Greetings, Programs!
I have been using MikroTik routers for a few years now but haven't delved into the deep end until now. I know it can be a nightmare for a new user, but that is why we have places like this to turn to.
I currently have a hEX S at my home and an x86 RouterOS instance at my colo. I have an EoIP tunnel configured between the two, and I can ping between them. I have not set up routing yet.
I tried to use IPsec with the tunnel, but when I disable fastpath in order to use IPsec, the tunnel drops the connection and will not reconnect. My end goal here is to have a few computers at my home use the internet as it is normally routed from my ISP. I want another set of computers routed through the tunnel so they use the network at my colo. I'm not sure what the best way to do that is. I had thought about using a VLAN, but any input on this is welcome.
Also, any idea why the tunnel drops out when I uncheck fastpath?
Here is the current config from my colo.
feb/17/2019 09:50:59 by RouterOS 6.43.12
software id = P5DA-M6TF
# Colo router export (x86 RouterOS 6.43.12). An export lists only settings
# that differ from factory defaults, so anything not shown below is at its
# default value.
/interface ethernet
# ether1 is the only physical port referenced; its MAC is pinned explicitly.
set [ find default-name=ether1 ] mac-address=00:0C:29:EC:D5:93
/interface eoip
# EoIP tunnel to the home router (tunnel-id=5 on both ends). No ipsec-secret
# is set on this interface, nor on the home side, so the tunnel is plain GRE:
# everything carried through it crosses the internet unencrypted. Setting
# ipsec-secret on the EoIP interface is what makes RouterOS create the IPsec
# peer/policy for the tunnel; no /ip ipsec peer or policy appears in this
# export, only the proposal cipher change further down.
# "name=" is split across two lines by the paste; in a real export this is a
# single continued line.
add local-address=192.254.69.163 mac-address=02:41:B4:08:00:D0 name=
eoip-tunnel-r1 remote-address=24.167.144.134 tunnel-id=5
/interface vlan
# VLAN 50 rides inside the tunnel. The home router's vlan1 is VLAN 51 on its
# LAN bridge, not on the tunnel, so the two interfaces named vlan1 are not
# the same L2 segment.
add interface=eoip-tunnel-r1 name=vlan1 vlan-id=50
/interface list
add name=WAN
add name=LAN
/ip ipsec proposal
# Only the default proposal's cipher is changed; nothing else in this export
# references IPsec.
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
# Shared by the vlan1 DHCP server and the PPP profile below.
add name=dhcp ranges=192.168.202.2-192.168.202.80
/ip dhcp-server
# DHCP on vlan1, but no /ip address in 192.168.202.0/24 is assigned to vlan1
# (see /ip address) and the only /ip dhcp-server network entry is
# 0.0.0.0/24, so leases from this server carry no usable gateway.
add address-pool=dhcp disabled=no interface=vlan1 name=dhcp1
/ppp profile
# PPP peers draw addresses from the same "dhcp" pool as vlan1 clients.
add local-address=dhcp name=profile1 remote-address=dhcp
/tool user-manager customer
# "access=" is split across two lines by the paste (one line in the export).
set admin access=
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface l2tp-server server
# L2TP server is enabled. use-ipsec is not shown, so it is at its default
# (off): L2TP sessions are not wrapped in IPsec.
set default-profile=profile1 enabled=yes max-mru=1470 max-mtu=1470
/interface list member
add interface=ether1 list=WAN
# Member entry with no interface: the LAN list is effectively empty, so no
# rule using in-interface-list=LAN can match on this router.
add list=LAN
/interface pptp-server server
# pap/chap/mschap1 are accepted alongside mschap2. No enabled=yes is shown
# here, so the PPTP server is presumably still disabled — confirm.
set authentication=pap,chap,mschap1,mschap2
/ip address
# Non-RFC1918 /29 on ether1.
add address=192.254.69.163/29 interface=ether1 network=192.254.69.160
# Tunnel point-to-point link; the home side is 172.22.22.2/30.
add address=172.22.22.1/30 interface=eoip-tunnel-r1 network=172.22.22.0
# A private /24 on the same outward-facing ether1. The home router uses this
# same 192.168.201.0/24 range as its vlan1 DHCP pool, so the two sites will
# overlap once routing over the tunnel is added.
add address=192.168.201.1/24 interface=ether1 network=192.168.201.0
/ip cloud
set update-time=no
/ip dhcp-server network
# 0.0.0.0/24 with gateway 0.0.0.0 describes no real subnet; for dhcp1 this
# should be 192.168.202.0/24 with the router's vlan1 address as gateway.
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
/ip dns
# Recursive DNS is opened to remote clients; the two input rules below drop
# port 53 arriving on ether1 so this does not act as an open resolver there.
set allow-remote-requests=yes servers=192.254.69.164
/ip firewall filter
# input chain: accepts PPTP control (1723/tcp) and GRE, drops DNS from
# ether1, and ends. There is no established/related accept and no final
# drop, so every other packet addressed to the router itself — including
# from the public /29 — falls through to the default accept. The 1723/GRE
# accepts admit traffic for a PPTP server that this export does not show as
# enabled.
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
# forward chain: only the IPsec-policy accepts exist; with no other rules,
# all forwarded traffic is accepted by default.
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
# The first rule has no matcher, so it masquerades every srcnat packet on
# every outgoing interface, including traffic sent into the EoIP tunnel;
# the two rules after it can never match.
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=accept chain=srcnat src-address=192.168.201.0/24
/ip route
# Default route via the /29 gateway.
add distance=1 gateway=192.254.69.161
/ip service
# telnet/ftp/www/ssh are off. winbox, api and api-ssl are not mentioned, so
# they are presumably at their defaults and, given the open input chain
# above, reachable on ether1 — confirm with /ip service print.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ipv6 address
# Global IPv6 on ether1. No /ipv6 firewall filter section exists in this
# export, so IPv6 traffic to and through the router is unfiltered.
add address=2607:5600:534::600/48 advertise=no interface=ether1
/ipv6 route
add distance=1 gateway=2607:5600:534::1
/ppp secret
# Single PPP account, bound to profile1 (the L2TP default profile above).
add name=matt profile=profile1
/system clock
set time-zone-name=America/New_York
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29
/tool bandwidth-server
set enabled=no
/tool user-manager database
# Its "set db-path=..." line follows, fused with the forum text in the paste.
set db-path=user-manager

And here is the config from the hEX S at my home:
feb/17/2019 09:59:22 by RouterOS 6.42.7
software id = HIH6-FCRR
model = RB760iGS
serial number = 976C09D69279
# Home router export (RB760iGS, RouterOS 6.42.7). Most rules carry the stock
# "defconf" comment; the custom parts are the EoIP tunnel, vlan1, ether1
# moved into the bridge with sfp1 as WAN, the DNS drops and the dst-nat
# entries.
/interface bridge
add admin-mac=B8:69:F4:05:9B:95 auto-mac=no comment=defconf name=bridge
/interface eoip
# Other end of the colo's tunnel-id=5. No ipsec-secret here either, so the
# tunnel is unencrypted GRE. allow-fast-path is not shown, so it is at its
# default; note that this interface fast-path setting is distinct from the
# fasttrack-connection firewall rule further down.
add local-address=24.167.144.134 mac-address=02:3F:A1:30:4C:68 name=eoip-tunnel1 remote-address=192.254.69.163 tunnel-id=5
/interface vlan
# VLAN 51 on the LAN bridge — not on the tunnel, and a different ID from the
# colo's vlan1 (VLAN 50 on eoip-tunnel-r1).
add interface=bridge name=vlan1 vlan-id=51
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.200.10-192.168.200.100
# 192.168.201.0/24 is also the subnet the colo router holds on its ether1.
add name=dhcp_pool1 ranges=192.168.201.2-192.168.201.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# vlan1 has no /ip address in 192.168.201.0/24 and there is no matching
# /ip dhcp-server network entry (only 192.168.200.0/24 exists below), so
# this server cannot hand out usable leases.
add address-pool=dhcp_pool1 disabled=no interface=vlan1 name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=sfp1
# ether1 has been moved into the LAN bridge; sfp1 is the WAN port instead
# (see /interface list member and /ip dhcp-client).
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
# eoip-tunnel1 and vlan1 are in neither list, which decides how the
# in-interface-list rules in the filter below treat tunnel traffic.
add interface=sfp1 list=WAN
/ip address
add address=192.168.200.1/24 comment=defconf interface=bridge network=192.168.200.0
# Tunnel point-to-point link; the colo side is 172.22.22.1/30.
add address=172.22.22.2/30 interface=eoip-tunnel1 network=172.22.22.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=sfp1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.200.0/24 comment=defconf gateway=192.168.200.1 netmask=24
/ip dns
# Resolver is opened to remote requests; the two non-defconf rules at the
# end of the IPv4 filter drop port 53 arriving on sfp1.
set allow-remote-requests=yes servers=192.254.69.164
/ip dns static
add address=192.168.200.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Because eoip-tunnel1 is not in the LAN list, anything other than ICMP sent
# to this router over the tunnel (e.g. management from the colo side) is
# dropped here; ping across the tunnel works only because of the ICMP accept
# above.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# fasttrack sits after the IPsec-policy accepts, as in defconf, so traffic
# matching an IPsec policy is not fasttracked.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only the WAN list (sfp1) is subject to this drop. New connections arriving
# through eoip-tunnel1 fall through to the default accept, so once routing
# is set up the tunnel is an unfiltered path into the LAN.
# "in-interface-list=WAN" is split onto the next line by the paste.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new
in-interface-list=WAN
add action=drop chain=input dst-port=53 in-interface=sfp1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=sfp1 protocol=tcp
/ip firewall nat
# Masquerade only toward the WAN list and only for non-IPsec traffic;
# eoip-tunnel1 is not in WAN, so traffic into the tunnel is not NATed here.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Inbound TCP port forwards from sfp1 into the LAN. Ports 32400 and 40000
# both land on port 32400, on two different hosts.
add action=dst-nat chain=dstnat dst-port=5579 in-interface=sfp1 protocol=tcp to-addresses=192.168.200.201 to-ports=5579
add action=dst-nat chain=dstnat dst-port=32400 in-interface=sfp1 protocol=tcp to-addresses=192.168.200.222 to-ports=32400
add action=dst-nat chain=dstnat dst-port=40000 in-interface=sfp1 protocol=tcp to-addresses=192.168.200.75 to-ports=32400
add action=dst-nat chain=dstnat dst-port=5000 in-interface=sfp1 protocol=tcp to-addresses=192.168.200.222 to-ports=5000
add action=dst-nat chain=dstnat dst-port=6281 in-interface=sfp1 protocol=tcp to-addresses=192.168.200.222 to-ports=6281
/ipv6 firewall address-list
# Stock defconf bogon list, referenced by the IPv6 forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Stock defconf IPv6 filter. No /ipv6 address or /ipv6 dhcp-client appears
# in this export, so these rules are currently idle but in place.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
# "src-address=fe80::/16" is split across two lines by the paste.
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=
fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system ntp client
set enabled=yes primary-ntp=132.163.96.5 secondary-ntp=132.163.97.5
/system routerboard settings
set silent-boot=no
/tool mac-server
# MAC-telnet and MAC-Winbox are limited to LAN-list interfaces (the bridge).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN