Connection To Internet Not Working Correctly

2024-07-19 12:41:27 by RouterOS 7.15.2

software id = LBIX-Y0FR

model = RB960PGS

serial number = HFD0995CQF2

# LAN bridge from the default configuration; the MAC address is fixed (auto-mac=no) rather than auto-selected.
# NOTE(review): throughout this listing a command's second and third lines are continuations of the line
# before them; the trailing backslashes and the plain ASCII quotes of the original export appear to have
# been lost when the text was pasted, so it cannot be re-imported as shown.
/interface bridge
add admin-mac=78:9A:18:C0:33:9F auto-mac=no comment=defconf name=bridge
port-cost-mode=short
# Three tagged VLAN interfaces (IDs 700, 710, 799), all created directly on ether2.
# NOTE(review): ether2 is also added as a port of `bridge` later in this export. A VLAN interface on a
# bridge member port is a documented RouterOS layer-2 misconfiguration and may be related to the
# reported connectivity problem — confirm whether ether2 should be a bridge port at all.
/interface vlan
add interface=ether2 name=“vlan 700” vlan-id=700
add interface=ether2 name=“vlan 710” vlan-id=710
add interface=ether2 name=“vlan 799” vlan-id=799
# Interface lists referenced by the firewall, neighbor discovery and MAC-server settings further down.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default LTE APN entry and default wireless security profile; nothing else in this export refers to them.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Three IKEv2 peers, each pinned to a single remote address (/32).
# NOTE(review): no profile= is shown, so these peers presumably use the default profile from
# /ip ipsec profile, including the 3des and modp1024 options it still offers — confirm.
# NOTE(review): local-address is the LAN address 10.52.100.1 while every peer is a public address and the
# default profile in this export sets nat-traversal=no — confirm that combination is intended.
/ip ipsec peer
add address=213.98.173.154/32 exchange-mode=ike2 local-address=10.52.100.1
name=Reus
add address=213.97.36.126/32 exchange-mode=ike2 local-address=10.52.100.1
name=“Ramon Home”
add address=35.205.54.237/32 exchange-mode=ike2 local-address=10.52.100.1
name=“Google Cloud”
# Phase 1 (IKE) settings of the default profile: DH groups, cipher list, DPD interval, lifetime, NAT-T off.
# NOTE(review): the offer still contains 3des and the modp1024 / modp1536 groups, which are legacy strength
# and give a peer something to negotiate down to. Keeping only the AES ciphers with ecp256, ecp521,
# modp2048 or modp4096 removes that option, provided every remote peer supports them.
/ip ipsec profile
set [ find default=yes ] dh-group=
ecp256,ecp521,modp4096,modp2048,modp1536,modp1024 dpd-interval=1m
enc-algorithm=aes-256,aes-192,aes-128,3des lifetime=1h nat-traversal=no
# Phase 2 (ESP) proposals. The default proposal is the only enabled one.
# NOTE(review): the default proposal accepts des and 3des ciphers and sha1 authentication alongside the
# strong options. Single DES in particular offers no meaningful confidentiality; trimming the list to the
# AES entries with sha256/sha512 prevents a tunnel from being negotiated with the weak ones.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=“ae
s-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-
128-gcm,3des,des” lifetime=1h
# This AES-only proposal is disabled (disabled=yes), so it has no effect as exported.
add auth-algorithms=sha512,sha256,sha1 disabled=yes enc-algorithms=
aes-256-cbc,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm name=
“Proposals Ramon Home”
# Address pools for the two DHCP servers below.
/ip pool
add name=“Green-Bay pool” ranges=10.52.100.20-10.52.100.254
add name=“Guest Pool” ranges=172.16.1.20-172.16.1.254
# DHCP servers bound to the VLAN interfaces: 10.52.100.x leases on vlan 710, guest leases on vlan 799.
# Both use a 10 minute lease time.
/ip dhcp-server
add address-pool=“Green-Bay pool” interface=“vlan 710” lease-time=10m name=
“Green Bay”
add address-pool=“Guest Pool” interface=“vlan 799” lease-time=10m name=
“Wifi Dupon Guest”
# Bridge membership: ether2-ether5 and sfp1 are ports of `bridge`, each with ingress-filtering=no.
# NOTE(review): ether2 also carries the three VLAN interfaces defined under /interface vlan; see whether
# the VLANs should sit on the bridge instead, or ether2 be taken out of the bridge — confirm.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
internal-path-cost=10 path-cost=10
# The ether1 entry is disabled, so the WAN port (ether1 is in list WAN) is not bridged with the LAN.
add bridge=bridge disabled=yes interface=ether1 internal-path-cost=10
path-cost=10
# Connection tracking: UDP entries time out after 10 seconds.
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery is limited to the LAN interface list, so it is not run on ether1 (WAN).
