I can't ping the WAN interface from the LAN

Hello friends,

Please, I need help. I have a MikroTik hAP ac2 that I have plugged into an ISP modem, which gives the WAN interface the DHCP address 192.168.1.25…
The problem is that I can't ping this address from my LAN.
The configuration lines are:

 ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                     
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    ether2                                                                        
 1   xx.xx.xx.xx/25     xx.xx.xx.xx     ether5                                                                        
 2 D 192.168.1.25/24    192.168.1.0     ether1

And the IP routes:

ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1               1
 1 ADC  xx.xx.xx.xx/25     xx.xx.xx.xx     bridge                    0
 2 ADC  192.168.1.0/24     192.168.1.25    ether1                    0
 3 A S  192.168.1.1/32     0.0.0.0         ether1                    1
 4 ADC  192.168.88.0/24    192.168.88.1    bridge                    0

And the NAT rules:

ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=xx.xx.xx.xx/25 dst-address=xx.xx.xx.xx/16 log=no log-prefix="" 

 1    chain=srcnat action=src-nat to-addresses=xx.xx.xx.xx/25 dst-address=xx.xx.xx.xx/16 

 2 X  chain=srcnat action=src-nat to-addresses=xx.xx.xx.xx/16 dst-address=xx.xx.xx.xx/25 

 3    chain=srcnat action=masquerade log=no log-prefix="" 

 4    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none

And the firewall filter rules:

 ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 2    chain=output action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 3    chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix="" 

 4    chain=output action=accept protocol=udp dst-port=4500 log=no log-prefix="" 

 5    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 6    chain=output action=accept protocol=ipsec-esp log=no log-prefix="" 

 7    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 8    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 9    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

10    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

11    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

12    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

13    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

14    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

15    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

16    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

17    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Thanks in advance for your help.

Which LAN?
The LAN of the ISP modem?


You must convert the hAP ac² from a router into a plain switch + access point, since your ISP router already does NAT?

What is the censored IP on ether5 for, and where does it come from?

Do not use print; its output is useless here.
Use export instead.

Thanks for your reply. I use it as a router for an IPsec tunnel, and I also need internet access for the LAN. I have posted a topic about my problem with the tunnel, and I think it is because I can't ping the "ether1 interface".
The link to the other topic is: https://forum.mikrotik.com/viewtopic.php?f=13&t=177371

The exported configuration is:

export
# aug/06/2021 12:05:22 by RouterOS 6.47.10
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=ZZ.ZZ.ZZ.ZZ.ZZ to-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EA wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EB wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
set [ find default=yes ] use-responder-dns=no
/ip ipsec profile
add dh-group=modp1024 dpd-interval=5s dpd-maximum-failures=100 enc-algorithm=aes-256,aes-128 lifetime=6h name=\
    IKE_Crypto
/ip ipsec peer
add address=P.P.P.P/32 exchange-mode=aggressive name=OURPEER passive=yes profile=IKE_Crypto
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc lifetime=1h name=IPSec_Crypto
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=AA.AA.AA.AA/25 interface=ether5 network=AA.AA.AA.AB
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=RR.RR.RR.RR/16 src-address=AA.AA.AA.AB/25
add action=src-nat chain=srcnat dst-address=RR.RR.RR.RR/16 to-addresses=AA.AA.AA.AB/25
add action=src-nat chain=srcnat disabled=yes dst-address=AA.AA.AA.AB/25 to-addresses=RR.RR.RR.RR/16
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add my-id=user-fqdn:admin@contact.com peer=OURPEER secret=password
/ip ipsec policy
add dst-address=RR.RR.RR.RR/16 peer=OURPEER proposal=IPSec_Crypto src-address=AA.AA.AA.AB/25 tunnel=yes
set 1 disabled=yes
/ip ipsec settings
set accounting=no
/ip route
add distance=1 dst-address=192.168.1.1/32 gateway=ether1 pref-src=0.0.0.0
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=OURPEER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

thanks

I'm still reading; meanwhile, the IP addresses and everything else related to interfaces that are bridge ports must be put on the bridge itself!!!
The admin-mac=ZZ.ZZ.ZZ.ZZ.ZZ of the bridge must be equal to the original MAC address of ether2.

Yes, my IP interfaces:


export
# aug/06/2021 12:05:22 by RouterOS 6.47.10
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=ZZ.ZZ.ZZ.ZZ.ZZ to-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EA wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EB wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
set [ find default=yes ] use-responder-dns=no
/ip ipsec profile
add dh-group=modp1024 dpd-interval=5s dpd-maximum-failures=100 enc-algorithm=aes-256,aes-128 lifetime=6h name=\
    IKE_Crypto
/ip ipsec peer
add address=80.14.XX.XX/32 exchange-mode=aggressive name=OURPEER passive=yes profile=IKE_Crypto
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc lifetime=1h name=IPSec_Crypto
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=10.10.10.10/25 interface=ether5 network=10.10.10.9
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=10.14.10.10/16 src-address=10.10.10.9/25
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add my-id=user-fqdn:admin@contact.com peer=OURPEER secret=password
/ip ipsec policy
add dst-address=10.14.10.10/16 peer=OURPEER proposal=IPSec_Crypto src-address=10.10.10.9/25 tunnel=yes
set 1 disabled=yes
/ip ipsec settings
set accounting=no
/ip route
add distance=1 dst-address=192.168.1.1/32 gateway=ether1 pref-src=0.0.0.0
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=OURPEER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

thanks

It is like you do not understand: set both IP addresses on the bridge, not on etherX
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=10.10.10.10/25 interface=ether5 network=10.10.10.9


If you have a dhcp-client on that interface, why set a fixed route?
[…]
2 ADC 192.168.1.0/24 192.168.1.25 ether1 0
3 A S 192.168.1.1/32 0.0.0.0 ether1 1
[…]

Remove this:
/ip route
add distance=1 dst-address=192.168.1.1/32 gateway=ether1 pref-src=0.0.0.0


The first rule makes the second one completely useless.
Remove the first rule:
/ip firewall nat

  1. add action=accept chain=srcnat dst-address=RR.RR.RR.RR/16 src-address=AA.AA.AA.AB/25
  2. add action=src-nat chain=srcnat dst-address=RR.RR.RR.RR/16 to-addresses=AA.AA.AA.AB/25

The fourth rule makes the fifth one completely useless.
Remove the fourth rule:
/ip firewall nat
4) add action=masquerade chain=srcnat
5) add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN

Remove this:
/ip route
add distance=1 dst-address=192.168.1.1/32 gateway=ether1 pref-src=0.0.0.0

==> I have deleted it

It is like you do not understand: set both IP addresses on the bridge, not on etherX
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=10.10.10.10/25 interface=ether5 network=10.10.10.9

Sorry, I hadn't understood; can you help me, please?

Really???

Copy &amp; paste this into the terminal:

/ip address
set [find where interface=ether2] interface=bridge
set [find where interface=ether5] interface=bridge

Thanks, but it still doesn't work :frowning:

Did you do the other things too?
Reread my previous post; I probably wrote something you didn't read, because I added it later.

My first goal is to make your setup clear of nonsense.

I think so. I have read it and corrected my errors; take a look at my new export:

 export
# aug/06/2021 13:09:35 by RouterOS 6.47.10
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=zz:zz:zz:zz:zz:zz auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EA wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EB wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
set [ find default=yes ] use-responder-dns=no
/ip ipsec profile
add dh-group=modp1024 dpd-interval=5s dpd-maximum-failures=100 enc-algorithm=aes-256,aes-128 lifetime=6h name=\
    IKE_Crypto
/ip ipsec peer
add address=80.14.XX.XX/32 exchange-mode=aggressive name=OURPEER passive=yes profile=IKE_Crypto
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc lifetime=1h name=IPSec_Crypto
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.10/25 interface=bridge network=10.10.10.9
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=masquerade chain=srcnat comment="\"defconf: masquerad\"ipsec-policy=out,none out-interface-list=WAN"
/ip ipsec identity
add my-id=user-fqdn:admin@contact.com peer=OURPEER secret=password
/ip ipsec policy
add dst-address=10.14.10.10/16 peer=OURPEER proposal=IPSec_Crypto src-address=10.10.10.9/25 tunnel=yes
set 1 disabled=yes
/ip ipsec settings
set accounting=no
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=OURPEER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

thanks

Small detail: remove b (leaving only 2ghz-g/n).
And something strange has happened in the NAT rules: masquerad"ipsec
The output chain is traffic GENERATED by the RouterBOARD itself, not by any device on any of the networks!

Paste this; it fixes everything I easily noticed. Do not omit the { } !!!

{
/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n
/ip firewall nat
remove [find]
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
}

After fixing it, try again; if it does not work, post the config again so we can look for any other problem.

Can't you ping ether1 192.168.1.25 from the 192.168.88.x/24 network, or from the remote 10.x.x.x/x?

Yesss yesss yesss, now I can ping, but my IPsec VPN is still down.

ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #      PEER             TUNNEL SRC-ADDRESS                                      DST-ADDRESS                                            PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0      OURPEER           yes   10.10.10.9/25                                      10.14.10.10/16                                          all        encrypt require          0
 1 T X*                         ::/0                                             ::/0                                                   all

Paste this, but do not move the rules to the top:

/ip firewall filter
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=output protocol=ipsec-esp

I have added it, and did not move it to the top, but it still doesn't come UP :confused: :frowning:

Export again.

Yes, my dear:

 export
# aug/06/2021 14:33:18 by RouterOS 6.47.10
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=zz:zz:zz:zz:zz:zz auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge \
    ssid=MikroTik-77D1EA wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-77D1EB wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
set [ find default=yes ] use-responder-dns=no
/ip ipsec profile
add dh-group=modp1024 dpd-interval=5s dpd-maximum-failures=100 enc-algorithm=aes-256,aes-128 lifetime=6h name=IKE_Crypto
/ip ipsec peer
add address=80.14.XX.XX/32 exchange-mode=aggressive name=OURPEER passive=yes profile=IKE_Crypto
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc lifetime=1h name=IPSec_Crypto
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.10/25 interface=bridge network=10.10.10.9
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=output protocol=ipsec-esp
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add my-id=user-fqdn:admin@contact.com peer=OURPEER secret=password
/ip ipsec policy
add dst-address=10.14.10.10/16 peer=OURPEER proposal=IPSec_Crypto src-address=10.10.10.9/25 tunnel=yes
set 1 disabled=yes
/ip ipsec settings
set accounting=no
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=OURPEER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

thanks

OK, the key is the NAT.

What output do you get from

/interface print

?

For addresses:

ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                                                                                          
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge                                                                                                                                                                                                             
 1   10.10.10.10/25     10.10.10.9      bridge                                                                                                                                                                                                             
 2 D 192.168.1.25/24    192.168.1.0     ether1

For interfaces:


interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1                              ether            1500  1598       9214 zz:zz:zz:zz:zz:E5
 1  RS ether2                              ether            1500  1598       9214 zz:zz:zz:zz:zz:E6
 2   S ether3                              ether            1500  1598       9214 zz:zz:zz:zz:zz:E7
 3   S ether4                              ether            1500  1598       9214 zz:zz:zz:zz:zz:E8
 4   S ether5                              ether            1500  1598       9214 zz:zz:zz:zz:zz:E9
 5   S wlan1                               wlan             1500  1600       2290 zz:zz:zz:zz:zz:EA
 6  RS wlan2                               wlan             1500  1600       2290 zz:zz:zz:zz:zz:EB
 7  R  ;;; defconf
       bridge                              bridge           1500  1598            zz:zz:zz:zz:zz:E6

OK, paste this; do not omit the { }

This restores the previous rules from the first export.
Try to disable/enable the first two rules one at a time in WinBox (do not disable the last one).
The third one was already disabled in the first export.

{
/ip firewall nat
remove [find]
add action=accept chain=srcnat dst-address=10.14.10.10/16 src-address=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
}