Hi all,
I’ve used a number of tutorials on here and elsewhere to configure my hAP ac lite as a travel router. The 5G network is primarily for LAN clients, the 2G network is to connect to the hotel WiFi. In that configuration, everything seems to work OK.
The next layer is to VPN using IPsec to my home router and send all traffic over the VPN. I can establish the VPN connection, but traffic from the MikroTik LAN won’t reach the Internet when it is connected. Except sometimes - in the same hotel - it does work and I get connectivity. It’s almost like there is a routing table refresh or something and suddenly it works.
My configuration is posted below. Can anyone help please? I’m sure I’ve done something stupid!
# jun/12/2018 03:12:56 by RouterOS 6.42.3
# software id = JAY0-JX3K
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 8B0A08B1F7D7
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface l2tp-client
add add-default-route=yes allow=chap,mschap2 connect-to=<REDACTED> disabled=no ipsec-secret=<REDACTED> name=L2TP-out password=<REDACTED> use-ipsec=yes user=<REDACTED>
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no mode=ap-bridge name=wlan2-5G-LAN ssid="CEMT 5G" wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=<REDACTED>
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=wlan-WAN supplicant-identity="" wpa-pre-shared-key=tbctbctbc wpa2-pre-shared-key=tbctbctbc
add name=none supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors frequency=2462 mode=station-pseudobridge name=wlan1-2G-WAN security-profile=none ssid=HotelWiFi wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:85:E7:A9 master-interface=wlan1-2G-WAN multicast-buffering=disabled name=wlan3-2G-LAN ssid="CEMT 2G" wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan2-5G-LAN
add bridge=bridge1 interface=wlan3-2G-LAN
/ip neighbor discovery-settings
set discover-interface-list=none
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=wlan1-2G-WAN
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN log=yes log-prefix=!NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=masquerade chain=srcnat out-interface=wlan1-2G-WAN
add action=masquerade chain=srcnat out-interface=L2TP-out
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1-WAN type=external
add interface=wlan1-2G-WAN type=external
/system leds
set 2 interface=wlan3-2G-LAN
set 3 interface=wlan2-5G-LAN
set 4 interface=L2TP-out type=interface-status
add interface=wlan1-2G-WAN leds=user-led type=interface-status
/system routerboard settings
set silent-boot=no