Hi all,
So I’ve got a strange one with an RB1100 router which I’ve added in a L2TP server interface to allow me remote access to tweak configuration. Network is still being deployed, so currently only WAN2 is active. WAN1 and WAN3 won’t be installed for another couple of weeks (hence some rules bypassing PCC).
If I VPN in from a windows machine, I get assigned an IP address from the StaffMGMT pool successfully, but no default gateway address (despite being configured within the VPN client to use the gateway on the VPN).
This is where it gets weird… so I can Winbox into the main RB1100 router, but discovery within Winbox (remotely over VPN) doesn’t work.
However, I can access the web interfaces on some MT switches (running SwOS) eg on IP addresses 10.10.0.11 without a problem, but can’t access any of the HAP AC Lite units around the site even if I enter a known IP. I thought perhaps some port issue here, so I tried accessing WebFig for those HAP units (eg. 10.10.0.101)… nope. Can’t even ping them. However they’re all on the same VLAN and same subnet.
All very odd. All switches are set to allow management from vLAN 10, so there’s something very odd here.
No issues at all if I’m connecting locally, so this problem only affects connection over VPN.
# apr/27/2024 12:26:37 by RouterOS 6.49.14
# software id = E75X-80RJ
#
# model = RB1100Dx4
# serial number = HEY09AX5MMT
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge-5
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3-Future
set [ find default-name=ether4 ] name=WAN4-Future
set [ find default-name=ether6 ] comment=TRNK-REC-18
set [ find default-name=ether7 ] comment=TRNK-REC-21
set [ find default-name=ether8 ] comment=TRNK-REC-34
set [ find default-name=ether9 ] comment=TRNK-SPARE
set [ find default-name=ether10 ] comment=TRNK-REC-SWITCH
set [ find default-name=ether11 ] name=ether11-StaffMGMT
set [ find default-name=ether12 ] name=ether12-StaffMGMT
set [ find default-name=ether13 ] name=ether13-Guest
/interface pppoe-client
add disabled=no interface=WAN2 name=WAN2GradwellSoGEA use-peer-dns=yes user=\
HIDDEN
/interface l2tp-server
add name=l2tp-in-VPN user=HIDDEN
/interface vlan
add interface=bridge1 name=vlan1_setup vlan-id=1
add interface=bridge1 name=vlan10_StaffMGMT vlan-id=10
add interface=bridge1 name=vlan20_Guest vlan-id=20
add interface=bridge1 name=vlan30_VOIP vlan-id=30
add interface=bridge1 name=vlan40_CCTV vlan-id=40
add comment=FutureWAN interface=WAN3-Future name=vlan90_WAN3 vlan-id=90
/caps-man datapath
add bridge=bridge1 name=datapath_StaffMGMT vlan-id=10 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Guest vlan-id=20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_StaffMGMT
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Guest
/caps-man configuration
add country="united kingdom" datapath=datapath_Guest \
datapath.client-to-client-forwarding=no datapath.vlan-id=20 \
datapath.vlan-mode=use-tag installation=indoor mode=ap name=cfg_GuestWifi \
security=security_Guest ssid=OldMill_GuestWiFi
add country="united kingdom" datapath=datapath_StaffMGMT datapath.bridge=\
bridge1 installation=indoor mode=ap name=cfg_StaffMGMT security=\
security_StaffMGMT ssid=OldMill_Staff
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_StaffMGMT ranges=10.10.100.1-10.10.199.254
add name=dhcp_Guest ranges=10.20.100.1-10.20.199.254
add name=dhcp_VOIP ranges=10.30.100.1-10.30.199.254
add name=dhcp_CCTV ranges=10.40.100.1-10.40.199.254
/ip dhcp-server
add address-pool=dhcp_StaffMGMT disabled=no interface=vlan10_StaffMGMT \
lease-time=4w2d name=dhcpStaffMGMT
add address-pool=dhcp_Guest disabled=no interface=vlan20_Guest lease-time=1d \
name=dhcpGuest
add address-pool=dhcp_VOIP disabled=no interface=vlan30_VOIP lease-time=\
4w2d10m name=dhcpVOIP
add address-pool=dhcp_VOIP disabled=no interface=vlan40_CCTV lease-time=\
4w2d10m name=dhcpCCTV
/ppp profile
set *0 interface-list=LAN
add bridge=bridge1 interface-list=LAN local-address=dhcp_StaffMGMT name=\
SquibbyVPN remote-address=dhcp_StaffMGMT
/queue type
add kind=pcq name=pcq-download-guest pcq-classifier=dst-address pcq-rate=10M
add kind=pcq name=pcq-upload-guest pcq-classifier=src-address pcq-rate=5M
/queue simple
add disabled=yes max-limit=900M/900M name=Global queue=\
ethernet-default/ethernet-default target=\
10.10.0.0/16,10.20.0.0/16,10.30.0.0/16,10.40.0.0/16
add limit-at=700M/500M max-limit=700M/500M name=Guest queue=\
pcq-upload-guest/pcq-download-guest target=10.20.0.0/16
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
add disabled=no interface=vlan10_StaffMGMT
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_StaffMGMT \
name-format=identity slave-configurations=cfg_GuestWifi
/dude
set enabled=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether6
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether7
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether8 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether9
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether10
add bridge=bridge1 ingress-filtering=yes interface=ether11-StaffMGMT pvid=10
add bridge=bridge1 ingress-filtering=yes interface=ether12-StaffMGMT pvid=10
add bridge=bridge1 ingress-filtering=yes interface=ether13-Guest pvid=20
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
untagged=ether11-StaffMGMT,ether12-StaffMGMT,ether13-Guest vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
vlan-ids=20,30,40
/interface l2tp-server server
set default-profile=SquibbyVPN enabled=yes use-ipsec=yes
/interface list member
add interface=WAN1 list=WAN
add interface=vlan10_StaffMGMT list=LAN
add interface=vlan20_Guest list=LAN
add interface=vlan30_VOIP list=LAN
add interface=vlan40_CCTV list=LAN
add interface=vlan10_StaffMGMT list=MGMT
add interface=OffBridge-5 list=MGMT
add interface=WAN2GradwellSoGEA list=WAN
add interface=vlan1_setup list=LAN
add interface=l2tp-in-VPN list=LAN
add interface=l2tp-in-VPN list=MGMT
/interface pppoe-server server
add disabled=no interface=<l2tp> service-name=service1
/ip address
add address=10.30.0.1/16 interface=vlan30_VOIP network=10.30.0.0
add address=10.40.0.1/16 interface=vlan40_CCTV network=10.40.0.0
add address=10.10.0.1/16 interface=vlan10_StaffMGMT network=10.10.0.0
add address=10.20.0.1/16 interface=vlan20_Guest network=10.20.0.0
add address=192.168.55.1/24 interface=OffBridge-5 network=192.168.55.0
/ip dhcp-client
add add-default-route=no disabled=no interface=WAN1
/ip dhcp-server lease
# EDIT: LOTS OF LEASES HERE - REMOVED FOR FORUM POST #
/ip dhcp-server network
add address=10.10.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.0.1
add address=10.20.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.0.1
add address=10.30.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.0.1
add address=10.40.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.40.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.100.1-10.20.199.254 list=Guest
add address=10.10.100.0/24 list=local
add address=10.20.100.0/24 list=local
add address=10.30.100.0/24 list=local
add address=10.40.100.0/24 list=local
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=WAN2GradwellSoGEA protocol=\
ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=\
WAN2GradwellSoGEA protocol=udp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment=\
"fasttrack - disabled to allow queue function" connection-state=\
established,related disabled=yes
add action=fasttrack-connection chain=forward comment="Fasttrack DNS" \
dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS" \
dst-port=53 protocol=udp
add action=accept chain=forward comment=related-establ-untracked \
connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="MGMT to all vlans" \
in-interface-list=MGMT out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-connection chain=forward comment=\
"Disabled as currently set for DUAL WAN not PCC Load Balancing" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=LAN new-connection-mark=viaWAN1 passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=forward comment=\
"Disabled as currently set for DUAL WAN not PCC Load Balancing" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=LAN new-connection-mark=viaWAN2 passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
"Disabled as currently set for DUAL WAN not PCC Load Balancing" \
connection-mark=viaWAN1 disabled=yes new-routing-mark=useWAN1 \
passthrough=no
add action=mark-routing chain=prerouting comment=\
"Disabled as currently set for DUAL WAN not PCC Load Balancing" \
connection-mark=viaWAN2 disabled=yes new-routing-mark=useWAN2 \
passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="Disabled as not currently load balancing" disabled=yes distance=1 gateway=\
192.168.2.1 routing-mark=useWAN1
add comment="Disabled as not currently load balancing" disabled=yes distance=1 gateway=\
WAN2GradwellSoGEA routing-mark=useWAN2
add check-gateway=ping distance=1 gateway=WAN1
add distance=2 gateway=WAN2GradwellSoGEA
/ppp secret
add name=squibby profile=SquibbyVPN
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB1100-Reception
/tool sniffer
set filter-interface=WAN1