rules
# also cover the IoT, WireGuard and L2TP gateways.
add address=10.0.100.254 list=Admin_IPs
add address=10.0.200.254 list=Admin_IPs
add address=10.0.50.254 list=Admin_IPs
/ip firewall filter
# NOTE(review): the chain structure is unchanged from the first export: no
# established/related accept, no invalid drop, no final drop. Everything the
# router listens on is reachable from every interface unless one of the explicit
# drops below matches, and the winbox drop is still disabled.
add action=accept chain=input comment="Allow L2TP" dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
# log=yes was removed from this rule, so log-prefix=WG now has no effect. While
# the handshake timeout is open, logging this rule is the quickest way to see
# whether client packets reach the router at all.
add action=accept chain=input comment="Allow WG port" dst-port=8010 \
    log-prefix=WG protocol=udp
add action=accept chain=forward comment="Allow Self DNS" dst-address=\
    129.153.173.26 dst-port=53 protocol=tcp
add action=accept chain=forward dst-address=129.153.173.26 dst-port=53 \
    protocol=udp
add action=accept chain=forward comment="Allow iPhone to bypass DNS" \
    dst-port=53 protocol=udp src-mac-address=D8:DC:40:BE:3A:3E
add action=accept chain=forward comment=\
    "Allow managers IPs to acess admin IPs" dst-address-list=Admin_IPs \
    src-address-list=Management_IPs
add action=accept chain=input dst-address-list=Admin_IPs src-address-list=\
    Management_IPs
add action=drop chain=forward comment="Drop Any Diff DNS" dst-port=53 log=yes \
    log-prefix="Drop Any Diff DNS" protocol=tcp
add action=drop chain=forward dst-port=53 log=yes log-prefix=\
    "Drop Any Diff DNS" protocol=udp
# Now disabled: forwarding to 172.0.0.0/24 is no longer blocked.
add action=drop chain=forward comment="Block access to modem IPs" disabled=\
    yes dst-address=172.0.0.0/24 log=yes log-prefix=\
    "Block access to modem IPs"
add action=drop chain=input comment="Block access to WebGUI from WAN" \
    dst-port=8005 log=yes log-prefix="Block access to WebGUI from WAN" \
    protocol=tcp src-address-list=!Management_IPs
add action=drop chain=input comment="Block access to web gui from GUI IP" \
    dst-address=172.0.0.1 dst-port=8005 log=yes log-prefix=\
    "Block access to webgui from GUI IP" protocol=tcp
# Still disabled: winbox on 8200 accepts connections from any source.
add action=drop chain=input comment="Block access to winbox from WAN" \
    disabled=yes dst-port=8200 log=yes log-prefix=\
    "Block access to winbox from WAN" protocol=tcp src-address-list=\
    !Local_IPs
add action=drop chain=input comment="Block access to telnet from WAN" \
    dst-port=2003 log=yes log-prefix="Block access to telnet from WAN" \
    protocol=tcp src-address-list=!Management_IPs
add action=drop chain=input comment="Block access to ssh from WAN" dst-port=\
    2002 log=yes log-prefix="Block access to ssh from WAN" protocol=tcp \
    src-address-list=!Management_IPs
/ip firewall nat
# NOTE(review): the WAN-scoped masquerade was removed and the unscoped one kept,
# so every forwarded flow, including LAN-to-WireGuard and LAN-to-L2TP, is still
# source-NATed to the outgoing interface's address. Scoping it with
# out-interface=P1_WAN (or out-interface-list=WAN) is the usual form.
add action=masquerade chain=srcnat
# Disabled and unnecessary: the router's own WG port is accepted on input.
add action=dst-nat chain=dstnat disabled=yes dst-port=8010 in-interface=\
    P1_WAN protocol=udp to-addresses=10.0.200.254 to-ports=8010
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
# NOTE(review): telnet and www remain enabled and plaintext, with no address=
# restriction on any service; the poster asks whether to disable them and the
# responder's answer below is yes. ssh and winbox stay on non-default ports,
# which is obscurity rather than protection.
set telnet port=2003
# Disabled, still on 8010 (the WireGuard port).
set ftp address=0.0.0.0/0 disabled=yes port=8010
set www port=8005
set ssh port=2002
set api disabled=yes
set winbox port=8200
set api-ssl disabled=yes
/ppp secret
add name=ahmed.mohsen profile=Admin_AhmedMohsen service=l2tp
/system clock
set time-zone-name=Africa/Cairo
/system identity
set name=KEK-MTK
/system logging
# Every topic now goes to both the USB disk and the remote syslog action, with
# wireguard and l2tp topics added; the wireguard topic is the one to read for
# handshake attempts.
add action=USBLog topics=info
add action=USBLog topics=system
add action=USBLog topics=critical
add action=USBLog topics=error
add action=USBLog topics=warning
add action=USBLog topics=dhcp
add action=USBLog topics=e-mail
add action=USBLog topics=firewall
add action=remote topics=critical
add action=remote topics=dhcp
add action=remote topics=e-mail
add action=remote topics=error
add action=remote topics=firewall
add action=remote topics=info
add action=remote topics=system
add action=remote topics=warning
add action=remote topics=ddns
add action=USBLog topics=ddns
add action=remote topics=gsm
add action=USBLog topics=gsm
add action=USBLog topics=l2tp
add action=remote topics=l2tp
add action=USBLog topics=lte
add action=remote topics=lte
add action=USBLog topics=script
add action=remote topics=script
add action=USBLog topics=wireguard
add action=remote topics=wireguard

Where in the assigned reading, or in the MT documentation for that matter, does it require leasing anything to WireGuard?? There is no DHCP!!
https://help.mikrotik.com/docs/display/ROS/WireGuard

YES, disable any insecure methods of connecting TO the router. The only ports that should be open are those protected by VPN. See b. below…

Requirements confirm…
a. mobile WG clients to access the router LAN (specifically wired LAN devices — not Wi-Fi users, not IoT devices, etc.)
b. mobile wg client who is admin needs to configure router, ( this is the way to access the router ).
c. mobile WG clients do not access the internet

Option b: I need access to the MikroTik router for remote configuration

Any update?

I don’t think you need a bridge for your L2TP-type VPN, but if it works for you…
In fact what is the purpose of your VPN connection, that cannot be provided by Wireguard???

/interface bridge
# Responder's proposed rework: a VLAN-aware BR_LAN with three VLANs, a
# default-deny firewall, and the plaintext services switched off. Review
# annotations are marked NOTE(review). The text in { } and ( ) is the responder's
# own commentary, not RouterOS syntax; strip it before importing.
add name=BR_LAN   vlan-filtering=yes  ( change vlan-filtering to YES, as last rule added after config complete )
add name=BR_VPN
/interface vlan
# VLAN 10 = wired/home, 100 = IoT, 11 = guest, all carried on BR_LAN.
add interface=BR_LAN name=vlanHOME  vlan-id=10
add interface=BR_LAN name=vlanIOT  vlan-id=100
add interface=BR_LAN name=vlanGUEST vlan-id=11
/interface ethernet
set [ find default-name=ether1 ] name=P1_WAN
set [ find default-name=ether2 ] name=P2
set [ find default-name=ether3 ] name=P3
set [ find default-name=ether4 ] name=P4
set [ find default-name=ether5 ] name=P5
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=egypt mode=ap-bridge \
    name=WiFi_5G ssid=MikroTik5G wireless-protocol=802.11 wps-mode=disabled
/interface wireguard
# Unchanged from the poster's export: UDP/8010, mtu=1450.
add listen-port=8010 mtu=1450 name=WG
/disk
set usb1 type=hardware
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=WiFi-Default \
    supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=WiFi_IoT \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=egypt disabled=no \
    installation=indoor mode=ap-bridge name=WiFi_2.4G security-profile=\
    WiFi-Default ssid=Barayez_Wi-Fi wireless-protocol=802.11 wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=DE:2C:6E:4B:01:A4 \
    master-interface=WiFi_2.4G multicast-buffering=disabled name=WiFi_IoT \
    security-profile=WiFi_IoT ssid=Barayez_Wi-Fi_IoT wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=DHCP_LAN ranges=10.0.10.1-10.0.10.253
add name=WiFi_2.4_Pool ranges=10.0.1.1-10.0.1.253
add name=WiFi_IoT ranges=10.0.100.1-10.0.100.253
add name=DHCP_VPN ranges=10.0.50.1-10.0.50.253
/ip dhcp-server
# DHCP servers move from the physical interfaces to the VLAN interfaces.
# NOTE(review): WiFi_2.4_Pool (10.0.1.0/24) is attached to vlanGUEST, so the
# management iPhone's fixed lease 10.0.1.245 (Management_IPs) lands in the guest
# VLAN under this layout; confirm that is intended.
add add-arp=yes address-pool=DHCP_LAN interface=vlanHOME name=LAN
add add-arp=yes address-pool=WiFi_2.4_Pool insert-queue-before=bottom \
    interface=vlanGUEST lease-time=15m name=WiFi_2.4
add add-arp=yes address-pool=WiFi_IoT interface=vlanIOT lease-time=15m name=\
    WiFi_IoT
add add-arp=yes address-pool=DHCP_VPN interface=BR_VPN lease-time=15m name=\
    DHCP_VPN
/ppp profile
add change-tcp-mss=yes local-address=DHCP_VPN name=Default_L2TP \
    remote-address=DHCP_VPN use-encryption=yes
add name=Admin_AhmedMohsen remote-address=10.0.50.5
set *FFFFFFFE local-address=DHCP_VPN remote-address=DHCP_VPN
/system logging action
set 0 memory-lines=4000
set 3 remote=xx.xx.xx.xx
add disk-file-count=5 disk-file-name=usb1/log disk-lines-per-file=20000 name=\
    USBLog target=disk
/interface bridge port
# NOTE(review): the parameter is spelled ingress-filtering (with a hyphen) in
# RouterOS; "ingress filtering=yes" as written will not import on any of the
# seven lines below. Each access port is untagged with a PVID: 10 for wired and
# 5 GHz, 11 for 2.4 GHz (guest), 100 for the IoT virtual AP.
add bridge=BR_LAN interface=P2 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=BR_LAN interface=P3 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=BR_LAN interface=P4 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=10 
add bridge=BR_LAN interface=P5 ingress filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=BR_LAN interface=WiFi_5G ingress filtering=yes frame-types=admit-priority-and-untagged pvid=10  {home user wifi?}
add bridge=BR_LAN interface=WiFi_2.4G ingress filtering=yes frame-types=admit-priority-and-untagged pvid=11  {guest user wifi?)
add bridge=BR_LAN interface=WiFi_IoT ingress filtering=yes frame-types=admit-priority-and-untagged pvid=100   {iot wifi?)
/ip neighbor discovery-settings
# Neighbor discovery limited to the LAN list instead of "everything not dynamic".
set discover-interface-list=LAN
/interface bridge vlan
# NOTE(review): tagged=Bridge_LAN names an interface that does not exist in this
# config; the bridge is BR_LAN, and the bridge itself must be the tagged member
# so that vlanHOME/vlanIOT/vlanGUEST can reach their VLANs. As written these
# three entries will not import.
add bridge=BR_LAN tagged=Bridge_LAN  untagged=P2,P3,P4,P5,WiFi_5G   vlan-ids=10
add bridge=BR_LAN tagged=Bridge_LAN  untagged=WiFi_2.4G  vlan-ids=11
add bridge=BR_LAN tagged=Bridge_LAN  untagged=WiFi_IoT  vlan-ids=100
/interface l2tp-server server
set default-profile=Default_L2TP enabled=yes one-session-per-host=yes \
    use-ipsec=yes
/interface list member
add interface=P1_WAN list=WAN
# NOTE(review): LAN now holds the three VLANs but neither WG nor the L2TP
# interfaces. The input chain below accepts management only from
# in-interface-list=LAN and then drops everything else, so the WireGuard admin
# (requirement b) and the L2TP admin would be locked out once that drop is in
# place. Either add WG to the LAN list or give the VPN interfaces their own
# management accept ahead of the drop.
add interface=vlanHOME list=LAN
add interface=vlanGUEST list=LAN
add interface=vlanIOT list=LAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
# Public keys abbreviated by the responder.
add allowed-address=10.0.200.10/32 interface=WG public-key=\
    "M....="
add allowed-address=10.0.200.5/32 interface=WG public-key=\
    "y....="
/ip address
add address=10.0.10.254/24 interface=vlanHOME network=10.0.10.0
add address=10.0.1.254/24 interface=vlanGUEST network=10.0.1.0
add address=10.0.100.254/24 interface=vlanIOT network=10.0.100.0
# NOTE(review): the router's WG address changes from 10.0.200.254 to 10.0.200.1
# here, but Admin_IPs below still lists 10.0.200.254, so the Management_IPs ->
# Admin_IPs accept rules no longer cover the WireGuard gateway.
add address=10.0.200.1/24 interface=WG network=10.0.200.0
add address=10.0.50.254/24 interface=BR_VPN network=10.0.50.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
# The DHCP client on WiFi_5G is gone; that radio is now a bridge port.
add interface=P1_WAN
/ip dhcp-server lease
add address=10.0.1.245 mac-address=D8:DC:40:BE:3A:3E server=WiFi_2.4
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.1.254 gateway=10.0.1.254
add address=10.0.10.0/24 dns-server=10.0.10.254 gateway=10.0.10.254
# The IoT network now hands out the router as its DNS server.
add address=10.0.100.0/24 dns-server=10.0.100.254 gateway=10.0.100.254
/ip dns
# allow-remote-requests=yes is now paired with input rules that accept port 53
# from the LAN list only, followed by a default drop.
set allow-remote-requests=yes servers=129.153.173.26,129.153.173.26
/ip firewall address-list
add address=10.0.10.0/24 list=Local_IPs
add address=10.0.1.0/24 list=Local_IPs
add address=10.0.200.0/24 list=Local_IPs
add address=10.0.200.5 comment=iPhone_WG list=Management_IPs
add address=10.0.1.245 comment=iPhone_LAN list=Management_IPs
add address=10.0.1.254 list=Admin_IPs
add address=10.0.10.254 list=Admin_IPs
add address=172.0.0.1 list=Admin_IPs
add address=172.0.0.254 list=Admin_IPs
add address=10.0.200.20 comment=Laptop_WG list=Management_IPs
add address=10.0.50.5 comment=Laptop_L2TP list=Management_IPs
add address=10.0.100.254 list=Admin_IPs
# Stale after the WG address change above (router is now 10.0.200.1).
add address=10.0.200.254 list=Admin_IPs
add address=10.0.50.254 list=Admin_IPs
/ip firewall filter
{ Input Chain }
(default rules to keep)
# Standard RouterOS default-config input rules: state tracking first, then ICMP
# and loopback.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="Allow L2TP" dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
# log-prefix without log=yes has no effect; add log=yes while the handshake
# timeout is being chased.
add action=accept chain=input comment="Allow WG port" dst-port=8010 \
    log-prefix=WG protocol=udp
# NOTE(review): matches LAN-list interfaces only; WireGuard and L2TP sources
# fall through to "drop all else" (see /interface list member).
add action=accept chain=input in-interface-list=LAN src-address-list=Management_IPs comment="Management config access"
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
# Input default-deny. If entered in the order shown, every chain=input rule
# below this line is unreachable, including the Admin_IPs accept further down;
# the annotation says to add this one last, which must include that rule.
add action=drop chain=input comment="drop all else"  { enter this as last rule and ensure management access rule is in place }	
{ Forward Chain }
(default rules to keep)	
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
# NOTE(review): forward permits only LAN -> WAN and dst-nat'ed flows. Requirement
# (a), WireGuard clients reaching the wired LAN, has no accept here, so
# WG -> vlanHOME traffic is dropped by "drop all else" below. Requirement (c),
# no internet for WG clients, is met as a side effect.
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat {disable if not required}
# NOTE(review): chain=input, listed after the input chain's "drop all else".
# Place it above that drop (or fold it into the management accept) if it is
# meant to be the VPN admin path.
add action=accept chain=input dst-address-list=Admin_IPs src-address-list=\
    Management_IPs
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# Single masquerade, scoped to the WAN list; ipsec-policy=out,none excludes
# traffic that matches an outgoing IPsec policy, the default-config form.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
# telnet, ftp and www off. ssh and winbox remain on non-default ports with no
# address= restriction, so the input chain is their only guard.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2002
set api disabled=yes
set winbox port=8200
set api-ssl disabled=yes
/ppp secret
add name=ahmed.mohsen profile=Admin_AhmedMohsen service=l2tp
/system clock
set time-zone-name=Africa/Cairo