ping and dns problem on ipsec tunnel

I have two HAP AC2 devices.

  • Side #1 is called “lacinet”, it has address 192.168.14.254/24 on BASE (management) vlan.
  • Side #2 is called “magnet”, it has 192.168.19.254/24 main address on BASE (management) vlan.
  • There are also other networks with different vlans on both sides (10.14.VLAN-SIDE1.X and 10.19.VLAN-SIDE2.Y).
  • These routers are connected via ipsec/ike2 tunnel over the internet.

On side1, I have these policies:

/ip ipsec policy
set 0 comment="For l2tp-server"
add dst-address=192.168.19.0/24 group=group-magzatom proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes
add dst-address=10.19.0.0/16 group=group-magzatom proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes

On side2, I have these policies:

/ip ipsec policy
set 0 comment="For l2tp-server" dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.14.0/24 peer=not_telling.com proposal=proposal-s2s-ros src-address=192.168.19.0/24 tunnel=yes
add dst-address=192.168.14.0/24 peer=not_telling.com proposal=proposal-s2s-ros src-address=10.19.0.0/16 tunnel=yes

They are active and established:

[gandalf@r01.magnet] /ip ipsec policy> print 
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #      PEER           TUNNEL SRC-ADDRESS                                         DST-ADDRESS                                         PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T  * ;;; For l2tp-server
                              0.0.0.0/0                                           0.0.0.0/0                                           all       
 1   A  xyzq.abcd.co   yes    192.168.19.0/24                                     192.168.14.0/24                                     all        encrypt require         59
 2   A  xyzq.abcd.co   yes    10.19.0.0/16                                        192.168.14.0/24                                     all        encrypt require          1

On side1, I have this DNS setting:

/ip dns static
add forward-to=192.168.19.254 regexp=".*\\.magnet" type=FWD
add comment=magzatom-base forward-to=192.168.19.254 regexp=".*\\.19\\.168\\.192\\.in-addr\\.arpa" type=FWD
add comment=magzatom-vlan forward-to=192.168.19.254 regexp=".*\\.19\\.10\\.in-addr\\.arpa" type=FWD

On side2, there are many static addresses, here are some examples:

/ip dns static
add address=192.168.19.254 name=r01.magnet
add address=192.168.19.253 name=r02.magnet
add address=192.168.19.252 name=r03.magnet
add address=10.19.30.10 name=nvr.magnet
add address=10.19.10.101 comment=#DHCP name=nas.magnet. ttl=10m

(Actually, many of them are created by a dhcp lease script but that is not important.)

All right, so I connect a computer on side1 to the network, with DHCP. Let’s say that computer1 has address 192.168.14.106.

Then I do this:

$ ping 192.168.19.254
PING 192.168.19.254 (192.168.19.254) 56(84) bytes of data.
64 bytes from 192.168.19.254: icmp_seq=1 ttl=63 time=15.7 ms

In other words, I can ping from LAN1 (192.168.14.106) → router1 (192.168.14.254) → ipsec tunnel → router2 (192.168.19.254)

But if I try to ping from router1, then this is what happens:

[gandalf@router.lacinet] > /ping 192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                                          timeout
    sent=1 received=0 packet-loss=100%

So this one does not work: router1 (192.168.14.254) → ipsec tunnel → router2 (192.168.19.254)

This problem also shows itself with DNS requests. This happens when I want to get the address of a remote machine, specifying the DNS server by hand:

$ host nas.magnet 192.168.19.254
Using domain server:
Name: 192.168.19.254
Address: 192.168.19.254#53
Aliases: 

nas.magnet has address 10.19.10.101

And this happens when I try to use the default DNS server (which is 192.168.14.254, in other words it is router1):

$ host nas.magnet
;; connection timed out; no servers could be reached

Again, this is a computer on LAN1 → router1 → ipsec tunnel → router2, just UDP/53 instead of ICMP ping.

This is my input chain on side2:

/ip firewall filter> print chain=input
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Allow UDP 500,4500,1701 for IKE, IPSEC/ESP and L2TP
      chain=input action=accept protocol=udp port=1701,500,4500 

 1    ;;; Allow IPSEC/ESP
      chain=input action=accept protocol=ipsec-esp 

 2    ;;; Accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 3    ;;; Drop invalid
      chain=input action=drop connection-state=invalid 

 4    ;;; Accept ICMP
      chain=input action=accept protocol=icmp 

 5    ;;; CAPsMAN and CAP
      chain=input action=accept src-address-type=local dst-address-type=local 

 6    ;;; Input from BASE mgmt
      chain=input action=accept in-interface-list=BASE 

 7    ;;; SSH input, with brute force protection
      chain=input action=jump jump-target=input_ssh protocol=tcp dst-port=22 

 8    ;;; Input from VLAN
      chain=input action=jump jump-target=input_from_vlan in-interface-list=VLAN 

 9    ;;; Input from L2TP client
      chain=input action=jump jump-target=input_from_l2tp src-address=10.19.200.0/24 

10    ;;; DNS from lacinet udp
      chain=input action=accept protocol=udp src-address=192.168.14.0/24 dst-port=53 

11    ;;; DNS from lacinet tcp
      chain=input action=accept protocol=tcp src-address=192.168.14.0/24 dst-port=53 

12    ;;; Drop
      chain=input action=drop

Rule number 4 should accept all ICMP requests including ping. Rules 10 and 11 should accept all DNS requests from side1.

I can’t find out what the problem is. How is it possible that ping does not work router1 → router2, but it works computer1 → router1 → router2? What am I not seeing?

P.S.: I could send the whole router config but it is sooo long. Both sides have 4-5 vlans, many other firewall rules (I think most of them are not relevant, they are moved to different chains), also NAT rules, L2TP servers etc.

When the router sends an initial packet of some connection (i.e. it does not respond to an incoming packet), it first finds the route to the destination and its gateway interface, and then it sends the packet from the IP address associated with that interface, unless there is a pref-src address set for that route. So since your default route likely uses the WAN gateway, and it likely has no dedicated route to the LAN subnet of the remote IPsec peer, the DNS request is sent to the address of the DNS server but with the IP of the WAN interface as source, and hence the traffic selector of the IPsec policy cannot see it. So add a route to the remote LAN subnet with pref-src=ip.from.local.lan.subnet; the gateway of this route is not really important, it may even be the LAN bridge interface, as the packet will only be actually sent via that gateway if the IPsec tunnel is down.
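The mechanism sindy describes, as an added Python model (not RouterOS code and not from this thread): route lookup chooses pref-src or the gateway interface's address as the source of a router-originated packet, and that source is what the IPsec policy selector tests. The policies are the ones printed for router1 above; the route tables and the WAN address 17.17.249.35 are constructed from the thread's dummy values.

```python
# Added illustration (not RouterOS code): source-address selection for packets the
# router originates itself, and whether the result falls inside an IPsec policy.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dst: IPv4Network
    gateway: str                          # next hop or interface, informational here
    iface_addr: Optional[IPv4Address]     # router's own address on the gateway interface
    pref_src: Optional[IPv4Address] = None
    distance: int = 1


@dataclass(frozen=True)
class Policy:
    src: IPv4Network                      # IPsec traffic selector (src-address)
    dst: IPv4Network                      # IPsec traffic selector (dst-address)


def lookup_route(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest distance wins."""
    hits = [r for r in routes if dst in r.dst]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.dst.prefixlen, -r.distance))


def pick_source(routes: List[Route], dst: IPv4Address) -> IPv4Address:
    """Source of a router-originated packet: pref-src of the chosen route if set,
    otherwise the address the router holds on that route's gateway interface."""
    route = lookup_route(routes, dst)
    if route is None:
        raise ValueError(f"no route to {dst}")
    src = route.pref_src or route.iface_addr
    if src is None:
        raise ValueError(f"route to {route.dst} has neither pref-src nor an interface address")
    return src


def policy_matches(policies: List[Policy], src: IPv4Address, dst: IPv4Address) -> bool:
    """The policy selector only sees the packet if both ends fall inside it."""
    return any(src in p.src and dst in p.dst for p in policies)


def router_originated(routes: List[Route], policies: List[Policy], dst: str) -> Tuple[str, bool]:
    """Returns (chosen source address, whether the packet hits an IPsec policy)."""
    d = ip_address(dst)
    src = pick_source(routes, d)
    return str(src), policy_matches(policies, src, d)


def forwarded(policies: List[Policy], src: str, dst: str) -> bool:
    """A LAN host's packet keeps its own source; pref-src plays no role for it."""
    return policy_matches(policies, ip_address(src), ip_address(dst))


# Router 1 policy selectors as printed in the thread.
POLICIES = [
    Policy(ip_network("192.168.14.0/24"), ip_network("192.168.19.0/24")),
    Policy(ip_network("192.168.14.0/24"), ip_network("10.19.0.0/16")),
]
# Constructed from the thread's dummy addresses: WAN 17.17.249.35 on ether5-wan,
# default route via 17.17.255.254, BASE_VLAN 192.168.14.254/24.
WAN = ip_address("17.17.249.35")
BASE = ip_address("192.168.14.254")
ROUTES_NO_PREF = [
    Route(ip_network("0.0.0.0/0"), "17.17.255.254", WAN),
    Route(ip_network("192.168.14.0/24"), "BASE_VLAN", BASE, distance=0),
]
# The same table plus the route sindy recommends: remote LAN via the "ipsec" bridge
# (which has no address of its own) with pref-src set to the local LAN address.
ROUTES_WITH_PREF = ROUTES_NO_PREF + [
    Route(ip_network("192.168.19.0/24"), "ipsec", None, pref_src=BASE),
]

if __name__ == "__main__":
    print(router_originated(ROUTES_NO_PREF, POLICIES, "192.168.19.254"))    # ('17.17.249.35', False)
    print(router_originated(ROUTES_WITH_PREF, POLICIES, "192.168.19.254"))  # ('192.168.14.254', True)
    print(forwarded(POLICIES, "192.168.14.106", "192.168.19.254"))          # True
```

Without the pref-src route the router's own ping leaves with the WAN address as source and never enters the policy, while the LAN host's ping matches in both tables, which is exactly the asymmetry the question describes.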

Hi

sindy’s answer sounds good, but I never tried it.

I solved the same situation by creating an output mangle rule that marked these packets. Then in a srcnat rule I src-nated these packets.

I already have this route added on side1:

add comment="VPN to magnet-base" distance=1 dst-address=192.168.19.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to magnet-vlan" distance=1 dst-address=10.19.0.0/16 gateway=ipsec pref-src=192.168.14.254

And this one on side 2:

add comment="VPN to lacinet" distance=1 dst-address=192.168.14.0/24 gateway=ipsec pref-src=192.168.19.254

I have other IPSEC clients connected to router1 (lacinet) with different subnets. All of them work, except this one. I can’t figure out why.
The route from 10.19.x.x to * is not added only because I do not need it.

The ipsec gateway is defined as:

/interface bridge
add name=ipsec protocol-mode=none

It was already this way when I did the tests.

BTW I have other IPSEC/IKEv2 clients connected to router1 (lacinet), with different subnets on the remote side. All of them work, except this one. I can’t figure out why.

In this case, the only thing to come to my mind without seeing the complete configurations is that some NAT rule breaks it. But it would have to be a selective one that would only affect connections initiated by Router 1 itself.

When you make the command line window as wide as your screen allows, run /tool sniffer quick ip-protocol=icmp ip-address=192.168.19.254 in it, and run /ping 192.168.19.254 in another command line window, what does the sniffer show?

When I ping router2 (192.168.19.254) from router1 (192.168.14.254), then this is what I see on router 2:

/tool sniffer> quick  ip-protocol=icmp ip-address=192.168.19.254
INTERFACE                            TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS
ether5-wan                          0.758      1 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.254
ether5-wan                          1.754      2 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.254
ether5-wan                          2.757      3 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.254
ether5-wan                          3.759      4 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.254

And this is what I see on router 1:

/tool sniffer> quick  ip-protocol=icmp ip-address=192.168.19.254
INTERFACE                            TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS

I.e., nothing.

When I ping it from 192.168.14.106 (a computer), then this is what I see on router2:

/tool sniffer> quick  ip-protocol=icmp ip-address=192.168.19.254
INTERFACE                            TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS
ether5-wan                         10.852      1 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.106
ether5-wan                         11.864      2 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.106
ether5-wan                         12.862      3 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.106
ether5-wan                         13.875      4 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.106

And router1:

/tool sniffer> quick  ip-protocol=icmp ip-address=192.168.19.254
INTERFACE                            TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS

Nothing again, but somehow the response reaches the computer.

I’m going to post all NAT rules from router1 and router2 below, but it is a bit long.

router1

/ip firewall nat
add action=jump chain=srcnat comment="Src-Nat l2tp laci-vivobook-> any" jump-target=srcnat_laci_l2tp src-address=10.14.200.104
add action=src-nat chain=srcnat comment="Src-Nat BASE->BLUE" out-interface=BLUE_VLAN src-address=192.168.14.0/24 to-addresses=\
    10.14.10.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->RED" out-interface=RED_VLAN src-address=192.168.14.0/24 to-addresses=\
    10.14.30.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->CYAN" out-interface=CYAN_VLAN src-address=192.168.14.0/24 to-addresses=\
    10.14.40.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->HALL" dst-address=10.14.200.0/24 src-address=192.168.14.0/24 \
    to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->LTE-mgmt" out-interface=ether4-lte src-address=192.168.14.0/24 \
    to-addresses=10.14.100.2
add action=src-nat chain=srcnat_laci_l2tp comment="Src-Nat l2tp laci-vivbook->ipsec" out-interface=ipsec to-addresses=\
    192.168.14.254
add action=src-nat chain=srcnat_laci_l2tp comment="Src-Nat l2tp laci-vivobook->l2tp (inter-l2tp)" dst-address=10.14.200.0/24 \
    to-addresses=10.14.200.1
add action=dst-nat chain=dstnat comment="postgres kali-homok slave backup.not_tellig_.hu->lacinet->forgach-vpn" dst-port=54321 \
    in-interface=ether5-wan protocol=tcp src-address=164.1.2.3 to-addresses=10.14.10.105 to-ports=5432
add action=src-nat chain=srcnat comment="stonemining slave/vnc htpc->stonemining" dst-address=10.14.200.107 dst-port=5432,5900 \
    protocol=tcp src-address=10.14.10.105 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="kalihomok slave/vnc htpc->forgach" dst-address=10.14.200.101 dst-port=5432,5900 \
    protocol=tcp src-address=10.14.10.105 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="kavicsbanya slave htpc->borika-pc" dst-address=192.168.18.199 dst-port=5432,5900 \
    protocol=tcp src-address=10.14.10.105 to-addresses=192.168.14.254
add action=src-nat chain=srcnat comment="Src-Nat htpc->visznet all" dst-address=192.168.5.0/24 src-address=10.14.10.105 \
    to-addresses=192.168.14.254
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat_laci_l2tp comment="Src-Nat l2tp laci-vivobook->blue" dst-address=10.14.10.0/24 to-addresses=\
    10.14.10.1

router2

/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="scr-nat lacinet->RED" out-interface=RED_VLAN src-address=192.168.14.0/24 to-addresses=\
    10.19.30.1
add action=src-nat chain=srcnat comment="Src-Nat base-lacinet->base-magnet" out-interface=BASE_VLAN src-address=192.168.14.0/24 \
    to-addresses=192.168.19.254
add action=src-nat chain=srcnat comment="Src-Nat base-lacinet->hall-magnet" dst-address=10.19.200.0/24 src-address=\
    192.168.14.0/24 to-addresses=10.19.200.1
add action=src-nat chain=srcnat comment="Src-Nat l2tp viktornas->nas" dst-address=10.19.10.101 src-address=10.19.200.102 \
    to-addresses=10.19.200.1

5 minutes later, I tried again and now it works.

[gandalf@router.lacinet] /ip firewall nat> /ping 192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                             56  64 25ms
    1 192.168.19.254                             56  64 29ms
    2 192.168.19.254                             56  64 12ms
    3 192.168.19.254                             56  64 14ms
    4 192.168.19.254                             56  64 18ms
    sent=5 received=5 packet-loss=0% min-rtt=12ms avg-rtt=19ms max-rtt=29ms

But I did not change anything on any side. I was just trying different sniffer settings.

This seems to be an intermittent problem. Sometimes it works, sometimes not. But how is it possible?

I’m going to make more tests later, and see if it works or not.

The reason why you can see the icmp packets from 192.168.14.254 to 192.168.19.254 at the destination router but not at the source one is that payload packets decrypted from received IPsec transport ones are shown in the sniff, but the sent payload packets before getting encrypted into the IPsec transport ones are not.

If they had been shown at the source router, it would have meant that they had evaded any IPsec policy; the fact that you cannot see them there but you can see them at Router 2 means no NAT rule has modified them at Router 1 and they did match the policy.

The input filter rules at Router 2 accept icmp no matter where it comes from, so that is not an issue. So either an rp-filter at Router 2, or some overlapping IPsec policy may drop them for “arriving via the wrong door”, or the response is not routed properly, or something at Router 1 doesn’t let them in.

What surprises me a lot and suggests a more complex problem is that when you ping 192.168.19.254 from 192.168.14.106, you cannot see the responses at Router 1. This suggests that the responses bypass Router 1 somehow, but theoretically it may be a glitch of the sniffing of the decapsulated IPsec payload. To be sure, place the following rule as the very first static one to mangle chain prerouting at router 1:
src-address=192.168.19.254 dst-address=192.168.19.254 protocol=icmp action=passthrough comment=x
Then, run /ip firewall mangle print stats interval=1s where comment=x and start pinging 192.168.19.254 from 192.168.14.106 again. If you can see the rule counting, it means the sniffing is broken; if you cannot, the ICMP responses arrive at the computer some other way than via Router 1.

This was given on both sides:

/ip settings
set rp-filter=strict

Changed to rp-filter=no but it still doesn’t work.

I think there are no overlapping ipsec policies. Here are the policies on router 1, public IPs replaced with dummy ones:

[gandalf@router.lacinet] /ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #      PEER  TUN SRC-ADDRESS                                    DST-ADDRESS                                    PROTOCOL   ACTION
 0 T  * ;;; For l2tp-server
                  ::/0                                           ::/0                                           all
 1   DA  l2t.. no  17.17.17.17/32                               1.2.3.4/32                              udp        encrypt
 2   DA  l2t.. no  17.17.17.17/32                               5.6.7.8/32                               all        encrypt
 3   DA  l2t.. no  17.17.17.17/32                               9.10.11.12/32                               udp        encrypt
 4   DA  l2t.. no  17.17.17.17/32                               13.14.15.16/32                                udp        encrypt
 5 T    ;;; office.not_telling3.com
                  192.168.14.0/24                                192.168.5.0/24                                 all
 6   DA  pee.. yes 192.168.14.0/24                                192.168.5.0/24                                 all        encrypt
 7 T    ;;; office.not_telling.com
                  192.168.14.0/24                                192.168.13.0/24                                all
 8   DA  pee.. yes 192.168.14.0/24                                192.168.13.0/24                                all        encrypt
 9 T    ;;; kavicsbanya.not_telling.com
                  192.168.14.0/24                                192.168.18.0/24                                all
10   DA  pee.. yes 192.168.14.0/24                                192.168.18.0/24                                all        encrypt
11 T    ;;; office.not_telling2.com
                  192.168.14.0/24                                192.168.19.0/24                                all
12   DA  pee.. yes 192.168.14.0/24                                192.168.19.0/24                                all        encrypt
13 T    ;;; office.not_telling2.com-vlan
                  192.168.14.0/24                                10.19.0.0/16                                   all
14   DA  pee.. yes 192.168.14.0/24                                10.19.0.0/16                                   all        encrypt

These are for router2:

[gandalf@r01.magnet] /ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #      PEER  TUN SRC-ADDRESS                                    DST-ADDRESS                                    PROTOCOL   ACTION
 0 T  * ;;; For l2tp-server
                  0.0.0.0/0                                      0.0.0.0/0                                      all
 1   A  lac.. yes 192.168.19.0/24                                192.168.14.0/24                                all        encrypt
 2   A  lac.. yes 10.19.0.0/16                                   192.168.14.0/24                                all        encrypt

I did this on router 1:

/ip firewall mangle add src-address=192.168.19.254 dst-address=192.168.19.254 protocol=icmp action=passthrough comment=x chain=prerouting place-before=1
/ip firewall mangle print stats interval=1s

Then I started to ping 192.168.19.254 from 192.168.19.106 and this happened on router one:

[gandalf@router.lacinet] /ip firewall mangle>  /ip firewall mangle print stats interval=1s where comment=x
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                                                ACTION                            BYTES         PACKETS
 0    ;;; x
      prerouting                                                           passthrough                           0               0

I was shocked when I saw this on the computer:

Microsoft Windows [Version 10.0.19042.1466]
(c) Microsoft Corporation. Minden jog fenntartva.

C:\Users\nagyl>ping 192.168.19.254

Pinging 192.168.19.254 with 32 bytes of data:
Reply from 192.168.19.254: bytes=32 time=25ms TTL=63
Request timed out.
Reply from 192.168.19.254: bytes=32 time=143ms TTL=63
Reply from 192.168.19.254: bytes=32 time=28ms TTL=63

Ping statistics for 192.168.19.254:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 143ms, Average = 65ms

It was the first time I could catch that this is an intermittent problem. Usually it works for an hour, then doesn’t work for half a day.

If you can see the rule counting, it means the sniffing is broken; if you cannot, the ICMP responses arrive at the computer some other way than via Router 1.

Now that is totally impossible. Both routers connect to a local ISP. They have the whole internet between them. Even if a packet could leak out to the ISP’s router, it would be impossible to route it. Moreover, I have some guardians to prevent leaking:

/ip route
add comment="EKKE Telekom Mobil/LTE" distance=2 gateway=10.14.100.1
add comment="Prevent package leak RFC1918 class A" distance=1 dst-address=10.0.0.0/8 type=unreachable
add comment="VPN to magnet-vlan" distance=1 dst-address=10.19.0.0/16 gateway=ipsec pref-src=192.168.14.254
add comment="Prevent package leak RFC1918 class B" distance=1 dst-address=172.16.0.0/12 type=unreachable
add comment="Prevent package leak RFC1918 class C" distance=1 dst-address=192.168.0.0/16 type=unreachable
add comment="VPN to visznet" distance=1 dst-address=192.168.5.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to sznet" distance=1 dst-address=192.168.13.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to kavicsnet" distance=1 dst-address=192.168.18.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to magnet-base" distance=1 dst-address=192.168.19.0/24 gateway=ipsec pref-src=192.168.14.254

The very first rule belongs to an alternate ISP connection, but it is not used. (The default route is added by dhcp-client with distance=1.) There are rules called “Prevent package leak…”. Just to be sure, I have disabled that rule and here is the full actual list, with public IPs changed:

 /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          17.17.255.254            1
 1 X S  ;;; EKKE Telekom Mobil/LTE
        0.0.0.0/0                          10.14.100.1               2
 2 A SU ;;; Prevent package leak RFC1918 class A
        10.0.0.0/8                                                   1
 3 ADC  10.14.10.0/24      10.14.10.1      BLUE_VLAN                 0
 4 ADC  10.14.20.0/24      10.14.20.1      GREEN_VLAN                0
 5 ADC  10.14.30.0/24      10.14.30.1      RED_VLAN                  0
 6 ADC  10.14.40.0/24      10.14.40.1      CYAN_VLAN                 0
 7 ADC  10.14.100.0/24     10.14.100.2     ether4-lte                0
 8 ADC  10.14.200.0/24     10.14.200.1     HALL_VLAN                 0
 9 ADC  10.14.200.105/32   10.14.200.1     <l2tp-kardirex>           0
10 ADC  10.14.200.106/32   10.14.200.1     <l2tp-szek>               0
11 ADC  10.14.200.113/32   10.14.200.1     <l2tp-backupmes...        0
12 A S  ;;; VPN to magnet-vlan
        10.19.0.0/16       192.168.14.254  ipsec                     1
13 ADC  17.17.240.0/20    17.17.249.35   ether5-wan                0
14 A SU ;;; Prevent package leak RFC1918 class B
        172.16.0.0/12                                                1
15 A SU ;;; Prevent package leak RFC1918 class C
        192.168.0.0/16                                               1
16 A S  ;;; VPN to visznet
        192.168.5.0/24     192.168.14.254  ipsec                     1
17 A S  ;;; VPN to sznet
        192.168.13.0/24    192.168.14.254  ipsec                     1
18 ADC  192.168.14.0/24    192.168.14.254  BASE_VLAN                 0
19 A S  ;;; VPN to kavicsnet
        192.168.18.0/24    192.168.14.254  ipsec                     1
20 A S  ;;; VPN to magnet-base
        192.168.19.0/24    192.168.14.254  ipsec                     1

Any rules in /ip firewall raw? Use print, not export.

Also tried traceroute from the computer:

C:\Users\nagyl>tracert 192.168.19.254

Tracing route to r01.magnet [192.168.19.254]
over a maximum of 30 hops:

  1     3 ms    <1 ms    <1 ms  router.lacinet [192.168.14.254]
  2    30 ms    34 ms    20 ms  r01.magnet [192.168.19.254]

Trace complete.

I think it is next to impossible that this went through on anything but the ipsec tunnel.

It also works for the remote VLAN 10.19.10.0/24

C:\Users\nagyl>tracert 10.19.10.101

Tracing route to 10.19.10.101 over a maximum of 30 hops

  1     2 ms     4 ms    <1 ms  router.lacinet [192.168.14.254]
  2    15 ms    14 ms    20 ms  r01.magnet [192.168.19.254]
  3    16 ms    15 ms    29 ms  10.19.10.101

Trace complete.

Notice how the hostname was found for r01.magnet in the above trace, but not for 10.19.10.101 (nas.magnet). It also shows the intermittency of this problem. Some DNS requests go through, but some don’t.

If I try to ping the same IPs from router1, then I see this:

[gandalf@router.lacinet] /ip settings> /ping 10.19.10.101
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 10.19.10.101                               56  63 19ms
    1 10.19.10.101                               56  63 17ms
    sent=2 received=2 packet-loss=0% min-rtt=17ms avg-rtt=18ms max-rtt=19ms

[gandalf@router.lacinet] /ip settings> /ping 192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                                          timeout
    1 192.168.19.254                                          timeout
    2 192.168.19.254                                          timeout
    sent=3 received=0 packet-loss=100%

But again, SOMETIMES both work correctly.

I think your mangle rule was mistyped; if I use this:

chain=prerouting action=passthrough protocol=icmp src-address=192.168.19.254 dst-address=192.168.14.0/24

then I see counters increasing. They are also increasing when I try to ping router2 from router1. First I reset counters, then I do this:

[gandalf@router.lacinet] /ip route> /ping 192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                                          timeout
    1 192.168.19.254                                          timeout
    2 192.168.19.254                                          timeout
    3 192.168.19.254                                          timeout
    4 192.168.19.254                                          timeout
    5 192.168.19.254                                          timeout
    6 192.168.19.254                                          timeout
    7 192.168.19.254                                          timeout

And the counters changed to:

[gandalf@router.lacinet] /ip firewall mangle> /ip firewall mangle print stats interval=1s where comment=x
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                                                ACTION                            BYTES         PACKETS
 0    ;;; x
      prerouting                                                           passthrough                         448               8

All ICMP responses arrived back (sent=8, received=8). But then they are lost somehow. (?)

/ip firewall raw is totally empty on both sides.

Yes, same src-address and dst-address in the passthrough rule were a copy-paste error.

Another reason why sniffing doesn’t show the responses may be that you have hw=yes on the /interface bridge port row for the port to which the PC is connected, or maybe even the WAN port is a member port of a bridge? It makes no logical sense as the packets in question are sent to the port from the CPU so hardware-assisted L2 forwarding is not involved, but that’s how it behaves.

Again, all these questions and assumptions would be unnecessary if you posted the complete configurations.

When packets are dropped by rp-filter or IPsec policy matching, I hazily remember they are dropped between prerouting and the filter chains (because that’s where routing takes place). So keep the passthrough rule in mangle/prerouting, remove dst-address from it, add the same rule as the first static one to chain input of filter, and try pinging from Router 1 itself again, watching for the rules to count.

Here goes the complete configuration. I was reluctant to send it all, because it is quite long, and I’m not sure if I could replace all sensitive information.

router 1:

# jan/16/2022 12:46:02 by RouterOS 6.48.5
# software id = R847-LG5N
#
# model = RBD52G-5HacD2HnD
# serial number = *************
/caps-man channel
add band=2ghz-onlyn extension-channel=XX frequency="" name=channels-2.4 \
    secondary-frequency="" tx-power=-10
add band=5ghz-onlyac extension-channel=XXXX frequency="" name=channels-5 \
    secondary-frequency="" skip-dfs-channels=yes tx-power=15
add band=2ghz-onlyn extension-channel=XX frequency=2412 name=c24-1 tx-power=\
    -10
add band=2ghz-onlyn extension-channel=XX frequency=2437 name=c24-6 tx-power=\
    -10
add band=2ghz-onlyn extension-channel=XX frequency=2462 name=c24-11 tx-power=\
    -10
/caps-man datapath
add local-forwarding=yes name=datapath-blue vlan-id=10 vlan-mode=use-tag
add local-forwarding=yes name=datapath-green vlan-id=20 vlan-mode=use-tag
add local-forwarding=yes name=datapath-red vlan-id=30 vlan-mode=use-tag
add local-forwarding=yes name=datapath-cyan vlan-id=40 vlan-mode=use-tag
add local-forwarding=yes name=datapath-base vlan-id=99 vlan-mode=use-tag
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=BR1 \
    vlan-filtering=yes
add name=ipsec protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] name=ether2-gray
set [ find default-name=ether3 ] name=ether3-gray
set [ find default-name=ether4 ] name=ether4-lte
set [ find default-name=ether5 ] name=ether5-wan
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-Ce/gn(-13dBm), SSID: base, local forwarding
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    amsdu-limit=4096 band=2ghz-onlyn basic-rates-a/g=12Mbps basic-rates-b="" \
    country=hungary disabled=no distance=indoors frequency=2437 mode=\
    ap-bridge rate-set=configured ssid=lacinet_24 station-roaming=enabled \
    supported-rates-a/g=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    supported-rates-b="" tx-power-mode=all-rates-fixed wireless-protocol=\
    802.11 wps-mode=disabled
# managed by CAPsMAN
# channel: 5300/20-eeCe/ac/DP(12dBm), SSID: base, local forwarding
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    amsdu-limit=4096 band=5ghz-onlyac basic-rates-a/g=12Mbps,36Mbps,48Mbps \
    channel-width=20/40mhz-Ce country=hungary disabled=no distance=indoors \
    mode=ap-bridge ssid=lacinet_5 station-roaming=enabled \
    supported-rates-a/g=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=CYAN_VLAN vlan-id=40
add interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=HALL_VLAN vlan-id=200
add interface=BR1 name=RED_VLAN vlan-id=30
/caps-man rates
add basic=12Mbps name=rates-2.4 supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic=12Mbps name=rates-5 supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-blue
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-green
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-cyan
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-red
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-base
/caps-man configuration
add channel=channels-5 country=hungary datapath=datapath-blue installation=\
    any name=caps-blue-5 rates=rates-5 security=security-blue ssid=blue
add channel=channels-2.4 country=hungary datapath=datapath-blue installation=\
    any name=caps-blue-2.4 rates=rates-2.4 security=security-blue ssid=blue
add channel=channels-2.4 country=hungary datapath=datapath-green \
    installation=any name=caps-green-2.4 rates=rates-2.4 security=\
    security-green ssid=green
add channel=channels-5 country=hungary datapath=datapath-green installation=\
    any name=caps-green-5 rates=rates-5 security=security-green ssid=green
add channel=channels-5 country=hungary datapath=datapath-red installation=any \
    name=caps-red-5 rates=rates-5 security=security-red ssid=red
add channel=channels-2.4 country=hungary datapath=datapath-red installation=\
    any name=caps-red-2.4 rates=rates-2.4 security=security-red ssid=red
add channel=channels-2.4 country=hungary datapath=datapath-cyan installation=\
    any name=caps-cyan-2.4 rates=rates-2.4 security=security-cyan ssid=cyan
add channel=channels-5 country=hungary datapath=datapath-cyan installation=\
    any name=caps-cyan-5 rates=rates-5 security=security-cyan ssid=cyan
add channel=channels-2.4 country=hungary datapath=datapath-base hide-ssid=yes \
    installation=any name=caps-base-2.4 rates=rates-2.4 security=\
    security-base ssid=base
add channel=channels-5 country=hungary datapath=datapath-base hide-ssid=yes \
    installation=any name=caps-base-5 rates=rates-5 security=security-base \
    ssid=base
/caps-man interface
add channel=c24-11 configuration=caps-base-2.4 disabled=no l2mtu=2026 \
    mac-address=48:8F:5A:A1:AB:30 master-interface=none name=orange.lacinet-1 \
    radio-mac=48:8F:5A:A1:AB:30 radio-name=488F5AA1AB30
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:30 master-interface=orange.lacinet-1 name=\
    orange.lacinet-1-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB30
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:31 master-interface=orange.lacinet-1 name=\
    orange.lacinet-1-2 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB31
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:32 master-interface=orange.lacinet-1 name=\
    orange.lacinet-1-3 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB32
add configuration=caps-cyan-2.4 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:33 master-interface=orange.lacinet-1 name=\
    orange.lacinet-1-4 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB33
add channel.extension-channel=XXXX channel.frequency=5200 comment=ch40 \
    configuration=caps-base-5 disabled=no l2mtu=1600 mac-address=\
    48:8F:5A:A1:AB:31 master-interface=none name=orange.lacinet-2 radio-mac=\
    48:8F:5A:A1:AB:31 radio-name=488F5AA1AB31
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:34 master-interface=orange.lacinet-2 name=\
    orange.lacinet-2-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB34
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:35 master-interface=orange.lacinet-2 name=\
    orange.lacinet-2-2 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB35
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:36 master-interface=orange.lacinet-2 name=\
    orange.lacinet-2-3 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB36
add configuration=caps-cyan-5 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:37 master-interface=orange.lacinet-2 name=\
    orange.lacinet-2-4 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB37
add channel=c24-6 configuration=caps-base-2.4 disabled=no l2mtu=1600 \
    mac-address=B8:69:F4:09:BE:FA master-interface=none name=router.lacinet-1 \
    radio-mac=B8:69:F4:09:BE:FA radio-name=B869F409BEFA
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FA master-interface=router.lacinet-1 name=\
    router.lacinet-1-1 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFA
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FB master-interface=router.lacinet-1 name=\
    router.lacinet-1-2 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFB
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FC master-interface=router.lacinet-1 name=\
    router.lacinet-1-3 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFC
add configuration=caps-cyan-2.4 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FD master-interface=router.lacinet-1 name=\
    router.lacinet-1-4 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFD
add channel=channels-5 channel.extension-channel=XXXX channel.frequency=5300 \
    comment=ch40 configuration=caps-base-5 disabled=no l2mtu=1600 \
    mac-address=B8:69:F4:09:BE:FB master-interface=none name=router.lacinet-2 \
    radio-mac=B8:69:F4:09:BE:FB radio-name=B869F409BEFB
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FE master-interface=router.lacinet-2 name=\
    router.lacinet-2-1 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFE
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FF master-interface=router.lacinet-2 name=\
    router.lacinet-2-2 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFF
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BF:00 master-interface=router.lacinet-2 name=\
    router.lacinet-2-3 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BF00
add configuration=caps-cyan-5 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BF:01 master-interface=router.lacinet-2 name=\
    router.lacinet-2-4 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BF01
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip dhcp-server option
add code=119 name=domain-search-option value="'lacinet.'"
/ip ipsec policy group
add name=group-viszfuvar
add name=group-kavicsbanya
add name=group-office
add name=group-magzatom
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 name=\
    profile_l2tp
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name=profile-s2s-ros proposal-check=strict
/ip ipsec peer
add comment="IKE2 default" exchange-mode=ike2 name=peer_ike2 passive=yes \
    profile=profile-s2s-ros send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 comment=\
    "For l2tp-server" enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal-s2s-ros \
    pfs-group=modp2048
/ip pool
add name=BLUE_POOL ranges=10.14.10.100-10.14.10.200
add name=GREEN_POOL ranges=10.14.20.100-10.14.20.200
add name=RED_POOL ranges=10.14.30.100-10.14.30.200
add name=BASE_POOL ranges=192.168.14.100-192.168.14.200
add name=CYAN_POOL ranges=10.14.40.100-10.14.40.200
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN lease-script=\
    onDhcpLease name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=CYAN_POOL disabled=no interface=CYAN_VLAN name=CYAN_DHCP
/ppp profile
add dns-server=10.14.200.1,1.1.1.3 local-address=10.14.200.1 name=l2tp_vpn
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
    suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=BASE_VLAN
/caps-man provisioning
add action=create-enabled hw-supported-modes=ac master-configuration=\
    caps-base-5 name-format=identity slave-configurations=\
    caps-blue-5,caps-green-5,caps-red-5,caps-cyan-5
add action=create-enabled master-configuration=caps-base-2.4 name-format=\
    identity slave-configurations=\
    caps-blue-2.4,caps-green-2.4,caps-red-2.4,caps-cyan-2.4
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1-trunk
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2-gray pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3-gray pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 comment=Base tagged=BR1,ether1-trunk untagged=\
    ether2-gray,ether3-gray vlan-ids=99
add bridge=BR1 comment=Cyan/IOT tagged=BR1,ether1-trunk vlan-ids=40
add bridge=BR1 comment=Blue tagged=BR1,ether1-trunk vlan-ids=10
add bridge=BR1 comment=Green/Guest tagged=BR1,ether1-trunk vlan-ids=20
add bridge=BR1 comment=Red tagged=BR1,ether1-trunk vlan-ids=30
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_vpn enabled=yes use-ipsec=\
    required
/interface list member
add interface=ether5-wan list=WAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=CYAN_VLAN list=VLAN
add interface=ether4-lte list=WAN
/interface wireless cap
# 
set bridge=BR1 certificate=request discovery-interfaces=BASE_VLAN enabled=yes \
    interfaces=wlan1,wlan2
/ip address
add address=192.168.14.254/24 interface=BASE_VLAN network=192.168.14.0
add address=10.14.10.1/24 interface=BLUE_VLAN network=10.14.10.0
add address=10.14.20.1/24 interface=GREEN_VLAN network=10.14.20.0
add address=10.14.30.1/24 interface=RED_VLAN network=10.14.30.0
add address=10.14.40.1/24 interface=CYAN_VLAN network=10.14.40.0
add address=10.14.200.1/24 interface=HALL_VLAN network=10.14.200.0
add address=10.14.100.2/24 interface=ether4-lte network=10.14.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=2m
/ip dhcp-client
add disabled=no interface=ether5-wan
/ip dhcp-server lease
add address=10.14.10.105 client-id=1:80:e8:2c:e:ef:d2 mac-address=\
    80:E8:2C:0E:EF:D2 server=BLUE_DHCP
add address=10.14.10.10 client-id=1:ac:12:3:3c:c:c6 mac-address=\
    AC:12:03:3C:0C:C6 server=BLUE_DHCP
add address=192.168.14.101 comment=brocade mac-address=00:27:F8:98:F7:60 \
    server=BASE_DHCP
add address=192.168.14.100 client-id=1:4:d9:f5:f7:79:a7 mac-address=\
    04:D9:F5:F7:79:A7 server=BASE_DHCP
add address=192.168.14.201 client-id=\
    ff:e2:34:3f:3e:0:2:0:0:ab:11:81:6e:af:75:4d:19:27:61 mac-address=\
    08:00:27:30:C8:89 server=BASE_DHCP
add address=192.168.14.202 client-id=\
    ff:e2:34:3f:3e:0:2:0:0:ab:11:f9:f8:2a:df:10:8c:52:0 mac-address=\
    08:00:27:CB:B4:BE server=BASE_DHCP
add address=192.168.14.203 client-id=\
    ff:e2:34:3f:3e:0:2:0:0:ab:11:4:79:e:30:c2:fc:ea:75 mac-address=\
    08:00:27:7B:36:DB server=BASE_DHCP
add address=192.168.14.205 client-id=\
    ff:e2:34:3f:3e:0:2:0:0:ab:11:ea:d4:c5:c8:e3:a4:72:73 mac-address=\
    08:00:27:48:6E:15 server=BASE_DHCP
add address=192.168.14.204 client-id=\
    ff:e2:34:3f:3e:0:2:0:0:ab:11:de:60:b5:f7:9c:52:91:67 mac-address=\
    08:00:27:C6:DA:2E server=BASE_DHCP
/ip dhcp-server network
add address=10.14.10.0/24 dns-server=192.168.14.254 domain=lacinet. gateway=\
    10.14.10.1
add address=10.14.20.0/24 dns-server=192.168.14.254 domain=pubnet. gateway=\
    10.14.20.1
add address=10.14.30.0/24 dns-server=192.168.14.254 gateway=10.14.30.1
add address=10.14.40.0/24 dns-server=192.168.14.254 gateway=10.14.40.1
add address=192.168.14.0/24 dns-server=192.168.14.254 gateway=192.168.14.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2
/ip dns static
add address=192.168.14.254 name=router.lacinet
add address=192.168.14.253 name=poe-switch.lacinet
add address=192.168.14.252 name=orange.lacinet
add address=10.14.100.1 name=lte.lacinet
add forward-to=192.168.5.254 regexp=".*\\.visznet" type=FWD
add comment=visznet forward-to=192.168.5.254 regexp=\
    ".*\\.5\\.168\\.192.\\in-addr\\.arpa" type=FWD
add forward-to=192.168.18.254 regexp=".*\\.kavicsnet" type=FWD
add comment=kavicsbanya-base forward-to=192.168.18.254 regexp=\
    ".*\\.18\\.168\\.192.\\in-addr\\.arpa" type=FWD
add forward-to=192.168.13.254 regexp=".*\\.sznet" type=FWD
add comment=sznet-base forward-to=192.168.13.254 regexp=\
    ".*\\.13\\.168\\.192.\\in-addr\\.arpa" type=FWD
add forward-to=192.168.19.254 regexp=".*\\.magnet" type=FWD
add comment=magzatom-base forward-to=192.168.19.254 regexp=\
    ".*\\.19\\.168\\.192.\\in-addr\\.arpa" type=FWD
add comment=magzatom-vlan forward-to=192.168.19.254 regexp=\
    ".*\\.19\\.10.\\in-addr\\.arpa" type=FWD
add address=10.14.200.101 name=forgach.lacinet
add address=10.14.200.102 name=erika.lacinet
add address=10.14.200.103 name=tony-i7.lacinet
add address=10.14.200.1 name=hall.lacinet
add address=10.14.10.105 name=htpc.lacinet
add address=10.14.200.105 name=kardirex.lacinet
add address=10.14.200.106 name=szek.lacinet
add address=10.14.200.107 name=stonemining.lacinet
add address=10.14.200.108 name=edit.lacinet
add address=10.14.200.109 name=szucsnorbi.lacinet
add address=10.14.200.111 name=nyergesati.lacinet
add address=10.14.200.110 name=ghbackup.lacinet
add address=192.168.14.101 name=brocade.lacinet
add address=192.168.14.100 name=laci-ryzen9.lacinet
add address=10.14.200.113 comment=bukkszenterzsebet name=backup.lacinet
add address=192.168.14.201 name=coc01.lacinet
add address=192.168.14.202 name=coc02.lacinet
add address=192.168.14.203 name=coc03.lacinet
add address=192.168.14.204 name=coc04.lacinet
add address=192.168.14.205 name=coc05.lacinet
add address=192.168.14.104 name=gw.lacinet
add address=10.14.200.112 name=silyegabi.lacinet
add address=10.14.10.105 comment=#DHCP name=htpc.lacinet. ttl=10m
add address=10.14.10.124 comment=#DHCP name=M2101K6G.lacinet. ttl=10m
/ip firewall filter
add action=accept chain=input comment=\
    "Allow IKEv2 500, IKEv2 NAT-T 4500, L2TP 1701" port=500,4500,1701 \
    protocol=udp
add action=accept chain=input comment=\
    "Allow IPSEC/ESP (also used below L2TP/UDP)" protocol=ipsec-esp
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Input from BASE mgmt" \
    in-interface-list=BASE
add action=jump chain=input comment="SSH input, with brute force protection" \
    dst-port=22 in-interface=!RED_VLAN jump-target=input_ssh protocol=tcp
add action=jump chain=input comment="Input from VLAN" in-interface-list=VLAN \
    jump-target=input_from_vlan
add action=jump chain=input jump-target=input_from_l2tp src-address=\
    10.14.200.0/24
add action=accept chain=input comment="Required by CAPsMAN" dst-address-type=\
    local src-address-type=local
add action=drop chain=input comment=Drop
add action=drop chain=input_ssh comment="drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input_ssh connection-state=new \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input_ssh connection-state=new
add action=accept chain=input_from_vlan comment="Local DNS UDP" dst-port=53 \
    protocol=udp
add action=accept chain=input_from_vlan comment="Local DNS TCP" dst-port=53 \
    protocol=tcp
add action=accept chain=input_from_vlan comment="Local NTP UDP" dst-port=123 \
    protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 67 UDP" dst-port=67 \
    protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 68 UDP" dst-port=68 \
    protocol=udp
add action=reject chain=input_from_vlan in-interface=RED_VLAN reject-with=\
    icmp-admin-prohibited
add action=drop chain=input_from_vlan comment=Drop
add action=accept chain=forward comment=\
    "Accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=jump chain=forward jump-target=from_htpc src-address=10.14.10.105
add action=reject chain=from_htpc comment=\
    "Reject HTPC->Any when we are on LTE" out-interface=ether4-lte \
    reject-with=icmp-admin-prohibited
add action=accept chain=from_htpc comment="kalihomok slave/vnc htpc->forgach" \
    dst-address=10.14.200.101 dst-port=5432,5900 protocol=tcp
add action=accept chain=from_htpc comment=\
    "kavicsbanya slave/vnc htpc->borika-pc" dst-address=192.168.18.199 \
    dst-port=5432,5900 protocol=tcp
add action=accept chain=from_htpc comment="htpc->visznet full access" \
    dst-address=192.168.5.0/24
add action=accept chain=from_htpc comment=\
    "stonemining slave/vnc htpc->stonemining" dst-address=10.14.200.107 \
    dst-port=5432,5900 protocol=tcp
add action=accept chain=forward comment="l2tp laci-vivobook -> any" \
    src-address=10.14.200.104
add action=reject chain=forward comment="Commonly hacked ports" \
    connection-state=new dst-port=21,23,25,110,135,1433 protocol=tcp \
    reject-with=icmp-admin-prohibited
add action=reject chain=forward comment="Reject RED->Internet" \
    connection-state=new in-interface=RED_VLAN out-interface-list=WAN \
    reject-with=icmp-admin-prohibited
add action=accept chain=forward comment="Allow VLAN->Internet" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE->Internet" \
    connection-state=new in-interface-list=BASE out-interface-list=WAN
add action=accept chain=forward comment="BASE->VLAN src-nated" \
    connection-state=new in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment=\
    "BASE->10.14.x.x includes BASE->L2TP and BASE->LTE" connection-state=new \
    dst-address=10.14.0.0/16 in-interface-list=BASE
add action=reject chain=forward comment=\
    "After accept rules - net-unreach when ipsec is down" out-interface=ipsec \
    reject-with=icmp-network-unreachable
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=accept chain=input_ssh
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (tcp)" \
    dst-port=53 protocol=tcp
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (udp)" \
    dst-port=53 protocol=udp
add action=accept chain=input_from_l2tp comment="NTP from l2tp client (udp)" \
    dst-port=123 protocol=udp
add action=reject chain=input_from_l2tp reject-with=icmp-admin-prohibited
add action=return chain=from_htpc
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS for in,ipsec" ipsec-policy=in,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS for out,ipsec" ipsec-policy=out,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=passthrough chain=prerouting comment=x dst-address=192.168.14.0/24 \
    protocol=icmp src-address=192.168.19.254
/ip firewall nat
add action=jump chain=srcnat comment="Src-Nat l2tp laci-vivobook-> any" \
    jump-target=srcnat_laci_l2tp src-address=10.14.200.104
add action=src-nat chain=srcnat comment="Src-Nat BASE->BLUE" out-interface=\
    BLUE_VLAN src-address=192.168.14.0/24 to-addresses=10.14.10.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->RED" out-interface=\
    RED_VLAN src-address=192.168.14.0/24 to-addresses=10.14.30.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->CYAN" out-interface=\
    CYAN_VLAN src-address=192.168.14.0/24 to-addresses=10.14.40.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->HALL" dst-address=\
    10.14.200.0/24 src-address=192.168.14.0/24 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->LTE-mgmt" \
    out-interface=ether4-lte src-address=192.168.14.0/24 to-addresses=\
    10.14.100.2
add action=src-nat chain=srcnat_laci_l2tp comment=\
    "Src-Nat l2tp laci-vivbook->ipsec" out-interface=ipsec to-addresses=\
    192.168.14.254
add action=src-nat chain=srcnat_laci_l2tp comment=\
    "Src-Nat l2tp laci-vivobook->l2tp (inter-l2tp)" dst-address=\
    10.14.200.0/24 to-addresses=10.14.200.1
add action=dst-nat chain=dstnat comment=\
    "postgres kali-homok slave backup.router1.test.com->lacinet->forgach-vpn" \
    dst-port=54321 in-interface=ether5-wan protocol=tcp src-address=\
    1.2.3.4 to-addresses=10.14.10.105 to-ports=5432
add action=src-nat chain=srcnat comment=\
    "stonemining slave/vnc htpc->stonemining" dst-address=10.14.200.107 \
    dst-port=5432,5900 protocol=tcp src-address=10.14.10.105 to-addresses=\
    10.14.200.1
add action=src-nat chain=srcnat comment="kalihomok slave/vnc htpc->forgach" \
    dst-address=10.14.200.101 dst-port=5432,5900 protocol=tcp src-address=\
    10.14.10.105 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="kavicsbanya slave htpc->borika-pc" \
    dst-address=192.168.18.199 dst-port=5432,5900 protocol=tcp src-address=\
    10.14.10.105 to-addresses=192.168.14.254
add action=src-nat chain=srcnat comment="Src-Nat htpc->visznet all" \
    dst-address=192.168.5.0/24 src-address=10.14.10.105 to-addresses=\
    192.168.14.254
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=src-nat chain=srcnat_laci_l2tp comment=\
    "Src-Nat l2tp laci-vivobook->blue" dst-address=10.14.10.0/24 \
    to-addresses=10.14.10.1
/ip ipsec identity
add auth-method=digital-signature certificate=laci.router1.test.com comment=\
    office.partner1.test.com generate-policy=port-strict match-by=certificate \
    my-id=fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=\
    group-viszfuvar remote-certificate=office.partner1.test.com remote-id=\
    fqdn:office.partner1.test.com
add auth-method=digital-signature certificate=laci.router1.test.com comment=\
    office.router1.test.com generate-policy=port-strict match-by=certificate my-id=\
    fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=group-office \
    remote-certificate=office.router1.test.com remote-id=fqdn:office.router1.test.com
add auth-method=digital-signature certificate=laci.router1.test.com comment=\
    kavicsbanya.partner2.test.com generate-policy=port-strict match-by=certificate \
    my-id=fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=\
    group-kavicsbanya remote-certificate=kavicsbanya.partner2.test.com remote-id=\
    fqdn:kavicsbanya.partner2.test.com
add auth-method=digital-signature certificate=laci.router1.test.com comment=\
    office.partner3.magnet.com generate-policy=port-strict match-by=certificate \
    my-id=fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=\
    group-magzatom remote-certificate=office.partner3.magnet.com remote-id=\
    fqdn:office.partner3.magnet.com
/ip ipsec policy
set 0 comment="For l2tp-server"
add comment=office.partner1.test.com dst-address=192.168.5.0/24 group=\
    group-viszfuvar proposal=proposal-s2s-ros src-address=192.168.14.0/24 \
    template=yes
add comment=office.router1.test.com dst-address=192.168.13.0/24 group=group-office \
    proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes
add comment=kavicsbanya.router1.test.com dst-address=192.168.18.0/24 group=\
    group-kavicsbanya proposal=proposal-s2s-ros src-address=192.168.14.0/24 \
    template=yes
add comment=office.partner3.magnet.com dst-address=192.168.19.0/24 group=\
    group-magzatom proposal=proposal-s2s-ros src-address=192.168.14.0/24 \
    template=yes
add comment=office.partner3.magnet.com-vlan dst-address=10.19.0.0/16 group=\
    group-magzatom proposal=proposal-s2s-ros src-address=192.168.14.0/24 \
    template=yes
/ip route
add comment="EKKE Telekom Mobil/LTE" disabled=yes distance=2 gateway=\
    10.14.100.1
add comment="Prevent package leak RFC1918 class A" distance=1 dst-address=\
    10.0.0.0/8 type=unreachable
add comment="VPN to magnet-vlan" distance=1 dst-address=10.19.0.0/16 gateway=\
    ipsec pref-src=192.168.14.254
add comment="Prevent package leak RFC1918 class B" distance=1 dst-address=\
    172.16.0.0/12 type=unreachable
add comment="Prevent package leak RFC1918 class C" distance=1 dst-address=\
    192.168.0.0/16 type=unreachable
add comment="VPN to visznet" distance=1 dst-address=192.168.5.0/24 gateway=\
    ipsec pref-src=192.168.14.254
add comment="VPN to sznet" distance=1 dst-address=192.168.13.0/24 gateway=\
    ipsec pref-src=192.168.14.254
add comment="VPN to kavicsnet" distance=1 dst-address=192.168.18.0/24 \
    gateway=ipsec pref-src=192.168.14.254
add comment="VPN to magnet-base" distance=1 dst-address=192.168.19.0/24 \
    gateway=ipsec pref-src=192.168.14.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.14.0/24
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ppp secret
add name=forgach profile=l2tp_vpn remote-address=10.14.200.101 service=l2tp
add name=erika profile=l2tp_vpn remote-address=10.14.200.102 service=l2tp
add name=tony_i7 profile=l2tp_vpn remote-address=10.14.200.103 service=l2tp
add name=laci-vivobook profile=l2tp_vpn remote-address=10.14.200.104 service=\
    l2tp
add name=kardirex profile=l2tp_vpn remote-address=10.14.200.105 service=l2tp
add name=szek profile=l2tp_vpn remote-address=10.14.200.106 service=l2tp
add name=stonemining profile=l2tp_vpn remote-address=10.14.200.107 service=\
    l2tp
add name=edit profile=l2tp_vpn remote-address=10.14.200.108 service=l2tp
add name=szucsnorbi profile=l2tp_vpn remote-address=10.14.200.109 service=\
    l2tp
add name=ghbackup profile=l2tp_vpn remote-address=10.14.200.110
add name=nyergesati profile=l2tp_vpn remote-address=10.14.200.111
add name=silyegabi profile=l2tp_vpn remote-address=10.14.200.112
add name=backupmesshu profile=l2tp_vpn remote-address=10.14.200.113
/routing filter
add chain=dynamic-in set-check-gateway=ping
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=router.lacinet
/system logging
add topics=wireless
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org
/system package update
set channel=long-term
/system scheduler
add interval=1d name=e-mail-backup on-event=e-mail-backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=20:00:00
/system script
add dont-require-permissions=no name=onDhcpLease owner=gandalf policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n\
    \n\
    \n:local DHCPtag\
    \n:set DHCPtag \"#DHCP\"\
    \n\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \n\
    \n:if ( \$leaseBound = 1 ) do=\\\
    \n{\
    \n  :local ttl\
    \n  :local domain\
    \n  :local hostname\
    \n  :local fqdn\
    \n  :local leaseId\
    \n  :local comment\
    \n\
    \n  /ip dhcp-server\
    \n  :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\
    \n  network \
    \n  :set domain [ get [ find \$leaseActIP in address ] domain ]\
    \n  \
    \n  .. lease\
    \n  :set leaseId [ find address=\$leaseActIP ]\
    \n\
    \n# Check for multiple active leases for the same IP address. It's weird a\
    nd it shouldn't be, but just in case.\
    \n\
    \n  :if ( [ :len \$leaseId ] != 1) do=\\\
    \n  {\
    \n   :log info \"DHCP2DNS: not registering domain name for address \$lease\
    ActIP because of multiple active leases for \$leaseActIP\"\
    \n   :error \"multiple active leases for \$leaseActIP\"\
    \n  }  \
    \n\
    \n  :set hostname [ get \$leaseId host-name ]\
    \n  :set comment [ get \$leaseId comment ]\
    \n  /\
    \n\
    \n  :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\
    \n\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty lease host-name or comment\"\
    \n    :error \"empty lease host-name or comment\"\
    \n  }\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty network domain name\"\
    \n    :error \"empty network domain name\"\
    \n  }\
    \n\
    \n  :set fqdn \"\$hostname.\$domain\"\
    \n  \
    \n  /ip dns static\
    \n  :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
    no ] ] = 0 ) do=\\\
    \n  {\
    \n    :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
    ess \$leaseActIP with ttl \$ttl\"\
    \n    add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
    abled=no\
    \n  } else=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
    s \$leaseActIP because of existing active static DNS entry with this name \
    or address\" \
    \n  }\
    \n  /\
    \n} \\\
    \nelse=\\\
    \n{\
    \n  /ip dns static\
    \n  :local dnsDhcpId \
    \n  :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\
    \n\
    \n  :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\
    \n  {\
    \n    :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
    easeActIP\"\
    \n    remove \$dnsDhcpId\
    \n  }\
    \n  /\
    \n}\
    \n\
    \n"
add dont-require-permissions=no name=e-mail-backup owner=gandalf policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system backup save encryption=aes-sha256 name=\"email.backup\" password=\"\
    ********\";/tool e-mail send to=\"gandalf@router1.test.com\" subject=([/system id\
    entity get name].\" (system=\".[/system package get system value-name=vers\
    ion].\") backup\") file=email.backup;:log info \"Backup e-mail sent.\";  "
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=mail.router1.test.com from=\
    "MikroTik Hontalan router.lacinet <mikrotik@router1.test.com>" port=465 start-tls=\
    tls-only user=mikrotik@router1.test.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-ip-protocol=icmp

router 2:

# jan/16/2022 12:47:40 by RouterOS 6.48.5
# software id = BGJQ-V2CF
#
# model = RBD52G-5HacD2HnD
# serial number = *************
/caps-man channel
add band=2ghz-onlyn extension-channel=XX frequency="" name=channels-2.4 \
    secondary-frequency="" tx-power=-10
add band=5ghz-onlyac extension-channel=XXXX frequency="" name=channels-5 \
    secondary-frequency="" skip-dfs-channels=yes
/caps-man datapath
add local-forwarding=yes name=datapath-blue vlan-id=10 vlan-mode=use-tag
add local-forwarding=yes name=datapath-green vlan-id=20 vlan-mode=use-tag
add local-forwarding=yes name=datapath-red vlan-id=30 vlan-mode=use-tag
add local-forwarding=yes name=datapath-base vlan-id=99 vlan-mode=use-tag
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=BR1 \
    vlan-filtering=yes
add name=ipsec protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-sw01
set [ find default-name=ether2 ] name=ether2-lte
set [ find default-name=ether3 ] name=ether3-blue
set [ find default-name=ether4 ] name=ether4-blue
set [ find default-name=ether5 ] name=ether5-wan
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(-13dBm), SSID: magzatom_base, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: magzatom_base, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=HALL_VLAN vlan-id=200
add interface=BR1 name=RED_VLAN vlan-id=30
/caps-man rates
add basic=12Mbps name=rates-2.4 supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic=12Mbps name=rates-5 supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-blue
add authentication-types=wpa2-psk encryption=aes-ccm name=security-green
add authentication-types=wpa2-psk encryption=aes-ccm name=security-red
add authentication-types=wpa2-psk encryption=aes-ccm name=security-base
/caps-man configuration
add channel=channels-5 country=hungary datapath=datapath-blue installation=\
    any name=caps-blue-5 rates=rates-5 security=security-blue ssid=\
    magzatom-privat
add channel=channels-2.4 country=hungary datapath=datapath-blue installation=\
    any name=caps-blue-2.4 rates=rates-2.4 security=security-blue ssid=\
    magzatom-privat
add channel=channels-2.4 country=hungary datapath=datapath-green \
    installation=any name=caps-green-2.4 rates=rates-2.4 security=\
    security-green ssid=magzatom-vendeg
add channel=channels-5 country=hungary datapath=datapath-green installation=\
    any name=caps-green-5 rates=rates-5 security=security-green ssid=\
    magzatom-vendeg
add channel=channels-2.4 country=hungary datapath=datapath-base hide-ssid=yes \
    installation=any name=caps-base-2.4 rates=rates-2.4 security=\
    security-base ssid=magzatom_base
add channel=channels-5 country=hungary datapath=datapath-base hide-ssid=yes \
    installation=any name=caps-base-5 rates=rates-5 security=security-base \
    ssid=magzatom_base
add channel=channels-2.4 country=hungary datapath=datapath-red hide-ssid=yes \
    installation=any name=caps-red-2.4 rates=rates-2.4 security=security-red \
    ssid=magzatom_red
add channel=channels-5 country=hungary datapath=datapath-red hide-ssid=yes \
    installation=any name=caps-red-5 rates=rates-5 security=security-red \
    ssid=magzatom_red
/caps-man interface
add configuration=caps-base-2.4 disabled=no l2mtu=1600 mac-address=\
    08:55:31:E7:F3:6C master-interface=none name=r01.magnet-1 radio-mac=\
    08:55:31:E7:F3:6C radio-name=085531E7F36C
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:6C master-interface=r01.magnet-1 name=r01.magnet-1-1 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36C
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:6D master-interface=r01.magnet-1 name=r01.magnet-1-2 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36D
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:6E master-interface=r01.magnet-1 name=r01.magnet-1-3 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36E
add configuration=caps-base-5 disabled=no l2mtu=1600 mac-address=\
    08:55:31:E7:F3:6D master-interface=none name=r01.magnet-2 radio-mac=\
    08:55:31:E7:F3:6D radio-name=085531E7F36D
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:6F master-interface=r01.magnet-2 name=r01.magnet-2-1 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36F
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:70 master-interface=r01.magnet-2 name=r01.magnet-2-2 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F370
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:71 master-interface=r01.magnet-2 name=r01.magnet-2-3 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F371
add configuration=caps-base-2.4 disabled=no l2mtu=1600 mac-address=\
    08:55:31:E7:E1:93 master-interface=none name=r02.magnet-1 radio-mac=\
    08:55:31:E7:E1:93 radio-name=085531E7E193
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:93 master-interface=r02.magnet-1 name=r02.magnet-1-1 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E193
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:94 master-interface=r02.magnet-1 name=r02.magnet-1-2 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E194
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:95 master-interface=r02.magnet-1 name=r02.magnet-1-3 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E195
add configuration=caps-base-5 disabled=no l2mtu=1600 mac-address=\
    08:55:31:E7:E1:94 master-interface=none name=r02.magnet-2 radio-mac=\
    08:55:31:E7:E1:94 radio-name=085531E7E194
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:96 master-interface=r02.magnet-2 name=r02.magnet-2-1 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E196
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:97 master-interface=r02.magnet-2 name=r02.magnet-2-2 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E197
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:98 master-interface=r02.magnet-2 name=r02.magnet-2-3 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E198
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=119 name=domain-search-option value="'magnet.'"
/ip ipsec policy group
add name=group-lacinet
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 name=\
    profile_l2tp
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    profile-s2s-ros proposal-check=strict
/ip ipsec peer
add address=92f20943ba88.sn.mynetname.net exchange-mode=ike2 name=\
    laci.router1.test.com profile=profile-s2s-ros
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 comment=\
    "For l2tp-server" enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=4h name=\
    proposal-s2s-ros pfs-group=modp2048
/ip pool
add name=BLUE_POOL ranges=10.19.10.100-10.19.10.200
add name=GREEN_POOL ranges=10.19.20.100-10.19.20.200
add name=RED_POOL ranges=10.19.30.100-10.19.30.200
add name=BASE_POOL ranges=192.168.19.100-192.168.19.200
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN lease-script=\
    onDhcpLease name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/ppp profile
add dns-server=10.19.200.1,1.1.1.3 local-address=10.19.200.1 name=l2tp_vpn
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
    suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=BASE_VLAN
/caps-man provisioning
add action=create-enabled hw-supported-modes=ac master-configuration=\
    caps-base-5 name-format=identity slave-configurations=\
    caps-blue-5,caps-green-5,caps-red-5
add action=create-enabled master-configuration=caps-base-2.4 name-format=\
    identity slave-configurations=caps-blue-2.4,caps-green-2.4,caps-red-2.4
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1-sw01
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3-blue pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4-blue pvid=10
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1-sw01 untagged=ether3-blue,ether4-blue \
    vlan-ids=10
add bridge=BR1 tagged=BR1,ether1-sw01 vlan-ids=20
add bridge=BR1 tagged=BR1,ether1-sw01 vlan-ids=30
add bridge=BR1 tagged=BR1,ether1-sw01 vlan-ids=99
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_vpn enabled=yes use-ipsec=\
    required
/interface list member
add interface=ether5-wan list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=ether2-lte list=WAN
/interface wireless cap
# 
set bridge=BR1 certificate=request discovery-interfaces=BASE_VLAN enabled=yes \
    interfaces=wlan1,wlan2
/ip address
add address=192.168.19.254/24 interface=BASE_VLAN network=192.168.19.0
add address=10.19.10.1/24 interface=BLUE_VLAN network=10.19.10.0
add address=10.19.20.1/24 interface=GREEN_VLAN network=10.19.20.0
add address=10.19.30.1/24 interface=RED_VLAN network=10.19.30.0
add address=10.19.200.1/24 interface=HALL_VLAN network=10.19.200.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=2m
/ip dhcp-client
add disabled=no interface=ether5-wan use-peer-dns=no
add default-route-distance=2 disabled=no interface=ether2-lte use-peer-dns=no
/ip dhcp-server lease
add address=10.19.10.198 client-id=1:74:fe:48:57:68:ae comment=\
    "Nyugati Samsung Ultrahang, +smb share" mac-address=74:FE:48:57:68:AE \
    server=BLUE_DHCP
add address=10.19.10.194 client-id=1:40:b0:76:5b:be:f8 comment=\
    "Keleti vizsgalo desktop gep" mac-address=40:B0:76:5B:BE:F8 server=\
    BLUE_DHCP
add address=10.19.30.10 client-id=1:ec:c8:9c:b9:9c:e5 comment="HkVision NVR" \
    mac-address=EC:C8:9C:B9:9C:E5 server=RED_DHCP
add address=10.19.10.192 client-id=1:dc:a6:32:c8:1c:e6 comment=Babyscreen \
    mac-address=DC:A6:32:C8:1C:E6 server=BLUE_DHCP
add address=10.19.10.190 client-id=1:0:17:c8:a6:90:55 comment=\
    "KyoceraP6230CDN lezer" mac-address=00:17:C8:A6:90:55 server=BLUE_DHCP
add address=10.19.10.101 client-id=\
    ff:b6:22:f:eb:0:2:0:0:ab:11:13:66:88:18:da:5e:fe:33 mac-address=\
    98:90:96:CE:6F:92 server=BLUE_DHCP
add address=10.19.30.101 client-id=1:2c:a5:9c:fa:c4:5c mac-address=\
    2C:A5:9C:FA:C4:5C server=RED_DHCP
add address=10.19.30.102 client-id=1:4c:f5:dc:5e:ff:37 mac-address=\
    4C:F5:DC:5E:FF:37 server=RED_DHCP
/ip dhcp-server network
add address=10.19.10.0/24 dns-server=192.168.19.254 domain=magnet. gateway=\
    10.19.10.1
add address=10.19.20.0/24 dns-server=192.168.19.254 gateway=10.19.20.1
add address=10.19.30.0/24 dns-server=192.168.19.254 gateway=10.19.30.1
add address=192.168.19.0/24 dns-server=192.168.19.254 gateway=192.168.19.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3
/ip dns static
add address=192.168.19.254 name=r01.magnet
add address=192.168.19.253 name=r02.magnet
add address=192.168.19.252 name=r03.magnet
add address=192.168.19.244 name=sw01.magnet
add address=192.168.19.243 name=sw02.magnet
add address=192.168.19.242 name=sw03.magnet
add address=192.168.19.241 name=sw04.magnet
add address=10.19.30.10 name=nvr.magnet
add address=10.19.100.254 name=lte.magnet
add address=10.19.200.101 comment="L2TP Brigi Laptop" name=brigi.magnet
add address=10.19.200.103 comment="L2TP Brigi-oled laptop" name=\
    brigi-oled.magnet
add address=10.19.200.102 comment="L2TP ViktorNAS" name=viktornas.magnet
add address=10.19.200.1 comment="L2TP hall" name=hall.magnet
add address=10.19.30.101 name=cam-folyoso.magnet
add address=10.19.30.102 name=cam-varo.magnet
add address=10.19.10.194 comment=#DHCP name=keleti-vizsgalo.magnet. ttl=10m
add address=10.19.10.106 comment=#DHCP name=DESKTOP-V210M8R.magnet. ttl=10m
add address=10.19.10.101 comment=#DHCP name=nas.magnet. ttl=10m
/ip firewall filter
add action=accept chain=input comment=\
    "Allow UDP 500,4500,1701 for IKE, IPSEC/ESP and L2TP" port=1701,500,4500 \
    protocol=udp
add action=accept chain=input comment="Allow IPSEC/ESP" protocol=ipsec-esp
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN and CAP" dst-address-type=\
    local src-address-type=local
add action=accept chain=input comment="Input from BASE mgmt" \
    in-interface-list=BASE
add action=jump chain=input comment="SSH input, with brute force protection" \
    dst-port=22 jump-target=input_ssh protocol=tcp
add action=jump chain=input comment="Input from VLAN" in-interface-list=VLAN \
    jump-target=input_from_vlan
add action=jump chain=input comment="Input from L2TP client" jump-target=\
    input_from_l2tp src-address=10.19.200.0/24
add action=accept chain=input comment="DNS from lacinet udp" dst-port=53 \
    protocol=udp src-address=192.168.14.0/24
add action=accept chain=input comment="DNS from lacinet tcp" dst-port=53 \
    protocol=tcp src-address=192.168.14.0/24
add action=drop chain=input comment=Drop
add action=drop chain=input_ssh comment="drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input_ssh connection-state=new \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input_ssh connection-state=new
add action=accept chain=input_ssh comment="allow ssh from anywhere"
add action=drop chain=input_ssh comment=Drop
add action=accept chain=input_from_vlan comment="Local DNS UDP" dst-port=53 \
    protocol=udp
add action=accept chain=input_from_vlan comment="Local DNS TCP" dst-port=53 \
    protocol=tcp
add action=accept chain=input_from_vlan comment="Local NTP UDP" dst-port=123 \
    protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 67 UDP" dst-port=67 \
    protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 68 UDP" dst-port=68 \
    protocol=udp
add action=drop chain=input_from_vlan comment=Drop
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "Accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=reject chain=forward comment=\
    "Reply with network-unreachable when IPSEC tunnel is down" out-interface=\
    ipsec reject-with=icmp-network-unreachable
add action=accept chain=forward comment="Allow VLAN->Internet" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE->Internet" \
    connection-state=new in-interface-list=BASE out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE->VLAN" connection-state=\
    new in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="l2tp brigi-laptop->any" src-address=\
    10.19.200.101
add action=accept chain=forward comment="l2tp brigi-oled->any" src-address=\
    10.19.200.103
add action=accept chain=forward comment=\
    "l2tp viktornas.magnet->nas.magnet syncthing" dst-address=10.19.10.101 \
    dst-port=22000,22 protocol=tcp src-address=10.19.200.102
add action=accept chain=forward comment=\
    "l2tp nas.magnet->viktornas.magnet syncthing" dst-address=10.19.200.102 \
    dst-port=22000,22 protocol=tcp src-address=10.19.10.101
add action=accept chain=forward comment="ICMP between VLANs and HALL" \
    disabled=yes dst-address=10.19.0.0/16 protocol=icmp src-address=\
    10.19.0.0/16
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=drop chain=input_ssh comment="drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input_ssh connection-state=new \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input_ssh connection-state=new
add action=accept chain=input_ssh comment="allow ssh from anywhere"
add action=drop chain=input_ssh comment=Drop
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (tcp)" \
    dst-port=53 protocol=tcp
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (udp)" \
    dst-port=53 protocol=udp
add action=accept chain=input_from_l2tp comment="NTP from l2tp client (udp)" \
    dst-port=123 protocol=udp
add action=reject chain=input_from_l2tp reject-with=icmp-admin-prohibited
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS for in,ipsec" ipsec-policy=in,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS for out,ipsec" ipsec-policy=out,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="scr-nat lacinet->RED" out-interface=\
    RED_VLAN src-address=192.168.14.0/24 to-addresses=10.19.30.1
add action=src-nat chain=srcnat comment="Src-Nat base-lacinet->base-magnet" \
    out-interface=BASE_VLAN src-address=192.168.14.0/24 to-addresses=\
    192.168.19.254
add action=src-nat chain=srcnat comment="Src-Nat base-lacinet->hall-magnet" \
    dst-address=10.19.200.0/24 src-address=192.168.14.0/24 to-addresses=\
    10.19.200.1
add action=src-nat chain=srcnat comment="l2tp brigi-oled->magnet-blue" \
    dst-address=10.19.10.0/24 src-address=10.19.200.103 to-addresses=\
    10.19.10.1
add action=src-nat chain=srcnat comment="Src-Nat l2tp viktornas->nas" \
    dst-address=10.19.10.101 src-address=10.19.200.102 to-addresses=\
    10.19.200.1
/ip ipsec identity
add auth-method=digital-signature certificate=office.partner3.magnet.com my-id=\
    fqdn:office.partner3.magnet.com peer=laci.router1.test.com policy-template-group=\
    group-lacinet remote-id=fqdn:laci.router1.test.com
/ip ipsec policy
set 0 comment="For l2tp-server" dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.14.0/24 peer=laci.router1.test.com proposal=proposal-s2s-ros \
    src-address=192.168.19.0/24 tunnel=yes
add dst-address=192.168.14.0/24 peer=laci.router1.test.com proposal=proposal-s2s-ros \
    src-address=10.19.0.0/16 tunnel=yes
/ip route
add comment="Prevent package leak RFC1918 class A" distance=1 dst-address=\
    10.0.0.0/8 type=unreachable
add comment="Prevent package leak RFC1918 class B" distance=1 dst-address=\
    172.16.0.0/12 type=unreachable
add comment="Prevent package leak RFC1918 class C" distance=1 dst-address=\
    192.168.0.0/16 type=unreachable
add comment="VPN to lacinet" distance=1 dst-address=192.168.14.0/24 gateway=\
    ipsec pref-src=192.168.19.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.19.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=brigi profile=l2tp_vpn remote-address=10.19.200.101 service=l2tp
add name=viktornas profile=l2tp_vpn remote-address=10.19.200.102 service=l2tp
add name=brigi-oled profile=l2tp_vpn remote-address=10.19.200.103 service=\
    l2tp
/routing filter
add chain=dynamic-in set-check-gateway=ping
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=r01.magnet
/system logging
add topics=l2tp
add topics=ipsec
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org
/system package update
set channel=long-term
/system scheduler
add interval=1d name=e-mail-backup on-event=e-mail-backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=20:00:00
/system script
add dont-require-permissions=no name=onDhcpLease owner=gandalf policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n\
    \n\
    \n:local DHCPtag\
    \n:set DHCPtag \"#DHCP\"\
    \n\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \n\
    \n:if ( \$leaseBound = 1 ) do=\\\
    \n{\
    \n  :local ttl\
    \n  :local domain\
    \n  :local hostname\
    \n  :local fqdn\
    \n  :local leaseId\
    \n  :local comment\
    \n\
    \n  /ip dhcp-server\
    \n  :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\
    \n  network \
    \n  :set domain [ get [ find \$leaseActIP in address ] domain ]\
    \n  \
    \n  .. lease\
    \n  :set leaseId [ find address=\$leaseActIP ]\
    \n\
    \n# Check for multiple active leases for the same IP address. It's weird a\
    nd it shouldn't be, but just in case.\
    \n\
    \n  :if ( [ :len \$leaseId ] != 1) do=\\\
    \n  {\
    \n   :log info \"DHCP2DNS: not registering domain name for address \$lease\
    ActIP because of multiple active leases for \$leaseActIP\"\
    \n   :error \"multiple active leases for \$leaseActIP\"\
    \n  }  \
    \n\
    \n  :set hostname [ get \$leaseId host-name ]\
    \n  :set comment [ get \$leaseId comment ]\
    \n  /\
    \n\
    \n  :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\
    \n\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty lease host-name or comment\"\
    \n    :error \"empty lease host-name or comment\"\
    \n  }\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty network domain name\"\
    \n    :error \"empty network domain name\"\
    \n  }\
    \n\
    \n  :set fqdn \"\$hostname.\$domain\"\
    \n  \
    \n  /ip dns static\
    \n  :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
    no ] ] = 0 ) do=\\\
    \n  {\
    \n    :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
    ess \$leaseActIP with ttl \$ttl\"\
    \n    add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
    abled=no\
    \n  } else=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
    s \$leaseActIP because of existing active static DNS entry with this name \
    or address\" \
    \n  }\
    \n  /\
    \n} \\\
    \nelse=\\\
    \n{\
    \n  /ip dns static\
    \n  :local dnsDhcpId \
    \n  :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\
    \n\
    \n  :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\
    \n  {\
    \n    :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
    easeActIP\"\
    \n    remove \$dnsDhcpId\
    \n  }\
    \n  /\
    \n}\
    \n\
    \n"
add dont-require-permissions=no name=e-mail-backup owner=gandalf policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system backup save encryption=aes-sha256 name=\"email.backup\" password=\"\
    ***********\";/tool e-mail send to=\"gandalf@router1.test.com\" subject=([/system id\
    entity get name].\" (system=\".[/system package get system value-name=vers\
    ion].\") backup\") file=email.backup;:log info \"Backup e-mail sent.\";  "
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=mail.router1.test.com from="Mikrotik r01.magnet <mikrotik@router1.test.com>" port=\
    465 start-tls=tls-only user=mikrotik@router1.test.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-ip-protocol=udp filter-port=dns

WAN ports are not ports of any bridge on either side. I do have hw=yes on the bridges on both sides, but they only contain wlan interfaces (dynamically added by CAPsMAN), local ethernet ports, and vlan interfaces.

All right, this is how the input filter chain begins on router1:

 /ip firewall filter> print chain=input
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; x
      chain=input action=passthrough protocol=icmp src-address=192.168.19.254

 1    ;;; Allow IKEv2 500, IKEv2 NAT-T 4500, L2TP 1701
      chain=input action=accept protocol=udp port=500,4500,1701

This is how mangle starts:

 /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; x
      chain=prerouting action=passthrough protocol=icmp src-address=192.168.19.254

Then I reset the counters and send 5 ping packets:

 /ping  192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                                          timeout
    1 192.168.19.254                                          timeout
    2 192.168.19.254                                          timeout
    3 192.168.19.254                                          timeout
    4 192.168.19.254                                          timeout
    sent=5 received=0 packet-loss=100%

Counters:

 /ip firewall mangle> print stats interval=1s where comment=x
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                                                ACTION                            BYTES         PACKETS
 0    ;;; x
      prerouting                                                           passthrough                         336               6

 /ip firewall filter> print stats interval=1s where comment=x
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                                                ACTION                            BYTES         PACKETS
 0    ;;; x
      input                                                                passthrough                         336               6
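As an added example (not from the original post), a small Python model of the IPsec traffic selectors of both routers in this thread: it checks that every tunnel policy side2 proposes fits a template on side1, and reports whether sample flows are protected on both ends. The selectors are transcribed from the post; the matching logic and the sample flows (including a documentation-range stand-in for a WAN address) are the example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One IPsec traffic selector (src-address / dst-address pair)."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst

    def mirror(self) -> "Policy":
        """The selector the other peer must hold for the reverse direction."""
        return Policy(self.dst, self.src)

    def admits(self, proposed: "Policy") -> bool:
        """True if this template covers the peer's proposed (reverse) selector."""
        return self.src.supernet_of(proposed.dst) and self.dst.supernet_of(proposed.src)


def pol(src: str, dst: str) -> Policy:
    return Policy(ip_network(src), ip_network(dst))


# Selectors transcribed from the thread. Side1 ("lacinet") holds template=yes
# policies (responder); side2 ("magnet") holds explicit tunnel=yes policies.
SIDE1_TEMPLATES = [
    pol("192.168.14.0/24", "192.168.19.0/24"),
    pol("192.168.14.0/24", "10.19.0.0/16"),
]
SIDE2_POLICIES = [
    pol("192.168.19.0/24", "192.168.14.0/24"),
    pol("10.19.0.0/16", "192.168.14.0/24"),
]


def unadmitted(proposed: list, templates: list) -> list:
    """Policies the initiator proposes whose reverse selector fits no responder
    template; such child SAs cannot be negotiated."""
    return [p for p in proposed if not any(t.admits(p) for t in templates)]


def covered(src_ip: str, dst_ip: str, sender: list, receiver: list) -> bool:
    """A flow is protected only if it matches a selector on the sender AND the
    reverse flow matches a selector on the receiver. Here side2's proposals
    mirror side1's templates exactly, so the templates stand in for the
    policies side1 generates from them."""
    out = any(p.matches(src_ip, dst_ip) for p in sender)
    back = any(p.matches(dst_ip, src_ip) for p in receiver)
    return out and back


def flow_report(flows, sender, receiver) -> dict:
    """Map each (src, dst) pair to whether the tunnel protects it."""
    return {f: covered(f[0], f[1], sender, receiver) for f in flows}


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.1 is a documentation-range stand-in
    # for a WAN address, which is outside every selector on either side.
    samples = [
        ("192.168.14.254", "192.168.19.254"),  # router1 mgmt -> router2 mgmt
        ("192.168.14.10", "10.19.30.10"),      # lacinet host -> magnet NVR
        ("10.14.10.50", "10.19.10.1"),         # side1 VLAN -> side2 VLAN
        ("198.51.100.1", "192.168.19.254"),    # WAN-sourced packet -> router2 mgmt
    ]
    for flow, ok in flow_report(samples, SIDE1_TEMPLATES, SIDE2_POLICIES).items():
        print(f"{flow[0]:>15} -> {flow[1]:<15} {'in tunnel' if ok else 'NOT in tunnel'}")
    print("unadmitted proposals:", unadmitted(SIDE2_POLICIES, SIDE1_TEMPLATES))
```

A flow reported as NOT in tunnel is sent according to the ordinary routing table and firewall, which is the first thing to rule out when a ping or DNS query between the two sites times out.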