Moving config from RB951G-2HnD to RB4011

I’ve just bought an RB4011 to replace my RB951G-2HnD.

The RB951G has firewall, CAPSMAN, IPSec VPN etc all working well - I have 2 APs in my house too.

I exported the config from the RB951G and carefully duplicated it on the RB4011 through the Winbox terminal bit by bit, getting rid of errors as I went.

I can connect to the internet and the SSIDs all work, but:

  1. The CAPS all connect but they don’t appear to get a lease or IP from the Router even though the CAPS get SSIDs etc. I cannot access the CAPS directly using a browser
  2. The VPNs don’t connect.

If I plug the RB951G back in everything starts to work immediately!

The basis of the config is quite old but I’d rather not rebuild the whole thing.

Has anyone got any ideas why this might be happening?

Charles

First things first, do you use same routeros on both devices?
I assume you made an export file of your old router, which you imported (partially or completely) on the new?
Do you start with default config (AP config) or from scratch (nothing setup)?

If you start with the proposed WIFI AP setup, the device has basic interfaces, DHCP and bridge set up, and that naming scheme and those values
might not be compatible with what you want to use:

  • Wireless i/f name
  • bridge name
  • DHCP and addresses…

What I normally do (but the pro’s might have better advice):
Take your export file (make a 2nd copy for backup) [and use something like the ATOM file editor with the “DIFF” package between them to see if you have done it all right]:

  • In wireless: Create first the main/physical i/f yourself by hand (each interface sub section) and match the name you used on this in the export file
  • in your export file erase the line which configured that interface. Copy all the rest within the wireless section of the config file and paste it into the terminal.
  • Check that all went well :wink:
  • in “ethernet” see if the number of available interfaces matches on both devices; if not, adapt them.
    (normally you only need to check names of the ETH ports if you have no complex setup).

Whatever I config on the new device, I erase from my config file. So I know what is missing and what not!
Do above for each subsection of routers (IP, tools, system and their sub sections).

If all is done, make export and do a DIFF of the RB4011 file and the old router file. It will quickly show you what is different
and you can inspect if all is really the same.

PS: make sure you make backups and config exports while doing this! I have locked myself out tons of times and had to redo
things twice (or more :laughing: )
Hope this helps a bit …
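A small tool for the export-and-DIFF step described in this reply, written as an added example (it is not code from the thread, from MikroTik, or from any poster): it joins the backslash line continuations that RouterOS `/export` uses, groups commands by section, reports which commands are missing or extra on the new router, and separately flags commands that appear twice in one section. The last check goes a little beyond the reply: a plain set-based diff would not notice, for instance, the two identical masquerade rules in the RB4011 export posted further down this thread. The two abbreviated exports embedded in the script are constructed, with documentation-range addresses (203.0.113.10, 198.51.100.5) standing in for the real WAN IPs.

```python
"""Section-aware diff of two RouterOS '/export' files (added example)."""
from collections import Counter, OrderedDict

# Constructed, abbreviated exports (not the ones posted in this thread).
# OLD is the router that still works, NEW is the rebuilt one. The WAN
# addresses are documentation-range placeholders.
OLD_EXPORT = r"""# may/04/2020 14:29:46 by RouterOS 6.46.6
/caps-man security
add authentication-types=wpa2-psk name=CAPsMAN_security1
/ip ipsec peer
add address=203.0.113.10/32 comment=FRANCELondon exchange-mode=ike2 \
    local-address=198.51.100.5 name=peerFRANCE profile=profile_1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
"""

NEW_EXPORT = r"""# may/04/2020 11:54:59 by RouterOS 6.46.6
/caps-man security
add authentication-types=wpa2-psk name=default_security
/ip ipsec peer
# local-address was not carried over during the manual rebuild
add address=203.0.113.10/32 comment=FRANCELondon exchange-mode=ike2 \
    name=peerFRANCE profile=profile_1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
"""


def unwrap(text):
    """Join RouterOS line continuations.

    A trailing backslash means the next line continues the command; the
    backslash and the next line's indentation are dropped and the text is
    concatenated directly, so a token split mid-word is restored intact.
    """
    commands, buf, pending = [], "", False
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:
            line = line.lstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            pending = True
        else:
            commands.append(buf + line)
            buf, pending = "", False
    if buf:  # file ended on a continuation line
        commands.append(buf)
    return commands


def parse_export(text):
    """Map each section ('/ip firewall nat', ...) to its list of commands.

    The export header and inline comments ('# managed by CAPsMAN') are
    skipped; blank lines are ignored.
    """
    sections = OrderedDict()
    current = None
    for line in unwrap(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def diff_sections(old, new):
    """Per section, commands present only on OLD or only on NEW."""
    report = OrderedDict()
    order = list(old) + [s for s in new if s not in old]
    for section in order:
        o, n = set(old.get(section, [])), set(new.get(section, []))
        missing, extra = sorted(o - n), sorted(n - o)
        if missing or extra:
            report[section] = {"missing_on_new": missing, "extra_on_new": extra}
    return report


def duplicate_commands(sections):
    """Commands repeated inside one section (a rule pasted twice by hand)."""
    dups = {}
    for section, cmds in sections.items():
        repeated = [c for c, k in Counter(cmds).items() if k > 1]
        if repeated:
            dups[section] = repeated
    return dups


def migration_report(old_text, new_text):
    """Diff OLD against NEW and list duplicates on the rebuilt router."""
    old, new = parse_export(old_text), parse_export(new_text)
    return {"diff": diff_sections(old, new), "duplicates": duplicate_commands(new)}


if __name__ == "__main__":
    rep = migration_report(OLD_EXPORT, NEW_EXPORT)
    for section, d in rep["diff"].items():
        print(section)
        for c in d["missing_on_new"]:
            print("  - " + c)
        for c in d["extra_on_new"]:
            print("  + " + c)
    for section, cmds in rep["duplicates"].items():
        print(section + "  (duplicated on new router)")
        for c in cmds:
            print("  = " + c)
```

As the exports posted in this thread show, RouterOS writes the parameters of each command in a fixed order and wraps long lines at deterministic points, so comparing the unwrapped command strings is enough; no key-by-key normalisation is needed. Run it on the real files by reading them into `migration_report()` instead of the embedded samples.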

Do you use certificates in your CAPsMAN and VPN configuration? Certificates are not part of the exportable configuration and should be copied separately.

Thanks for your responses, very helpful.

I went back to basics for the new RB4011. I used the default config and then added in the things I need.

The CAPSMAN now works. I suspect it was a firewall rule issue.

The IPSec VPN doesn’t work. I have copied the exact VPN config and I think I’ve got the Firewall correct too. The VPN uses a Pre-Shared Key, not a certificate.

If I plug the RB951 in, the VPN connects to the other Mikrotik in France. Do I have to do anything like flush the router in France to recognise the RB4011?

I can put the config up here if the problem is not obvious.

TIA

Charles

Please, do it.

…of all three devices - the 951, the 4011, and the remote peer.

Basically there may be a connection tracking issue if the 951 and the 4011 don’t have a public IP directly on themselves and each gets another private one from some device between them and the internet which is doing NAT, as the UDP packets coming from the remote peer may get forwarded to the 951’s private address. To get rid of this issue, it should be enough to reboot that NAT device. But it’s just a guess, and if it was wrong, you’ll need to post the configurations. Another guess is that you use certificates to authenticate the peers to each other and you copied the certificate from the 951 to the 4011 without the private key.

Sindy, you helped me before. You may remember I have the router in France.

I think it may be because I am not setting the sa-src-address (via the Peer local address). I think I must have set it up before v6.44. It seems to continue to work on the old pairing (RB951 - France) but not on the new pairing (RB4011 - France).

I think it means I have to set Peer address and local-address. I think I have to do that using the IP address rather than the host name (e.g. “france.ddns.com”).

I’ll try it in Safe Mode.

Charles

I haven’t tried it yet. I was not sure about Safe Mode. If I make the change in France, I imagine the VPN will go down and (hopefully) reconnect. However, Safe Mode recognises that the connection has been lost and undoes my changes!! Therefore I never know if my change will work. Is that how Safe Mode works?

Anyway, if I am right about needing to set Peer local-address, I have a problem. Which IP address to use?

The French Mikrotik is behind another router and therefore has the WAN address on 192.168.1.39 rather than the external IP address.

Which should I use?

TIA
Charles

As said above - post the configuration exports of all three machines, anonymised as per the hint in my automatic signature. And explain whether the 951 and the 4011 at the British side of the Channel have the same WAN IP address or different ones.

You are right that safe mode will revert the changes if the tunnel goes down, but thinking about it the second time, I can see no reason why you should tamper with the French end since the 951->4011 migration happens in Britain, so except for the certificates and ipsec identities which may or may not be related to the issue, there is no reason to change anything in France…?

Hopefully all here!

Here is the London RB4011 - This is the one that does not connect to France.

# may/04/2020 11:54:59 by RouterOS 6.46.6
# software id = YCNI-BQ6N
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name="2GHz Channel 11"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5180 name="5Ghz - Channel 36"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5260 name="5Ghz - Channel 52"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5500 name="5Ghz - Channel 100"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5580 name="5Ghz - Channel 116"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5660 name="5Ghz - Channel 132"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5765 name="5Ghz - Channel 153"
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name="2GHz Channel 1"
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name="2GHz Channel 6"
/interface bridge
add admin-mac=C4:AD:34:60:79:47 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
add name=guest-bridge
/interface wireless
# managed by CAPsMAN
# channel: 5500/20-Ceee/ac/DP(24dBm)+5210/80/P(17dBm), SSID: MYSSID, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge secondary-channel=auto ssid=MikroTik-607951 \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2437/20/gn(17dBm), SSID: MYSSID, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-C64D6C wireless-protocol=802.11
/interface l2tp-server
add name=l2tp-in-Nexus user=Nexus
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    main-datapath
add bridge=guest-bridge name=guest-datapath
/caps-man security
add authentication-types=wpa2-psk name=default_security
add authentication-types=wpa2-psk name=guest-security
/caps-man configuration
add channel="5Ghz - Channel 36" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 36" security=default_security ssid=MYSSID
add channel="5Ghz - Channel 153" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 153" security=default_security ssid=MYSSID
add channel="5Ghz - Channel 52" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 52" security=default_security ssid=MYSSID
add channel="5Ghz - Channel 100" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 100" security=default_security ssid=MYSSID
add channel="5Ghz - Channel 116" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 116" security=default_security ssid=MYSSID
add channel="5Ghz - Channel 132" country="united kingdom" datapath=\
    main-datapath distance=indoors hide-ssid=no installation=indoor mode=ap \
    name="Master-5GHz - Channel 132" security=default_security ssid=MYSSID
add channel="2GHz Channel 1" country="united kingdom" datapath=main-datapath \
    hide-ssid=no installation=indoor mode=ap name="Master-2GHz - Channel 1" \
    security=default_security ssid=MYSSID
add channel="2GHz Channel 6" country="united kingdom" datapath=main-datapath \
    hide-ssid=no installation=indoor mode=ap name="Master-2GHz - Channel 6" \
    security=default_security ssid=MYSSID
add channel="2GHz Channel 11" country="united kingdom" datapath=main-datapath \
    hide-ssid=no installation=indoor mode=ap name="Master-2GHz - Channel 11" \
    security=default_security ssid=MYSSID
add comment=5G datapath=main-datapath name=Down5 security=default_security \
    ssid=MYSSID-down5
add datapath=main-datapath name=Up5 security=default_security ssid=MYSSID-up5
add datapath=main-datapath name=Up2 security=default_security ssid=MYSSID-up2
add datapath=main-datapath name=Down2 security=default_security ssid=\
    MYSSID-down2
add datapath=main-datapath name=UpUp2 security=default_security ssid=\
    MYSSID-upup2
add datapath=main-datapath name=UpUp5 security=default_security ssid=\
    MYSSID-upup5
add datapath=main-datapath name=newone5 security=default_security ssid=\
    MYSSID-new5
add comment="Guest Wifi" datapath=guest-datapath name=guest security=\
    guest-security ssid=MYSSID-guest
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
    sha512 name=profile_1
/ip ipsec peer
add address=FRANCE-WAN-IP/32 comment=FRANCELondon exchange-mode=ike2 \
    local-address=UK-WAN-IP name=peerFRANCE profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=default-dhcp ranges=192.168.64.2-192.168.64.100
add name=vpn-pool ranges=192.168.64.101-192.168.64.150
add name=dhcp-pool-guest ranges=192.168.66.10-192.168.66.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp-pool-guest disabled=no interface=guest-bridge name=\
    guest-dhcp
/ppp profile
set *0 local-address=192.168.64.1 remote-address=vpn-pool
set *FFFFFFFE local-address=192.168.64.1 remote-address=vpn-pool
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment=Down2G master-configuration=\
    "Master-2GHz - Channel 6" name-format=prefix-identity name-prefix=Down2G \
    radio-mac=74:4D:28:C6:4D:6C slave-configurations=guest,Down2
add action=create-dynamic-enabled comment=UpUp2G master-configuration=\
    "Master-2GHz - Channel 11" name-format=prefix-identity name-prefix=UpUp2G \
    radio-mac=CC:2D:E0:EB:1D:7E slave-configurations=guest,UpUp2
add action=create-dynamic-enabled comment=UpUp5G master-configuration=\
    "Master-5GHz - Channel 132" name-format=prefix-identity name-prefix=\
    UpUp5G radio-mac=CC:2D:E0:EB:1D:7F slave-configurations=guest,UpUp5
add action=create-dynamic-enabled comment=Down5G master-configuration=\
    "Master-5GHz - Channel 100" name-format=prefix-identity name-prefix=\
    Down5G radio-mac=C4:AD:34:60:79:51 slave-configurations=guest,Down5
add action=create-dynamic-enabled comment=Up5G master-configuration=\
    "Master-5GHz - Channel 36" name-format=prefix-identity name-prefix=Up5G \
    radio-mac=64:D1:54:04:7E:1A slave-configurations=guest,Up5
add action=create-dynamic-enabled comment=Up2G master-configuration=\
    "Master-2GHz - Channel 1" name-format=prefix-identity name-prefix=Up2G \
    radio-mac=64:D1:54:04:7E:1B slave-configurations=guest,Up2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=guest-bridge list=LAN
add interface=l2tp-in-Nexus list=LAN
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge \
    enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.64.1/24 comment=defconf interface=bridge network=\
    192.168.64.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.64.11 client-id=1:74:d4:35:37:2e:9d mac-address=\
    74:D4:35:37:2E:9D server=defconf
add address=192.168.64.16 client-id=1:0:f:55:a9:39:4a mac-address=\
    00:0F:55:A9:39:4A server=defconf
add address=192.168.64.49 client-id=1:94:9f:3e:18:18:5e mac-address=\
    94:9F:3E:18:18:5E server=defconf
add address=192.168.64.13 client-id=1:d8:eb:97:d0:cc:ff mac-address=\
    D8:EB:97:D0:CC:FF server=defconf
add address=192.168.64.50 client-id=1:b8:e9:37:5e:50:ba mac-address=\
    B8:E9:37:5E:50:BA server=defconf
add address=192.168.64.2 client-id=1:64:d1:54:4:7e:19 mac-address=\
    64:D1:54:04:7E:19 server=defconf
add address=192.168.64.3 client-id=1:cc:2d:e0:eb:1d:79 mac-address=\
    CC:2D:E0:EB:1D:79 server=defconf
/ip dhcp-server network
add address=192.168.64.0/24 comment=defconf gateway=192.168.64.1
add address=192.168.66.0/24 comment="Guest Network" gateway=192.168.66.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.64.1 comment=defconf name=router.lan
/ip firewall address-list
add address=216.218.206.0/24 comment="myList delete" list=blacklist
add address=1.10.16.0/20 comment="spamhaus delete" list=blacklist
add address=5.188.11.0/24 comment="edrop delete" list=blacklist
add address=103.253.73.77 comment="malc0de delete" list=blacklist
add address=192.168.64.1-192.168.64.254 list=AllowedAccessToBlackSynology
add address=192.168.65.1-192.168.65.254 list=AllowedAccessToBlackSynology
add address=192.168.66.10-192.168.66.254 list=GuestNetwork
add address=192.168.64.1-192.168.64.254 list=MainNetwork
add address=192.168.64.13 list=Camera
add address=80.82.77.0/24 comment="dshield delete" list=blacklist
add address=122.228.10.0/24 comment="myList delete" list=blacklist
add address=195.169.125.251 comment="myList delete" list=blacklist
add address=41.93.128.0/17 comment=spamhaus list=blacklist
add address=194.5.99.0/24 comment=edrop list=blacklist
add address=185.140.53.0/24 comment=edrop list=blacklist
add address=125.119.32.0/22 comment=edrop list=blacklist
add address=94.23.64.40 comment=malc0de list=blacklist
add address=166.93.0.0/16 comment=spamhaus list=blacklist
add address=38.39.160.0/20 comment=edrop list=blacklist
add address=196.61.192.0/20 comment=spamhaus list=blacklist
add address=185.244.29.0/24 comment=edrop list=blacklist
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=log chain=forward disabled=yes log=yes log-prefix="From France" \
    src-address=192.168.65.202
add action=accept chain=forward disabled=yes dst-address=192.168.64.6 \
    dst-port=23 log=yes log-prefix="Allow Telnet  to Synology" protocol=tcp
add action=drop chain=forward disabled=yes dst-port=443 log=yes log-prefix=\
    "Drop Facebook" protocol=tcp tls-host=*facebook.com
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related dst-address=!192.168.65.192/28 \
    src-address=!192.168.65.192/28
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "Stop access to Synology except from 64 65 AllowAccesstoBlackSyno" \
    disabled=yes dst-address=192.168.64.6 log=yes log-prefix=\
    "CH_Track Access To Black Synology" src-address-list=\
    !AllowedAccessToBlackSynology
add action=drop chain=forward comment="Camera Out" log=yes log-prefix=\
    "Camera out:" out-interface-list=WAN src-address-list=Camera
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="CH_Track invalid"
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN ipsec-policy=in,none log=yes log-prefix="CH_Track !public" \
    src-address-list=not_in_internet
add action=drop chain=input comment="Drop input from blacklist" log-prefix=\
    "CH_Track Drop input from blacklist" src-address-list=blacklist
add action=drop chain=forward comment="Drop from Blacklist sites" log=yes \
    log-prefix="CH_Track forward from Blacklist In:" src-address-list=\
    blacklist
add action=drop chain=forward comment="Drop to Blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track forward to Blacklist"
add action=drop chain=output comment="Drop from Router to blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track blacklist out from router"
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN ipsec-policy=in,none
add action=drop chain=forward comment="TCP flags and Port 0 attacks" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward comment=\
    "Block from Guest Network to Main Network" dst-address-list=MainNetwork \
    src-address-list=GuestNetwork
add action=drop chain=input comment="Block from Guest Network to Main Router" \
    dst-address=192.168.64.1 src-address-list=GuestNetwork
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" protocol=\
    ipsec-esp
add action=accept chain=input comment="ICMP Ping" protocol=icmp
add action=accept chain=input comment=\
    "accept input established,related,untracked" connection-state=\
    established,related,untracked log-prefix=\
    "accept input established,related,untracked"
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=passthrough chain=input in-interface-list=!LAN
add action=drop chain=input comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    log-prefix="Last rule: Input"
add action=drop chain=forward comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    ipsec-policy=in,none log=yes log-prefix="Last Rule: Forward: Drop"
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=15092 log=yes \
    log-prefix="CH_Track NAT RDP" protocol=tcp to-addresses=192.168.64.11 \
    to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=23 log=yes log-prefix=\
    Telnet protocol=tcp to-addresses=192.168.64.6 to-ports=23
add action=accept chain=srcnat comment=FRANCELondon dst-address=\
    192.168.65.0/24 src-address=192.168.64.0/24
add action=accept chain=dstnat comment=FRANCELondon dst-address=\
    192.168.64.0/24 src-address=192.168.65.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=\
    192.168.65.0/24
add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=\
    192.168.64.0/24
/ip ipsec identity
add peer=peerFRANCE
/ip ipsec policy
add comment=FRANCELondon-Laptop dst-address=192.168.65.192/28 peer=peerFRANCE \
    sa-dst-address=FRANCE-WAN-IP sa-src-address=UK-WAN-IP src-address=\
    0.0.0.0/0 tunnel=yes
add comment=FRANCELondon dst-address=192.168.65.0/24 peer=peerFRANCE \
    sa-dst-address=FRANCE-WAN-IP sa-src-address=UK-WAN-IP src-address=\
    192.168.64.0/24 tunnel=yes
/ip route
add comment=FRANCELondon distance=1 dst-address=192.168.65.0/24 gateway=ether1 \
    pref-src=192.168.64.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=Nexus service=l2tp
/system clock
set time-zone-name=Europe/London
/system identity
set name=Down
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
set 0 topics=info,!caps
add topics=ipsec,!packet
add topics=ppp,!debug
/system scheduler
add disabled=yes interval=1h name="Update Time" on-event=\
    "/ip cloud set update-time=yes" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    aug/22/2017 start-time=23:38:00
add interval=1d name="Update Blacklists" on-event=RenewBlacklists policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/09/2017 start-time=01:30:00
add disabled=yes interval=1d name=UsageReport on-event=Usage2 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/10/2017 start-time=03:00:00
add comment="sep/29/2018 10:52:34" disabled=yes interval=30m name=\
    VPN_Connections on-event=VPN_Connections policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/17/2017 start-time=16:36:00
add interval=1m name=ipsec-peer-update-FRANCELondon on-event=\
    "/system script run ipsec-peer-update-FRANCELondon" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/06/2018 start-time=22:06:53
add interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" \
    policy=read,write start-date=aug/06/2018 start-time=22:06:59
add comment=20200314172325 interval=30m name=LogMonitor on-event=LogMonitor \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/17/2018 start-time=22:23:25
add interval=1d name="Update Software" on-event=UpdateSoftwareScript policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/09/2019 start-time=05:00:00
add interval=1d name="Update Firmware" on-event=UpdateFirmwareScript policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/09/2019 start-time=05:15:00
/system script
add dont-require-permissions=no name=ipsec-peer-update-FRANCELondon owner=\
    admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local peerid    \"FRANCELondon\"\
    \n:local peerhost  \"FRANCE DDNS\"\
    \n:local peerip    [:resolve \$peerhost]\
    \n:local wanIP [/ip address get [find interface=\"ether1\"] address]\
    \n:set wanIP [:pick \$wanIP 0 [:find \$wanIP \"/\"]]\
    \n#########################################\
    \n# Change Peer address if different\
    \n#########################################\
    \n:local peeruid \"Address\"\
    \n:set peeruid     [/ip ipsec peer   find comment=\"\$peerid\" and address\
    !=\"\$peerip/32\"]\
    \n#\
    \n:if (\$peeruid != \"\") do={\
    \n  /ip ipsec peer set \$peeruid address=\"\$peerip/32\"\
    \n  :log info \"Script ipsec-peer-update updated peer '\$peerid' with addr\
    ess '\$peerip'\"\
    \n}\
    \n#########################################\
    \n# Change Peer local-address if different\
    \n#########################################\
    \n:local peerlocaluid \"Local Address\"\
    \n:set peerlocaluid   [/ip ipsec peer find comment=\"\$peerid\" and local-\
    address!=\"\$wanIP\"]\
    \n#\
    \n:if (\$peerlocaluid != \"\") do={\
    \n  /ip ipsec peer set \$peerlocaluid local-address=\"\$wanIP\"\
    \n  :log info \"Script ipsec-peer-update updated peer '\$peerid' with loca\
    l-address '\$wanIP'\"\
    \n}\
    \n#\
    \n#########################################\
    \n# Change Policy - NOT NEEDED since 6.44\
    \n#########################################\
    \n#:global policyuid\
    \n#:set policyuid   [/ip ipsec policy find comment=\"\$peerid\" and sa-dst\
    -address!=\"\$peerip\"]\
    \n#\
    \n#:if (\$policyuid != \"\") do={\
    \n#  /ip ipsec policy set \$policyuid sa-dst-address=\"\$peerip\"\
    \n#  :log info \"Script ipsec-peer-update updated policy '\$peerid' with d\
    st address '\$peerip'\"\
    \n#}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=ipsec-peer-update-FRANCELondon down-script="/system scheduler enabl\
    e ipsec-peer-update-FRANCELondon\
    \n/system scheduler enable ip-cloud-forceupdate" host=192.168.65.1 \
    up-script="/system scheduler disable ip-cloud-forceupdate\
    \n/system scheduler disable ipsec-peer-update-FRANCELondon"
/tool sniffer
set filter-ip-address=192.168.64.11/32

Here is the London RB951 - This one connects to France.

# may/04/2020 14:29:46 by RouterOS 6.46.6
# software id = UTIL-NR1C
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name="2GHz Channel 11"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5180 name="5Ghz - Channel 36"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5260 name="5Ghz - Channel 52"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5500 name="5Ghz - Channel 100"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5580 name="5Ghz - Channel 116"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5660 name="5Ghz - Channel 132"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5765 name="5Ghz - Channel 153"
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name="2GHz Channel 1"
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name="2GHz Channel 6"
/interface l2tp-server
add name=l2tp-in-Nexus user=Nexus
/interface bridge
add arp=proxy-arp comment=defconf name=bridge
add name=guest-bridge
/interface ethernet
set [ find default-name=ether1 ] comment=VirginMedia speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] comment="Black Router" speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
# managed by CAPsMAN
# channel: 2437/20/gn(14dBm), SSID: MYSSID, CAPsMAN forwarding
set [ find default-name=wlan1 ] antenna-gain=6 band=2ghz-g/n country=\
    "united kingdom" distance=indoors frequency=2447 installation=indoor \
    mode=ap-bridge name=wlan1-2G-MYSSID ssid=MYSSID wireless-protocol=802.11 \
    wps-mode=disabled
# managed by CAPsMAN
# channel: 5500/20-Ceee/ac/DP(24dBm), SSID: MYSSID, CAPsMAN forwarding
set [ find default-name=wlan2 ] antenna-gain=3 band=5ghz-a/n/ac country=\
    "united kingdom" distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge name=wlan2-5G-MYSSID ssid=MYSSID wireless-protocol=802.11 \
    wps-mode=disabled
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    main-datapath
add bridge=guest-bridge name=guest-datapath
/caps-man security
add authentication-types=wpa2-psk name=CAPsMAN_security1
add authentication-types=wpa2-psk name=guest-security
/caps-man configuration
add channel="5Ghz - Channel 36" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 36" security=CAPsMAN_security1 ssid=MYSSID
add channel="5Ghz - Channel 153" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 153" security=CAPsMAN_security1 ssid=MYSSID
add channel="5Ghz - Channel 52" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 52" security=CAPsMAN_security1 ssid=MYSSID
add channel="5Ghz - Channel 100" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 100" security=CAPsMAN_security1 ssid=MYSSID
add channel="5Ghz - Channel 116" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 116" security=CAPsMAN_security1 ssid=MYSSID
add channel="5Ghz - Channel 132" country="united kingdom" datapath=\
    main-datapath distance=indoors hide-ssid=no installation=indoor mode=ap \
    name="Master-5GHz - Channel 132" security=CAPsMAN_security1 ssid=MYSSID
add channel="2GHz Channel 1" country="united kingdom" datapath=main-datapath \
    hide-ssid=no installation=indoor mode=ap name="Master-2GHz - Channel 1" \
    security=CAPsMAN_security1 ssid=MYSSID
add channel="2GHz Channel 6" country="united kingdom" datapath=main-datapath \
    hide-ssid=no installation=indoor mode=ap name="Master-2GHz - Channel 6" \
    security=CAPsMAN_security1 ssid=MYSSID
add channel="2GHz Channel 11" country="united kingdom" datapath=main-datapath \
    hide-ssid=no installation=indoor mode=ap name="Master-2GHz - Channel 11" \
    security=CAPsMAN_security1 ssid=MYSSID
add comment="Guest Wifi" datapath=guest-datapath name=guest security=\
    guest-security ssid=MYSSID-guest
add comment=5G datapath=main-datapath name=Down5 security=CAPsMAN_security1 \
    ssid=MYSSID-down5
add datapath=main-datapath name=Up5 security=CAPsMAN_security1 ssid=\
    MYSSID-up5
add datapath=main-datapath name=Up2 security=CAPsMAN_security1 ssid=\
    MYSSID-up2
add datapath=main-datapath name=Down2 security=CAPsMAN_security1 ssid=\
    MYSSID-down2
add datapath=main-datapath name=UpUp2 security=CAPsMAN_security1 ssid=\
    MYSSID-upup2
add datapath=main-datapath name=UpUp5 security=CAPsMAN_security1 ssid=\
    MYSSID-upup5
add datapath=main-datapath name=newone5 security=CAPsMAN_security1 ssid=\
    MYSSID-new5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
    sha512 name=profile_1
/ip ipsec peer
add address=FRANCE-WAN-IP/32 comment=FRANCELondon exchange-mode=ike2 \
    local-address=LONDON-WAN-IP name=peerFRANCE profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.64.2-192.168.64.100
add name=vpn-pool ranges=192.168.64.101-192.168.64.150
add name=dhcp-pool-guest ranges=192.168.66.10-192.168.66.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=30m name=\
    "Default DHCP Server"
add address-pool=dhcp-pool-guest disabled=no interface=guest-bridge name=\
    guest-dhcp
/ppp profile
set *0 local-address=192.168.64.1 remote-address=vpn-pool
set *FFFFFFFE local-address=192.168.64.1 remote-address=vpn-pool
/system logging action
set 3 remote=192.168.64.6
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment=Down2G master-configuration=\
    "Master-2GHz - Channel 6" name-format=prefix-identity name-prefix=Down2G \
    radio-mac=CC:2D:E0:E8:07:49 slave-configurations=guest,Down2
add action=create-dynamic-enabled comment=UpUp2G master-configuration=\
    "Master-2GHz - Channel 11" name-format=prefix-identity name-prefix=UpUp2G \
    radio-mac=CC:2D:E0:EB:1D:7E slave-configurations=guest,UpUp2
add action=create-dynamic-enabled comment=UpUp5G master-configuration=\
    "Master-5GHz - Channel 132" name-format=prefix-identity name-prefix=\
    UpUp5G radio-mac=CC:2D:E0:EB:1D:7F slave-configurations=guest,UpUp5
add action=create-dynamic-enabled comment=Down5G master-configuration=\
    "Master-5GHz - Channel 100" name-format=prefix-identity name-prefix=\
    Down5G radio-mac=CC:2D:E0:E8:07:48 slave-configurations=guest,Down5
add action=create-dynamic-enabled comment=Up5G master-configuration=\
    "Master-5GHz - Channel 36" name-format=prefix-identity name-prefix=Up5G \
    radio-mac=64:D1:54:04:7E:1A slave-configurations=guest,Up5
add action=create-dynamic-enabled comment=Up2G master-configuration=\
    "Master-2GHz - Channel 1" name-format=prefix-identity name-prefix=Up2G \
    radio-mac=64:D1:54:04:7E:1B slave-configurations=guest,Up2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1-2G-MYSSID
add bridge=bridge comment=defconf interface=wlan2-5G-MYSSID
add bridge=bridge interface=LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

add interface=guest-bridge list=LAN
/interface wireless cap
# 
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=\
    wlan2-5G-MYSSID,wlan1-2G-MYSSID
/ip address
add address=192.168.64.1/24 comment="defconf - need to change to 64" \
    interface=ether2 network=192.168.64.0
add address=192.168.66.1/24 interface=guest-bridge network=192.168.66.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server alert
add disabled=no interface=bridge on-alert="/tool e-mail send to=xxx subject=\"\$[/system identity get name] Rogue DHCP Server Foun\
    d \$[/system time get date]\"" valid-server=CC:2D:E0:E8:07:49

/ip dhcp-server network
add address=192.168.64.0/24 comment=defconf gateway=192.168.64.1 netmask=24
add address=192.168.66.0/24 comment="Guest Network" gateway=192.168.66.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.64.1 name=router.lan
/ip firewall address-list
add address=216.218.206.0/24 comment=myList list=blacklist
add address=1.10.16.0/20 comment=spamhaus list=blacklist

add address=185.153.199.0/24 comment=dshield list=blacklist
add address=197.242.100.0/22 comment=edrop list=blacklist
add address=197.242.104.0/21 comment=edrop list=blacklist
add address=197.242.112.0/23 comment=edrop list=blacklist
/ip firewall filter
add action=log chain=forward disabled=yes log=yes log-prefix="From France" \
    src-address=192.168.65.202
add action=accept chain=forward disabled=yes dst-address=192.168.64.6 \
    dst-port=23 log=yes log-prefix="Allow Telnet  to Synology" protocol=tcp
add action=drop chain=forward disabled=yes dst-port=443 log=yes log-prefix=\
    "Drop Facebook" protocol=tcp tls-host=*facebook.com
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related dst-address=!192.168.65.192/28 \
    src-address=!192.168.65.192/28
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "Stop access to Synology except from 64 65 AllowAccesstoBlackSyno" \
    disabled=yes dst-address=192.168.64.6 log=yes log-prefix=\
    "CH_Track Access To Black Synology" src-address-list=\
    !AllowedAccessToBlackSynology
add action=drop chain=forward comment="Camera Out" log=yes log-prefix=\
    "Camera out:" out-interface-list=WAN src-address-list=Camera
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="CH_Track invalid"
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN ipsec-policy=in,none log=yes log-prefix="CH_Track !public" \
    src-address-list=not_in_internet
add action=drop chain=input comment="Drop input from blacklist" log-prefix=\
    "CH_Track Drop input from blacklist" src-address-list=blacklist
add action=drop chain=forward comment="Drop from Blacklist sites" log=yes \
    log-prefix="CH_Track forward from Blacklist In:" src-address-list=\
    blacklist
add action=drop chain=forward comment="Drop to Blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track forward to Blacklist"
add action=drop chain=output comment="Drop from Router to blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track blacklist out from router"
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN ipsec-policy=in,none
add action=drop chain=forward comment="TCP flags and Port 0 attacks" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward comment=\
    "Block from Guest Network to Main Network" dst-address-list=MainNetwork \
    src-address-list=GuestNetwork
add action=drop chain=input comment="Block from Guest Network to Main Router" \
    dst-address=192.168.64.1 src-address-list=GuestNetwork
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" protocol=\
    ipsec-esp
add action=accept chain=input comment="ICMP Ping" protocol=icmp
add action=accept chain=input comment=\
    "accept input established,related,untracked" connection-state=\
    established,related,untracked log-prefix=\
    "accept input established,related,untracked"
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=passthrough chain=input in-interface-list=!LAN
add action=drop chain=input comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    log-prefix="Last rule: Input"
add action=drop chain=forward comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    ipsec-policy=in,none log=yes log-prefix="Last Rule: Forward: Drop"
/ip firewall nat

add action=dst-nat chain=dstnat disabled=yes dst-port=23 log=yes log-prefix=\
    Telnet protocol=tcp to-addresses=192.168.64.6 to-ports=23
add action=accept chain=srcnat comment=FRANCELondon dst-address=\
    192.168.65.0/24 src-address=192.168.64.0/24
add action=accept chain=dstnat comment=FRANCELondon dst-address=\
    192.168.64.0/24 src-address=192.168.65.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=\
    192.168.65.0/24
add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=\
    192.168.64.0/24
/ip ipsec identity
add peer=peerFRANCE
/ip ipsec policy
add comment=FRANCELondon-Laptop dst-address=192.168.65.192/28 peer=peerFRANCE \
    sa-dst-address=FRANCE-WAN-IP sa-src-address=LONDON-WAN-IP src-address=\
    0.0.0.0/0 tunnel=yes
add comment=FRANCELondon dst-address=192.168.65.0/24 peer=peerFRANCE \
    sa-dst-address=FRANCE-WAN-IP sa-src-address=LONDON-WAN-IP src-address=\
    192.168.64.0/24 tunnel=yes
/ip route
add comment=FRANCELondon distance=1 dst-address=192.168.65.0/24 gateway=ether1 \
    pref-src=192.168.64.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes always-allow-password-login=yes forwarding-enabled=\
    remote
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=192.168.64.10 version=5
/ppp secret

add name=Nexus service=l2tp

/system clock
set time-zone-name=Europe/London
/system identity
set name=Down
/system logging
set 0 disabled=yes
add topics=firewall
add disabled=yes topics=e-mail
add topics=account
add disabled=yes topics=dhcp,info
add topics=script
add topics=ipsec,info
add topics=l2tp,info
add topics=ppp,info
add topics=ssh,info
add topics=interface
add topics=system,info
add action=remote disabled=yes topics=script,warning
add disabled=yes topics=l2tp
add disabled=yes topics=ppp
add disabled=yes topics=wireless,debug

/system scheduler
add disabled=yes interval=1h name="Update Time" on-event=\
    "/ip cloud set update-time=yes" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    aug/22/2017 start-time=23:38:00
add interval=1d name="Update Blacklists" on-event=RenewBlacklists policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/09/2017 start-time=01:30:00
add disabled=yes interval=1d name=UsageReport on-event=Usage2 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/10/2017 start-time=03:00:00
add comment="sep/29/2018 10:52:34" disabled=yes interval=30m name=\
    VPN_Connections on-event=VPN_Connections policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/17/2017 start-time=16:36:00
add disabled=yes interval=1m name=ipsec-peer-update-FRANCELondon on-event=\
    "/system script run ipsec-peer-update-FRANCELondon" policy=read,write \
    start-date=aug/06/2018 start-time=22:06:53
add disabled=yes interval=10m name=ip-cloud-forceupdate on-event=\
    "/ip cloud force-update" policy=read,write start-date=aug/06/2018 \
    start-time=22:06:59
add comment=20200314172325 interval=30m name=LogMonitor on-event=LogMonitor \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/17/2018 start-time=22:23:25
add disabled=yes interval=15m name=MittensPing on-event=MittensPing policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/17/2018 start-time=15:44:14
add interval=1d name="Update Software" on-event=UpdateSoftwareScript policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/09/2019 start-time=05:00:00
add interval=1d name="Update Firmware" on-event=UpdateFirmwareScript policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/09/2019 start-time=05:15:00
/system script

add dont-require-permissions=no name=ipsec-peer-update-FRANCELondon owner=\
    admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local peerid    \"FRANCELondon\"\
    \n:local peerhost  \"FRANCE DDNS\"\
    \n:local peerip    [:resolve \$peerhost]\
    \n:local wanIP [/ip address get [find interface=\"ether1\"] address]\
    \n:set wanIP [:pick \$wanIP 0 [:find \$wanIP \"/\"]]\
    \n#########################################\
    \n# Change Peer address if different\
    \n#########################################\
    \n:local peeruid \"Address\"\
    \n:set peeruid     [/ip ipsec peer   find comment=\"\$peerid\" and address\
    !=\"\$peerip/32\"]\
    \n#\
    \n:if (\$peeruid != \"\") do={\
    \n  /ip ipsec peer set \$peeruid address=\"\$peerip/32\"\
    \n  :log info \"Script ipsec-peer-update updated peer '\$peerid' with addr\
    ess '\$peerip'\"\
    \n}\
    \n#########################################\
    \n# Change Peer local-address if different\
    \n#########################################\
    \n:local peerlocaluid \"Local Address\"\
    \n:set peerlocaluid   [/ip ipsec peer find comment=\"\$peerid\" and local-\
    address!=\"\$wanIP\"]\
    \n#\
    \n:if (\$peerlocaluid != \"\") do={\
    \n  /ip ipsec peer set \$peerlocaluid local-address=\"\$wanIP\"\
    \n  :log info \"Script ipsec-peer-update updated peer '\$peerid' with loca\
    l-address '\$wanIP'\"\
    \n}\
    \n#\
    \n#########################################\
    \n# Change Policy - NOT NEEDED since 6.44\
    \n#########################################\
    \n#:global policyuid\
    \n#:set policyuid   [/ip ipsec policy find comment=\"\$peerid\" and sa-dst\
    -address!=\"\$peerip\"]\
    \n#\
    \n#:if (\$policyuid != \"\") do={\
    \n#  /ip ipsec policy set \$policyuid sa-dst-address=\"\$peerip\"\
    \n#  :log info \"Script ipsec-peer-update updated policy '\$peerid' with d\
    st address '\$peerip'\"\
    \n#}"

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=ipsec-peer-update-FRANCELondon down-script="/system scheduler enabl\
    e ipsec-peer-update-FRANCELondon\
    \n/system scheduler enable ip-cloud-forceupdate" host=192.168.65.1 \
    up-script="/system scheduler disable ip-cloud-forceupdate\
    \n/system scheduler disable ipsec-peer-update-FRANCELondon"
/tool sniffer
set filter-ip-address=192.168.64.11/32
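One thing worth checking mechanically when an export is re-typed onto new hardware is whether each DHCP server still listens on the interface that carries its gateway address (in the London export above the server is bound to bridge while 192.168.64.1/24 sits on ether2). The script below is an added example, not code from the thread or from MikroTik; it parses RouterOS export syntax, including backslash-continued lines, and reports any server/gateway interface mismatch. The sample export embedded in it is constructed from fragments of the London export.

```python
"""Cross-check a RouterOS export: does each DHCP server listen on the
interface that actually carries the gateway address of its network?"""
import ipaddress
import re

# key=value tokens; values may be double-quoted and contain escaped quotes
_KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def join_continuations(text):
    """RouterOS wraps long export lines with a trailing backslash and indents
    the remainder; the break may fall inside a word, so rejoin verbatim."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return (section, command, {key: value}) for every add/set line."""
    section, entries = None, []
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as /ip address
            section = line
            continue
        cmd = line.split(None, 1)[0]
        kv = {k: v.strip('"') for k, v in _KV.findall(line)}
        entries.append((section, cmd, kv))
    return entries


def dhcp_gateway_findings(entries):
    """One finding per DHCP server whose network gateway address is configured
    on a different interface than the one the server is bound to."""
    addr_iface = {}   # gateway IP -> interface carrying that address
    pools = {}        # pool name -> first address of its first range
    networks = []     # (subnet, gateway)
    servers = []      # (name, interface, pool)
    for section, cmd, kv in entries:
        if cmd != "add":
            continue
        if section == "/ip address":
            addr_iface[kv["address"].split("/")[0]] = kv.get("interface")
        elif section == "/ip pool":
            pools[kv["name"]] = kv["ranges"].split(",")[0].split("-")[0]
        elif section == "/ip dhcp-server network":
            networks.append((ipaddress.ip_network(kv["address"]), kv.get("gateway")))
        elif section == "/ip dhcp-server":
            servers.append((kv["name"], kv.get("interface"), kv.get("address-pool")))
    findings = []
    for name, iface, pool in servers:
        start = ipaddress.ip_address(pools[pool])
        gateway = next((gw for net, gw in networks if start in net), None)
        gw_iface = addr_iface.get(gateway)
        if gateway is None or gw_iface != iface:
            findings.append({"server": name, "server_interface": iface,
                             "gateway": gateway, "gateway_interface": gw_iface})
    return findings


# Constructed sample modelled on fragments of the London export in this thread.
SAMPLE_EXPORT = r'''
/interface bridge
add arp=proxy-arp comment=defconf name=bridge
add name=guest-bridge
/ip pool
add name=dhcp ranges=192.168.64.2-192.168.64.100
add name=dhcp-pool-guest ranges=192.168.66.10-192.168.66.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=30m name=\
    "Default DHCP Server"
add address-pool=dhcp-pool-guest disabled=no interface=guest-bridge name=\
    guest-dhcp
/ip address
add address=192.168.64.1/24 comment="defconf - need to change to 64" \
    interface=ether2 network=192.168.64.0
add address=192.168.66.1/24 interface=guest-bridge network=192.168.66.0
/ip dhcp-server network
add address=192.168.64.0/24 comment=defconf gateway=192.168.64.1 netmask=24
add address=192.168.66.0/24 comment="Guest Network" gateway=192.168.66.1 \
    netmask=24
'''

if __name__ == "__main__":
    for f in dhcp_gateway_findings(parse_export(SAMPLE_EXPORT)):
        print(f"{f['server']!r} listens on {f['server_interface']} but gateway "
              f"{f['gateway']} is on {f['gateway_interface']}")
```

Run it against `/export` output from the new router; the guest network in the sample passes because 192.168.66.1 and guest-dhcp share guest-bridge.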

Here is the French one.

# may/04/2020 13:27:46 by RouterOS 6.46.6
# software id = 65FW-3KRA
#
# model = 2011UiAS-2HnD
# serial number = 
/interface l2tp-server
add name=l2tp-in-Nexus user=Nexus
/interface bridge
add admin-mac=4C:5E:0C:B8:9D:92 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="united kingdom" \
    disabled=no distance=indoors frequency=2462 installation=indoor l2mtu=\
    1598 mode=ap-bridge name=wlan1-2G-MYSSID ssid=MYSSID wireless-protocol=\
    802.11 wps-mode=disabled
add mac-address=4E:5E:0C:B8:9D:9B master-interface=wlan1-2G-MYSSID name=\
    wlan1-virtual-MYSSID-UK ssid=MYSSID-UK wds-default-bridge=bridge \
    wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
    sha512 name=profile_1
/ip ipsec peer
add address=UK-WAN-IP/32 comment=FRANCELondon exchange-mode=ike2 name=peer2 \
    profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.65.2-192.168.65.100
add name=vpn-pool ranges=192.168.65.101-192.168.65.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1h name=\
    "Default DHCP Server"
/ppp profile
set *0 local-address=192.168.65.1 remote-address=vpn-pool
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1-2G-MYSSID
add bridge=bridge interface=*13
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=wlan1-virtual-MYSSID-UK
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=l2tp-in-CharlieW10 list=LAN
add list=LAN
add interface=wlan1-2G-MYSSID list=discover
add interface=sfp1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/interface wireless access-list
add mac-address=94:9F:3E:18:18:5E
add mac-address=B8:E9:37:5E:50:BA
/ip address
add address=192.168.65.1/24 comment=defconf interface=bridge network=\
    192.168.65.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server lease
add address=192.168.65.94 comment=Efergy mac-address=00:04:A3:4D:B0:85 \
    server="Default DHCP Server"
add address=192.168.65.95 client-id=1:0:1e:c0:9a:87:ed comment=\
    "Heatmiser Neo-hub" mac-address=00:1E:C0:9A:87:ED server=\
    "Default DHCP Server"
add address=192.168.65.100 client-id=1:10:2:b5:37:b9:e6 comment="Evie Laptop" \
    mac-address=10:02:B5:37:B9:E6 server="Default DHCP Server"
add address=192.168.65.98 comment=OldPi mac-address=B8:27:EB:62:01:F5 server=\
    "Default DHCP Server"
add address=192.168.65.91 comment=CameraPi mac-address=00:0F:55:A8:B2:E6 \
    server="Default DHCP Server"
add address=192.168.65.88 client-id=1:0:2a:2a:3b:9:ab comment=\
    "Outside Camera" mac-address=00:2A:2A:3B:09:AB server=\
    "Default DHCP Server"
add address=192.168.65.93 client-id=1:28:ed:e0:20:a6:d3 comment=R4 \
    mac-address=28:ED:E0:20:A6:D3 server="Default DHCP Server"
add address=192.168.65.83 client-id=1:0:11:32:3b:11:13 comment=Twister \
    mac-address=00:11:32:3B:11:13 server="Default DHCP Server"
add address=192.168.65.202 client-id=1:e8:f2:e2:70:49:f2 comment=TV \
    mac-address=E8:F2:E2:70:49:F2 server="Default DHCP Server"
add address=192.168.65.204 client-id=1:b4:ae:2b:d2:96:82 comment=Surface \
    mac-address=B4:AE:2B:D2:96:82 server="Default DHCP Server"
add address=192.168.65.201 client-id=1:24:ee:9a:7c:fe:b1 comment=\
    "Charlie's L390" mac-address=24:EE:9A:7C:FE:B1 server=\
    "Default DHCP Server"
add address=192.168.65.203 client-id=1:5e:d5:e7:a8:7b:ee comment="Pixel 4" \
    mac-address=5E:D5:E7:A8:7B:EE server="Default DHCP Server"
add address=192.168.65.81 client-id=1:14:c2:13:eb:9d:99 mac-address=\
    14:C2:13:EB:9D:99 server="Default DHCP Server"
add address=192.168.65.80 client-id=1:d8:1c:79:e0:b9:83 mac-address=\
    D8:1C:79:E0:B9:83 server="Default DHCP Server"
add address=192.168.65.78 client-id=1:18:1d:ea:fe:82:c4 comment=\
    "Lucy Silver Laptop" mac-address=18:1D:EA:FE:82:C4 server=\
    "Default DHCP Server"
add address=192.168.65.77 client-id=1:2c:54:cf:e3:be:96 comment="Old Pixel" \
    mac-address=2C:54:CF:E3:BE:96 server="Default DHCP Server"
add address=192.168.65.205 client-id=1:bc:a8:a6:ac:9b:17 comment="IBM Laptop" \
    mac-address=BC:A8:A6:AC:9B:17 server="Default DHCP Server"
/ip dhcp-server network
add address=192.168.65.0/24 comment=defconf gateway=192.168.65.1 netmask=24
/ip dns
set servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.65.1 name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet

/ip firewall filter
add action=passthrough chain=forward disabled=yes log=yes log-prefix=\
    "To London" src-address=192.168.65.202
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related dst-address=!192.168.65.192/28 \
    src-address=!192.168.65.192/28
add action=drop chain=forward comment="Drops everything from OutsideCamera goi\
    ng to OutsideNotAllowed List. Prefix is OutsideDroptoBad" \
    dst-address-list=OutsideNotAllowed log-prefix=OutsideDroptoBad \
    src-address=192.168.65.88
add action=add-dst-to-address-list address-list=OutsideDestination \
    address-list-timeout=none-static chain=forward comment=\
    "Puts address from .88 onto OutsideDestination address list" \
    dst-address-list=!CameraAllowed src-address=192.168.65.88
add action=add-dst-to-address-list address-list=InsideDestination \
    address-list-timeout=none-static chain=forward dst-address-list=\
    !CameraAllowed src-address=192.168.65.93
add action=drop chain=forward comment=DropInsideCamera dst-address-list=\
    !CameraAllowed log-prefix=DropInside src-address=192.168.65.93
add action=drop chain=forward comment="Drops activity from OutsideCamera going\
    \_to anywhere apart from CameraAllowed list. Has DropOutsideCamera prefix" \
    dst-address-list=!CameraAllowed log-prefix=DropOutsideCamera src-address=\
    192.168.65.88
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked log-prefix=Previous
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="CH_Track invalid"
add action=drop chain=input comment=\
    "Drop incoming to router from my Blacklist" in-interface-list=WAN log=yes \
    log-prefix="CH_Track Blacklist Input from:" src-address-list=blacklist
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN log=yes log-prefix="CH_Track !public" src-address-list=\
    not_in_internet
add action=drop chain=forward comment="Drop incoming from Blacklist site" \
    in-interface-list=WAN log=yes log-prefix="CH_Track Blacklist fwd from:" \
    src-address-list=blacklist
add action=drop chain=forward comment=\
    "To stop things getting out to Blacklist sites" dst-address-list=\
    blacklist log=yes log-prefix="CH_Track Blacklist fwd to:" \
    out-interface-list=WAN
add action=drop chain=output comment="Drop from Router to Blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track Blacklist output to:" out-interface=ether1
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "defconf:  drop all from WAN not DSTNATed"
add action=drop chain=forward comment="TCP flags and Port 0 attacks" log=yes \
    log-prefix="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!ack
add action=drop chain=forward comment="TCP Flag1" log=yes log-prefix=\
    "TCP Flag1" protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward comment="TCP Flag2" log=yes log-prefix=\
    "TCP Flag1" protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward comment="TCP Flag3" log=yes log-prefix=\
    "TCP Flag3" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward comment="TCP Flag4" log=yes log-prefix=\
    "TCP Flag4" protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward log=yes log-prefix="TCP Flag5" protocol=tcp \
    tcp-flags=syn,rst
add action=drop chain=forward log=yes log-prefix="TCP Flag 6:" protocol=tcp \
    tcp-flags=rst,urg
add action=drop chain=forward log=yes log-prefix="TCP Flag 7:" protocol=tcp \
    src-port=0
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment=VPN protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=Ping: \
    protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related,untracked log-prefix=Flag8:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN log-prefix=\
    "CH_Track input not from LAN"
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix="Flag 8:"
add action=drop chain=input comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    log-prefix="Last rule"
add action=drop chain=forward in-interface-list=WAN log=yes log-prefix=\
    "Final Fwd Drop:"
add action=accept chain=forward log-prefix="Last Rule: Accept"
/ip firewall nat
add action=src-nat chain=srcnat comment=NTP disabled=yes dst-port=25 log=yes \
    log-prefix="scrnat SMTP" protocol=tcp src-address=192.168.65.88 to-ports=\
    465
add action=accept chain=srcnat comment=\
    "Send this range 192.168.65.200/28 through London (IP 193 to 206)" \
    disabled=yes src-address=192.168.65.192/28
add action=accept chain=srcnat comment=FRANCELondon dst-address=\
    192.168.64.0/24 src-address=192.168.65.0/24
add action=accept chain=dstnat comment=FRANCELondon dst-address=\
    192.168.65.0/24 src-address=192.168.64.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=\
    192.168.64.0/24
add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=\
    192.168.65.0/24
/ip ipsec identity
add peer=peer2
/ip ipsec policy
add comment="for machines that go via London" dst-address=0.0.0.0/0 peer=\
    peer2 sa-dst-address=UK-WAN-IP sa-src-address=192.168.1.38 src-address=\
    192.168.65.192/28 tunnel=yes
add comment=FRANCELondon dst-address=192.168.64.0/24 sa-dst-address=\
    UK-WAN-IP sa-src-address=0.0.0.0 src-address=192.168.65.0/24 tunnel=yes
/ip route
add comment=FRANCELondon distance=1 dst-address=192.168.64.0/24 gateway=ether1 \
    pref-src=192.168.65.1
add distance=1 dst-address=192.168.64.1/32 gateway=192.168.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
/ip ssh
set allow-none-crypto=yes always-allow-password-login=yes forwarding-enabled=\
    remote
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=192.168.65.98 version=5
/lcd
set time-interval=hour
/ppp secret
add name=Nexus
/system clock
set time-zone-autodetect=no time-zone-name=GMT
/system identity
set name="Red MikroTik"
/system logging
add topics=firewall
add disabled=yes topics=e-mail
add topics=account
add disabled=yes topics=dhcp,info
add topics=script
add topics=ipsec,info
add topics=l2tp,info
add topics=ppp,info
add topics=ssh,info
add topics=interface
add topics=system,info
/system ntp client
set enabled=yes primary-ntp=80.86.38.193 secondary-ntp=108.61.73.243
/system ntp server
set enabled=yes
/system scheduler
add disabled=yes interval=1h name="Update Time" on-event=\
    "/ip cloud set update-time=yes" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    aug/22/2017 start-time=23:38:00
add interval=1d name="Update Blacklists" on-event=RenewBlacklists policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/09/2017 start-time=01:30:00
add disabled=yes interval=1d name=UsageReport on-event=Usage2 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/10/2017 start-time=03:00:00
add comment="sep/29/2018 10:51:26" disabled=yes interval=30m name=\
    VPN_Connections on-event=VPN_Connections policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/17/2017 start-time=16:36:00
add interval=1m name=ipsec-peer-update-FRANCELondon on-event=\
    "/system script run ipsec-peer-update-FRANCELondon" policy=read,write \
    start-date=aug/06/2018 start-time=23:34:17
add interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" \
    policy=read,write start-date=aug/06/2018 start-time=23:34:34
add disabled=yes interval=30m name=SMTP_HostNames on-event=resolvehostnames \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/02/2018 start-time=17:42:29
add comment=20181231030843 interval=30m name=LogMonitor on-event=LogMonitor \
    policy=ftp,reboot,read,write,policy,test,password,sniff start-date=\
    sep/19/2018 start-time=21:08:43
add interval=1d name="Update Software" on-event=UpdateSoftwareScript policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/03/2019 start-time=06:00:00
add interval=1d name="Update Firmware" on-event=UpdateFirmwareScript policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/03/2019 start-time=06:15:00
/system script
add dont-require-permissions=no name=ipsec-peer-update-FRANCELondon owner=\
    admin policy=read,write source=":local peerid    \"FRANCELondon\"\
    \n:local peerhost  \"LONDON.DDNS\"\
    \n:local peerip    [:resolve \$peerhost]\
    \n:local peeruid\
    \n:set peeruid     [/ip ipsec peer   find comment=\"\$peerid\" and address\
    !=\"\$peerip/32\"]\
    \n:local policyuid\
    \n:set policyuid   [/ip ipsec policy find comment=\"\$peerid\" and sa-dst-\
    address!=\"\$peerip\"]\
    \n:if (\$peeruid != \"\") do={\
    \n  /ip ipsec peer set \$peeruid address=\"\$peerip/32\"\
    \n  :log info \"Script ipsec-peer-update updated peer '\$peerid' with addr\
    ess '\$peerip'\"\
    \n}\
    \n:if (\$policyuid != \"\") do={\
    \n  /ip ipsec policy set \$policyuid sa-dst-address=\"\$peerip\"\
    \n  :log info \"Script ipsec-peer-update updated policy '\$peerid' with ad\
    dress '\$peerip'\"\
    \n}"
/tool graphing interface
add interface=ether1
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool netwatch
add comment=ipsec-peer-update-FRANCELondon down-script="/system scheduler enabl\
    e ipsec-peer-update-FRANCELondon\
    \n/system scheduler enable ip-cloud-forceupdate" host=192.168.64.1 \
    up-script="/system scheduler disable ip-cloud-forceupdate\
    \n/system scheduler disable ipsec-peer-update-FRANCELondon"

In the 4011 configuration,
/ip cloud
set ddns-enabled=yes

is missing. So the periodic /ip cloud force-update enabled by the netwatch tracking the transparency of the tunnel doesn’t work.

It is quite likely that when you disconnect the 962 and connect the 4011 instead, the ISP gives it a different public IP than the 962 had - at least because the lease for the 962’s MAC address is still valid so the same public IP cannot be leased to a client with another MAC address.

That’s a good thought, but I use the DDNS from my Synology box behind the router so I don’t have to change the DDNS name in France if I change the router (ie the dedicated DDNS name would change when I changed the router).

This is what I see in the RB4011 log file

18:34:31 ipsec ike2 starting for: FRANCE-WAN-IP 
18:34:31 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
18:34:31 ipsec,debug => (size 0x1c) 
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
18:34:31 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
18:34:31 ipsec,debug => (size 0x1c) 
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
18:34:31 ipsec adding payload: NONCE 
18:34:31 ipsec,debug => (size 0x1c) 
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
18:34:31 ipsec adding payload: KE 
18:34:31 ipsec,debug => (first 0x100 of 0x208) 
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
18:34:31 ipsec adding payload: SA 
18:34:31 ipsec,debug => (size 0x44) 
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
18:34:31 ipsec,debug xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
18:34:31 ipsec,debug 04000010 
18:34:31 ipsec <- ike2 request, exchange: SA_INIT:0 FRANCE-WAN-IP[4500] 3c98d1adb11e4ce9:0000000000000000 
18:34:31 ipsec,debug ===== sending 700 bytes from LONDON-WAN-IP[4500] to FRANCE-WAN-IP[4500] 
18:34:31 ipsec,debug 1 times of 704 bytes message will be sent to FRANCE-WAN-IP[4500] 
18:34:36 ipsec ike2 init retransmit 
18:34:36 ipsec,debug ===== sending 700 bytes from LONDON-WAN-IP[4500] to FRANCE-WAN-IP[4500] 
18:34:36 ipsec,debug 1 times of 704 bytes message will be sent to FRANCE-WAN-IP[4500] 
18:34:41 ipsec ike2 init retransmit 
18:34:41 ipsec,debug ===== sending 700 bytes from LONDON-WAN-IP[4500] to FRANCE-WAN-IP[4500] 
18:34:41 ipsec,debug 1 times of 704 bytes message will be sent to FRANCE-WAN-IP[4500] 
18:34:46 ipsec ike2 init retransmit 
18:34:46 ipsec,debug ===== sending 700 bytes from LONDON-WAN-IP[4500] to FRANCE-WAN-IP[4500] 
18:34:46 ipsec,debug 1 times of 704 bytes message will be sent to FRANCE-WAN-IP[4500] 
18:34:51 ipsec ike2 init timeout

The log shows that the initial packet either doesn’t make it to France or that France ignores it. Can you double-check that the DDNS record matches the actual IP you get on ether1?
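The reasoning in the reply above can be made repeatable. The following Python snippet is an added example, not code from this thread or from MikroTik: it parses RouterOS `ipsec` topic log lines in the format quoted above and classifies the negotiation attempt. A run of `ike2 init retransmit` ending in `ike2 init timeout` means the SA_INIT request got no answer at all (stale peer address or DDNS record, or UDP 500/4500 not reaching the responder), whereas a `TS_UNACCEPTABLE` / `no policy found/generated` answer means the two routers do talk but the policy does not match. The sample lines are constructed from the post above, with the same placeholder addresses.

```python
import re

# Constructed sample, modelled on the RouterOS "ipsec" topic lines quoted in
# this thread (placeholder addresses kept as in the post).
SAMPLE_LOG = """\
18:34:31 ipsec ike2 starting for: FRANCE-WAN-IP
18:34:31 ipsec adding payload: SA
18:34:31 ipsec <- ike2 request, exchange: SA_INIT:0 FRANCE-WAN-IP[4500] 3c98d1adb11e4ce9:0000000000000000
18:34:31 ipsec,debug ===== sending 700 bytes from LONDON-WAN-IP[4500] to FRANCE-WAN-IP[4500]
18:34:36 ipsec ike2 init retransmit
18:34:41 ipsec ike2 init retransmit
18:34:46 ipsec ike2 init retransmit
18:34:51 ipsec ike2 init timeout
"""

# "HH:MM:SS topic[,topic...] message" as written by /system logging
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<topics>[\w,-]+) (?P<msg>.*)$")

# Defender-side reading of each verdict
HINTS = {
    "no_response": "SA_INIT was never answered: check the peer address / DDNS record "
                   "and that UDP 500/4500 reaches the responder",
    "policy_mismatch": "peers exchange messages but no policy matches the proposed "
                       "traffic selectors / endpoint addresses",
    "other": "no known failure signature in these lines",
}


def parse_lines(text):
    """Split RouterOS log text into (time, [topics], message) tuples."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m.group("time"), m.group("topics").split(","), m.group("msg")))
    return events


def triage(text):
    """Classify one IKEv2 attempt from its log lines.

    Returns the verdict, the number of SA_INIT retransmits, the peer being
    contacted (from the 'ike2 starting for:' line) and a short hint.
    """
    msgs = [msg for _, _, msg in parse_lines(text)]
    retransmits = sum(1 for m in msgs if m == "ike2 init retransmit")
    peer = None
    for m in msgs:
        if m.startswith("ike2 starting for: "):
            peer = m.split(": ", 1)[1]
    if "ike2 init timeout" in msgs:
        verdict = "no_response"
    elif any("TS_UNACCEPTABLE" in m or "no policy found" in m for m in msgs):
        verdict = "policy_mismatch"
    else:
        verdict = "other"
    return {"verdict": verdict, "retransmits": retransmits,
            "peer": peer, "hint": HINTS[verdict]}
```

Feed it the output of `/log print where topics~"ipsec"` (with the `ipsec,debug` logging action enabled) and `triage()` tells you at a glance whether to look at reachability or at the policy configuration.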

No, I checked that for both the UK and France. I look on Winbox quick set and it says the wan address.

How much time do you give the dwarfs to settle down after swapping the routers?

If you mean DDNS (not dwarfs :wink: ), quite a while. I checked the DNS using mxtoolbox and it found the same IP address. Also, I have left the RB4011 in for hours and it still doesn’t connect.

Do you think it could be something about not setting the Policy sa-src-address or the Peer local-address? I set the VPN up before v6.44 and I see “unknown” on the Policy (I think). You mentioned it in another post.

I did mean all those dwarfs which carry the bits around, i.e. all the processes with various timeouts which must all do their job so that the box in France would notice the change of the London address.

If you gave it hours, impatience is not the reason.

At this stage, I’d permit SSH on the French router, connect there from London, and watch what’s going on there while the 4011 is trying to connect.

Ah, never heard them called dwarfs before.

I did wait overnight, but no change.

I then ssh’d into the French router and found the Peer IP for London had not been updated (so I changed it). I also stopped London initiating the link because France is doing that.

Now, the “FRANCELondon-Laptop” link has been established BUT the main one has not. The error in the log in France says the following, including “peer not set”

Getting nearer…

08:40:09 ipsec create child: respond
08:40:09 ipsec processing payloads: NOTIFY (none found)
08:40:09 ipsec processing payloads: NOTIFY (none found)
08:40:09 ipsec peer wants tunnel mode
08:40:09 ipsec processing payload: CONFIG (not found)
08:40:09 ipsec processing payload: TS_I
08:40:09 ipsec 192.168.64.0/24
08:40:09 ipsec processing payload: TS_R
08:40:09 ipsec 192.168.65.0/24
08:40:09 ipsec canditate selectors: 192.168.65.0/24 <=> 192.168.64.0/24
08:40:09 ipsec processing payload: SA
08:40:09 ipsec IKE Protocol: ESP
08:40:09 ipsec  proposal #1
08:40:09 ipsec   enc: aes256-cbc
08:40:09 ipsec   enc: aes192-cbc
08:40:09 ipsec   enc: aes128-cbc
08:40:09 ipsec   enc: 3des-cbc
08:40:09 ipsec   auth: sha512
08:40:09 ipsec   auth: sha256
08:40:09 ipsec   auth: sha1
08:40:09 ipsec   dh: modp1024
08:40:09 ipsec searching for policy for selector: 192.168.65.0/24 <=> 192.168.64.0/24
08:40:09 ipsec exact policy with different endpoint addresses exists:
08:40:09 ipsec 192.168.65.0/24 <=> 192.168.64.0/24
08:40:09 ipsec,error no policy found/generated
08:40:09 ipsec adding notify: TS_UNACCEPTABLE
08:40:09 ipsec,debug => (size 0x8)
08:40:09 ipsec,debug 00000008 00000026
08:40:09 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:147 LONDON.IP[4500] 7dc2e054b0688972:85b54aab0d30b2f2
08:40:09 ipsec,debug ===== sending 272 bytes from FRANCE.IP[4500] to LONDON.IP[4500]
08:40:09 ipsec,debug 1 times of 276 bytes message will be sent to LONDON.IP[4500]

[admin@Red MikroTik] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #     PEER TUN SRC-ADDRESS                                   DST-ADDRESS                                   PROTOCOL   ACTION
 0 T *          ::/0                                          ::/0                                          all
 1  A  ;;; for machines that go via London
       pe.. yes 192.168.65.192/28                             0.0.0.0/0                                     all        encrypt
 2     ;;; FRANCElLondon
       ;;; peer not set
            yes 192.168.65.0/24                               192.168.64.0/24                               all        encrypt

That’s the different cultural background :slight_smile: Here we use this to express that the speaker doesn’t understand deeply what exactly is going on inside but doesn’t care much as long as the outcome is the expected one.


So it was a DDNS issue after all, but a different process in the chain failed - namely, the script which keeps track of the actual address and updates the peer?
The good news is that the script has not been necessary for quite a few RouterOS versions now - you can just use the fqdn as the peer’s address parameter, and RouterOS resolves it every time the DNS response validity lifetime expires, and re-initiates the connection if the IP number changes.


That’s not a big deal, IPsec handles well the case where both peers listen at public IP and both initiate the connection.


Strictly speaking, peer not set is not the error in the log but a configuration warning, and you should fix it manually, by setting the peer for that policy.

The actual error in the log is

08:40:09 ipsec exact policy with different endpoint addresses exists:
08:40:09 ipsec 192.168.65.0/24 <=> 192.168.64.0/24
08:40:09 ipsec,error no policy found/generated

Which means to me that this policy, which is defined the old way, i.e. using sa-src-address and sa-dst-address rather than using the peer parameter, is considered unusable for the 4011’s public IP which is different from the policy’s sa-dst-address. By setting the peer parameter of the policy as said above you will make the peer’s properties (local-address, address) supersede the manually configured sa-src-address and sa-dst-address parameters of the policy, so the policy will track the changes of the peer. Maybe you have to set both to 0.0.0.0 to make this work, but I doubt it.

I didn’t care about this because I expected that the script was updating both the peer’s address and the policy’s sa-dst-address properly, but it obviously didn’t all that time, and it was pure luck that the 962 kept getting the same public IP all the time since 2018.
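Both gaps found in this thread (an `/ip ipsec policy` still defined with sa-src-address/sa-dst-address and no peer, and a schedule that calls `/ip cloud force-update` while `/ip cloud set ddns-enabled=yes` is absent) can be caught before the new router goes live by linting the `/export` file. The Python below is an added example, not code from the thread or from MikroTik: it undoes RouterOS export line wrapping, tokenizes each `add`/`set` line (honouring quoted values and the `\"`, `\$`, `\n` escapes used in `source=` strings) and reports the two findings. The sample export is a constructed excerpt of the RB4011 export posted above, with the placeholder `UK-WAN-IP` kept.

```python
# Constructed excerpt modelled on the RB4011 export in this thread: one policy
# already bound to a peer, one defined the old way (sa-src/sa-dst only), and a
# scheduler entry that relies on IP Cloud while no "/ip cloud" section exists.
SAMPLE_EXPORT = r'''
/ip ipsec identity
add peer=peer2
/ip ipsec policy
add comment="for machines that go via London" dst-address=0.0.0.0/0 peer=\
    peer2 sa-dst-address=UK-WAN-IP sa-src-address=192.168.1.38 src-address=\
    192.168.65.192/28 tunnel=yes
add comment=FRANCELondon dst-address=192.168.64.0/24 sa-dst-address=\
    UK-WAN-IP sa-src-address=0.0.0.0 src-address=192.168.65.0/24 tunnel=yes
/system scheduler
add interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" \
    policy=read,write start-date=aug/06/2018 start-time=23:34:34
'''


def join_continuations(text):
    """Undo export wrapping: a line ending in an odd run of backslashes continues
    on the next line, whose leading indentation is display-only."""
    out, pending = [], None
    for raw in text.splitlines():
        current = raw if pending is None else pending + raw.lstrip()
        trailing = len(current) - len(current.rstrip("\\"))
        if trailing % 2 == 1:
            pending = current[:-1]
        else:
            out.append(current)
            pending = None
    if pending is not None:
        out.append(pending)
    return out


def tokenize(line):
    """Split on whitespace, keeping double-quoted values whole and decoding
    the backslash escapes RouterOS writes inside them."""
    tokens, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and i + 1 < len(line):
            nxt = line[i + 1]
            cur += "\n" if nxt == "n" else nxt
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if cur:
        tokens.append(cur)
    return tokens


def parse_export(text):
    """Return (section, action, params) triples; bare words such as 'telnet'
    in '/ip service set telnet ...' are kept under params['_args']."""
    entries, section = [], None
    for line in join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = tokenize(line)
        params = {"_args": []}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            else:
                params["_args"].append(tok)
        entries.append((section, tokens[0], params))
    return entries


def lint(text):
    """Report the two configuration gaps discussed in this thread."""
    entries = parse_export(text)
    findings = []
    for section, action, p in entries:
        if (section == "/ip ipsec policy" and action == "add"
                and p.get("template") != "yes" and "peer" not in p):
            findings.append(
                f"ipsec policy {p.get('src-address')} <=> {p.get('dst-address')} "
                f"(comment={p.get('comment')!r}) has no peer= and depends on "
                f"sa-src-address/sa-dst-address staying correct; bind it to a peer")
    uses_cloud = any("/ip cloud force-update" in v
                     for _, _, p in entries for k, v in p.items() if k != "_args")
    ddns_on = any(s == "/ip cloud" and p.get("ddns-enabled") == "yes"
                  for s, _, p in entries)
    if uses_cloud and not ddns_on:
        findings.append("a script or schedule runs '/ip cloud force-update' but "
                        "'/ip cloud set ddns-enabled=yes' is missing")
    return findings
```

`lint(open("rb4011.rsc").read())` on the export file returns the list of findings; an empty list means both checks pass. Because `parse_export()` returns every entry as a dictionary, further checks (for example comparing interface names between the old and new export, as suggested earlier in the thread) are one more loop over the same data.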

So, I am connected!! Brilliant!!!

In France and London:

  • I used the fqdn in the Peer address and left the local-address blank
  • Disabled the scripts that previously updated them (or not, in France!!!)

In France:

  • I updated the Policy to use the right Peer

I have learned:

  1. I now have a back door via ssh to France. If I mess something up, I can correct it. It is behind a second router, so I can use that so I don’t have that port open the whole time.
  2. I can use a fqdn rather than have a complicated script!
  3. I was extremely lucky that the London IP address didn’t change!
  4. Dwarfs!

Thank you very much for your time and knowledge. As ever, you are very generous with it.

Charles