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
# IPv6 is switched off entirely; no /ipv6 firewall section appears in this export.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# List membership: bridge is LAN, ether1 is WAN.
# NOTE(review): the three VLAN interfaces are not members of LAN, so the filter rule that drops input
# with in-interface-list=!LAN presumably treats traffic arriving on them as non-LAN — confirm.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
# OpenVPN server digest list. No enabled=yes is visible, so the server is presumably off.
# NOTE(review): only sha1 and md5 are listed; if the server is ever enabled, select a SHA-2 digest instead.
/interface ovpn-server server
set auth=sha1,md5
# Router addresses: LAN gateway on vlan 710, a /30 transfer net on vlan 700, guest gateway on vlan 799,
# and the public /30 on ether1.
# NOTE(review): 10.52.100.1/24 is assigned twice, once on vlan 710 (first entry) and once on bridge
# (last entry). The same subnet on two interfaces makes routing for 10.52.100.0/24 ambiguous and is a
# likely contributor to the reported connectivity problem — confirm which interface should own it.
/ip address
add address=10.52.100.1/24 comment=defconf interface=“vlan 710” network=
10.52.100.0
add address=192.168.200.45/30 interface=“vlan 700” network=192.168.200.44
add address=172.16.1.1/24 interface=“vlan 799” network=172.16.1.0
add address=135.135.5.50/30 interface=ether1 network=135.135.5.48
add address=10.52.100.1/24 interface=bridge network=10.52.100.0
# The default DHCP client on ether1 is disabled; the WAN address is set statically under /ip address.
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# Leftover default DHCP server on bridge, disabled. address-pool=*1 is an internal ID rather than a
# name, which presumably means the pool it pointed to no longer exists — confirm before re-enabling.
/ip dhcp-server
add address-pool=*1 disabled=yes interface=bridge lease-time=10m name=defconf
# Options handed to DHCP clients: both networks get 8.8.8.8 as resolver and the router as gateway.
/ip dhcp-server network
add address=10.52.100.0/24 dns-server=8.8.8.8 gateway=10.52.100.1 netmask=24
add address=172.16.1.0/24 dns-server=8.8.8.8 gateway=172.16.1.1
# Router DNS: forwards to 8.8.8.8 and, with allow-remote-requests=yes, answers queries from other hosts.
# NOTE(review): nothing in this section limits who may query; that is left to the input chain of
# /ip firewall filter (its "drop all not coming from LAN" rule). If that rule is disabled or reordered
# the router becomes a resolver reachable from the WAN side. DHCP clients here are given 8.8.8.8
# directly, so remote requests may not be needed at all — confirm.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.52.100.1 comment=defconf name=router.lan
# Two address lists. The filter rules use both as allow-lists for the management ports 8291, 88 and
# 2202, so every entry here is a source that may reach the router's management services.
# NOTE(review): "Private networks" contains the public addresses 80.28.210.181 and 2.207.204.34, which
# are also in the public list; the list name therefore does not describe its content — confirm intent.
# NOTE(review): the public list includes 135.135.5.49 (the default gateway in /ip route) and
# 135.135.5.50 (this router's own ether1 address). Review whether the upstream gateway really needs
# management access, and remove entries for sites that are no longer in use.
/ip firewall address-list
add address=80.28.210.181 list=“Public IP’s”
add address=2.207.204.34 list=“Public IP’s”
add address=192.168.4.0/23 list=“Private networks”
add address=192.168.230.0/24 list=“Private networks”
add address=192.168.16.0/24 list=“Private networks”
add address=10.132.0.0/24 list=“Private networks”
add address=80.28.210.181 list=“Private networks”
add address=2.207.204.34 list=“Private networks”
add address=35.205.246.246 list=“Public IP’s”
add address=10.52.100.0/24 list=“Private networks”
add address=98.103.58.154 list=“Public IP’s”
add address=104.155.54.147 list=“Public IP’s”
add address=208.216.242.130 list=“Public IP’s”
add address=213.98.173.154 list=“Public IP’s”
add address=213.97.36.126 list=“Public IP’s”
add address=135.135.5.49 list=“Public IP’s”
add address=135.135.5.50 list=“Public IP’s”
# Filter rules. Within a chain they are evaluated top to bottom and the first match decides, so the
# order below is part of the policy. Input, forward and output rules are interleaved in this export.
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
# NOTE(review): this uncommented fasttrack rule and the accept after it duplicate the defconf pair
# further down, but sit ahead of the IPsec forward accepts. Fasttracked connections skip most of the
# packet flow, so tunnel traffic matched here may bypass IPsec policy handling — confirm, and consider
# removing this pair so the defconf order (IPsec accepts first, fasttrack after) applies.
add action=fasttrack-connection chain=forward connection-state=
established,related hw-offload=yes
add action=accept chain=forward connection-mark=“” connection-state=
established,related
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
# NOTE(review): the next two rules accept any protocol and port to the router's 10.52.100.0/24 address
# purely by source address, with no ipsec-policy or in-interface match. 135.135.5.48/30 is the WAN
# subnet on ether1, so the upstream side is accepted ahead of the management-port drops below.
# Adding ipsec-policy=in,ipsec to the 10.132.0.0/24 rule would limit it to traffic that arrived
# through the tunnel; the WAN-subnet rule should be justified or removed.
add action=accept chain=input dst-address=10.52.100.0/24 src-address=
10.132.0.0/24
add action=accept chain=input dst-address=10.52.100.0/24 src-address=
135.135.5.48/30
# NOTE(review): these output rules match src 10.52.0.0/24, which does not contain the router's
# 10.52.100.1, and no output drop rule is visible, so they presumably have no effect — confirm.
add action=accept chain=output dst-address=10.132.0.0/24 src-address=
10.52.0.0/24
add action=accept chain=output dst-address=135.135.5.48/30 src-address=
10.52.0.0/24
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
# Only forward drop for new connections: anything new from WAN that was not destination-NATed.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
# Disabled pair for the 192.168.230.0/24 site; no effect as exported.
add action=accept chain=input disabled=yes dst-address=192.168.230.0/24
src-address=10.132.0.0/24
add action=accept chain=output disabled=yes dst-address=10.132.0.0/24
src-address=192.168.230.0/24
# TCP 22 is dropped from everywhere; /ip service in this export moves ssh to port 2202.
add action=drop chain=input dst-port=22 protocol=tcp src-address=0.0.0.0/0
# Management ports follow the same pattern: allow both address lists, then drop everyone else.
# 8291 is not set in /ip service here; it is the default WinBox port.
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=
“Private networks”
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=
“Public IP’s”
add action=drop chain=input dst-port=8291 protocol=tcp src-address=0.0.0.0/0
# NOTE(review): port 88 is the `www` service per /ip service, i.e. the web interface over plain HTTP.
# Allowing it from the public list means admin logins cross the Internet unencrypted; prefer reaching
# it through the IPsec tunnels only, or switch to the TLS web service (www-ssl) with a certificate.
add action=accept chain=input dst-port=88 protocol=tcp src-address-list=
“Private networks”
add action=accept chain=input dst-port=88 protocol=tcp src-address-list=
“Public IP’s”
add action=drop chain=input dst-port=88 protocol=tcp src-address=0.0.0.0/0
# Port 2202 is ssh per /ip service.
add action=accept chain=input dst-port=2202 protocol=tcp src-address-list=
“Private networks”
add action=accept chain=input dst-port=2202 protocol=tcp src-address-list=
“Public IP’s”
add action=drop chain=input dst-port=2202 protocol=tcp src-address=0.0.0.0/0
# Catch-all for the input chain: everything not arriving on a LAN-list interface is dropped here.
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
# NOTE(review): this ESP accept comes after the catch-all drop, so ESP arriving on ether1 never reaches
# it. No rule accepting IKE (UDP 500/4500) is visible either, so only exchanges the router initiates
# itself would pass, via the established/related rule — confirm and move the IPsec accepts above the drop,
# restricted to the peer addresses.
add action=accept chain=input protocol=ipsec-esp
# Duplicates of the defconf IPsec forward accepts above; placed last, they are presumably never decisive.
add action=accept chain=forward comment=“accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“accept out ipsec policy”
ipsec-policy=out,ipsec
# Mangle: for packets that arrived through IPsec (ipsec-policy=in,ipsec) and are destined to one of four
# subnets, the connection mark is set to no-mark, with passthrough to later rules.
# NOTE(review): no rule in this export assigns any other connection mark, so the purpose of resetting
# it is unclear — confirm these are still needed.
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=10.132.0.0/24
ipsec-policy=in,ipsec new-connection-mark=no-mark passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.230.0/24
ipsec-policy=in,ipsec new-connection-mark=no-mark passthrough=yes
add action=mark-connection chain=prerouting dst-address=192.168.4.0/23
ipsec-policy=in,ipsec new-connection-mark=no-mark passthrough=yes
add action=mark-connection chain=prerouting dst-address=135.135.5.48/30
ipsec-policy=in,ipsec new-connection-mark=no-mark passthrough=yes
# NAT rules. As in the filter table, the first matching rule in a chain wins.
/ip firewall nat
# The defconf masquerade, which excluded IPsec traffic via ipsec-policy=out,none, is disabled.
add action=masquerade chain=srcnat comment=“defconf: masquerade” disabled=yes
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): this replacement masquerades everything leaving ether1, has no ipsec-policy exclusion,
# and precedes the three NAT-bypass accepts below. Traffic from 10.52.100.0/24 to a tunnel subnet is
# therefore likely rewritten to the WAN address first, stops matching the IPsec policy and leaves ether1
# unencrypted instead of through the tunnel. Moving the accept rules above it, or restoring
# ipsec-policy=out,none, keeps tunnel traffic out of the masquerade — confirm.
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat dst-address=10.132.0.0/24 src-address=
10.52.100.0/24
add action=accept chain=srcnat dst-address=192.168.4.0/23 src-address=
10.52.100.0/24
add action=accept chain=srcnat dst-address=192.168.230.0/24 src-address=
10.52.100.0/24
add action=accept chain=dstnat dst-address=10.52.100.0/24 src-address=
10.132.0.0/24
# NOTE(review): the next four rules have no out-interface. The first matches every destination and
# each negated rule matches everything outside one subnet, so together they masquerade all traffic from
# 10.52.100.0/24 that gets this far, including traffic toward other local interfaces — confirm they are
# leftovers that can be removed.
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=
10.52.100.0/24
add action=masquerade chain=srcnat dst-address=!10.132.0.0/24 src-address=
10.52.100.0/24
add action=masquerade chain=srcnat dst-address=!192.168.4.0/23 src-address=
10.52.100.0/24
add action=masquerade chain=srcnat dst-address=!192.168.230.0/24 src-address=
10.52.100.0/24
add action=masquerade chain=srcnat disabled=yes
# Guest network masquerade, also without an out-interface.
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 src-address=
172.16.1.0/24
# NOTE(review): the NAT table's built-in chains are srcnat and dstnat. A chain named "forward" here is
# presumably treated as a user-defined chain that nothing jumps to, so these two rules never match —
# confirm; the equivalent accepts already exist in /ip firewall filter.
add action=accept chain=forward comment=“Router fw IPsec in accept”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“Router fw IPsec out accept”
ipsec-policy=out,ipsec
# The SIP connection-tracking helper is disabled.
/ip firewall service-port
set sip disabled=yes
# Default hotspot profile; no hotspot server is defined in this export.
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# One identity per peer. No auth-method or secret is visible; a default export hides sensitive values,
# so the credentials are presumably just omitted — confirm the authentication method on the device.
# NOTE(review): the Reus identity has generate-policy=port-override, which lets that peer have policies
# generated on its behalf. No policy template restricting the allowed subnets is visible — confirm.
/ip ipsec identity
add generate-policy=port-override notrack-chain=prerouting peer=Reus
add notrack-chain=prerouting peer=“Ramon Home”
add notrack-chain=prerouting peer=“Google Cloud”
# Tunnel-mode policies. Only the two "Google Cloud" policies are enabled; the Reus and Ramon Home
# policies are disabled, although their NAT and filter rules remain in place.
# NOTE(review): no proposal= is shown, so these policies presumably use the default proposal, which in
# this export still permits des, 3des and sha1 — confirm.
/ip ipsec policy
add dst-address=10.132.0.0/24 peer=“Google Cloud” src-address=10.52.100.0/24
tunnel=yes
add disabled=yes dst-address=192.168.4.0/23 peer=Reus src-address=
10.52.100.0/24 tunnel=yes
add disabled=yes dst-address=192.168.230.0/24 peer=“Ramon Home” src-address=
10.52.100.0/24 tunnel=yes
add dst-address=10.132.0.0/24 peer=“Google Cloud” src-address=10.52.0.0/19
tunnel=yes
# Static routes: two internal ranges via 192.168.200.46 (the far end of the /30 on vlan 700) and the
# default route via 135.135.5.49 on the ether1 subnet.
/ip route
add disabled=no dst-address=10.52.0.0/19 gateway=192.168.200.46
add disabled=no dst-address=10.4.0.0/18 gateway=192.168.200.46
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=135.135.5.49
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Management services: telnet, ftp, api and api-ssl are off; the web interface and ssh are moved to
# non-default ports. Changing a port hides a service from casual scans but does not protect it.
# NOTE(review): `www` is the unencrypted HTTP web interface and the filter rules allow port 88 from public
# addresses. No address= restriction is set on any service, so the firewall is the only access control;
# setting address= per service gives a second layer if a filter rule is ever changed.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=88
set ssh port=2202
set api disabled=yes
set api-ssl disabled=yes
# BFD settings applied to all interfaces.
# NOTE(review): interfaces=all includes ether1 (WAN), and no routing protocol using BFD appears in this
# export — confirm whether this entry is needed, or narrow it to the interfaces that use it.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/Chicago
/system identity
set name=GreenBay
# IPsec messages are logged with the prefix "ipsec", useful for checking which algorithms are negotiated.
/system logging
add prefix=ipsec topics=ipsec
/system note
set show-at-login=no
# Layer-2 management (MAC telnet and MAC WinBox) is limited to the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN