My first config Mikrotik

Hello everyone…

It’s my first mikrotik (hAP ax3) and I’m a little saturated with so much information.

I would like to know what I need to add or what I should change…

Wireguard
I can ping from the router to the mobile and from the mobile to the router
I can scan the network from my mobile with Network Analyzer
I can’t ping from PC to mobile

I want Wireguard to have access to the LiteBeam 5AC Gen2 antennas…but I don’t want the antennas to have an Internet connection…only LAN…is it possible?

I would also like help with the Firewall…because there are many places to download rules but I don’t trust it very much and I prefer to ask here


Greetings and thank you very much.


This is my net
ISP router in mode ONT — hAP ax3 — LiteBeam 5AC Gen2 → LiteBeam 5AC Gen2 — LiteBeam 5AC Gen2 → LiteBeam 5AC Gen2 — 2x Redmi Router AC2100 (OpenWRT)

— ethernet conection
→ wifi conection

LiteBeam 5AC Gen2 are in mode Bridge
Redmi Router AC2100 are in mode dumb AP

#############################
# 2024-03-13 08:19:59 by RouterOS 7.14
# software id = XEMU-N0CS
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
#############################
# Backup
#
# 00_identity_services_NTP.rsc
#############################

/ip service
set api disabled=yes
set api-ssl disabled=yes
set ftp address=192.168.1.0/24 disabled=yes port=**
set ssh address=192.168.1.0/24 port=**
set telnet address=192.168.1.0/24 disabled=yes port=**
set winbox address=192.168.1.0/24 port=**
set www address=192.168.1.0/24 port=**
set www-ssl disabled=yes

/system clock
set time-zone-name=Europe/Madrid

/system identity
set name=Casa_Router

/system note
set show-at-login=no

/system ntp server
set broadcast=yes broadcast-addresses=192.168.1.255 enabled=yes


#############################
# Backup
#
# 01_Internet_Jazztel.rsc
#############################

/interface bridge
add comment="Bridge LAN" name=bridge_lan

/interface bridge port
add bridge=bridge_lan comment="Ports LAN" interface=ether2
add bridge=bridge_lan interface=ether3
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
add bridge=bridge_lan interface=wifi1
add bridge=bridge_lan interface=wifi2

/interface ethernet
set [ find default-name=ether1 ] comment="Red WAN" name=ether1_wan
set [ find default-name=ether2 ] comment="Red LAN"

/interface list
add name=WAN
add name=LAN

/interface list member
add comment="Interface List WAN" interface=ether1_wan list=WAN
add comment="Interface List LAN" interface=bridge_lan list=LAN

/interface vlan
add comment="VLAN Internet" interface=ether1_wan name=Internet_Jazztel vlan-id=1074

/ip address
add address=192.168.1.1/24 comment="Address LAN" interface=bridge_lan network=192.168.1.0

/ip dhcp-client
add comment="DHCP Client Jazztel" interface=Internet_Jazztel use-peer-dns=no

/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=1.1.1.1,8.8.8.8

/ip pool
add comment="Pool Casa" name=dhcp_casa_pool0 ranges=192.168.1.240-192.168.1.254

/ip dhcp-server
add address-pool=dhcp_casa_pool0 comment="DHCP Server Casa" interface=bridge_lan name=dhcp_casa

/ip dhcp-server network
add address=192.168.1.0/24 comment="Networks Casa" dns-server=192.168.1.1 gateway=192.168.1.1

/ip dhcp-server lease
add address=192.168.1.12 comment="Leases Casa" lease-time=1d mac-address=00:1E:5F:2F:B9:93 server=dhcp_casa
add address=192.168.1.92 comment="Leases Mateo" lease-time=1d mac-address=00:1E:B1:2C:B1:87 server=dhcp_casa
add address=192.168.1.111 comment="Leases Campo" lease-time=1d mac-address=00:1E:27:48:59:0E server=dhcp_casa

/ip firewall filter
add action=accept chain=input comment="Filter Rules permitir ICMP" protocol=icmp
add action=accept chain=forward comment="Filter Rules permitir established and related connections" connection-state=established,related
add action=drop chain=input comment="Filter Rules denegar invalid connections" in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Internet" out-interface=Internet_Jazztel

/ip neighbor discovery-settings
set discover-interface-list=static


#############################
# Backup
#
# 02_Wifi.rsc
#############################

/interface wifi channel
add band=2ghz-n comment="Channel WIFI" disabled=no frequency=2412-2472 name=Casa2 skip-dfs-channels=disabled width=20/40mhz
add band=5ghz-ac disabled=no frequency=5180-5825 name=Casa5 skip-dfs-channels=disabled width=20/40/80mhz

/interface wifi security
add comment="Security WIFI" disabled=no name=Casa

/interface wifi configuration
add channel=Casa2 comment="Configuracion WIFI" disabled=no mode=ap name=Casa2 security=Casa ssid=Casa
add channel=Casa5 disabled=no mode=ap name=Casa5 security=Casa ssid=Casa

/interface wifi
set [ find default-name=wifi2 ] channel=Casa2 channel.frequency=2412-2472 comment="Red WIFI" configuration=Casa2 configuration.mode=ap disabled=no name=Casa2 security=Casa
set [ find default-name=wifi1 ] channel=Casa5 configuration=Casa5 configuration.mode=ap disabled=no name=Casa5 security=Casa


#############################
# Backup
#
# 03_redireccionar_IPs.rsc
#############################

/routing table
add fib name=sin_internet

/ip route
add blackhole comment="Route List sin internet" disabled=no distance=1 dst-address=0.0.0.0/0 gateway="" pref-src="" routing-table=sin_internet scope=30 suppress-hw-offload=no target-scope=10

/ip firewall address-list
add address=192.168.1.5 comment="Address Lists Antenas" list=ips_redireccionadas
add address=192.168.1.6 list=ips_redireccionadas
add address=192.168.1.7 list=ips_redireccionadas
add address=192.168.1.8 list=ips_redireccionadas
add address=192.168.1.90 list=ips_redireccionadas
add address=192.168.1.100 list=ips_redireccionadas

add address=192.168.1.12 comment="Address Lists SAT" disabled=yes list=ips_redireccionadas
add address=192.168.1.92 disabled=yes list=ips_redireccionadas
add address=192.168.1.111 disabled=yes list=ips_redireccionadas

add address=192.168.1.13 comment="Address Lists Casa TV" list=ips_redireccionadas
add address=192.168.1.14 list=ips_redireccionadas

add address=192.168.1.105 comment="Address Lists Campo Router OpenWRT" list=ips_redireccionadas

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mangle IPs redireccionadas" new-routing-mark=sin_internet passthrough=yes src-address-list=ips_redireccionadas

/ip cloud
set ddns-enabled=yes ddns-update-interval=1m

/ip firewall filter
add action=accept chain=input comment="Filter Rules permitir Mikrotik desde Internet" dst-port=** protocol=tcp

/ip firewall nat
add action=dst-nat chain=dstnat comment="NAT eMule" dst-port=48000 protocol=tcp to-addresses=192.168.1.10 to-ports=48000
add action=dst-nat chain=dstnat dst-port=48001 protocol=udp to-addresses=192.168.1.10 to-ports=48001
add action=dst-nat chain=dstnat comment="NAT qBitorrent" dst-port=48002 protocol=tcp to-addresses=192.168.1.10 to-ports=48002


#############################
# Backup
#
# 04_Wireguard.rsc
#############################

/interface wireguard
add comment="Wireguard Casa" listen-port=13231 mtu=1420 name=wireguard_casa

/interface wireguard peers
add allowed-address=192.168.10.15/32 comment="Peer Movil" interface=wireguard_casa public-key="**"

/ip firewall filter
add action=accept chain=input comment="Filter Rules permitir WireGuard UDP" dst-port=13231 protocol=udp
add action=accept chain=forward comment="Filter Rules permitir WireGuard to LAN" in-interface=wireguard_casa out-interface-list=LAN
add action=accept chain=forward comment="Filter Rules permitir LAN to WireGuard" in-interface-list=LAN out-interface=wireguard_casa

/ip address
add address=192.168.10.1/24 comment="Address Wireguard" interface=wireguard_casa network=192.168.10.0


#############################
# Backup
#
# 05_Pi-hole.rsc
#############################

/interface veth
add address=192.168.1.2/24 comment="VETH Dockers" gateway=192.168.1.1 name=pi-hole

/interface bridge port
add bridge=bridge_lan comment="Ports Pi-hole" interface=pi-hole

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Pi-hole" src-address=192.168.1.0/24

/container envs
add comment="Envs Pi-hole" key=TZ name=pihole_envs value=Europe/Madrid
add key=WEBPASSWORD name=pihole_envs value=**
add key=DNSMASQ_USER name=pihole_envs value=**

/container mounts
add comment="Mounts Pi-hole" dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/usb1/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1/etc

/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1/pull

/container
add comment="Container Pi-hole" envlist=pihole_envs interface=pi-hole logging=yes mounts=etc_pihole,dnsmasq_pihole root-dir=usb1/pihole start-on-boot=yes


# Despues de iniciar Pi-hole
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=192.168.1.2


#############################

And so you invite more input? Metcalfe help you!

I can’t ping from PC to mobile

Presuming you could before — it’s common enough for “client” type devices/OSes to block pings — then I would guess it’s because you’ve dropped the “untracked” qualifier from the first defconf rule described here.

You’ve nuked the similar input chain rule for no obvious reason, too. Why are you second-guessing our wise benefactors at MikroTik?

I advocate not for blind obedience but for reasoned objection, where that is possible. Make a good case, and I’ll accept it. Otherwise, I must question your departure from long-established defaults.

I would also like help with the Firewall…because there are many places to download rules but I don’t trust it very much and I prefer to ask here

You can’t go far wrong with the default configuration. Grok that, then come back if you want to expand from there, with a specific goal in mind.

/system ntp server set broadcast=yes…

Does that work with all your clients?

Me, I’d set it up for unicast and then configure dhcp-server with ntp-server=192.168.1.1. I doubt there’s anything with a 32-bit or better CPU that speaks DHCP that does not understand that. I can believe there are 8-bit embedded systems that won’t, but they won’t understand broadcast NTP, either.

/interface bridge port add bridge=bridge_lan comment=“Ports LAN” interface=ether2

I don’t think you want that comment on a single port. It goes on the bridge itself.

/interface wifi channel
add band=2ghz-n comment=“Channel WIFI” disabled=no frequency=2412-2472 name=Casa2 skip-dfs-channels=disabled width=20/40mhz
add band=5ghz-ac disabled=no frequency=5180-5825 name=Casa5 skip-dfs-channels=disabled width=20/40/80mhz
/interface wifi configuration
add channel=Casa2 comment=“Configuracion WIFI” disabled=no mode=ap name=Casa2 security=Casa ssid=Casa
add channel=Casa5 disabled=no mode=ap name=Casa5 security=Casa ssid=Casa

Per the DRY principle, move the common configuration elements into a single “configuration,” then refer to it from both, like this.

/ip firewall nat
add action=dst-nat chain=dstnat comment=“NAT eMule” dst-port=48000 protocol=tcp to-addresses=192.168.1.10 to-ports=48000
add action=dst-nat chain=dstnat dst-port=48001 protocol=udp to-addresses=192.168.1.10 to-ports=48001
add action=dst-nat chain=dstnat comment=“NAT qBitorrent” dst-port=48002 protocol=tcp to-addresses=192.168.1.10 to-ports=48002
/ip firewall filter
add action=accept chain=input comment=“Filter Rules permitir WireGuard UDP” dst-port=13231 protocol=udp

You should add something like in-interface-list=WAN or similar to these rules, presuming they’re meant to allow inbound connections from the Internet. Without that, they’ll affect outbound traffic on those same ports, bouncing it back inside. That can cause random hard-to-debug failures down the line.

/ip dhcp-server network
add address=192.168.1.0/24 comment=“Networks Casa” dns-server=192.168.1.1 gateway=192.168.1.1

Shouldn’t dns-server point to your PiHole? And likewise, why run a local caching DNS server and PiHole?

thanks