How to route a public IP to a router behind another

Hello,

I have a MK router (let's call it "CORE ROUTER") where my ISP gives me a /29 pool of public IPs, delivered on its ether1; this router also has two more routers connected to its ether2 (called "LAB ROUTER") and ether3 (called "HOME ROUTER").

I would like to assign one IP from the /29 public pool to the CORE ROUTER, a second to the LAB ROUTER and a third to the HOME ROUTER, so that each router manages its own traffic via its assigned public IP.

Then I would like to setup a VLAN on CORE ROUTER to connect the other two routers to access all of them locally by a computer.

I have this diagram to better explain my goals. I hope it is clear enough to understand the above.

Also, this is my current CORE ROUTER setup (public IPs are just for explanation):


2025-11-06 19:09:48 by RouterOS 7.20.2

software id = UE3C-1FI0

model = RB760iGS

serial number = E1F

/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name="ether1_[WAN]"
/interface list
add comment="C&W WAN TRUNK /29" name=WAN_C&W
add comment="CORE ROUTER LAN" name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether5 name=dhcp1
/disk settings
set auto-media-interface=*8 auto-media-sharing=yes auto-smb-sharing=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment="CORE ROUTER LAN" interface=ether5 list=LAN
add comment="Cable and Wireless Trunk WAN" interface="ether1_[WAN]" list=
WAN_C&W
/ip address
add address=192.168.88.1/24 comment="LAN CORE ROUTER" interface=ether5
network=192.168.88.0
add address=190.100.85.10/30 comment="WAN-1 CORE ROUTER" interface=
"ether1_[WAN]" network=190.100.85.8
add address=201.227.85.11/29 comment="WAN-2 LAB ROUTER" disabled=yes
interface="ether1_[WAN]" network=190.100.85.8
add address=201.227.85.12/29 comment="WAN-3 HOME ROUTER" disabled=yes
interface="ether1_[WAN]" network=190.100.85.8
add address=201.227.85.13/29 comment="WAN-4 Available" disabled=yes
interface="ether1_[WAN]" network=190.100.85.8
add address=201.227.85.14/29 comment="WAN-5 Available" disabled=yes
interface="ether1_[WAN]" network=190.100.85.8
/ip dhcp-client
add comment=defconf default-route-tables=main disabled=yes interface=
"ether1_[WAN]"
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN_C&W
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface="ether1_[WAN]"
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=190.100.85.9 routing-table=main
suppress-hw-offload=no
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www port=
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
/ipv6 firewall filter
/system clock
set time-zone-name=America/Panama
/system identity
set name=CORE_ROUTER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


Many tks in advance for any help!

Enrico

About this point: one easy but unsafe way (unsafe because the ISP router then sees the traffic between the internal routers) is to put ether1, ether2 and ether3 in a bridge.

But if you want to be more secure, and truly only want the DIST ROUTER in front of your network, then you can read this older post of mine for one way this can be done.

In your case:

  • First remove these assigned address entries (that you've disabled already):

  • Change this address entry:

    into this entry with /32 subnet:

    /ip address
    add address=190.100.85.10/32 comment="WAN-1 CORE ROUTER" \
        interface="ether1_[WAN]" network=190.100.85.9
    

    Pay attention to the network address, it's the ISP router address, not 190.100.85.8!

  • You already have this static route, so this step from the other post can be skipped:

    /ip route
    add disabled=no dst-address=0.0.0.0/0 gateway=190.100.85.9 routing-table=main
    
  • Add 4 published=yes ARP entries on ether1 for the 4 remaining public IP addresses:

    /ip arp
    add address=192.100.85.11 interface="ether1_[WAN]" published=yes
    add address=192.100.85.12 interface="ether1_[WAN]" published=yes
    add address=192.100.85.13 interface="ether1_[WAN]" published=yes
    add address=192.100.85.14 interface="ether1_[WAN]" published=yes
    

  • On ether2, add this IP address entry, note the /32 subnet and the gateway address!

    /ip address
    add address=190.100.85.10/32 \
        interface=ether2 network=190.100.85.11
    

    Here network has the value 190.100.85.11, which is the address we want to give the LAB router! Also, ether2 is a stand-alone port, not part of any bridge! We also assign 190.100.85.10 to the router on this interface (the same address already used on ether1).

  • On ether2, add the published ARP entry for 192.100.85.9, and 192.100.85.12 too if you want LAB ROUTER and HOME ROUTER to be able to talk to each other in this subnet.

    /ip arp
    add address=192.100.85.9 interface=ether2 published=yes
    add address=192.100.85.12 interface=ether2 published=yes
    

  • On the LAB ROUTER, manually configure its address as 192.100.85.11/29 gateway 192.100.85.9!

  • On ether3, add this IP address entry, note the /32 subnet and the gateway address!

    /ip address
    add address=190.100.85.10/32 \
        interface=ether3 network=190.100.85.12
    

    Here network has the value 190.100.85.12, which is the address we want to give the HOME router! Also, ether3 is a stand-alone port, not part of any bridge! We also assign 190.100.85.10 to the router on this interface (the same address already used on ether1 and ether2).

  • On ether3, add the published ARP entry for 192.100.85.9, and 192.100.85.11 too if you want HOME ROUTER and LAB ROUTER to be able to talk to each other in this subnet.

    /ip arp
    add address=192.100.85.9 interface=ether3 published=yes
    add address=192.100.85.11 interface=ether3 published=yes
    

  • On the HOME ROUTER, manually configure its address as 192.100.85.12/29 gateway 192.100.85.9!

  • Modify this NAT rule:

    So that masquerade is not performed when the two other routers use their public IP addresses to go to the internet. By adding src-address=!192.100.85.8/29, change the rule into:

    /ip firewall nat
    add action=masquerade chain=srcnat comment="masquerade" \
        ipsec-policy=out,none out-interface="ether1_[WAN]" src-address=!192.100.85.8/29
    
  • If you want direct access from the internet (WAN) to the two router's public addresses, then don't forget to add the corresponding chain=forward action=accept rules above the "defconf: drop all from WAN not DSTNATed" rule in the filter table!

Hi!,

Thanks very much for your help! I'm a noob in MK, but after an initial check this setup looks great. This forum has been very helpful, and way better than any Google search. I have learned a lot.

As for your last comment, yes, I want direct access to the two routers behind the main one (DIST ROUTER), so thanks for sharing this tip. Also, as a security measure, I will set up a WireGuard tunnel to each router and close any other access from the internet, so the only way to reach the routers and all the services behind them will be through WG (by the way, I tested it on my LAB ROUTER and it runs great) or locally via the DIST ROUTER (I'll have to learn to set up a VLAN and connect the routers to it, but this will be a second step).

If any issue I'll let you know.

Thanks again.

Hello!

Sorry to bother you so much but still I need help...
I followed your indications and I have internet from the CORE ROUTER, but I'm unable to get internet from the LAB ROUTER. If you could please check my configurations and let me know where the error is in these routers' configs, I would really appreciate it; I'm still learning MK OS and my understanding is improving, but I'm still struggling.

This is my CORE ROUTER config:


2025-11-11 19:58:59 by RouterOS 7.20.2

software id = UE3C-1FI0

model = RB760iGS

serial number = E1

/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name="ether1[CORE]"
set [ find default-name=ether2 ] name="ether2[LAB]"
set [ find default-name=ether3 ] name="ether3[HOME]"
/interface list
add comment="C&W WAN TRUNK /29" name=WAN_C&W
add comment="CORE ROUTER LAN" name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether5 name=dhcp1
/disk settings
set auto-media-interface=*8 auto-media-sharing=yes auto-smb-sharing=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment="CORE ROUTER LAN" interface=ether5 list=LAN
add comment="Cable and Wireless Trunk WAN" interface="ether1[CORE]" list=
WAN_C&W
/ip address
add address=192.168.88.1/24 comment="LAN CORE" interface=ether5 network=
192.168.88.0
add address=190.100.85.10 comment="WAN-1 CORE" interface="ether1[CORE]"
network=190.100.85.9
add address=190.100.85.10 comment="WAN-2 LAB" interface="ether2[LAB]"
network=190.100.85.11
add address=190.100.85.10 comment="WAN-3 HOME" interface="ether3[HOME]"
network=190.100.85.12
/ip arp
add address=190.100.85.11 interface="ether1[CORE]" published=yes
add address=190.100.85.12 interface="ether1[CORE]" published=yes
/ip dhcp-client
add comment=defconf default-route-tables=main disabled=yes interface=
"ether1[CORE]"
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=accept chain=forward
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN_C&W
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none
out-interface="ether1[CORE]" src-address=!190.100.85.8/29
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=190.100.85.9 routing-table=main
suppress-hw-offload=no
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www port=81
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
. . . . . .
/ipv6 firewall filter
. . . . . .
/system clock
set time-zone-name=America/Panama
/system identity
set name=CORE_ROUTER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


And this is the LAB ROUTER config:


2025-11-11 19:39:42 by RouterOS 7.20.2

software id = X7GS-A6BH

model = RB5009UG+S+

serial number = HJ

/interface bridge
add admin-mac=F4:1E:57:DC:37:C9 auto-mac=no comment=defconf name=local
/interface ethernet
set [ find default-name=ether2 ] comment=C&W_Modem-L2l_Jeseni name=
"ether2[WAN1]"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=9999 mtu=1420 name=WG_ALL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=192.168.88.11-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=local name=dhcp1
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=local auto-media-sharing=yes auto-smb-sharing=yes
/dude
set enabled=yes
/interface bridge port
add bridge=local interface=ether1
add bridge=local comment=defconf interface=ether3
add bridge=local comment=defconf interface=ether4
add bridge=local comment=defconf interface=ether5
add bridge=local comment=defconf interface=ether6
add bridge=local comment=defconf interface=ether7
add bridge=local comment=defconf interface=ether8
add bridge=local comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defcon interface="ether2[WAN1]" list=WAN
add comment=defcon interface=local list=LAN
/interface ovpn-server server
add mac-address=FE:29:BF:6D:56:78 name=ovpn-server1
/interface wireguard peers
. . . . . . . . . .
/ip address
add address=192.168.88.1/24 comment=LAN interface=local network=192.168.88.0
add address=190.100.85.11 comment=C&W_Modem-L2_StaticIP interface=
"ether2[WAN1]" network=190.100.85.9
add address=192.168.100.1/24 comment="Wireguard full lan access" interface=
WG_ALL network=192.168.100.0
add address=192.168.101.1/24 comment="Wireguard G24A1" interface=WG_ALL
network=192.168.101.0
add address=192.168.102.1/24 comment="Wireguard G24A02" interface=WG_ALL
network=192.168.102.0
/ip arp
add address=190.100.85.11 interface="ether2[WAN1]" mac-address=
F4:1E:57:DC:37:C9
/ip dhcp-server lease
add address=192.168.88.2 address-lists=192.168.88.0/24 client-id=
2:90:09:D0:2C:10:6D comment="NAS OfidataLab" mac-address=
90:09:D0:2C:10:6D server=dhcp1 use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query
verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=192.168.88.2 comment="Ofidatalab local domain" match-subdomain=
yes name=local.ofidatalab.com type=A
add address=192.168.88.1 comment="router MK RB5009 2025" name=
routerofidatalab.lan type=A
/ip firewall filter
add action=accept chain=forward comment=
"accept established,related, untracked (MK Forum 2023-04-12 ANAV)"
connection-state=established,related,untracked
add action=drop chain=input comment="Block Port Scanners" src-address-list=
PORT-SCANNERS
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=add-src-to-address-list address-list=PORT-SCANNERS
address-list-timeout=3d chain=input comment="Port Scanner Detector" log=
yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Bloqueo consulta DNS desde afuera - TCP"
dst-port=53 in-interface="ether2[WAN1]" protocol=tcp
add action=drop chain=input comment=
"Bloqueo consultas DNS desde afuera - UDP" dst-port=53 in-interface=
"ether2[WAN1]" protocol=udp
add action=drop chain=forward comment=
"drop invalid (MK Forum 2023-04-12 ANAV)" connection-state=invalid
add action=fasttrack-connection chain=forward comment=
"fasttrack (MK Forum 2023-04-12 ANAV)" connection-state=
established,related hw-offload=yes
add action=accept chain=forward comment=
"allow internet traffic (MK Forum 2023-04-12 ANAV)" in-interface-list=
LAN out-interface-list=WAN
add action=accept chain=forward comment=
"allow port forwarding dstnat (ANAV 2023-11-17)" connection-nat-state=
dstnat
add action=accept chain=forward dst-address=192.168.88.2 dst-port=443
in-interface="ether2[WAN1]" protocol=tcp
add action=accept chain=forward comment=
"WG Administracion (MK Forum 2024-04-12 ANAV)" in-interface=WG_ALL
out-interface-list=LAN src-address=192.168.100.0/24
add action=accept chain=forward comment="WG-U24AA (MK Forum 2024-04-12 ANAV)"
dst-address=192.168.88.2 in-interface=WG_ALL src-address=192.168.101.0/24
add action=accept chain=forward comment="WG-U24AB (MK Forum 2024-04-12 ANAV)"
dst-address=192.168.88.2 in-interface=WG_ALL src-address=192.168.102.0/24
add action=drop chain=forward comment=
"drop all else (MK Forum 2024-11-17 ANAV)"
add action=accept chain=input comment=
"defconf: accept ICMP from Ether2-[WAN1]" disabled=yes in-interface=
"ether2[WAN1]" packet-mark="" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes
dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy"
connection-state=established,related disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=
"defconf: masquerade (MK Forum 2023-04-12 ANAV)" ipsec-policy=out,none
out-interface="ether2[WAN1]"
add action=dst-nat chain=dstnat comment="DstNat Web Server http" dst-address=
190.100.85.11 dst-port=80 protocol=tcp to-addresses=192.168.88.2
to-ports=80
add action=dst-nat chain=dstnat comment="DstNat DS723+ https" dst-address=
190.100.85.11 dst-address-list="" dst-address-type=local dst-port=443
protocol=tcp src-address-list="" to-addresses=192.168.88.2 to-ports=443
add action=redirect chain=dstnat comment=
"from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik "
dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=
"from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik "
dst-port=53 protocol=udp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=190.100.85.11
pref-src="" routing-table=main suppress-hw-offload=no
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
. . . . . .
/ipv6 firewall filter
. . . . . .
/system clock
set time-zone-name=America/Panama
/system identity
set name=MK_RB5009_OfidataLab
/system note
set note=enricosm@jeseni.com show-at-cli-login=yes
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/user settings
set minimum-password-length=12


Tks again
Enrico

At first sight:
190.100.85.10
is not
190.100.85.10/32
etc.

The generic form of a /32 link is that:

  1. the IP address of the interface WITH the /32 suffix
  2. the network is the single IP address (WITHOUT /32 suffix) of the device connected to that interface on the other end of the cable

In some cases (I guess it depends on how you set or edit an entry) RoS may add a /32 suffix to the address, in an export it should be visible.

An alternative solution you might consider is to ask your ISP for a /30 (or better, a /31) transit IP between their router and yours, and then they can statically route your /29 pool behind your router's /30 transit address. From there you have more flexibility in how you assign the /29 addresses internally. You could have your three routers have interfaces in a common VLAN and assign /29 addresses to those VLAN interfaces, or you could use private IPs for your routers and static routes to direct /29 traffic as needed, or you could do some internal NAT, and so on. Lots of possibilities depending on your goals and creativity.

Hello!
After setting the configuration as suggested by @cggxannx on the CORE ROUTER (see the diagram above, where DIST ROUTER is the same as CORE) I do have internet, but not on the LAB ROUTER. I have no idea why.

I check again the config on the LAB ROUTER and find this:

1. At addresses, if I manually configure the address as suggested here:

  • On the LAB ROUTER, manually configure its address as 192.100.85.11/29 gateway 192.100.85.9!
    the Network field automatically shows 192.100.85.8. To make it show 192.100.85.9 I must change the address to 192.100.85.11/32, and then the "/32" disappears.
  1. On the ARP List shows:
    IP Address: 192.100.85.10 / Interface: ether2[WAN1] / Status; stale

  2. Route List.
    DAC / 192.168.85.9/32 / Gateway: ether2[WAN1] / Distance: 0 /Routing: main

  3. On terminal if I ping 8.8.8.8 I receive: no route to host

  4. Finally this is my LAB ROUTER last configuration:


2025-10-20 03:01:18 by RouterOS 7.20.2

software id = X7GS-A6BH

model = RB5009UG+S+

serial number = HJ

/interface bridge
add admin-mac=F4:1E:57:DC:37:C9 auto-mac=no comment=defconf name=local
/interface ethernet
set [ find default-name=ether2 ] comment=C&W_Modem-L2l_Jeseni name=
"ether2[WAN1]"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
. . . . . . .
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=192.168.88.11-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=local name=dhcp1
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=local auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=local comment=defconf interface=ether3
add bridge=local comment=defconf interface=ether4
add bridge=local comment=defconf interface=ether5
add bridge=local comment=defconf interface=ether6
add bridge=local comment=defconf interface=ether7
add bridge=local comment=defconf interface=ether8
add bridge=local comment=defconf disabled=yes interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defcon interface="ether2[WAN1]" list=WAN
add comment=defcon interface=local list=LAN
/interface ovpn-server server
add mac-address=FE:29:BF:6D:56:78 name=ovpn-server1
/interface wireguard peers
. . . . . . . .
/ip address
add address=192.168.88.1/24 comment=LAN interface=local network=192.168.88.0
add address=190.100.85.11 comment=C&W_Modem-L2_StaticIP interface=
"ether2[WAN1]" network=190.100.85.9
/ip dhcp-server lease
add address=192.168.88.2 address-lists=192.168.88.0/24 client-id=
2:90:09:D0:2C:10:6D comment="NAS OfidataLab" mac-address=
90:09:D0:2C:10:6D server=dhcp1 use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query
verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=192.168.88.2 comment="Ofidatalab local domain" match-subdomain=
yes name=local.ofidatalab.com type=A
add address=192.168.88.1 comment="router MK RB5009 2025" name=
routerofidatalab.lan type=A
/ip firewall filter
add action=accept chain=forward comment=
"accept established,related, untracked (MK Forum 2023-04-12 ANAV)"
connection-state=established,related,untracked
add action=drop chain=input comment="Block Port Scanners" src-address-list=
PORT-SCANNERS
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=add-src-to-address-list address-list=PORT-SCANNERS
address-list-timeout=3d chain=input comment="Port Scanner Detector" log=
yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Bloqueo consulta DNS desde afuera - TCP"
dst-port=53 in-interface="ether2[WAN1]" protocol=tcp
add action=drop chain=input comment=
"Bloqueo consultas DNS desde afuera - UDP" dst-port=53 in-interface=
"ether2[WAN1]" protocol=udp
add action=add-dst-to-address-list address-list=Facebook
address-list-timeout=4d chain=forward comment=
"Facebook block (facebook.com)" content=facebook.com disabled=yes
src-address=192.168.101.0/24
add action=add-dst-to-address-list address-list=Facebook
address-list-timeout=4d chain=forward comment=
"Facebook block (fbcdn.net)" content=fbcdn.net.com disabled=yes
src-address=192.168.101.0/24
add action=add-dst-to-address-list address-list=Facebook
address-list-timeout=4d chain=forward comment="Facebook block (fb.com)"
content=fb.com disabled=yes src-address=192.168.101.0/24
add action=drop chain=forward comment="Facebook drop list" disabled=yes
dst-address-list=Facebook src-address=192.168.101.0/24 src-address-list=
""
add action=drop chain=forward comment=
"drop invalid (MK Forum 2023-04-12 ANAV)" connection-state=invalid
add action=fasttrack-connection chain=forward comment=
"fasttrack (MK Forum 2023-04-12 ANAV)" connection-state=
established,related hw-offload=yes
add action=accept chain=forward comment=
"allow internet traffic (MK Forum 2023-04-12 ANAV)" in-interface-list=
LAN out-interface-list=WAN
add action=accept chain=forward comment=
"allow port forwarding dstnat (ANAV 2023-11-17)" connection-nat-state=
dstnat
add action=accept chain=forward comment=
"WG Administracion (MK Forum 2024-04-12 ANAV)" in-interface=WG_ALL
out-interface-list=LAN src-address=192.168.100.0/24
add action=accept chain=forward comment="WG-U24AA (MK Forum 2024-04-12 ANAV)"
dst-address=192.168.88.2 in-interface=WG_ALL src-address=192.168.101.0/24
add action=accept chain=forward comment="WG-U24AB (MK Forum 2024-04-12 ANAV)"
dst-address=192.168.88.2 in-interface=WG_ALL src-address=192.168.102.0/24
add action=drop chain=forward comment=
"drop all else (MK Forum 2024-11-17 ANAV)"
add action=accept chain=input comment=
"defconf: accept ICMP from Ether2-[WAN1]" disabled=yes in-interface=
"ether2[WAN1]" packet-mark="" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes
dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy"
connection-state=established,related disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow LOCAL WinBox" disabled=yes
in-interface=local protocol=tcp src-port=9999
add action=accept chain=input comment="Allow WG_ALL WinBox" disabled=yes
in-interface="ether2[WAN1]" in-interface-list=all protocol=tcp src-port=
9999
add action=drop chain=input comment="block everything else" disabled=yes
in-interface="ether2[WAN1]"
/ip firewall nat
add action=masquerade chain=srcnat comment=
"defconf: masquerade (MK Forum 2023-04-12 ANAV)" ipsec-policy=out,none
out-interface-list=WAN
add action=redirect chain=dstnat comment=
"from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik "
dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=
"from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik "
dst-port=53 protocol=udp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
/ipv6 firewall filter
/system clock
set time-zone-name=America/Panama
/system identity
set name=MK_RB5009_OfidataLab
/system note
set note=@jeseni.com show-at-cli-login=yes
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/user settings
set minimum-password-length=12


Please, can anybody help me to see if I have a configuration error?
Tks!

Hi, sorry I missed your posts. First, next time when you post the router export, put the content between these:

```routeros
paste your content here
```

so that the code is properly formatted.

Back to the issue. On the CORE ROUTER, your export shows that you are missing 4 published=yes ARP entries.

Please note that in my post above, the instruction was to add 4 ARP entries on ether1 (but if you don't need 190.100.85.13 and 190.100.85.14 yet, then the two entries for 190.100.85.11 and 190.100.85.12 are enough, and you have those two entries).

However, you've missed the two published=yes ARP entries that need to be added on ether2, as well as the two that are needed on ether3. These are the entries (please note that in the old post I made typos and wrote 192.100.xxx instead of 190.100.xxx, but those prefixes were fake anyway) that I mentioned here:

and

You need at least those 6 entries under /ip arp (and 8 if you want to make it ready for the future usage of 100.100.85.13 and 100.100.85.14 too).

Without those ARP entries on ether2 and ether3, LAB ROUTER and HOME ROUTER will not be able to reach 190.100.85.9, which is the gateway to the internet.


You can also remove arp=proxy-arp from ether1[CORE] (set it to enabled).


About the firewall on CORE ROUTER, you don't need this rule to be that broad:

add action=accept chain=forward

You can modify it and just restrict to:

/ip firewall filter
add action=accept chain=forward dst-address=190.100.85.8/29 in-interface-list=WAN_C&W

The masquerade NAT rule and the /ip route entry on the CORE ROUTER are correct.

On the LAB ROUTER, instead of this address assignment:

/ip address
add address=190.100.85.11 comment=C&W_Modem-L2_StaticIP interface="ether2[WAN1]" network=190.100.85.9

You can also write

/ip address
add address=190.100.85.11/29 comment=C&W_Modem-L2_StaticIP interface="ether2[WAN1]" network=190.100.85.8

If you want it to reach other devices in 190.100.85.8/29 too.

Very important: on LAB ROUTER and HOME ROUTER you need to manually add the default route:

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=190.100.85.9 routing-table=main

that points to 190.100.85.9 as the gateway! You are currently missing that on the LAB ROUTER.

@enricosm60

An address with /32 is a "special case", the network - in this case, and in this case only - needs to be set to the IP of the device "at the other end of the cable".

With a /29 the network is automatically calculated and the network for 192.100.85.11/29 is actually 192.100.85.8:

https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=29&cip=192.100.85.11&ctype=ipv4&x=Calculate

192.100.85.9 is the first usable address of that network.

Hello CGGXANNX!
Tks for your answer.
Now I have internet on both CORE and LAB routers. I still have these issues:

  1. On the LAB Router I had set up a WireGuard VPN before, and it was working with a different public IP, but now my peers cannot get WG access. So I would like to know how to set up the LAB router to regain WG access.

These are the current configs:

# CORE ROUTER export as posted; lines starting with "#" are reviewer notes,
# everything else is unchanged.
/interface ethernet
set [ find default-name=ether1 ] name="ether1[CORE]"
set [ find default-name=ether2 ] name="ether2[LAB]"
set [ find default-name=ether3 ] name="ether3[HOME]"
/interface list
add comment="C&W WAN TRUNK /29" name=WAN_C&W
add comment="CORE ROUTER LAN" name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether5 name=dhcp1
/disk settings
set auto-media-interface=*8 auto-media-sharing=yes auto-smb-sharing=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Only ether5 is in LAN; ether2[LAB] and ether3[HOME] are in no list, which
# matters for the "!LAN" input drop further down (management of this router
# from the LAB and HOME sides is blocked there).
/interface list member
add comment="CORE ROUTER LAN" interface=ether5 list=LAN
add comment="Cable and Wireless Trunk WAN" interface="ether1[CORE]" list=\
    WAN_C&W
# The same /32 (190.100.85.10) sits on all three uplink/downlink ports, each
# with "network" set to the address at the far end of that cable; this is the
# point-to-point form of the ARP-publishing setup described in the thread.
/ip address
add address=192.168.88.1/24 comment="LAN CORE" interface=ether5 network=\
    192.168.88.0
add address=190.100.85.10 comment="WAN-1 CORE" interface="ether1[CORE]" \
    network=190.100.85.9
add address=190.100.85.10 comment="WAN-2 LAB" interface="ether2[LAB]" \
    network=190.100.85.11
add address=190.100.85.10 comment="WAN-3 HOME" interface="ether3[HOME]" \
    network=190.100.85.12
# Published entries: the ISP side is answered for .11/.12 on ether1[CORE];
# LAB and HOME are each answered for the gateway .9 and for the other
# router's address on their own port.
# NOTE(review): publishing .11 on ether3 and .12 on ether2 makes LAB and HOME
# reachable from each other through this router, and the forward chain below
# has no rule for ether2<->ether3 traffic, so that traffic is accepted by the
# chain's default. If the two sites must stay isolated (as stated later in
# the thread), drop it explicitly in the forward chain.
/ip arp
add address=190.100.85.11 interface="ether3[HOME]" published=yes
add address=190.100.85.9 interface="ether2[LAB]" published=yes
add address=190.100.85.12 interface="ether2[LAB]" published=yes
add address=190.100.85.9 interface="ether3[HOME]" published=yes
add address=190.100.85.11 interface="ether1[CORE]" published=yes
add address=190.100.85.12 interface="ether1[CORE]" published=yes
/ip dhcp-client
add comment=defconf default-route-tables=main disabled=yes interface=\
    "ether1[CORE]"
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# Remote DNS requests are allowed, but the input chain only admits traffic
# from LAN (ether5), so this does not expose an open resolver on the /29.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# Input chain: RouterOS default policy. ICMP is accepted from anywhere (so
# 190.100.85.10 answers ping from the internet); everything else that does
# not come from LAN is dropped, which also covers www on port 81 below.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Lets new connections from the ISP side reach any address in the /29, i.e.
# the internet reaches LAB and HOME directly on their public IPs. That is the
# intent here; each downstream router must therefore filter its own inbound
# traffic.
add action=accept chain=forward comment=\
    "regla indicada en solucion multiples IPs" dst-address=190.100.85.8/29 \
    in-interface-list=WAN_C&W
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN_C&W
# src-address=!190.100.85.8/29 keeps LAB/HOME traffic (already sourced from
# their own public IPs) out of the masquerade; only the CORE LAN is NATed to
# 190.100.85.10.
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface="ether1[CORE]" src-address=!190.100.85.8/29 to-addresses=\
    190.100.85.10
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=190.100.85.9 routing-table=main \
    suppress-hw-offload=no
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www port=81
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): the IPv6 filter is empty in this export; if IPv6 ever comes
# up on ether1[CORE] there is no IPv6 input/forward policy at all (the later
# CORE export in the thread does carry the default IPv6 rules).
/ipv6 firewall address-list
/ipv6 firewall filter
/system clock
set time-zone-name=America/Panama
/system identity
set name=CORE_ROUTER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
´´´´´´´´´´´
and this is the current LAB ROUTER config, where the WG configuration that is not working lives:

´´´´´´´´´´
LAB ROUTER
# LAB ROUTER export as posted; lines starting with "#" are reviewer notes,
# everything else is unchanged.
/interface bridge
add admin-mac=F4:1E:57:DC:37:C9 auto-mac=no comment=defconf name=local
/interface ethernet
set [ find default-name=ether2 ] comment=C&W_Modem-L2l_Jeseni name=\
    "ether2[WAN1]"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# WG listens on UDP 35001; see the input-chain note below for how it is
# currently reachable from the WAN.
/interface wireguard
add listen-port=35001 mtu=1420 name=WG_ALL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# dhcp_pool1 and dhcp_pool2 are not referenced by any DHCP server below.
/ip pool
add name=default-dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=192.168.88.11-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=local name=dhcp1
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=local auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=local comment=defconf interface=ether3
add bridge=local comment=defconf interface=ether4
add bridge=local comment=defconf interface=ether5
add bridge=local comment=defconf interface=ether6
add bridge=local comment=defconf interface=ether7
add bridge=local comment=defconf interface=ether8
add bridge=local comment=defconf disabled=yes interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defcon interface="ether2[WAN1]" list=WAN
add comment=defcon interface=local list=LAN
# NOTE(review): an OVPN server instance exists; whether it is enabled is not
# visible in this export. Confirm, because nothing in the input chain below
# would stop it from being reached on the WAN.
/interface ovpn-server server
add mac-address=FE:29:BF:6D:56:78 name=ovpn-server1
# Peers are absent here; the thread assumes they were stripped for privacy.
/interface wireguard peers
/ip address
add address=192.168.88.1/24 comment=LAN interface=local network=192.168.88.0
# /32 form with network=190.100.85.9 (works); the /29 form suggested in the
# thread is what the later export uses.
add address=190.100.85.11 comment=C&W_Modem-L2_StaticIP interface=\
    "ether2[WAN1]" network=190.100.85.9
# Three /24s on the single WG_ALL interface; the thread suggests one WG
# interface per subnet instead.
add address=192.168.100.1/24 comment="Wireguard full lan access" interface=\
    WG_ALL network=192.168.100.0
add address=192.168.101.1/24 comment="Wireguard G24A1" interface=WG_ALL \
    network=192.168.101.0
add address=192.168.102.1/24 comment="Wireguard G24A02" interface=WG_ALL \
    network=192.168.102.0
/ip dhcp-server lease
add address=192.168.88.2 address-lists=192.168.88.0/24 client-id=\
    2:90:09:D0:2C:10:6D comment="NAS OfidataLab" mac-address=\
    90:09:D0:2C:10:6D server=dhcp1 use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# DoH to 1.1.1.1 with certificate verification; the static cloudflare-dns.com
# entries bootstrap the DoH hostname. The two WAN dst-port=53 drops in the
# input chain keep allow-remote-requests from exposing the resolver.
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=192.168.88.2 comment="Ofidatalab local domain" match-subdomain=\
    yes name=local.ofidatalab.com type=A
add address=192.168.88.1 comment="router MK RB5009 2025" name=\
    routerofidatalab.lan type=A
# NOTE(review): the input chain has no final drop (and no "accept
# established,related" either). The active input rules only drop listed port
# scanners, invalid packets and DNS arriving on ether2[WAN1]; the ICMP,
# loopback and WinBox accepts are all disabled. A RouterOS chain accepts what
# no rule matched, so every service bound on 190.100.85.11 (WinBox, www, ssh,
# the NTP server enabled below, the WG port) is reachable from the internet.
# For the "WG only" goal the chain needs: accept established,related; accept
# udp dst-port=35001; accept from in-interface-list=LAN and from WG_ALL; then
# a final drop.
/ip firewall filter
add action=accept chain=forward comment=\
    "accept established,related, untracked  (MK Forum 2023-04-12 ANAV)" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Block Port Scanners" src-address-list=\
    PORT-SCANNERS
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Runs before any accept and without an in-interface match, so LAN hosts can
# land in PORT-SCANNERS (3 days) as well; in-interface-list=WAN would scope it.
add action=add-src-to-address-list address-list=PORT-SCANNERS \
    address-list-timeout=3d chain=input comment="Port Scanner Detector" log=\
    yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Bloqueo consulta DNS desde afuera - TCP" \
    dst-port=53 in-interface="ether2[WAN1]" protocol=tcp
add action=drop chain=input comment=\
    "Bloqueo consultas DNS desde afuera - UDP" dst-port=53 in-interface=\
    "ether2[WAN1]" protocol=udp
add action=drop chain=forward comment=\
    "drop invalid  (MK Forum 2023-04-12 ANAV)" connection-state=invalid
add action=fasttrack-connection chain=forward comment=\
    "fasttrack (MK Forum 2023-04-12 ANAV)" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "allow internet traffic  (MK Forum 2023-04-12 ANAV)" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow port forwarding dstnat (ANAV 2023-11-17)" connection-nat-state=\
    dstnat
# NOTE(review): the opening line of this rule ("add action=accept
# chain=forward comment=\") was lost in the paste; the later LAB export in
# the thread shows the rule complete.
    "WG Administracion (MK Forum  2024-04-12 ANAV)" in-interface=WG_ALL \
    out-interface-list=LAN src-address=192.168.100.0/24
add action=accept chain=forward comment="WG-U24AA (MK Forum 2024-04-12 ANAV)" \
    dst-address=192.168.88.2 in-interface=WG_ALL src-address=192.168.101.0/24
add action=accept chain=forward comment="WG-U24AB (MK Forum 2024-04-12 ANAV)" \
    dst-address=192.168.88.2 in-interface=WG_ALL src-address=192.168.102.0/24
# Ends the forward chain: WG clients in .101/.102 reach only 192.168.88.2, and
# no rule lets any WG subnet out to the WAN. The "drop all from WAN not
# DSTNATed" rule further down is never reached because of this one.
add action=drop chain=forward comment=\
    "drop all else (MK Forum 2024-11-17 ANAV)"
add action=accept chain=input comment=\
    "defconf: accept ICMP from Ether2-[WAN1]" disabled=yes in-interface=\
    "ether2[WAN1]" packet-mark="" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    connection-state=established,related disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Both WinBox rules match src-port=8291; a WinBox client connects to
# dst-port 8291, so even if enabled these would not admit it.
add action=accept chain=input comment="Allow LOCAL WinBox" disabled=yes \
    in-interface=local protocol=tcp src-port=8291
add action=accept chain=input comment="Allow WG_ALL WinBox" disabled=yes \
    in-interface="ether2[WAN1]" in-interface-list=all protocol=tcp src-port=\
    8291
# The two redirect rules have no in-interface match, so they apply on every
# interface; WAN-side port-53 traffic redirected to the router is still
# dropped by the two input rules above.
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "defconf: masquerade  (MK Forum 2023-04-12 ANAV)" ipsec-policy=out,none \
    out-interface-list=WAN to-addresses=190.100.85.11
add action=redirect chain=dstnat comment=\
    "from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik " \
    dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=\
    "from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik " \
    dst-port=53 protocol=udp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=190.100.85.9 routing-table=main \
    suppress-hw-offload=no
# www, ssh and winbox are not listed, so presumably at their defaults
# (enabled, no address= restriction); see the input-chain note above.
/ip service
set ftp disabled=yes
set telnet disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
/ipv6 firewall filter
/system clock
set time-zone-name=America/Panama
/system identity
set name=MK_RB5009_OfidataLab
/system note
set note=@jeseni.com show-at-cli-login=yes
/system ntp client
set enabled=yes
# NTP server answers manycast/multicast and, with the open input chain,
# unicast UDP 123 from the WAN too; scope it with an input rule once the chain
# has a final drop.
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
/tool bandwidth-server
set enabled=no
# MAC-level access is fully closed (no interface list for mac-server,
# mac-winbox or mac ping).
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/user settings
set minimum-password-length=12
´´´´´´´´´´´´´´´´

My goal is to set up WG on both routers so that the only way to access them from outside will be through WG, and everything else will be closed.

2. Regarding the HOME Router.
I'm struggling with the HOME router, which is a Synology RT2600ac, where I'm trying to set up the IP 190.100.85.12 on the secondary WAN interface, but I cannot ping the gateway 190.100.85.9 from this router (I receive: Destination Host Unreachable). However, if I connect the ISP /29 ethernet cable directly to the Synology router (HOME) secondary WAN and set a static IP, I can ping the gateway and use this internet access with no problem.

The most important issue for me is to set up WG access to all the routers.

Hello,
I'm clarifying my goal regarding the issue above. I'm receiving from my ISP a /29 of public IPs delivered over one ethernet cable. I want to give each of these routers its own public IP from this /29 pool to manage its own traffic, so each router in the attached diagram will be totally separated from the others, with no communication between them. So the only way to access each router will be locally, by attaching a physical ethernet cable for management (on its own LAN), or from the internet through each router's own WireGuard configuration.

For the record, I configured it as @CGGXANNX suggested and I got internet, BUT then WG did not work and I had connectivity issues with the HOME ROUTER (a Synology RT2600ac), so to avoid these problems I think the better way is to have a totally separate WAN access for each router.

Tks

Routers251117A.pdf (107.6 KB)

Not much of a public IP guy, but that means you get 5 usable public WAN IPs.

ISP router leaves 4/5
Core Router leaves 3/5
Lab router leaves 2/5
Home router leaves 1/5

So each router along the way needs one for itself, and this means you still have one spare :slight_smile:
From a security standpoint, since all routers are actually on the same WAN subnet, you will have to include a few extra firewall rules.

Sorry I missed your previous reply because I've probably opened the thread and navigated away.

What do you mean by not being able to access WG on the LAB router? Are you trying to access the WG on 190.100.85.11 from the outside internet? Does that address respond to ping from the internet?

Is the WG configuration including the peers list on the LAB ROUTER unchanged from before the move to 190.100.85.11? Are you using the endpoint 190.100.85.11:35001 to connect to it from the outside?

Is your problem with WG that the clients cannot establish a handshake at all? Or is a handshake possible but you cannot access the other subnets through WG? Or can you not access the router itself through WG? Simply saying WG is not working is a bit vague :frowning:


From a quick look:

  • On CORE ROUTER, the router should forward everything destined to 190.100.85.11 to the LAB ROUTER; there is no DSTNAT rule modifying this, and there is a rule that accepts forwarding to dst-address=190.100.85.8/29, which is correct and is needed.

    The CORE ROUTER should also already have the correct route with destination 190.100.85.11/32 and gateway ether2[LAB] added dynamically, so this should be ok too.

    The CORE ROUTER also does not apply SRCNAT if the source is coming from 190.100.85.8/29 and this is also correct.

    => Configuration on CORE ROUTER looks fine.


  • On the LAB ROUTER, I don't see the WG peers list, but I assume that you've removed it from the export for privacy reasons, and that the peers are properly configured and have not changed from the previous "working" state?

    On the LAB ROUTER, the /ip address assignment on ether2[WAN1] is address=190.100.85.11 and network=190.100.85.9, this works, but address=190.100.85.11/29 and network=190.100.85.8 is better.

    On the LAB ROUTER, the default route is ok, and you are able to access the internet with it.

    On the LAB ROUTER, I don't know why you've assigned 3 subnets to the WG_ALL interface. Was this in the original working configuration? With 3 subnets I would have created 3 WG separate interfaces instead.

    Looking at the firewall on the LAB ROUTER, it's quite busy and some rules are questionable. But if that's your configuration, then the WG clients in general won't be able to access the devices in your LAN subnets. You need to state what you expect from having "WireGuard" working for us to see if the FW needs to be modified or not.

    You have @anav's "drop all else" rule for forwarding, but you allow almost nothing coming from the WG_ALL interface!

Hello @CGGXANNX,

Thanks very much for your patience and help!

Regarding your last comments I have this:

  1. I disconnected the HOME router from the CORE because initially it seemed to work, but after some time the HOME router shows a message informing that it is unable to reach the gateway (190.100.85.9); then I'm unable to ping the gateway from this HOME router and I don't know why. This HOME router is a Synology RT2600ac where I connect the public IP 190.100.85.12 to its WAN2 (Lan1) to use as a backup connection, and I suspect that some kind of special config is required to make it work. I'm going to see if Synology support can help, or if you by any chance know this router please let me know. Otherwise no issue, I will keep it as it is without this connection.
  2. On the LAB router, as suggested, I changed to: address=190.100.85.11/29 comment=C&W_Modem-L2_StaticIP interface="ether2[WAN1]" network=190.100.85.8
  3. With the HOME router disconnected, I can access the LAB router WG peers and also a NAS behind the LAB. Anyway I'm going to create a WG interface for each subnet as you suggested, because it seems better to me.
  4. I'm WORRIED about your comments regarding the firewall on the LAB router. Would you please give me any hint to make it better? I would like to access this router and its services by WG and also access a Synology NAS where I have some services using port 443, then close everything else; by the way, on this NAS I have an SSL certificate and also 2FA active.

Sorry if asking a lot, but I’m trying to understand the logic behind MK OS.

Anyway if I can compensate your time pls let me know.

At this moment these are the configs of the routers:

CORE router

……….

# CORE ROUTER export as posted; lines starting with "#" are reviewer notes,
# everything else is unchanged.
# NOTE(review): the line-continuation backslashes were lost in this paste
# (compare the earlier CORE export), so this text is not directly importable
# as-is. Apart from that, the only material difference from the earlier
# export is the default IPv6 filter now being present.
/interface ethernet
set [ find default-name=ether1 ] name="ether1[CORE]"
set [ find default-name=ether2 ] name="ether2[LAB]"
set [ find default-name=ether3 ] name="ether3[HOME]"
/interface list
add comment="C&W WAN TRUNK /29" name=WAN_C&W
add comment="CORE ROUTER LAN" name=LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether5 name=dhcp1
/disk settings
set auto-media-interface=*8 auto-media-sharing=yes auto-smb-sharing=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Only ether5 is in LAN; ether2[LAB] and ether3[HOME] are in no list, so the
# "!LAN" input drop below blocks management of this router from both sides.
/interface list member
add comment="CORE ROUTER LAN" interface=ether5 list=LAN
add comment="Cable and Wireless Trunk WAN" interface="ether1[CORE]" list=
WAN_C&W
# The same /32 (190.100.85.10) on all three ports, each with "network" set to
# the far-end address of that cable (point-to-point form).
/ip address
add address=192.168.88.1/24 comment="LAN CORE" interface=ether5 network=
192.168.88.0
add address=190.100.85.10 comment="WAN-1 CORE" interface="ether1[CORE]"
network=190.100.85.9
add address=190.100.85.10 comment="WAN-2 LAB" interface="ether2[LAB]"
network=190.100.85.11
add address=190.100.85.10 comment="WAN-3 HOME" interface="ether3[HOME]"
network=190.100.85.12
# NOTE(review): publishing .12 on ether2 and .11 on ether3 makes LAB and HOME
# reachable from each other through this router; the forward chain below has
# no rule for ether2<->ether3 traffic, so it falls through to the chain's
# default accept. If the sites must stay isolated, drop it explicitly.
/ip arp
add address=190.100.85.11 interface="ether1[CORE]" published=yes
add address=190.100.85.12 interface="ether1[CORE]" published=yes
add address=190.100.85.9 interface="ether2[LAB]" published=yes
add address=190.100.85.12 interface="ether2[LAB]" published=yes
add address=190.100.85.9 interface="ether3[HOME]" published=yes
add address=190.100.85.11 interface="ether3[HOME]" published=yes
/ip dhcp-client
add comment=defcon default-route-tables=main disabled=yes interface=
"ether1[CORE]"
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
# Remote DNS requests are allowed, but the input chain only admits them from
# LAN (ether5).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# Input chain: RouterOS default policy; ICMP answered from anywhere, all
# other non-LAN input dropped (covers www on port 81 below).
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
# New connections from the ISP side may reach any address in the /29, i.e.
# the internet reaches LAB and HOME directly; each of them must filter its
# own inbound traffic.
add action=accept chain=forward comment=
"regla indicada en solucion multiples IPs" dst-address=190.100.85.8/29
in-interface-list=WAN_C&W
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN_C&W
# Only the CORE LAN is masqueraded; LAB/HOME sources inside the /29 pass
# unchanged.
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none
out-interface="ether1[CORE]" src-address=!190.100.85.8/29 to-addresses=
190.100.85.10
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=190.100.85.9 routing-table=main
suppress-hw-offload=no
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www port=81
set api disabled=yes
set api-ssl disabled=yes
# Default IPv6 bogon list and filter are present in this export. Nothing here
# assigns an IPv6 address, so these rules are dormant until IPv6 is enabled.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/system clock
set time-zone-name=America/Panama
/system identity
set name=CORE_ROUTER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

…………………………………………..

LAB router

# LAB ROUTER export as posted; lines starting with "#" are reviewer notes,
# everything else is unchanged. Line-continuation backslashes were lost in
# this paste, so the text is not directly importable as-is.
/interface bridge
add admin-mac=F4:1E:57:DC:37:C9 auto-mac=no comment=defconf name=local
/interface ethernet
set [ find default-name=ether2 ] comment=C&W_Modem-L2l_Jeseni name=
"ether2[WAN1]"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# WG listens on UDP 35001; see the input-chain note below.
/interface wireguard
add listen-port=35001 mtu=1420 name=WG_ALL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# dhcp_pool1 and dhcp_pool2 are not referenced by any DHCP server below.
/ip pool
add name=default-dhcp ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=192.168.88.11-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=local name=dhcp1
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=local auto-media-sharing=yes auto-smb-sharing=yes
# ether1 is now a bridge (LAN) port, new since the earlier export;
# sfp-sfpplus1 is a bridge port but the interface itself is disabled above.
/interface bridge port
add bridge=local interface=ether1
add bridge=local comment=defconf interface=ether3
add bridge=local comment=defconf interface=ether4
add bridge=local comment=defconf interface=ether5
add bridge=local comment=defconf interface=ether6
add bridge=local comment=defconf interface=ether7
add bridge=local comment=defconf interface=ether8
add bridge=local comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defcon interface="ether2[WAN1]" list=WAN
add comment=defcon interface=local list=LAN
# NOTE(review): an OVPN server instance exists; whether it is enabled is not
# visible here. Confirm, since the input chain below does not block it.
/interface ovpn-server server
add mac-address=FE:29:BF:6D:56:78 name=ovpn-server1
# Peers are absent here; presumably stripped for privacy, as assumed in the
# thread.
/interface wireguard peers
/ip address
add address=192.168.88.1/24 comment=LAN interface=local network=192.168.88.0
# /29 form as suggested in the thread: network derived from the prefix.
add address=190.100.85.11/29 comment=C&W_Modem-L2_StaticIP interface=
"ether2[WAN1]" network=190.100.85.8
# Three /24s still share the single WG_ALL interface.
add address=192.168.100.1/24 comment="Wireguard full lan access" interface=
WG_ALL network=192.168.100.0
add address=192.168.101.1/24 comment="Wireguard G24A1" interface=WG_ALL
network=192.168.101.0
add address=192.168.102.1/24 comment="Wireguard G24A02" interface=WG_ALL
network=192.168.102.0
/ip dhcp-server lease
add address=192.168.88.2 address-lists=192.168.88.0/24 client-id=
2:90:09:D0:2C:10:6D comment="NAS OfidataLab" mac-address=
90:09:D0:2C:10:6D server=dhcp1 use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
# DoH to 1.1.1.1 with certificate verification; the static cloudflare-dns.com
# entries bootstrap the DoH hostname. The two WAN dst-port=53 drops in the
# input chain keep allow-remote-requests from exposing the resolver.
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query
verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=192.168.88.2 comment="Ofidatalab local domain" match-subdomain=
yes name=local.ofidatalab.com type=A
add address=192.168.88.1 comment="router MK RB5009 2025" name=
routerofidatalab.lan type=A
# NOTE(review): the input chain still has no final drop and no "accept
# established,related". Only listed port scanners, invalid packets and DNS
# on ether2[WAN1] are dropped; a RouterOS chain accepts what no rule matched,
# so www (99), ssh (9999), the WG port, the OVPN instance and the NTP server
# are all reachable on 190.100.85.11 from the internet. For the "WG only"
# goal: accept established,related; accept udp dst-port=35001; accept from
# in-interface-list=LAN and from WG_ALL; then a final drop.
/ip firewall filter
add action=accept chain=forward comment=
"accept established,related, untracked (MK Forum 2023-04-12 ANAV)"
connection-state=established,related,untracked
add action=drop chain=input comment="Block Port Scanners" src-address-list=
PORT-SCANNERS
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
# Runs before any accept and without an in-interface match, so LAN hosts can
# land in PORT-SCANNERS (3 days) too; in-interface-list=WAN would scope it.
add action=add-src-to-address-list address-list=PORT-SCANNERS
address-list-timeout=3d chain=input comment="Port Scanner Detector" log=
yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Bloqueo consulta DNS desde afuera - TCP"
dst-port=53 in-interface="ether2[WAN1]" protocol=tcp
add action=drop chain=input comment=
"Bloqueo consultas DNS desde afuera - UDP" dst-port=53 in-interface=
"ether2[WAN1]" protocol=udp
add action=drop chain=forward comment=
"drop invalid (MK Forum 2023-04-12 ANAV)" connection-state=invalid
add action=fasttrack-connection chain=forward comment=
"fasttrack (MK Forum 2023-04-12 ANAV)" connection-state=
established,related hw-offload=yes
add action=accept chain=forward comment=
"allow internet traffic (MK Forum 2023-04-12 ANAV)" in-interface-list=
LAN out-interface-list=WAN
# This is what admits the 443 port-forward (NAT section below) from the WAN
# into the LAN.
add action=accept chain=forward comment=
"allow port forwarding dstnat (ANAV 2023-11-17)" connection-nat-state=
dstnat
add action=accept chain=forward comment=
"WG Administracion (MK Forum 2024-04-12 ANAV)" in-interface=WG_ALL
out-interface-list=LAN src-address=192.168.100.0/24
add action=accept chain=forward comment="WG-U24AA (MK Forum 2024-04-12 ANAV)"
dst-address=192.168.88.2 in-interface=WG_ALL src-address=192.168.101.0/24
add action=accept chain=forward comment="WG-U24AB (MK Forum 2024-04-12 ANAV)"
dst-address=192.168.88.2 in-interface=WG_ALL src-address=192.168.102.0/24
# Ends the forward chain; the "drop all from WAN not DSTNATed" rule after it
# is never reached. No rule lets any WG subnet out to the WAN.
add action=drop chain=forward comment=
"drop all else (MK Forum 2024-11-17 ANAV)"
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
# Masquerade no longer pins to-addresses; it uses the ether2[WAN1] address.
/ip firewall nat
add action=masquerade chain=srcnat comment=
"defconf: masquerade (MK Forum 2023-04-12 ANAV)" ipsec-policy=out,none
out-interface-list=WAN
# NOTE(review): this publishes the NAS HTTPS (192.168.88.2:443) to the whole
# internet on 190.100.85.11:443, and the "allow port forwarding dstnat"
# forward rule admits it. That contradicts the stated "WG only" goal; WG
# clients already reach 192.168.88.2 through the WG-U24AA/WG-U24AB rules, so
# if the NAS is meant to be reached only via WG this rule can go (or be
# limited with src-address-list).
add action=dst-nat chain=dstnat comment="DstNat DS723+ https" dst-address=
190.100.85.11 dst-address-list="" dst-address-type=local dst-port=443
protocol=tcp src-address-list="" to-addresses=192.168.88.2 to-ports=443
# The redirect rules apply on every interface; WAN-side port-53 traffic
# redirected to the router is still dropped by the two input rules above.
add action=redirect chain=dstnat comment=
"from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik "
dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=
"from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik "
dst-port=53 protocol=udp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=190.100.85.9 routing-table=main
suppress-hw-offload=no
# NOTE(review): address= is empty for www and ssh, so the non-standard ports
# do not limit who may connect; winbox is correctly limited to the LAN and
# the WG admin subnet. Give www/ssh the same address= list (and/or add the
# final input drop noted above).
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www address= port=99
set ssh address= port=9999
set winbox address=192.168.88.0/24,192.168.100.0/24 max-sessions=3
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
/ipv6 firewall filter
/system clock
set time-zone-name=America/Panama
/system identity
set name=MK_RB5009_OfidataLab
/system note
set note=enricosm@jeseni.com show-at-cli-login=yes
/system ntp client
set enabled=yes
# NTP server answers manycast/multicast and, with the open input chain,
# unicast UDP 123 from the WAN too; scope it with an input rule.
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
/tool bandwidth-server
set enabled=no
# MAC-level access is fully closed (no interface list for mac-server,
# mac-winbox or mac ping).
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/user settings
set minimum-password-length=12