Mikrotik to mikrotik Wireguard and diversion of AU and CZ data, DNS issues

Hello all,


I have struggled for so long so I have decided to create my own post, because I can’t figure it out.

current situation:
I have AppleTV, connected to the mikrotik, the Apple TV uses the mikrotik as DNS and GW.

I have 2 mikrotiks one with public ip “server” and second one hidden behind isp router “client”.
I run a PPTP VPN there and successfully managed to get my “client” to divert requests for Czech content through the VPN (mangle, prerouting, routing mark).
also I have static DNS to avoid DNS leaks
so I can have Czech free tv apps for kids working here in Australia.

After upgrading to ROS7, PPTP shows as an insecure protocol etc., so I did some research and found out that WireGuard is the best and fastest for streaming compared to IPsec, L2TP etc.

so i have decided to go this way, create new tunnel and move everything from pptp to WG.
I also have a bridge created there so that everything on port 3 goes to the PPTP, but don’t worry about that for the moment (I would like to keep the PPTP disabled, but functional). There is also a script in the scheduler to fill the address-list - it works like a charm.


so now:
“server” public IP, port 13231 open, peer created. UPDATED: now I have a handshake (before the update it just didn’t handshake). Configured as road-warrior from this post:
https://help.mikrotik.com/docs/display/ROS/WireGuard



wanted result:
I would kindly ask for help to have an active and working WG VPN, with all packets marked CZ_VPN going through it, and also all the static DNS requests defined below.

I read a lot of mducharme’s and anav’s posts but none of them really helped me to succeed.

I am attaching the client (road-warrior) config.


# 2023-10-15 10:57:01 by RouterOS 7.11.2
# software id = xxxx--xxxx
#
# model = RB750Gr3
# serial number = xxxxxxxx
# NOTE(review): this export contains no /ip firewall filter section, so nothing
# on this router restricts the input or forward chains. It relies on the ISP
# router's NAT in front of it (the post says this "client" sits behind one),
# and anything arriving over the WireGuard tunnel is unfiltered as well.
/interface pptp-client
# PPTP (MS-CHAPv2/MPPE) is considered broken; acceptable only for traffic that
# would cross the public internet anyway. This client is NOT disabled here even
# though the post says PPTP is kept disabled - only its route and NAT rule
# further down are disabled, so the PPTP session itself still comes up.
add connect-to=81.xx.xxx.xxx max-mtu=1400 name=VPN_CZ user=xyz
/interface bridge
add name=bridge1
add name=bridge2
/interface wireguard
# Local WG interface; 13231 is also the endpoint-port used for the far end below.
add listen-port=13231 mtu=1420 name=wireguard-client
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
# Disabled IKEv2 peer from an earlier attempt. The default profile/proposal
# below (dh-group=modp1024, sha1 accepted, pfs-group=none) are weak by current
# standards, and they also apply to the L2TP/IPsec client further down, which
# is enabled. If IPsec stays in use, prefer modp2048 or stronger and sha256 only.
add address=81.xx.xxx.xxx/32 disabled=yes exchange-mode=ike2 name=hub port=500
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge2 lease-time=10m name=dhcp1
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes name=IPsecVPN use-encryption=yes
/interface l2tp-client
# Third tunnel to the same endpoint, also not disabled; three concurrent
# sessions (PPTP, L2TP/IPsec, WG) make the routing harder to reason about.
add comment="new l2tp 12.10.23" connect-to=81.xx.xxx.xxx name=VPN_CZ_L2TP \
    profile=IPsecVPN use-ipsec=yes user=xxx
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
# CZ_VPN is the table the mangle rules mark into; CT is a disabled leftover.
add fib name=CZ_VPN
add disabled=yes fib name=CT
/interface bridge nat
add action=accept chain=srcnat out-bridge=bridge2
/interface bridge port
# bridge1 (ether1,2,4,5) takes its address from the ISP router via the DHCP
# client below and carries the main default route, so it is the upstream side;
# bridge2 (ether3) is the 192.168.2.0/24 LAN. "interface=WAN" names the
# interface list defined above rather than a port - confirm what it is for.
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge2 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge2 ingress-filtering=no interface=WAN
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
# ether1-5 are all listed as LAN although ether1,2,4,5 form the upstream
# bridge1; no filter rule in this export references the lists, so this has no
# effect yet, but it will mislead any rule added later.
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=VPN_CZ list=WAN
add interface=VPN_CZ_L2TP list=WAN
add interface=wireguard-client list=WAN
/interface ovpn-server server
# No enabled=yes is exported, so the OVPN server is presumably off; if it is
# ever turned on, drop md5 (and sha1) from the accepted auth list first.
set auth=sha1,md5
/interface wireguard peers
# allowed-address=0.0.0.0/0 is needed to use the tunnel as the default route of
# the CZ_VPN table, but cryptokey routing then also accepts packets from the far
# end with ANY source address. Without filter rules, the CZ side (and whoever
# controls it) can reach this router and its LAN through the tunnel.
add allowed-address=0.0.0.0/0 endpoint-address=81.xx.xxx.xxx endpoint-port=\
    13231 interface=wireguard-client public-key=\
    "servers public xxxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip address
add address=192.168.2.1/24 interface=bridge2 network=192.168.2.0
# "*A" is an unresolved interface reference (the interface no longer exists);
# stale, disabled entry that can be removed.
add address=192.168.110.33 disabled=yes interface=*A network=192.168.110.33
# Tunnel address; the far end is expected at 192.168.100.1 (the DNS FWD targets
# and the CZ_VPN route below point there).
add address=192.168.100.2/24 interface=wireguard-client network=192.168.100.0
/ip dhcp-client
add interface=bridge1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.2.253 client-id=1:f0:b3:ec:16:76:4e mac-address=\
    F0:B3:EC:16:76:4E server=dhcp1
add address=192.168.2.254 client-id=1:a8:51:ab:91:43:3d mac-address=\
    A8:51:AB:91:43:3D server=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 \
    netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who can reach
# it: the LAN, the WG peer and - only the ISP NAT prevents it - the internet.
# Upstream resolution goes to Google over plain UDP/53, so names that are not
# forwarded are still resolved from the AU side; RouterOS 7 supports DoH
# (use-doh-server) if that matters for the "DNS leak" concern.
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.4.4,8.8.8.8
/ip dns static
# FWD entries: the router itself re-sends matching queries to 192.168.100.1
# across the tunnel, presumably with source 192.168.100.2 (connected subnet),
# so the CZ side must include 192.168.100.2 in its peer allowed-address, accept
# UDP/TCP 53 from it in its input chain and have allow-remote-requests=yes.
# ".*\.o2tv\.cz$" matches subdomains only, not the bare apex name o2tv.cz.
# The 192.168.103.1 entries are the disabled PPTP-era copies.
add disabled=yes forward-to=192.168.103.1 regexp=".*\\.o2tv\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.o2tv\\.cz\$" type=FWD
add disabled=yes forward-to=192.168.103.1 regexp=".*\\.iol\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.iol\\.cz\$" type=FWD
add disabled=yes forward-to=192.168.103.1 regexp=".*\\.ceskatelevize\\.cz\$" \
    type=FWD
add forward-to=192.168.100.1 regexp=".*\\.ceskatelevize\\.cz\$" type=FWD
add disabled=yes forward-to=192.168.103.1 regexp=".*\\.czech-tv\\.cz\$" type=\
    FWD
add forward-to=192.168.100.1 regexp=".*\\.czech-tv\\.cz\$" type=FWD
/ip firewall mangle
# First rule has no dst-address-list: ALL forwarded traffic from 192.168.2.254
# leaves via CZ_VPN, not just the Czech services.
add action=mark-routing chain=prerouting new-routing-mark=CZ_VPN passthrough=\
    yes src-address=192.168.2.254
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=main \
    passthrough=yes src-address=192.168.4.173
# 192.168.4.36 is not in the 192.168.2.0/24 LAN of this router; the main default
# route uses gateway 192.168.4.1, so this host appears to sit on the upstream
# (ISP router) network. These rules only match if it sends its traffic via this
# router (the post says the Apple TV uses this router as GW) - confirm.
add action=mark-routing chain=prerouting comment="Sortie Voyo" \
    dst-address-list=voyo new-routing-mark=CZ_VPN passthrough=yes \
    src-address=192.168.4.36
add action=mark-routing chain=prerouting comment=ct dst-address-list=ct \
    new-routing-mark=CZ_VPN passthrough=yes src-address=192.168.4.36
/ip firewall nat
# One masquerade rule per tunnel interface; only the WG one is active.
add action=masquerade chain=srcnat disabled=yes out-interface=VPN_CZ
add action=masquerade chain=srcnat out-interface=wireguard-client
add action=masquerade chain=srcnat comment=L2TP disabled=yes out-interface=\
    VPN_CZ_L2TP
add action=accept chain=srcnat disabled=yes dst-address=192.168.110.32/27 \
    src-address=192.168.110.0/27
/ip ipsec identity
# Belongs to the disabled "hub" peer above.
add my-id=fqdn:peer1.vpn.network peer=hub remote-id=fqdn:hub.vpn.network
/ip ipsec policy
add disabled=yes dst-address=192.168.110.0/27 peer=hub src-address=\
    192.168.110.32/27 tunnel=yes
add disabled=yes dst-address=81.xx.xxx.xxx/32 peer=hub src-address=\
    192.168.4.36/32 tunnel=yes
/ip route
# CZ_VPN table: default via the far tunnel address (reachable over the
# connected 192.168.100.0/24). main table: default via the ISP router, which
# the UPDATE says had been missing. PPTP/L2TP/CT routes are disabled leftovers.
add comment="PPTP routa pro voyo a CT" disabled=yes distance=1 dst-address=\
    0.0.0.0/0 gateway=VPN_CZ pref-src="" routing-table=CZ_VPN scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.103.1 routing-table=CT
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=VPN_CZ_L2TP \
    pref-src="" routing-table=CZ_VPN scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="WG routa pro voyo a CT" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=192.168.100.1 pref-src="" routing-table=CZ_VPN scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-table=main \
    suppress-hw-offload=no
/ip smb
# NOTE(review): an SMB file server with a read/write user is unrelated to the
# VPN task and is extra attack surface on the router; ether1 is a port of the
# upstream-facing bridge1. Disable unless it is really used.
set enabled=yes interfaces=ether1
/ip smb shares
add directory=share1 name=share1
/ip smb users
add name=honza read-only=no
/routing bfd configuration
# BFD on interfaces=all includes the upstream side; harmless without BFD
# peers, but unnecessary.
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Prague
/system logging
# WG events are logged with prefix "WG"; useful while chasing the handshake.
add prefix=WG topics=wireguard
/system note
set show-at-login=no
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes
/system scheduler
# The two schedulers below carry inline copies of one script (they differ only
# in list name and server list) and both redefine the global $ajouteIP every
# 10s; the /system script "voyo" further down is a third, diverged copy
# (timeout 02:00:00 there vs 05:00:00 here). One named script run from the
# scheduler would avoid the drift. "name~$i" is an unanchored substring match
# over the whole DNS cache, so short tokens ("cra", "sdn", "stream", "iol")
# also catch unrelated hostnames and send their traffic down the tunnel.
# The policy list (ftp, reboot, password, sniff, sensitive, policy, ...) is far
# broader than these scripts need; presumably read,write (plus test for
# :resolve) is enough - confirm.
add interval=10s name=ct on-event=":global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"ct\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"ct\" address=\$nouvelleIP timeo\
    ut=05:00:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers { \"ivysilani\";\"ceskatelevize\";\"seznam\";\"stream\"\
    ;\"o2tv\";\"czech-tv\";\"iol\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=10s name=voyo on-event=":global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"voyo\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"voyo\" address=\$nouvelleIP tim\
    eout=05:00:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers { \"voyo\";\"cra\";\"nova\";\"sledovanitv\";\"imedia\";\
    \"sdn\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
# NOTE(review): the q= value appears to be the ClouDNS dynamic-DNS update token
# and it is unredacted here (the /system script copy below is redacted):
# anyone holding it can update the DNS record, so rotate it. /tool fetch does
# not verify the server certificate unless check-certificate=yes is set (with a
# CA installed), so the token could also be captured by an on-path host.
add interval=45m name=cloudns on-event="/tool fetch url=\"https://ipv4.cloudns\
    .net/api/dynamicURL/\?q=NTE5MjU5NDozNDI5MTQxODY6MWMzMGFiYTZiMjI3ZWIwOTllNj\
    dkOTRjMTM5ZmVkMjlhYjk4NjAwYzQ5MWRiZTRjNzk0YTA3MjIzZDdiMWQ3Mg\" mode=https" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
# Older copy of the "voyo" address-list script (2h timeout, shorter server
# list); nothing in this export runs it - the schedulers use inline copies.
add dont-require-permissions=no name=voyo owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"voyo\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"voyo\" address=\$nouvelleIP tim\
    eout=02:00:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers { \"voyo\";\"cra\";\"nova\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}"
add dont-require-permissions=no name=cloudns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch url=\"https://ipv4.cloudns.net/api/dynamicURL/\?q=xxxxxxxxNTE5MjU5NDozN\
    DI5Mg\" mode=https"
/tool sniffer
# Packet sniffer configured to write ether4 traffic to a file ("mac"); the
# export does not show whether it is running - confirm it is not left capturing.
set file-limit=20000KiB file-name=mac filter-interface=ether4 memory-limit=\
    2000KiB

Thank you very much; I wish I could crack it by myself, as I did with the packet marking, sending through the PPTP VPN only what was needed. But this has cost me 3 days and 3 all-nighters with still no results…

UPDATE: I managed to get a handshake and ping through the tunnel, and it looks like some of the data goes through it as well; the default internet GW was missing, now added to the config above.

Now I need to send the static DNS through it, and the question is: can I make it faster? PPTP looks much faster than WireGuard at this stage. I guess there might be a user error somewhere in the filtering or in what data goes through.

thank you very much to everyone for help…

You got a lot going on. Maybe a diagram and the far-end config help?

Just to understand, you have a Mikrotik in AU, and another in CZ? Or, is the VPN a third-party & you have two routers in AU?

While WG is likely a better approach, PPTP isn’t so bad in your case since it’s presumably already public internet traffic. It’s when PPTP is used to transport LAN traffic that the security is a problem. But if the tunnel contains traffic destined for public CZ websites, PPTP’s insecurity isn’t a problem.

Now, I’m sure it’s possible to get your packet marking approach to work, but using connection marking with routing tables might simplify what you’re trying to do if you want to replace PPTP. One thing in v7 that may simplify things is that /ip/dns/static now has an “address-list=” property - this will add any lookups to a firewall address list – so it may be possible to link the CZ-bound DNS results to mark connections based on that dst-address-list, and then route out WG via a /routing/table.

Why I mentioned that PPTP may not be the end of the world… WG encryption isn’t offloaded so it uses the CPU… BUT if router is older, CPU may limit WG speeds.

Similar on packet marking… I suspect that’s more intensive than using a connection tracking to mark traffic to CZ.

Hi,

yes I have one mikrotik in AU and second in the CZ.

meanwhile, I managed to get the traffic going. I accidentally deleted default GW for the internet :laughing: and also was able to compare the tunnel capabilities (I have 50Mbps connection)

PPTP:
PastedGraphic-3.png
wireguard:
PastedGraphic-4.png
I successfully mark the data with the same mangle rules I used with PPTP.

One service, which is immune to DNS leaks, works perfectly.

the other one which is sensitive to DNS doesn’t work at all.


so I am using this static DNS forward (worked on PPTP)

# Static FWD rules: the router re-sends queries matching these regexps to
# 192.168.100.1 (the far end of the WG tunnel) instead of the configured
# upstream servers. The far end must accept DNS from this router's tunnel
# address for this to work. ".*\.o2tv\.cz$" matches subdomains only, not the
# bare apex name o2tv.cz.
add forward-to=192.168.100.1 regexp=".*\\.o2tv\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.iol\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.ceskatelevize\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.czech-tv\\.cz\$" type=FWD

This code fills the address list; I am using the address list for marking. It works for one service, as I mentioned.

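# Collects the IP addresses of cached DNS answers whose name contains one of the
# $myServers substrings and puts them on the "voyo" address list (5h timeout);
# the mangle rules then send traffic to those addresses via CZ_VPN.
# Parameter: nouvelleIP - address to add. Adds only if the address is not yet on
# the list (presumably to avoid the duplicate-entry error on add).
:global ajouteIP do={
  :if ([:len [/ip firewall address-list find address="$nouvelleIP" and list="voyo"]] = 0) do={
    /ip firewall address-list add list="voyo" address=$nouvelleIP timeout=05:00:00
  }
}

# NOTE(review): name~$i is an unanchored substring match over the whole DNS
# cache, so short tokens such as "tel", "cra", "sdn" or "stream" also catch
# unrelated hostnames that merely contain them, and their addresses are then
# routed through the tunnel too. Anchored patterns (like the "\\.o2tv\\.cz\$"
# form already used by the static FWD entries) would narrow that.
:local myServers {"voyo";"cra";"nova";"sledovanitv";"imedia";"sdn";"ivysilani";"ceskatelevize";"seznam";"stream";"o2tv";"czech-tv";"iol";"tel"}
/ip dns cache all {
  :foreach i in=$myServers do={
    :foreach j in=[find where (name~$i)] do={
      :local myType [get $j type]
      :local myData [get $j data]
      :if ($myType = "A") do={
        $ajouteIP nouvelleIP=$myData
      }
      :if ($myType = "CNAME") do={
        # A failed :resolve raises an error that aborts the whole run, so one
        # unresolvable CNAME target would stop the list from being refreshed;
        # contain it so the remaining cache entries are still processed.
        :do {
          :local ipResolue [:resolve "$myData"]
          $ajouteIP nouvelleIP=$ipResolue
        } on-error={}
      }
    }
  }
}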

I think the problem I am having now is the DNS fwd…

I managed to get routing working,

unfortunately, DNS forward doesn’t work at all.

can someone point me out where the issue can sit?

I am managing to fill the address list dynamically, which helps to filter so that only traffic from the Apple TV for the Czech apps goes to WG.
But I am afraid DNS is resolved via the main table, and as a result I am experiencing a DNS leak, so I am trying to use DNS forwarding.

I still have the PPTP peer 192.168.103.1 as DNS and it works. If I turn PPTP off and WG on, the target is the remote 192.168.100.1 and the DNS forward doesn’t work at all.

thank you for help

# 2023-10-16 13:41:05 by RouterOS 7.11.2
# software id = xxxxx
#
# model = RB750Gr3
# serial number = 
# NOTE(review): like the first export, this one has no /ip firewall filter
# section: nothing on this router restricts the input or forward chains; it
# relies on the ISP router's NAT in front of it, and anything arriving over the
# WireGuard tunnel is unfiltered as well.
/interface pptp-client
# PPTP (MS-CHAPv2/MPPE) is considered broken. This client is still not disabled
# here although the post says PPTP is kept disabled; only its route and NAT rule
# further down are disabled, so the PPTP session itself still comes up.
add connect-to=81.x.x.x max-mtu=1400 name=VPN_CZ user=xxx
/interface bridge
add name=bridge1
add name=bridge2
/interface wireguard
# Local WG interface; 13231 is also the endpoint-port used for the far end below.
add listen-port=13231 mtu=1420 name=wireguard-client
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# The IPsec peer and L2TP client from the first export are gone, but the default
# profile/proposal still carry the weak settings (dh-group=modp1024, sha1
# accepted, pfs-group=none); revert them to modp2048+/sha256 before IPsec is
# ever used again.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge2 lease-time=10m name=dhcp1
/port
set 0 name=serial0
/routing table
# CZ_VPN is the table the mangle rules mark into; the old CT table was removed
# (a disabled route below still references it as *401).
add fib name=CZ_VPN
/interface bridge nat
add action=accept chain=srcnat out-bridge=bridge2
/interface bridge port
# bridge1 (ether1,2,4,5) takes its address from the ISP router via the DHCP
# client below and carries the main default route, so it is the upstream side;
# bridge2 (ether3) is the 192.168.2.0/24 LAN. "interface=WAN" names the
# interface list defined above rather than a port - confirm what it is for.
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge2 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge2 ingress-filtering=no interface=WAN
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
# "*B" is an unresolved interface reference (presumably the removed L2TP
# client). wireguard-client moved from WAN (first export) to LAN: no filter
# rule references the lists yet, but once LAN-trusting rules are added, the far
# end of a peer with allowed-address=0.0.0.0/0 would be trusted like the LAN.
# A dedicated list for the tunnel avoids that.
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=VPN_CZ list=WAN
add interface=*B list=WAN
add interface=wireguard-client list=LAN
/interface ovpn-server server
# No enabled=yes is exported, so the OVPN server is presumably off; if it is
# ever turned on, drop md5 (and sha1) from the accepted auth list first.
set auth=sha1,md5
/interface wireguard peers
# allowed-address=0.0.0.0/0 is needed to use the tunnel as the default route of
# the CZ_VPN table, but cryptokey routing then also accepts packets from the far
# end with ANY source address; without filter rules the CZ side can reach this
# router and its LAN through the tunnel. persistent-keepalive keeps the ISP
# router's NAT mapping alive for the inbound direction.
add allowed-address=0.0.0.0/0 endpoint-address=81.x.x.xxx endpoint-port=\
    13231 interface=wireguard-client persistent-keepalive=40s public-key=\
    "DLplvLZZ3s="
/ip address
add address=192.168.2.1/24 interface=bridge2 network=192.168.2.0
# Tunnel address; the far end is expected at 192.168.100.1 (the DNS FWD targets
# and the CZ_VPN route below point there).
add address=192.168.100.2/24 interface=wireguard-client network=192.168.100.0
/ip dhcp-client
add interface=bridge1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.2.253 client-id=1:f0:b3:ec:16:76:4e mac-address=\
    F0:B3:EC:16:76:4E server=dhcp1
add address=192.168.2.254 client-id=1:a8:51:ab:91:43:3d mac-address=\
    A8:51:AB:91:43:3D server=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 \
    netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who can reach
# it: the LAN, the WG peer and - only the ISP NAT prevents it - the internet.
# Names that are not forwarded below go to Google over plain UDP/53 from the AU
# side; RouterOS 7 supports DoH (use-doh-server) if that matters for the
# "DNS leak" concern.
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.4.4,8.8.8.8
/ip dns static
# FWD entries: the router itself re-sends matching queries to 192.168.100.1
# across the tunnel, presumably with source 192.168.100.2 (connected subnet),
# so the CZ side must include 192.168.100.2 in its peer allowed-address, accept
# UDP/TCP 53 from it in its input chain and have allow-remote-requests=yes
# (the last reply in the thread points at that input rule). ".*\.o2tv\.cz$"
# matches subdomains only, not the bare apex name. The 192.168.103.1 entries
# are the disabled PPTP-era copies.
add disabled=yes forward-to=192.168.103.1 regexp=".*\\.o2tv\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.o2tv\\.cz\$" type=FWD
add disabled=yes forward-to=192.168.103.1 regexp=".*\\.iol\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.sysct\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.tel\\.cz\$" type=FWD
add forward-to=192.168.100.1 regexp=".*\\.nova\\.cz\$" type=FWD
add disabled=yes forward-to=192.168.103.1 regexp=".*\\.ceskatelevize\\.cz\$" \
    type=FWD
add forward-to=192.168.100.1 regexp=".*\\.ceskatelevize\\.cz\$" type=FWD
add disabled=yes forward-to=192.168.103.1 regexp=".*\\.czech-tv\\.cz\$" type=\
    FWD
add forward-to=192.168.100.1 regexp=".*\\.czech-tv\\.cz\$" type=FWD
/ip firewall mangle
# Only the "Sortie Voyo" rule is enabled: traffic from 192.168.4.36 to
# addresses on the "voyo" list is marked CZ_VPN. 192.168.4.36 is not in the
# 192.168.2.0/24 LAN of this router; the main default route uses gateway
# 192.168.4.1, so it appears to sit on the upstream (ISP router) network and the
# rule only matches if that host routes via this router - confirm.
add action=mark-routing chain=prerouting comment="apple tv do eth 3" \
    disabled=yes new-routing-mark=CZ_VPN passthrough=yes src-address=\
    192.168.2.254
add action=mark-routing chain=prerouting comment="Sortie Voyo" \
    dst-address-list=voyo new-routing-mark=CZ_VPN passthrough=yes \
    src-address=192.168.4.36
add action=mark-routing chain=prerouting comment=ct disabled=yes \
    dst-address-list=ct new-routing-mark=CZ_VPN passthrough=yes src-address=\
    192.168.4.36
/ip firewall nat
# One masquerade rule per tunnel interface; only the WG one is active.
add action=masquerade chain=srcnat comment="PPTP VPN" disabled=yes \
    out-interface=VPN_CZ
add action=masquerade chain=srcnat comment="Wireguard VPN" out-interface=\
    wireguard-client
/ip route
# CZ_VPN table: default via the far tunnel address (reachable over the
# connected 192.168.100.0/24). main table: default via the ISP router.
# "routing-table=*401" is an unresolved reference to the removed CT table;
# that route and the PPTP one are disabled leftovers.
add comment="PPTP routa pro voyo a CT" disabled=yes distance=1 dst-address=\
    0.0.0.0/0 gateway=VPN_CZ pref-src="" routing-table=CZ_VPN scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.103.1 \
    pref-src="" routing-table=*401 scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="WG routa pro voyo a CT" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=192.168.100.1 pref-src="" routing-table=CZ_VPN scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-table=main \
    suppress-hw-offload=no
/ip smb
# NOTE(review): an SMB file server with a read/write user is unrelated to the
# VPN task and is extra attack surface on the router; ether1 is a port of the
# upstream-facing bridge1. Disable unless it is really used.
set enabled=yes interfaces=ether1
/ip smb shares
add directory=share1 name=share1
/ip smb users
add name=hona read-only=no
/routing bfd configuration
# BFD on interfaces=all includes the upstream side; harmless without BFD
# peers, but unnecessary.
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Australia/Brisbane
/system logging
# WG events are logged with prefix "WG"; useful while chasing the handshake.
add prefix=WG topics=wireguard
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=au.pool.ntp.org
add address=0.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
# "ct" is now disabled; "voyo" runs every 5s with all server tokens merged into
# one list and is an inline copy of the /system script "voyo" below (which
# still has the old 2h timeout and short list). One named script run from the
# scheduler would avoid the drift. "name~$i" is an unanchored substring match
# over the whole DNS cache, so short tokens ("tel", "cra", "sdn", "stream")
# also catch unrelated hostnames and send their traffic down the tunnel; a 5s
# full-cache scan on an RB750Gr3 may also be noticeable on CPU - confirm.
# The policy list (ftp, reboot, password, sniff, sensitive, policy, ...) is far
# broader than these scripts need; presumably read,write (plus test for
# :resolve) is enough - confirm.
add disabled=yes interval=10s name=ct on-event=":global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"ct\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"ct\" address=\$nouvelleIP timeo\
    ut=05:00:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers { \"ivysilani\";\"ceskatelevize\";\"seznam\";\"stream\"\
    ;\"o2tv\";\"czech-tv\";\"iol\";\"tel\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=5s name=voyo on-event=":global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"voyo\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"voyo\" address=\$nouvelleIP tim\
    eout=05:00:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers {\"voyo\";\"cra\";\"nova\";\"sledovanitv\";\"imedia\";\
    \"sdn\";\"ivysilani\";\"ceskatelevize\";\"seznam\";\"stream\";\"o2tv\";\"c\
    zech-tv\";\"iol\";\"tel\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
# NOTE(review): the q= value appears to be the ClouDNS dynamic-DNS update token
# and it is posted unredacted here: anyone holding it can update the DNS
# record, so rotate it. /tool fetch does not verify the server certificate
# unless check-certificate=yes is set (with a CA installed), so the token could
# also be captured by an on-path host.
add interval=45m name=cloudns on-event="/tool fetch url=\"https://ipv4.cloudns\
    .net/api/dynamicURL/\?q=NTE5MjU5NDozNDI5MTQxODY6MWMzMGFiYTZiMjI3ZWIwOTllNj\
    dkOTRjMTM5ZmVkMjlhYjk4NjAwYzQ5MWRiZTRjNzk0YTA3MjIzZDdiMWQ3Mg\" mode=https" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
# Older copy of the "voyo" address-list script (2h timeout, shorter server
# list); nothing in this export runs it - the scheduler uses an inline copy.
add dont-require-permissions=no name=voyo owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global ajouteIP do={\r\
    \n  :if ([:len [/ip firewall address-list find address=\"\$nouvelleIP\" an\
    d list=\"voyo\"]] = 0) do={\r\
    \n    /ip firewall address-list add list=\"voyo\" address=\$nouvelleIP tim\
    eout=02:00:00\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n:local myServers { \"voyo\";\"cra\";\"nova\"}\r\
    \n/ip dns cache all {\r\
    \n  :foreach i in=\$myServers do={\r\
    \n    :foreach j in=[find where (name~\$i)] do={\r\
    \n      :local myName [get \$j name]\r\
    \n      :local myType [get \$j type]\r\
    \n      :local myData [get \$j data]\r\
    \n      :if (\$myType = \"A\") do={\r\
    \n        \$ajouteIP nouvelleIP=\$myData\r\
    \n       }\r\
    \n\r\
    \n      :if (\$myType = \"CNAME\") do={\r\
    \n        :local ipResolue [:resolve \"\$myData\"];\r\
    \n         \$ajouteIP nouvelleIP=\$ipResolue\r\
    \n      }\r\
    \n    }\r\
    \n  }\r\
    \n}"
add dont-require-permissions=no name=cloudns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch url=\"https://ipv4.cloudns.net/api/dynamicURL/\?q=NTE5MjU5NDozN\
    iMWQ3Mg\" mode=https"
/tool sniffer
# Packet sniffer configured to write ether4 traffic to a file ("mac"); the
# export does not show whether it is running - confirm it is not left capturing.
set file-limit=20000KiB file-name=mac filter-interface=ether4 memory-limit=\
    2000KiB

Is the firewall on the CZ router blocking incoming DNS from the WG IP? You might want to add an accept rule for port 53 from 192.168.100.2 on the CZ router.