Protect a port from my guest WiFi

Greetings everyone.
I have 2 VLANs, one for the office and another for my guest’s WiFi.

office_vlan: 192.168.50.0
guest_vlan: 192.168.40.0

I’ve managed to block the traffic coming from guest_wifi to office_wifi, but when a port is specified, the connection goes through.
For example:
I’m connected to guest_vlan (192.168.40.19) and I can’t connect to my main server at 192.168.50.36, but if I write 192.168.50.36:8002, I can get in without any restriction.

Reading about my problem on the web, I tried a Firewall Rule:

Chain: forward
Dst. Address: 192.168.50.36
Protocol: 6 (tcp)
Dst. Port: 8002
In. Interface: ether2 #Guest_WiFi interface
Out. Interface: bridge1 #Office_vlan interface
Action: drop

But it has no effect.

Thank you for your time.

/export hide-sensitive file=anynameyouwish



# nov/11/2020 16:01:07 by RouterOS 6.45.8
# software id = 49EJ-U4T5
#
# model = 750GL
# serial number = 467A0460B26D
# NOTE(review): hide-sensitive does not strip this header, so the software id
# and serial number were posted along with the MAC addresses, the addresses on
# ether1-gateway and the PPP account names that appear later in the export.
/interface bridge
# bridge1 is the office bridge: ether3-5 join it under /interface bridge port
# and 192.168.10.1/24 sits on it. arp=proxy-arp makes the router answer ARP
# for addresses it can reach elsewhere - presumably for the VPN pools, which
# are carved out of 192.168.10.0/24 (confirm).
add admin-mac=4C:5E:0C:E1:9B:EE arp=proxy-arp auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
# The guest bridge is disabled, yet a bridge port, a DHCP server and an
# address further down still reference it.
add disabled=yes name=bridge_invitados
/interface ethernet
# Ports are renamed and pinned to 100Mbps. ether1 is the uplink; ether2 is the
# guest side in this config (it carries the hotspot address 10.5.50.1/24).
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master-local speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
/interface vlan
# vlan3, vlan6 and vlan200 are tagged on the uplink; vlan6 carries the PPPoE
# session defined below.
add interface=ether1-gateway name=vlan3 vlan-id=3
add interface=ether1-gateway name=vlan6 vlan-id=6
add interface=ether1-gateway name=vlan200 vlan-id=200
# Guest VLAN 20 on ether2 with use-service-tag=yes (802.1ad service tag
# instead of a plain 802.1Q tag). No address or DHCP server is bound to this
# interface anywhere in the export.
add interface=ether2-master-local name=vlan_invitados use-service-tag=yes \
    vlan-id=20
/interface pppoe-client
# WAN session over vlan6; no password is shown (hide-sensitive).
add add-default-route=yes disabled=no interface=vlan6 keepalive-timeout=60 \
    max-mru=1492 max-mtu=1492 name=pppoe-out1 user=adslppp@telefonicanetpa
/interface list
# The lists are defined here and populated later, but no firewall rule in
# this export matches on an interface list.
add name=WAN
add name=LAN
add name=LAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Profile "4G" accepts WPA-PSK as well as WPA2-PSK; drop wpa-psk unless a
# legacy client needs it. No pre-shared key is shown (hide-sensitive).
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=4G \
    supplicant-identity=""
/ip firewall layer7-protocol
# Empty matcher (no regexp); no filter rule in this export refers to it.
add name=Proteccion_invitados
/ip ipsec profile
# Phase 1 proposals. All four use dh-group=modp1024 (1024-bit DH) and
# profile_4 also sets enc-algorithm=3des. Both are legacy choices: move to
# modp2048 or an ecp group, and to AES, once the remote peers are confirmed to
# support them.
add dh-group=modp1024 name=profile_1
add dh-group=modp1024 name=profile_2
add dh-group=modp1024 name=profile_3
add dh-group=modp1024 enc-algorithm=3des name=profile_4
/ip ipsec peer
# Four responder-only peers (passive=yes) with no address set. The
# "unreachable" remarks below appear to be annotations written by /export
# itself rather than by an administrator.
# This entry is unreachable
add name=peer4 passive=yes profile=profile_4
# This entry is unreachable
add name=peer3 passive=yes profile=profile_3
# This entry is unreachable
add name=peer2 passive=yes profile=profile_2
# This entry is unreachable
add name=peer1 passive=yes profile=profile_1
/ip pool
# dhcp, vpn and l2tp-pool all come out of the office subnet 192.168.10.0/24,
# and l2tp-pool (.220-.225) lies inside vpn (.214-.234), so the two VPN pools
# can hand out the same address.
add name=dhcp ranges=192.168.10.121-192.168.10.200
add name=vpn ranges=192.168.10.214-192.168.10.234
add name=l2tp-pool ranges=192.168.10.220-192.168.10.225
add name=dhcp_pool3_invi ranges=192.168.20.2-192.168.20.254
add name=hs-pool-9 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
# Office DHCP on bridge1.
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge1 name=dhcp1
# Bound to bridge_invitados, which is disabled under /interface bridge;
# lease-time is 10 seconds.
add address-pool=dhcp_pool3_invi authoritative=after-2sec-delay disabled=no \
    interface=bridge_invitados lease-time=10s name=dhcp_invitados
# Guest-side server on ether2, handing out 10.5.50.x addresses.
add address-pool=hs-pool-9 disabled=no interface=ether2-master-local \
    lease-time=1h name=dhcp2
/ip hotspot user profile
set [ find default=yes ] address-pool=dhcp_pool3_invi shared-users=2
/ppp profile
# VPN clients receive 192.168.10.x addresses, i.e. they land inside the office
# subnet. The "openvpn" profile does not set use-encryption.
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.10.1 name=\
    l2tp remote-address=l2tp-pool use-encryption=yes
add local-address=192.168.10.1 name=openvpn remote-address=l2tp-pool
add dns-server=8.8.8.8 local-address=192.168.10.1 name=vpn remote-address=vpn \
    use-encryption=yes wins-server=8.8.4.4
# *FFFFFFFE is an internal id for a built-in profile (presumably
# default-encryption - confirm).
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/snmp community
# The default community answers requests from any source address (0.0.0.0/0).
# Neither the community name nor the /snmp enabled flag is shown in this
# export: confirm SNMP is off, or restrict addresses to the monitoring host.
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
# NOTE(review): action 0 (presumably the memory action - confirm) keeps a
# single line, so the router retains almost no local log history. Restore a
# usable buffer or log to a remote target; firewall troubleshooting and any
# later investigation depend on it.
set 0 memory-lines=1
/interface bridge port
# ether3-5 form the office bridge.
add bridge=bridge1 interface=ether3-slave-local
add bridge=bridge1 interface=ether4-slave-local
add bridge=bridge1 interface=ether5-slave-local
# ether2 is attached to the disabled guest bridge with pvid=20.
add bridge=bridge_invitados interface=ether2-master-local pvid=20
/interface l2tp-server server
# use-ipsec=yes accepts L2TP with or without IPsec; use-ipsec=required
# refuses sessions that are not wrapped in IPsec. The IPsec secret is not
# shown (hide-sensitive).
set authentication=mschap2 enabled=yes max-mru=1460 max-mtu=1460 mrru=1600 \
    use-ipsec=yes
/interface list member
# Both the PPPoE session and the physical uplink are in WAN; bridge1 is LAN
# and the guest port is LAN2.
add interface=pppoe-out1 list=WAN
add interface=ether1-gateway list=WAN
add interface=bridge1 list=LAN
add interface=ether2-master-local list=LAN2
/interface ovpn-server server
# No enabled=yes here, so the OpenVPN server is presumably off. The cipher
# list still includes blowfish128; client certificates are required.
set certificate=mikrotik cipher=blowfish128,aes128,aes192,aes256 \
    require-client-certificate=yes
/interface pptp-server server
# PPTP is enabled, and the input chain accepts tcp/1723 and GRE from every
# ethernet port. PPTP's MS-CHAPv2/MPPE protection is considered broken; prefer
# the L2TP/IPsec server that is already configured and turn this one off.
set enabled=yes keepalive-timeout=180 max-mru=1500 max-mtu=1500
/ip address
# Office gateway address.
add address=192.168.10.1/24 interface=bridge1 network=192.168.10.0
# The uplink carries a private /24 and a /29 that looks publicly routable.
add address=192.168.100.10/24 interface=ether1-gateway network=192.168.100.0
add address=217.124.116.61/29 interface=ether1-gateway network=217.124.116.56
# The same 10.5.50.1/24 appears twice: disabled on bridge_invitados, active on
# ether2-master-local.
add address=10.5.50.1/24 disabled=yes interface=bridge_invitados network=\
    10.5.50.0
add address=10.5.50.1/24 comment="hotspot network" interface=\
    ether2-master-local network=10.5.50.0
# No prefix length, so this is 192.168.100.12/32 on the guest port, inside the
# 192.168.100.0/24 range that ether1-gateway also uses.
add address=192.168.100.12 interface=ether2-master-local network=\
    192.168.100.0
/ip arp
add address=192.168.10.40 interface=bridge1 mac-address=D8:CB:8A:9C:19:06
/ip cloud
# Dynamic DNS: the router registers its public address with MikroTik's cloud
# service.
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=vlan3 use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.10.172 always-broadcast=yes mac-address=BC:83:85:D4:CF:EC \
    server=dhcp1
add address=192.168.10.6 mac-address=68:FF:7B:44:C0:E8
add address=192.168.10.5 mac-address=68:FF:7B:44:BE:D8
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" gateway=10.5.50.1
add address=192.168.10.0/24 dns-server=192.168.10.205 gateway=192.168.10.1 \
    netmask=24
# Advertises gateway 192.168.20.1, but no interface holds that address in
# this export.
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8 gateway=\
    192.168.20.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for every client that
# can reach it. The input chain has no active drop rule, so that is not
# limited to the LAN - restrict udp/tcp 53 on the WAN side.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.10.1 name=router
/ip firewall address-list
# NOTE(review): "Invitados" is 192.5.50.0/24 while the guest network is
# 10.5.50.0/24. This looks like a typo; as written, guest traffic does not
# match src-address-list=Invitados.
add address=192.5.50.0/24 list=Invitados
add address=192.168.10.0/24 list=Interno
add address=192.168.10.221 list=Prox
/ip firewall filter
# Rules are matched top to bottom within each chain; the first accept or drop
# that matches ends processing for that packet.
#
# NOTE(review), forward chain: the unconditional "accept chain=forward" rule
# further down matches every forwarded packet, so nothing after it is ever
# evaluated - including the two guest->office drop rules at the end of this
# section. That ordering would explain why a port-specific drop rule "does
# nothing". Guest isolation needs the drop rules (in-interface=
# ether2-master-local, out-interface=bridge1) placed above the generic
# accepts, and the chain should end in a drop rather than an accept.
#
# NOTE(review), input chain: the only drop rule is disabled, so the accepts
# above it are redundant and every router service is reachable from every
# interface, WAN included. all-ethernet matches the uplink port as well as the
# LAN and guest ports.
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# Input: allow replies to connections the router already tracks.
add action=accept chain=input comment="default configuration" \
    connection-state=established
add action=accept chain=input comment="default configuration" \
    connection-state=related
add action=accept chain=input comment="default configuration" protocol=icmp
# Disabled: telnet/HTTP from the PPPoE link and Winbox from any ethernet port.
add action=accept chain=input disabled=yes dst-port=23,80 in-interface=\
    pppoe-out1 protocol=tcp
add action=accept chain=input disabled=yes dst-port=8291 in-interface=\
    all-ethernet protocol=tcp
# PPTP control channel.
add action=accept chain=input dst-port=1723 in-interface=all-ethernet \
    protocol=tcp
add action=accept chain=forward comment="default configuration" \
    connection-state=related
# L2TP, IKE, AH, NAT-T, ESP and GRE for the VPN servers.
add action=accept chain=input dst-port=1701 in-interface=all-ethernet \
    protocol=udp
add action=accept chain=input dst-port=500 in-interface=all-ethernet \
    protocol=udp
add action=accept chain=input in-interface=all-ethernet protocol=ipsec-ah
add action=accept chain=input dst-port=4500 in-interface=all-ethernet \
    protocol=udp
add action=accept chain=input in-interface=all-ethernet protocol=ipsec-esp
add action=accept chain=input in-interface=all-ethernet protocol=gre
add action=accept chain=input disabled=yes dst-port=1194 protocol=tcp
add action=accept chain=input disabled=yes protocol=udp src-port=1194
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=input disabled=yes protocol=tcp src-port=50000-65000
# The WAN-side input drop and the invalid-state forward drop are both
# disabled.
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=pppoe-out1 log-prefix=rechazadas
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid disabled=yes log-prefix=forw
add action=drop chain=forward disabled=yes src-address=192.168.10.21
# Catch-all accept: every forward rule below this line is dead.
add action=accept chain=forward
add action=fasttrack-connection chain=forward comment="Fasttrack DNS" \
    dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UDP" \
    dst-port=53 protocol=udp
add action=accept chain=forward dst-port=9998 in-interface=all-ethernet \
    protocol=tcp src-port=9998
add action=accept chain=forward dst-port=9998 in-interface=all-ethernet \
    out-interface=all-ethernet protocol=udp src-port=9998
add action=accept chain=forward comment=\
    "Invitados no puedan entrar en router" disabled=yes in-interface=\
    vlan_invitados out-interface=vlan3
add action=accept chain=output disabled=yes dst-address=192.168.100.0/24 \
    src-address=10.5.50.0/24
# The Invitados list is 192.5.50.0/24 in this export, not the 10.5.50.0/24
# guest network.
add action=accept chain=forward in-interface=all-ethernet src-address-list=\
    Invitados
# connection-state="" is an empty matcher, so this accepts all traffic sourced
# from the office subnet.
add action=accept chain=forward connection-state="" src-address-list=Interno
# Intended guest isolation. Never reached because of the catch-all accept
# above; the second rule is also a subset of the first.
add action=drop chain=forward comment="Bloquear tr\E1fico para invitados" \
    in-interface=ether2-master-local out-interface=bridge1
add action=drop chain=forward comment=\
    "Bloquear puerto de Proxmox para invitados" dst-address=192.168.10.221 \
    dst-port=8006 in-interface=ether2-master-local out-interface=bridge1 \
    protocol=tcp
/ip firewall mangle
# set-priority only tags packets for QoS; it does not filter anything. The
# second and fourth rules are identical.
add action=set-priority chain=postrouting new-priority=4 out-interface=vlan3 \
    passthrough=yes
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    all-ethernet passthrough=yes
add action=set-priority chain=postrouting new-priority=4 out-interface=\
    all-vlan passthrough=yes
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    all-ethernet passthrough=yes
# accept in mangle only stops further mangle processing for the forward
# chain; it is not a filter decision.
add action=accept chain=forward
/ip firewall nat
# NOTE(review): most dst-nat rules below match in-interface=all-ethernet with
# no dst-address. all-ethernet covers the guest port ether2-master-local as
# well as the uplink, so a guest connection to one of these ports - whatever
# its destination - should be rewritten to the office host named in
# to-addresses. Scope each port forward to the WAN interface and the router's
# public dst-address if only inbound internet traffic is meant.
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# Source-NATs everything leaving towards the office LAN, so office servers see
# the router's address instead of the real client (guest, VPN or internet) in
# their logs and host firewalls.
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=bridge1
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=vlan3
add action=dst-nat chain=dstnat comment="Mapeo Servidor - 443" dst-port=443 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243
add action=dst-nat chain=dstnat comment="CERT SAIT" disabled=yes dst-port=443 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.215
add action=dst-nat chain=dstnat comment="Mapeo Servidor O- 443" disabled=yes \
    dst-port=443 in-interface=all-ethernet protocol=tcp to-addresses=\
    192.168.10.214
# SMB (tcp/445) is forwarded from every ethernet port, uplink included.
# Confirm it has to be reachable from outside; otherwise restrict it by source
# address or keep it behind the VPN.
add action=dst-nat chain=dstnat comment="Mapeo Servidor O- 445" dst-port=445 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.216 \
    to-ports=445
add action=dst-nat chain=dstnat comment="Mapeo Servidor Nextcloud - 443" \
    disabled=yes dst-port=443 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.10.213
add action=dst-nat chain=dstnat comment="R renovacion CERT  Office" disabled=\
    yes dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.216
add action=dst-nat chain=dstnat comment="Mapeo Servidor Nextcloud - 443" \
    disabled=yes dst-port=443 in-interface=pppoe-out1 protocol=tcp \
    to-addresses=192.168.10.216
add action=dst-nat chain=dstnat comment="Mapeo Servidor Nextcloud - 9980" \
    disabled=yes dst-port=9980 in-interface=all-ethernet protocol=tcp \
    to-addresses=192.168.10.131
add action=dst-nat chain=dstnat comment="Puerto SMTP SSL" dst-port=465 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=465
add action=dst-nat chain=dstnat comment="Puerto SMTP" dst-port=25 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=25
add action=dst-nat chain=dstnat comment="Puerto SSH" dst-port=22 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.213 \
    to-ports=22
# The comment says "Puerto SSH" but this rule maps tcp/81 to port 80.
add action=dst-nat chain=dstnat comment="Puerto SSH" dst-port=81 \
    in-interface=all-ethernet protocol=tcp src-port="" to-addresses=\
    192.168.10.212 to-ports=80
add action=dst-nat chain=dstnat comment="Redireccion Owncloud" dst-port=444 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.213 \
    to-ports=443
add action=dst-nat chain=dstnat comment=\
    "Network News Transfer Protocol (NNTP)" dst-port=119 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.10.243 to-ports=119
add action=dst-nat chain=dstnat comment="Mail Transfer Agent (MTA)" dst-port=\
    102 in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=102
# DNS (53), RPC endpoint mapper (135) and Global Catalog LDAP (3268) are
# forwarded to 192.168.10.243 from every ethernet port. These are normally
# internal-only services; confirm each forward is still required.
add action=dst-nat chain=dstnat comment="Domain Name System (DNS)" dst-port=\
    53 in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=53
add action=dst-nat chain=dstnat comment="Remote Procedure Protocol (RPC)" \
    dst-port=135 in-interface=all-ethernet protocol=tcp to-addresses=\
    192.168.10.243 to-ports=135
add action=dst-nat chain=dstnat comment="SSL secured NNTP" dst-port=563 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=563
add action=dst-nat chain=dstnat comment=\
    "LDAP communications with an Active Directory Global Catalog Server" \
    dst-port=3268 in-interface=all-ethernet protocol=tcp to-addresses=\
    192.168.10.243 to-ports=3268
# tcp/80 arriving on any ethernet port is rewritten to port 443 on
# 192.168.10.243, regardless of the address the client asked for.
add action=dst-nat chain=dstnat comment=WEBMAIL dst-port=80 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.10.243 to-ports=443
add action=dst-nat chain=dstnat comment="CERT ITSA" disabled=yes dst-port=80 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.215 \
    to-ports=80
add action=dst-nat chain=dstnat comment=WEBMAIL disabled=yes dst-port=4422 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.10.213 \
    to-ports=4422
add action=dst-nat chain=dstnat dst-port=4423 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.216 to-ports=4423
add action=dst-nat chain=dstnat disabled=yes dst-port=4424 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.214 to-ports=4424
add action=dst-nat chain=dstnat dst-port=37777 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.49 to-ports=37777
add action=dst-nat chain=dstnat comment="WEBMAIL 2" disabled=yes dst-port=\
    8080 in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.200 \
    to-ports=8080
add action=dst-nat chain=dstnat comment="Puerto STARTTLS" dst-port=587 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=587
add action=dst-nat chain=dstnat comment="Puerto IMAP SSL" dst-port=993 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=993
add action=dst-nat chain=dstnat comment="Puerto POP SSL" dst-port=995 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=995
add action=dst-nat chain=dstnat comment="Puerto IMAP" dst-port=143 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=143
add action=dst-nat chain=dstnat comment="Puerto POP" dst-port=110 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=110
add action=dst-nat chain=dstnat comment="Mapeo Servidor .200- WAN1" disabled=\
    yes dst-port=3395 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.200 to-ports=3395
add action=dst-nat chain=dstnat disabled=yes dst-port=3398 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.205 to-ports=3398
# Uncommented high-port forwards to internal hosts follow. None of them states
# which service it exposes; document or remove each one.
add action=dst-nat chain=dstnat dst-port=56994 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.49 to-ports=3399
add action=dst-nat chain=dstnat dst-port=56856 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.52 to-ports=3340
add action=dst-nat chain=dstnat dst-port=56022 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.216 to-ports=56022
add action=dst-nat chain=dstnat disabled=yes dst-port=3397 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.209 to-ports=3397
add action=dst-nat chain=dstnat comment="Mapeo Servidor EX- WAN1" disabled=\
    yes dst-port=4443 in-interface=all-ethernet protocol=tcp to-addresses=\
    192.168.10.243 to-ports=4443
add action=dst-nat chain=dstnat comment="Mapeo Servidor EX- WAN1" dst-port=\
    3010 in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.101 \
    to-ports=3010
add action=dst-nat chain=dstnat comment="Mapeo Servidor EX- WAN1" dst-port=\
    3011 in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.101 \
    to-ports=3011
add action=dst-nat chain=dstnat comment="Mapeo Servidor EX- WAN1" dst-port=\
    3010 in-interface=all-ethernet protocol=udp to-addresses=192.168.10.101 \
    to-ports=3010
add action=dst-nat chain=dstnat comment="Mapeo Servidor EX- WAN1" dst-port=\
    3011 in-interface=all-ethernet protocol=udp to-addresses=192.168.10.101 \
    to-ports=3011
add action=dst-nat chain=dstnat comment="Mapeo Servidor AD" disabled=yes \
    dst-port=3394 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.245 to-ports=3394
add action=dst-nat chain=dstnat dst-port=6767 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.20 to-ports=6767
add action=dst-nat chain=dstnat dst-port=20 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.20 to-ports=20
add action=dst-nat chain=dstnat dst-port=8090 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.150 to-ports=8090
add action=dst-nat chain=dstnat dst-port=8090 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.150 to-ports=8090
add action=dst-nat chain=dstnat dst-port=3080 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.150 to-ports=3080
add action=dst-nat chain=dstnat dst-port=3080 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.150 to-ports=3080
add action=dst-nat chain=dstnat dst-port=7000 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.150 to-ports=7000
add action=dst-nat chain=dstnat dst-port=7000 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.150 to-ports=7000
add action=dst-nat chain=dstnat dst-port=8000 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.150 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8000 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.150 to-ports=8000
add action=dst-nat chain=dstnat dst-port=9000 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.150 to-ports=9000
add action=dst-nat chain=dstnat dst-port=9000 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.150 to-ports=9000
add action=dst-nat chain=dstnat dst-port=10510 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.150 to-ports=10510
add action=dst-nat chain=dstnat dst-port=10510 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.150 to-ports=10510
add action=dst-nat chain=dstnat dst-port=8091 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.151 to-ports=8091
add action=dst-nat chain=dstnat dst-port=8091 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.151 to-ports=8091
add action=dst-nat chain=dstnat dst-port=3081 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.151 to-ports=3081
add action=dst-nat chain=dstnat dst-port=3081 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.151 to-ports=3081
add action=dst-nat chain=dstnat disabled=yes dst-port=7001 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.151 to-ports=7001
add action=dst-nat chain=dstnat disabled=yes dst-port=7001 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.10.151 to-ports=7001
add action=dst-nat chain=dstnat disabled=yes dst-port=8001 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.10.151 to-ports=8001
add action=dst-nat chain=dstnat disabled=yes dst-port=8001 in-interface=\
    all-ethernet protocol=udp to-addresses=192.168.10.151 to-ports=8001
add action=dst-nat chain=dstnat dst-port=9001 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.151 to-ports=9001
add action=dst-nat chain=dstnat dst-port=9001 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.151 to-ports=9001
add action=dst-nat chain=dstnat dst-port=10520 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.151 to-ports=10520
add action=dst-nat chain=dstnat dst-port=10520 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.151 to-ports=10520
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.10.19 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
    all-ethernet protocol=udp to-addresses=192.168.10.19 to-ports=3389
add action=dst-nat chain=dstnat dst-port=44444-44445 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.10.19 to-ports=44444-44445
add action=dst-nat chain=dstnat dst-port=56529 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.21 to-ports=3393
add action=dst-nat chain=dstnat disabled=yes dst-port=3396 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.10.46 to-ports=3396
add action=dst-nat chain=dstnat comment="admin remota 2" disabled=yes \
    dst-port=8291 in-interface=all-ethernet protocol=tcp to-addresses=\
    192.168.10.1 to-ports=8291
add action=dst-nat chain=dstnat disabled=yes in-interface=all-ethernet \
    protocol=ipsec-ah to-addresses=192.168.10.1
add action=dst-nat chain=dstnat disabled=yes in-interface=all-ethernet \
    protocol=ipsec-esp to-addresses=192.168.10.1
add action=dst-nat chain=dstnat comment=IPSEC dst-port=500 in-interface=\
    all-ethernet protocol=udp to-addresses=192.168.10.1 to-ports=500
# L2TP runs over udp/1701 (which the input chain accepts); this rule matches
# tcp.
add action=dst-nat chain=dstnat comment=L2TP dst-port=1701 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.10.1 to-ports=1701
# Forwards tcp/4233 to port 22 on 192.168.10.221, the host the filter section
# labels as Proxmox.
add action=dst-nat chain=dstnat dst-port=4233 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.221 to-ports=22
add action=dst-nat chain=dstnat disabled=yes in-interface=all-ethernet \
    protocol=gre to-addresses=192.168.10.1
add action=dst-nat chain=dstnat comment=PPTP dst-port=1723 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.10.1 to-ports=1723
add action=dst-nat chain=dstnat dst-port=44444-44445 in-interface=\
    all-ethernet protocol=udp to-addresses=192.168.10.19 to-ports=44444-44445
add action=dst-nat chain=dstnat dst-port=3333-3334 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.10.33 to-ports=3333-3334
add action=dst-nat chain=dstnat disabled=yes dst-port=3390 in-interface=\
    all-ethernet protocol=tcp to-addresses=192.168.10.33 to-ports=3390
add action=dst-nat chain=dstnat comment="WEB RENOVAR CERT NUBE" disabled=yes \
    dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=\
    192.168.10.213 to-ports=80
add action=dst-nat chain=dstnat comment="WEB RENOVAR CERT SERVICIO" disabled=\
    yes dst-port=80 in-interface=all-ethernet protocol=tcp to-addresses=\
    192.168.10.219 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=3390 in-interface=\
    all-ethernet protocol=udp to-addresses=192.168.10.35 to-ports=3390
add action=dst-nat chain=dstnat comment="MAPEO SERVIDOR 3 VODAFONE" disabled=\
    yes dst-port=5900-5909 in-interface=ether1-gateway protocol=tcp \
    to-addresses=192.168.1.131 to-ports=5900-5909
add action=dst-nat chain=dstnat disabled=yes dst-port=47 in-interface=\
    all-ethernet protocol=udp to-addresses=192.168.1.20 to-ports=47
add action=dst-nat chain=dstnat dst-port=8060-8070 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.201 to-ports=8060-8070
add action=dst-nat chain=dstnat dst-port=1234 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.120 to-ports=1234
add action=dst-nat chain=dstnat disabled=yes in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.100 to-ports=10000-10020
add action=dst-nat chain=dstnat comment="SSL secured SMTP" dst-port=26 \
    in-interface=all-ethernet protocol=tcp to-addresses=192.168.10.243 \
    to-ports=26
add action=dst-nat chain=dstnat disabled=yes protocol=tcp src-port=1194 \
    to-addresses=192.168.10.1
add action=dst-nat chain=dstnat dst-port=56443 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.216 to-ports=56443
add action=dst-nat chain=dstnat dst-port=2525 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.243 to-ports=2525
add action=dst-nat chain=dstnat dst-port=717 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.10.243 to-ports=717
add action=accept chain=dstnat dst-address=192.168.1.150 dst-port=9998 \
    protocol=tcp
add action=accept chain=dstnat dst-address=192.168.1.150 dst-port=9998 \
    protocol=udp
# These masquerade rules have no out-interface, so they also rewrite the
# source of VPN and guest traffic that is routed towards the office LAN.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=accept chain=dstnat dst-port=3399 protocol=udp
add action=dst-nat chain=dstnat comment=IPSEC dst-port=4500 in-interface=\
    all-ethernet protocol=udp to-addresses=192.168.10.1 to-ports=4500
add action=masquerade chain=srcnat src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=yes src-address=10.5.50.0/24
/ip hotspot user
add name=admin
add name=invitado
/ip ipsec identity
# The "Suggestion ..." remarks appear to be emitted by RouterOS itself; the
# secrets are not shown (hide-sensitive).
# Suggestion to use stronger pre-shared key or different authentication method
add peer=peer1
# Suggestion to use stronger pre-shared key or different authentication method
add peer=peer2
# Suggestion to use stronger pre-shared key or different authentication method
add peer=peer3
# peer4 accepts any remote ID (remote-id=ignore) and generates policies on
# demand.
add generate-policy=port-override peer=peer4 remote-id=ignore
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
# NOTE(review): the web proxy here and the SOCKS proxy below are both enabled,
# SSH allows the "none" cipher and the memory log keeps a single line. On an
# inherited router, confirm each of these was configured on purpose. If nobody
# can account for them, treat the device as untrusted: update RouterOS,
# rebuild from a clean configuration and change every credential.
set enabled=yes
/ip proxy access
# Single rule: deny every request.
add action=deny
/ip route
# The second entry (gateway 255.255.255.255, distance 255) is not a usable
# route - presumably a leftover.
add distance=3 gateway=217.124.116.57
add distance=255 gateway=255.255.255.255
/ip service
# Only changed values are exported: www and ssh are not listed, so they are
# presumably still enabled on their default ports. Add address= restrictions
# to every service that stays on.
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes port=44606
set api-ssl disabled=yes
/ip socks
# SOCKS proxy on tcp/34605. No /ip socks access list is shown and the input
# chain has no active drop rule, so any host that can reach the router can
# presumably relay traffic through it. Disable it unless it is known to be
# needed.
set enabled=yes port=34605
/ip ssh
# allow-none-crypto=yes permits sessions with no encryption;
# forwarding-enabled=remote enables SSH remote port forwarding through the
# router.
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
# UPnP lets hosts on bridge1 open inbound port mappings on pppoe-out1 by
# themselves, in addition to the static dst-nat rules.
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-out1 type=external
/ppp secret
# Passwords are not shown (hide-sensitive), but the account names are.
# "informatica" and "vpn" carry no service= restriction, so they are valid for
# every PPP server that is enabled, PPTP included.
add name=victorl2 profile=l2tp service=l2tp
add name=informatica profile=l2tp
add name=dgarcia profile=l2tp service=l2tp
add name=Bon profile=l2tp service=l2tp
add name=vpn
/routing rip interface
add interface=vlan3 passive=yes receive=v2
/routing rip network
add network=10.0.0.0/8
/system clock
set time-zone-name=Europe/Madrid
/system logging
add topics=l2tp
add disabled=yes topics=ovpn
/system ntp client
set enabled=yes primary-ntp=213.251.52.234 secondary-ntp=46.165.221.137
/system package update
set channel=long-term
/system scheduler
# Daily reboot at 05:30. The policy list is far broader than /system reboot
# needs.
add interval=1d name=Reinicio on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/05/2019 start-time=05:30:00

Yeah, your config is a bloated mess that half-implements many things, like bridge port filtering, etc.
For example, how can you set more than one DHCP service per port interface… boggles my mind.

Suggestion.
a. download new firmware (long term 6.46.8 )
b. dump your current config save what you need for vpn
c. add back in default firewall rules.
d. implement bridge ports and bridge vlan filtering using this reference.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Then come back here and go from there…

Greetings.

Yes, it is a mess -.-". I inherited it from the previous technician and I don’t know enough about MikroTik to rebuild it from scratch.

On another note, I finally resolved my problem. The only thing I did was to add a rule in Routes:

Dst. Address: 192.168.10.0/24 #Office Vlan
Interface: bridge_guests
Action: drop

That way EVERYTHING coming from that interface gets dropped when trying to connect to my office’s VLAN.

Thank you so much for your time.