L2TP VPN subnet routing

Hi everyone

I have an office mikrotik routeros v7.15.3(Office B) where I have created a l2tp profiles for the remote users. I can successfully connect to the office network using l2tp credentials and access the subnet 192.168.150.x/24 defined in the office router.

We also have a SSTP client configured in this router connecting us with office A where we have 192.168.0.0/16 subnet. Users in office B can access everything in office A as we have a static route in place.

The problem is that when a user connects to the office B network via L2TP, the user is not able to access the office A subnet.

I have tried various firewall filter and nat rules but those didn’t help either. I would be grateful if any expert can look into it and guide me. The config is quite simple and small.

# 2024-09-11 08:35:32 by RouterOS 7.15.3

#
# model = RB3011UiAS

# Office B export: L2TP/IPsec remote-access server (pool 192.168.240.0/24),
# SSTP client towards Office A, and a local LAN 192.168.150.0/24 on bridge1.
# Review notes are marked "NOTE(review)"; anything not visible in this export
# (redacted secrets, defaults) is stated as an assumption to confirm.
/interface bridge
add name=bridge1 port-cost-mode=short
# NOTE(review): unused, disabled bridge; safe to remove.
add disabled=yes name=test
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.150.2-192.168.150.254
# NOTE(review): the VPN pool 192.168.240.0/24 sits inside the 192.168.0.0/16
# route configured further down, so return traffic from Office A only works if
# Office A has its own route for 192.168.240.0/24 back through the SSTP tunnel.
add name=VPN ranges=192.168.240.2-192.168.240.250
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
# Profile handed to L2TP users: router side 192.168.240.1, clients from pool VPN.
add local-address=192.168.240.1 name=xyz remote-address=VPN
/interface sstp-client
# connect-to is redacted in this paste; port 543 is non-standard and must match
# the Office A sstp-server / input rule.
add authentication=mschap2 connect-to=public-ip disabled=no name=\
    sstp-out-office-A port=543 profile=default-encryption proxy-port=\
    543 user=MT-Office-B
/interface bridge port
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
# NOTE(review): use-ipsec=yes but no ipsec-secret appears in this export --
# either it was redacted/hidden or no PSK is set; confirm a strong PSK exists.
# mschap2-only authentication is the right choice (no pap/chap fallback).
set accept-proto-version=l2tpv2 authentication=mschap2 enabled=yes use-ipsec=\
    yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.150.1/24 interface=bridge1 network=192.168.150.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.150.9 client-id=1:1c:c3:16:a:43:7e comment=NVR \
    mac-address=1C:C3:16:0A:43:7E server=dhcp1
/ip dhcp-server network
add address=192.168.150.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.150.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# NOTE(review): the Camera list is not referenced by any rule in this export.
add address=192.168.150.0/24 list=Camera
add address=192.168.0.0/16 list="Office A"
add address=192.168.240.0/24 list=VPN
/ip firewall filter
# NOTE(review): this first rule has no matchers, so it accepts ALL forwarded
# traffic and the three rules after it are never evaluated. There is also no
# input chain at all: nothing restricts connections to the router itself
# (e.g. winbox/ssh, which are not disabled under /ip service) from ether1.
# A minimal input policy (accept established/related, accept udp 500/4500/1701
# and ipsec-esp on WAN, accept from LAN, drop the rest from WAN) is advisable.
add action=accept chain=forward
add action=accept chain=forward dst-port=554 protocol=tcp
add action=accept chain=forward dst-port=554 protocol=udp
add action=accept chain=forward dst-address-list="Office A" src-address-list=\
    VPN
/ip firewall nat
# Only ether1 is masqueraded; traffic from VPN clients into the SSTP tunnel
# keeps its 192.168.240.x source, hence Office A needs a return route.
add action=masquerade chain=srcnat out-interface=ether1
# NOTE(review): these dst-nat rules match no in-interface or dst-address, so
# they apply to every packet the router sees on tcp/udp 80 and 554 -- including
# LAN/VPN clients connecting to any external host on those ports, which get
# redirected to the NVR -- and they expose the NVR's HTTP/RTSP to the Internet.
# Restrict them with in-interface-list=WAN (or dst-address-type=local).
add action=dst-nat chain=dstnat comment=NVR dst-port=80 protocol=tcp \
    to-addresses=192.168.150.9 to-ports=80
add action=dst-nat chain=dstnat dst-port=80 protocol=udp to-addresses=\
    192.168.150.9 to-ports=80
add action=dst-nat chain=dstnat dst-port=554 protocol=tcp to-addresses=\
    192.168.150.9 to-ports=554
add action=dst-nat chain=dstnat dst-port=554 protocol=udp to-addresses=\
    192.168.150.9 to-ports=554
/ip firewall service-port
# RTSP helper enabled to rewrite media ports for the NVR forwards above.
set rtsp disabled=no
/ip route
# NOTE(review): 192.168.0.0/16 via the SSTP peer also covers the local LAN and
# the VPN pool; the connected /24s win by prefix length, but every other
# 192.168.x.x destination is sent into the tunnel. Prefer per-subnet routes
# for Office A (e.g. 192.168.100.0/24) over this catch-all.
add disabled=no dst-address=192.168.0.0/16 gateway=192.168.254.1 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.20.0.0/16 gateway=192.168.254.1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=10.30.0.0/16 gateway=192.168.254.1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=10.40.0.0/16 gateway=192.168.254.1 routing-table=\
    main suppress-hw-offload=no
/ip service
# NOTE(review): ssh, winbox and www-ssl are not listed, so they stay at their
# defaults; with no input filter they are reachable from the WAN side.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes port=15236
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
# Password not shown -- presumably redacted or exported with hide-sensitive.
add name=xyz profile=xyz service=l2tp
/system clock
set time-zone-name=xyz
/system identity
set name=Office-B
/system logging
add topics=firewall
/system note
set show-at-login=no
/system package update
# NOTE(review): development channel on a production gateway; stable or
# long-term is the safer choice.
set channel=development
/user group
# Custom admin group: no policy/ssh/telnet/api rights, rest-api allowed.
add name=admin policy="local,ftp,reboot,read,write,test,winbox,password,web,sn\
    iff,sensitive,romon,rest-api,!telnet,!ssh,!policy,!api"

If the VPN clients are Windows, make sure that they have the “Use default gateway on remote network” option checked in the VPN settings. Otherwise they don’t know how to reach the Office A subnet (route missing).
Windows L2TP / SSTP VPN clients support routes pushed from the server, but unfortunately MikroTik doesn’t support this (I’m using a workaround with a Windows DHCP server).
Only Windows IKEv2 VPN clients can receive pushed routes from MikroTik.
The second problem is overlapping Office A and Office B subnets.

I am using it on windows and currently I am using L2TP/IPSEC VPN.

I have checked and confirmed that the "Use default gateway on remote network " is enabled but still I am not able to communicate with Office A.

Is this route-pushing limitation general to MikroTik devices, or only to certain RouterOS versions? Any idea?

Can you please guide me about your workaround for this problem ?

If the real source addresses of those who access Office A aren’t of importance, add a masquerade rule for all traffic leaving through the SSTP tunnel. Otherwise, you might want to look into policy-based routing and mangling.

It is of importance.

I tried a mangle rule as well in prerouting and created a separate routing table for the policy, but strangely it didn’t work either. I am definitely making some mistake in the config, but it is getting hard to identify since I have tried multiple things now. Any idea?

Wait a minute, have you added a route pointing to the L2TP subnet on Office A router?

Silly me. I have been scratching my head since last few days without thinking about this very basic thing. I am extremely grateful for your help. Now I can access office A subnets.

The last thing that surprises me is that I can’t access the 192.168.100.0/24 subnet in office A, whereas I can access all the other subnets in office A.

I can ping this subnet from my office B router, but when I connect to office B via L2TP I can’t ping or access it from my PC.

My static route is:

Dest add: 192.168.0.0/16 and gateway : 192.168.254.1 (SSTP)

Any idea.

I’d attribute that to address space overlapping – a very broad route that could apply both to the remote subnet and to the L2TP one. If you change one of them and add appropriate static routes, or use a more specific route (e.g. 192.168.100.0/24 instead of 192.168.0.0/16), it should start working as expected.

Just tried that, but it didn’t work. It seems very strange to me, even after removing the broad route.

Perhaps firewall blocking traffic? If Office A router is also MikroTik, consider exporting its config and posting it here

There are no firewall rules in the office B router that block traffic.
Although there are no rules blocking traffic for the subnet in question, below is the config of office A anyway.

Office A config

# sep/16/2024 09:06:52 by RouterOS 6.49.7
# # 
/interface bridge
add disabled=yes name=BR-VLAN50
add name=BR_LAN protocol-mode=none
add admin-mac=C2:2D:E0:31:xx:FB auto-mac=no name="xyz" protocol-mode=\
    none
add name=xyz
add name=bridge_VLAN1003
add name=bridge_VLAN2003 protocol-mode=none
add name=bridge_VLAN2010 protocol-mode=none
add name=bridge_VLAN4003 protocol-mode=none
add name=bridge_WAN protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on mac-address=\
    CC:2D:E0:31:xx:xx name=ETH1-WAN speed=100Mbps
set [ find default-name=ether10 ] mac-address=6C:3B:6B:F4:A0:E0 name=ETH10-AP \
    poe-out=forced-on speed=100Mbps
set [ find default-name=ether2 ] comment="abc" \
    mac-address=CC:2D:E0:31:38:FC name=ether2-abc speed=100Mbps
set [ find default-name=ether3 ] mac-address=CC:2D:E0:31:38:FD speed=100Mbps
set [ find default-name=ether4 ] comment=Switch mac-address=CC:2D:E0:31:38:FE \
    speed=100Mbps
set [ find default-name=ether5 ] mac-address=CC:2D:E0:31:38:FF speed=100Mbps
set [ find default-name=ether6 ] mac-address=CC:2D:E0:31:39:01 speed=100Mbps
set [ find default-name=ether7 ] mac-address=CC:2D:E0:31:39:02 speed=100Mbps
set [ find default-name=ether8 ] comment=ARM mac-address=CC:2D:E0:31:39:03 \
    speed=100Mbps
set [ find default-name=ether9 ] mac-address=CC:2D:E0:31:39:04 speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    6C:3B:6B:F4:A0:DB
/interface sstp-client
add connect-to=xyz:5543 name=sstp-out1 password=f,hfrflf,hf user=\
    ppp1 verify-server-address-from-certificate=no
/interface sstp-server
add comment="office B" disabled=yes name=sstp-Office B=\
    Office-B
/interface ovpn-client
add auth=md5 cipher=aes256 connect-to=xyz mac-address=\
    02:B5:97:11:xx:xx mode=ethernet name=ovpn-office-A password=\
    "[ttcjcs100500" port=36 user=tp_Office-A
/interface ovpn-server
add disabled=yes name=xyz user=xyz
add comment="office B" disabled=yes name=office-B user=\
    office-B
add name=office-A user=office-A
add disabled=yes name=office-B user=office-B
add disabled=yes name=Savvas-Home user=savvas_hm
/interface eoip
add mac-address=02:C6:18:0B:CC:4A mtu=1500 name=-Home \
    remote-address=192.168.254.8 tunnel-id=0
/interface vlan
add interface=ETH1-WAN name=Test_management vlan-id=2005
add interface=ETH1-WAN name=eth1.112 vlan-id=112
add disabled=yes interface=ether6 name=vlan0014_eth06 vlan-id=14
add interface=ether6 name=vlan0018_eth06 vlan-id=18
add interface=ether6 name=vlan0050_eth06 vlan-id=50
add disabled=yes interface=ETH1-WAN name=vlan50 vlan-id=50
add interface=ETH1-WAN name=vlan1003_eth01 vlan-id=1003
add interface=ether6 name=vlan1003_eth06 vlan-id=1003
add interface=ether8 name=vlan1003_eth08 vlan-id=1003
add interface=ETH1-WAN name=vlan1010_eth01 vlan-id=1010
add interface=ether3 name=vlan1503 vlan-id=1503
add interface=BR_LAN name=vlan2001_br vlan-id=2001
add interface=BR_LAN name=vlan2003_br vlan-id=2003
add interface=ETH1-WAN name=vlan2003_eth01 vlan-id=2003
add interface=ether6 name=vlan2003_eth06 vlan-id=2003
add interface=ether6 name=vlan2007_eth06 vlan-id=2007
add interface=ether6 name=vlan2008_eth06 vlan-id=2008
add interface=ETH1-WAN name=vlan2010_eth01 vlan-id=2010
add interface=ether6 name=vlan2010_eth06 vlan-id=2010
add interface=ether6 name=vlan2501_eth06 vlan-id=2501
add interface=BR_LAN name=vlan2502_br vlan-id=2502
add interface=ether3 name=vlan2503 vlan-id=2503
add interface=ether6 name=vlan2504_eth06 vlan-id=2504
add interface=ether4 name=vlan4003_eth04 vlan-id=4003
add interface=ETH1-WAN name=vlan4003_eth1 vlan-id=4003
add interface=ether6 name=vlan4003_eth6 vlan-id=4003
/interface list
add name=DiscoveryLAN
add name=UP-Link
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no name=Testing2005

/ip pool
add name=Pool_VLAN1_LAN ranges=192.168.110.10-192.168.110.253
add name=Pool_VLAN10_Guest ranges=192.168.10.2-192.168.10.254
add name=SIP_POOL ranges=192.168.145.2-192.168.145.20
add name=dhcp_pool5 ranges=192.168.252.2-192.168.252.254
add name=dhcp_pool6 ranges=192.168.251.2-192.168.251.254
add name=dhcp_test_pve_pool ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=Pool_VLAN1_LAN disabled=no interface=BR_LAN name=DHCP_LAN
add address-pool=dhcp_pool3 disabled=no interface=vlan1503 name=dhcp2
add address-pool=dhcp_pool5 disabled=no interface=vlan2001_br name=dhcp3
add address-pool=dhcp_pool6 interface=vlan2003_br name=dhcp4
/ppp profile
add change-tcp-mss=yes local-address=192.168.254.3 name=office-B \
    remote-address=192.168.254.4 use-encryption=yes
add change-tcp-mss=yes local-address=192.168.254.5 name=office-A \
    remote-address=192.168.254.6 use-encryption=yes
add change-tcp-mss=yes local-address=192.168.254.7 name=A_Sedov \
    remote-address=192.168.254.8 use-encryption=yes
add change-tcp-mss=yes local-address=192.168.254.1 name=office-B \
    remote-address=192.168.254.2 use-encryption=yes
add local-address=192.168.253.1 name="test - sip" remote-address=\
    192.168.253.2

set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge filter
add action=drop chain=forward disabled=yes in-bridge-list=all \
    out-bridge-list=all
/interface bridge port
add bridge=BR_LAN interface=ether3
add bridge=BR_LAN interface=ether4
add bridge=bridge_VLAN4003 interface=ether8
add bridge=bridge_VLAN1003 interface=vlan1003_eth01
add bridge=BR-VLAN50 disabled=yes interface=vlan50
add bridge=BR_LAN interface=ETH10-AP
add bridge=bridge_WAN interface=ovpn-office-A trusted=yes
add bridge=bridge_WAN interface=ETH1-WAN path-cost=1 trusted=yes
add bridge="DPI test" interface=vlan1010_eth01 trusted=yes
add bridge=BR_LAN comment="Local lan wire" interface=ether6 multicast-router=\
    disabled
add bridge=bridge_VLAN2010 disabled=yes interface=vlan2010_eth01 \
    multicast-router=disabled trusted=yes
add bridge=bridge_VLAN2010 disabled=yes interface=vlan2010_eth06 \
    multicast-router=disabled trusted=yes
add bridge=bridge_VLAN2003 disabled=yes interface=vlan2003_eth01
add bridge=bridge_VLAN2003 disabled=yes interface=vlan2003_br
add bridge=BR_LAN disabled=yes interface=vlan2504_eth06 multicast-router=\
    disabled
add bridge=BR_LAN disabled=yes interface=vlan2003_eth06 multicast-router=\
    disabled
add bridge=BR_LAN disabled=yes interface=vlan2501_eth06
add bridge=BR_LAN disabled=yes interface=vlan2008_eth06
add bridge=bridge_WAN interface=vlan1003_eth06
add bridge=BR_LAN disabled=yes interface=eoip-Lefteris-Home
add bridge=BR_LAN disabled=yes interface=vlan2007_eth06
add bridge=bridge_VLAN4003 interface=vlan4003_eth1
add bridge=bridge_VLAN4003 interface=vlan4003_eth04
add bridge=bridge_VLAN4003 interface=vlan4003_eth6
add bridge=bridge_VLAN1003 interface=vlan1003_eth08
add bridge=br-peer-techzone interface=ether2-TechZone-RT
/ip neighbor discovery-settings
set discover-interface-list=all

/ip address
add address=192.168.110.1/24 interface=BR_LAN network=192.168.110.0
add address=192.168.5.1/24 interface=BR_LAN network=192.168.5.0
add address=192.168.0.1/24 interface=BR_LAN network=192.168.0.0
add address=192.168.252.1/24 interface=vlan2001_br network=192.168.252.0
add address=192.168.251.1/24 interface=vlan2003_br network=192.168.251.0
add address=192.168.50.50/24 disabled=yes interface=vlan0050_eth06 network=\
    192.168.50.0
add address=192.168.100.1/24 interface=ether9 network=192.168.100.0
/ip dhcp-client
add add-default-route=no disabled=no interface=bridge_WAN
/ip dhcp-server lease
add address=192.168.110.244 client-id=1:ac:e2:d3:13:c3:a5 mac-address=\
    AC:E2:D3:13:C3:A5 server=DHCP_LAN
add address=192.168.110.112 mac-address=66:98:96:83:71:2C server=DHCP_LAN
add address=192.168.110.120 mac-address=44:D9:E7:93:37:26 server=DHCP_LAN
add address=192.168.110.100 mac-address=1E:BF:CF:E9:DC:B5 server=DHCP_LAN
add address=192.168.110.141 client-id=1:28:80:23:90:12:9b mac-address=\


/ip firewall address-list
add address=10.0.0.0/8 list=ABC
add address=172.16.0.0/12 list=ABC
add address=192.168.0.0/16 list=ABC
add address=192.168.110.0/24 list=ABC
add address=192.168.254.0/24 list=ABC
add address=192.168.222.0/24 list=ABC
/ip firewall filter
add action=accept chain=forward in-interface-list=UP-Link
add action=accept chain=forward dst-port=8295 protocol=tcp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward dst-address=xyz dst-port=3389 \
    in-interface-list=UP-Link port="" protocol=tcp
add action=accept chain=input comment=sstp dst-port=543 in-interface-list=\
    UP-Link protocol=tcp
add action=accept chain=forward comment=LAB disabled=yes dst-port=8295 \
    in-interface-list=UP-Link protocol=tcp
add action=accept chain=forward comment=LAB disabled=yes dst-port=8295 \
    in-interface-list=UP-Link protocol=udp
add action=accept chain=forward comment="chia ssh" disabled=yes dst-port=8222 \
    in-interface-list=UP-Link protocol=tcp
add action=accept chain=forward comment=syslog dst-port=514 \
    in-interface-list=UP-Link protocol=tcp
add action=accept chain=forward comment=SSH dst-port=22 in-interface-list=\
    UP-Link protocol=tcp
add action=accept chain=forward comment=syslog dst-address=192.168.110.21 \
    dst-port=514 in-interface-list=UP-Link protocol=udp
add action=accept chain=forward disabled=yes dst-port=80 in-interface-list=\
    UP-Link protocol=tcp
add action=accept chain=forward dst-port=443 in-interface-list=UP-Link \
    protocol=tcp
add action=accept chain=input comment=winbox dst-port=8291 in-interface-list=\
    UP-Link protocol=tcp src-address-list=trusted
add action=drop chain=input disabled=yes dst-address=192.168.110.0/24 \
    in-interface=vlan0014_eth06
add action=accept chain=input comment=oVPN disabled=yes dst-port=33678 \
    in-interface=bridge_WAN protocol=tcp
add action=accept chain=forward disabled=yes dst-port=33678 in-interface=\
    bridge_WAN protocol=tcp
add action=drop chain=input comment="Frrom Guest VLAN to other Networks" \
    disabled=yes dst-address-list=PRV_Networks in-interface=bridge_VLAN2003
add action=drop chain=forward disabled=yes dst-address-list=PRV_Networks \
    in-interface=bridge_VLAN2003
add action=accept chain=input comment="Default Rules" connection-state=\
    established,related in-interface-list=UP-Link
add action=accept chain=forward connection-state=established,related \
    in-interface-list=UP-Link
add action=accept chain=forward disabled=yes dst-address=192.168.110.21 \
    dst-port=3389 in-interface-list=UP-Link protocol=tcp src-address=0.0.0.0
add action=drop chain=input connection-state=invalid,new,untracked \
    in-interface-list=UP-Link src-address-list=!trusted
add action=drop chain=forward connection-state=invalid,new,untracked \
    in-interface-list=UP-Link
/ip firewall nat
add action=dst-nat chain=dstnat comment=LAB dst-port=80 in-interface-list=\
    UP-Link protocol=tcp to-addresses=192.168.111.2 to-ports=80
add action=dst-nat chain=dstnat comment=chia disabled=yes dst-port=8222 \
    in-interface-list=UP-Link protocol=tcp to-addresses=192.168.110.53 \
    to-ports=22
add action=dst-nat chain=dstnat comment=chia disabled=yes dst-port=8444 \
    in-interface-list=UP-Link protocol=tcp to-addresses=192.168.110.53 \
    to-ports=8444
add action=dst-nat chain=dstnat disabled=yes dst-port=22 in-interface=\
    bridge_WAN protocol=tcp to-addresses=192.168.110.20 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-port=8293 in-interface=\
    ETH1-WAN protocol=tcp to-addresses=192.168.110.87 to-ports=8291
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\
    ETH1-WAN protocol=tcp to-addresses=192.168.110.11 to-ports=80
add action=dst-nat chain=dstnat comment=LogSys dst-port=514 in-interface=\
    bridge_WAN protocol=tcp to-addresses=192.168.110.28 to-ports=514
add action=dst-nat chain=dstnat dst-port=514 in-interface=bridge_WAN \
    protocol=udp to-addresses=192.168.110.28 to-ports=514
add action=dst-nat chain=dstnat comment="IP PBX" dst-port=5060 in-interface=\
    bridge_WAN protocol=udp to-addresses=192.168.110.100 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-20000 in-interface=bridge_WAN \
    protocol=udp to-addresses=192.168.110.100 to-ports=10000-20000
add action=dst-nat chain=dstnat comment=rdp disabled=yes dst-port=3389 \
    in-interface-list=UP-Link protocol=tcp to-addresses=192.168.110.244 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="rdp win2012" disabled=yes dst-port=\
    3390 in-interface-list=UP-Link protocol=tcp to-addresses=192.168.110.77 \
    to-ports=3389
add action=dst-nat chain=dstnat comment=rdp disabled=yes dst-port=8089 \
    in-interface-list=UP-Link protocol=tcp to-addresses=192.168.0.100 \
    to-ports=8089
add action=dst-nat chain=dstnat comment=DPIUI disabled=yes dst-port=443 \
    in-interface=bridge_WAN protocol=tcp to-addresses=192.168.110.82 \
    to-ports=443
add action=dst-nat chain=dstnat comment=WS disabled=yes dst-port=80 \
    in-interface=bridge_WAN protocol=tcp to-addresses=192.168.110.60 \
    to-ports=80
add action=accept chain=srcnat comment=HQ-to-Paralimni disabled=yes \
    dst-address=192.168.150.0/24 out-interface=bridge_WAN src-address=\
    192.168.110.0/24
add action=masquerade chain=srcnat comment="Default NAT" out-interface-list=\
    UP-Link
add action=masquerade chain=srcnat comment="Office-B Network" disabled=yes \
    out-interface=sstp-Office-B src-address-list=oVPN-allowed-sources
add action=masquerade chain=srcnat comment="Office-B Network" disabled=yes \
    out-interface=*F001E2 src-address-list=oVPN-allowed-sources
# Office-A not ready
add action=masquerade chain=srcnat comment="Office-A" out-interface=\
    Office-A src-address-list=oVPN
/ip firewall service-port
set sip disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=xyz
add check-gateway=ping distance=2 gateway=xyz
add check-gateway=ping distance=3 gateway=172.16.102.1
add distance=1 dst-address=10.0.0.0/20 gateway=192.168.254.4
add distance=1 dst-address=10.20.0.0/16 gateway=xyz
add distance=1 dst-address=10.30.0.0/16 gateway=xyz
add distance=1 dst-address=10.40.0.0/16 gateway=xyz
add distance=1 dst-address=192.168.11.0/24 gateway=192.168.53.1
add distance=1 dst-address=192.168.53.0/30 gateway=192.168.254.22
add distance=2 dst-address=192.168.53.0/30 gateway=192.168.254.20
add distance=1 dst-address=192.168.54.0/24 gateway=192.168.254.18
add distance=1 dst-address=192.168.55.2/32 gateway=192.168.254.16
add disabled=yes distance=1 dst-address=192.168.90.0/24 gateway=192.168.254.6
add distance=1 dst-address=192.168.111.0/24 gateway=192.168.110.23
add distance=1 dst-address=192.168.150.0/24 gateway=192.168.254.2
add disabled=yes distance=1 dst-address=192.168.150.157/32 gateway=\
add distance=1 dst-address=192.168.240.0/24 gateway=192.168.254.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote