I’m able to connect via Android (happens to be a Note 8 running Android 10) via the built-in VPN function with “IPSec IKEv2 RSA”. However…while I’m able to ping my router from the phone I can’t do anything else - can’t access LAN, can’t even see WebFig.
I do notice the IP assigned to the phone is /32, and my LAN is /24, even though I’ve set address-prefix-length to 24.
# may/31/2020 12:51:53 by RouterOS 6.46.6
# software id = E0AY-F3R4
#
# model = RBD52G-5HacD2HnD
# serial number = BEF00A069D10
/interface bridge
add admin-mac=74:4D:28:CE:BB:8D auto-mac=no name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn bridge-mode=disabled channel-width=20/40mhz-XX disabled=no \
frequency=auto installation=outdoor mode=ap-bridge multicast-buffering=disabled multicast-helper=\
disabled name=Wireless-2G on-fail-retry-time=300ms preamble-mode=long ssid=BigCedar wireless-protocol=\
802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac bridge-mode=disabled channel-width=20/40/80mhz-XXXX \
disabled=no frequency=auto installation=outdoor mode=ap-bridge multicast-buffering=disabled \
multicast-helper=disabled name=Wireless-5G on-fail-retry-time=300ms preamble-mode=long ssid=BigCedar-5G \
wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless channels
add band=2ghz-onlyn extension-channel=Ce frequency=2412 list=2Ghz-20 name=ch1 width=20
add band=2ghz-onlyn extension-channel=Ce frequency=2437 list=2Ghz-20 name=ch6 width=20
add band=2ghz-onlyn extension-channel=eC frequency=2462 list=2Ghz-20 name=ch11 width=20
add band=5ghz-n/ac extension-channel=Ceee frequency=5180 list=5Ghz-20 name=ch36 width=20
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" group-key-update=1h mode=dynamic-keys \
supplicant-identity=MikroTik
/ip dhcp-server option
add code=3 name=Router value="'192.168.5.1'"
add code=15 name="DomaIn Name" value="'bigcedar.miller'"
add code=12 name=Hostname
add code=119 name="Domain Search" value="'bigcedar.miller'"
add code=121 name=Routes value=0x00c0a80501
/ip dhcp-server option sets
add name="Basic Options" options="DomaIn Name,Domain Search,Routes"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec policy group
add name=IKEv2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=Android-IKEv2 \
proposal-check=strict
/ip ipsec peer
add exchange-mode=ike2 name=Note8 passive=yes profile=Android-IKEv2 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Android-IKEv2-Proposal pfs-group=none
/ip pool
add name=dhcp ranges=192.168.5.1-192.168.5.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp dhcp-option-set="Basic Options" disabled=no interface=bridge name=\
bigcedar.miller
/ip ipsec mode-config
add address-pool=dhcp name=RoadWarriors split-include=192.168.5.0/24
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,\
romon,dude,tikapp"
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=Wireless-2G
add bridge=bridge interface=Wireless-5G
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes tcp-syncookies=yes
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.5.1/24 comment="BigCedar Router" interface=bridge network=192.168.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=Internet disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.5.6 comment=BlackDragon mac-address=8C:89:A5:0E:6A:9D server=bigcedar.miller
add address=192.168.5.2 comment=Router-LivingRoom mac-address=40:16:7E:2D:F8:B0 server=bigcedar.miller
add address=192.168.5.3 comment=Router-FrontRoom mac-address=50:C7:BF:E3:5D:40 server=bigcedar.miller
add address=192.168.5.80 client-id=Jonah-PC mac-address=68:5D:43:21:E6:70
add address=192.168.5.81 client-id=Jonah-Phone mac-address=F8:95:C7:9F:80:4F
add address=192.168.5.82 client-id=Jonah-PS4-Ethernet mac-address=F8:46:1C:95:81:6B
add address=192.168.5.83 client-id=Jonah-PS4-WiFi mac-address=F8:DA:0C:E7:F2:A9
add address=192.168.5.84 client-id=Jonah-XBox mac-address=00:25:A3:B8:1E:9E
add address=192.168.5.88 client-id=Laura-Kindle mac-address=B4:7C:9C:0E:18:A0
add address=192.168.5.16 comment=Thermostat mac-address=00:40:9D:5C:B7:A1 server=bigcedar.miller
add address=192.168.5.58 comment=David-PC mac-address=9C:AD:97:89:AA:5D
add address=192.168.5.52 comment=Bedroom-SamsungTV mac-address=B8:BB:AF:37:61:6C server=bigcedar.miller \
use-src-mac=yes
add address=192.168.5.44 comment=Yvonne-Camera mac-address=10:A4:BE:EC:AF:7B server=bigcedar.miller \
use-src-mac=yes
add address=192.168.5.87 client-id=Laura-PC mac-address=74:C6:3B:B2:28:A8
add address=192.168.5.86 client-id=Laura-Echo mac-address=7C:56:97:65:C1:AF
add address=192.168.5.53 comment=Roku-LivingRoom mac-address=8C:49:62:11:F7:8C server=bigcedar.miller \
use-src-mac=yes
add address=192.168.5.45 comment=Laura-Camera mac-address=14:6B:9C:46:C1:97 server=bigcedar.miller \
use-src-mac=yes
add address=192.168.5.31 comment=AirCam-Driveway mac-address=00:27:22:60:8D:08 server=bigcedar.miller \
use-src-mac=yes
add address=192.168.5.15 comment=Brother-MFC-J835DW mac-address=00:80:92:96:B4:5F server=bigcedar.miller \
use-src-mac=yes
add address=192.168.5.7 comment=Note8 mac-address=B8:D7:AF:A1:A6:2D server=bigcedar.miller use-src-mac=yes
add address=192.168.5.23 comment="David's Echo Dot" mac-address=CC:F7:35:FA:EF:E5 server=bigcedar.miller \
use-src-mac=yes
add address=192.168.5.22 comment="David's Phone" mac-address=30:4B:07:B9:36:BE server=bigcedar.miller \
use-src-mac=yes
add address=192.168.5.46 comment="Roku-LivingRoom Wired" mac-address=8C:49:62:11:F7:8D server=\
bigcedar.miller
add address=192.168.5.8 comment="CloudHub - GLiNet Mango GL-MT300N-v2" mac-address=94:83:C4:02:9D:CC \
server=bigcedar.miller
/ip dhcp-server network
add address=192.168.5.0/24 comment=BigCedar dns-server=1.0.0.1,1.1.1.1,8.8.8.8 domain=bigcedar.miller \
gateway=192.168.5.1 ntp-server=216.229.0.49,104.131.139.195
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=209.222.18.222,209.222.18.218,1.0.0.1,1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.5.1 name=router.lan
/ip firewall address-list
add address=10.0.0.0/8 list=rfc-1918
add address=127.0.0.1 list=rfc-1918
add address=192.168.0.0/16 list=rfc-1918
add address=172.16.0.0/20 list=rfc-1918
add address=224.0.0.0/4 list=rfc-1918
add address=240.0.0.0/4 list=rfc-1918
add address=192.168.5.0/24 list=internal-nets
/ip firewall filter
add action=accept chain=input in-interface=bridge
add action=accept chain=input dst-port=500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="start of greg rules up to 5 pings in 5 seconds" limit=5,5 protocol=\
icmp
add action=add-src-to-address-list address-list=icmp-attack address-list-timeout=12h chain=input comment=\
"add all other icmp input into icmp-attack address list." protocol=icmp
add action=drop chain=input comment="drop excessive icmp traffic for 12 hours" protocol=icmp \
src-address-list=icmp-attack
add action=drop chain=input comment="block rfc 1918 and multicast inbound" in-interface=ether1 \
src-address-list=rfc-1918
add action=drop chain=input comment="block our addressing inbound - spoofed" in-interface=ether1 \
src-address-list=public-add
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment=\
"add port scannes to port-scan list" in-interface=ether1 protocol=tcp psd=21,3s,3,1 src-address-list=\
!internal-nets
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment=\
"NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment=\
"SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment=\
"SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment=\
"FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment=\
"ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port-scan address-list-timeout=2w chain=input comment=\
"NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=tarpit chain=input comment="tarpit port-scan address list to router" protocol=tcp \
src-address-list=port-scan
add action=drop chain=input comment="drop port-scan address list to our router" src-address-list=port-scan
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward in-interface=bridge out-interface=ether1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="block rfc 1918 and multicast inbound" in-interface=ether1 \
src-address-list=rfc-1918
add action=drop chain=forward comment="block our addressing inbound - spoofed" in-interface=ether1 \
src-address-list=public-add
add action=drop chain=forward comment="drop port-scan address list to our infrastructure" src-address-list=\
port-scan
add action=drop chain=forward comment="drop windows ports" port=135-139 protocol=tcp
add action=drop chain=forward comment="drop smtp traffic marked as spam" dst-port=25 protocol=tcp \
src-address-list=spam-block
add action=add-src-to-address-list address-list=spam-block address-list-timeout=2h chain=forward comment=\
"more than 5 smtp connections out as spam. add to address list" connection-limit=30,32 dst-port=25 \
limit=50,5 protocol=tcp src-address-list=rfc-1918
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.5.9 src-address=192.168.5.0/24
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=192.168.5.9
add action=masquerade chain=srcnat ipsec-policy=out,ipsec out-interface=ether1
add action=masquerade chain=srcnat comment=Internet ipsec-policy=out,none out-interface=ether1
/ip ipsec identity
add auth-method=digital-signature certificate=BigCedar.VPN generate-policy=port-strict match-by=certificate \
mode-config=RoadWarriors notrack-chain=prerouting peer=Note8 policy-template-group=IKEv2 \
remote-certificate=vpn.Note8
/ip ipsec policy
add dst-address=192.168.5.0/24 group=IKEv2 proposal=Android-IKEv2-Proposal src-address=0.0.0.0/0 template=\
yes
set 1 disabled=yes
add dst-address=0.0.0.0/0 group=IKEv2 proposal=Android-IKEv2-Proposal src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set accounting=no
/ip route
add distance=1 gateway=pptp-pia-us routing-mark="PIA US"
add distance=1 gateway=pptp-pia-au routing-mark="PIA AU"
add distance=1 gateway=pptp-pia-ca routing-mark="PIA CA"
add distance=1 gateway=pptp-pia-uk routing-mark="PIA UK"
add distance=1 gateway=pptp-pia-ja routing-mark="PIA JA"
add distance=1 gateway=pptp-pia-nz routing-mark="PIA NZ"
add distance=1 dst-address=192.168.100.1/32 gateway=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.5.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.5.0/24
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=BigCedar
/system logging
add topics=wireless,debug
add topics=ipsec,!debug
/system note
set note="PIA VPN is available - but Netflix seems to block region-specific content to PIA VPN.\r\
\n\r\
\nEnable interface, srcnat, mangle, and route."
/system ntp client
set enabled=yes server-dns-names=1.us.pool.ntp.org,2.us.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add host=192.168.100.1