Routing Problem

Good Afternoon all.

I have one IKEv2 VPN between two sites, Branch and Home.

Branch is 192.168.0.0/24
Home is 192.168.5.0/24

Everything works perfectly.

I have created a second IKEv2 tunnel, with a certificate, between my phone and the Home point, using the strongSwan VPN client for Android.

This works too.

The second IKEv2 has a vpn pool of 192.168.6.0/24.

When I connect to the Home point via strongSwan I have full access to the 192.168.5.0/24 network, but not to the 192.168.0.0/24 network, which is already connected to the Home point.

Am I missing something from a NAT point of view, or do I need to accept something in the Filter section, or is there a policy missing?

Can someone point me to what to do and how to solve it?

Thanks in advance.

Can you please show your /ip routes?

Home Point
/ip route
add distance=1 gateway=192.168.1.1
add comment=vpn01 distance=1 dst-address=192.168.0.0/24 gateway=bridge1
add distance=1 dst-address=192.168.6.0/24 gateway=bridge1

Better show the complete configuration export. It may be the firewall, it may be the IPsec policies, it may be missing routes. Check my signature below regarding non-destructive anonymisation.

/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=WAN
/interface pppoe-client
add add-default-route=yes allow=pap,chap interface=WAN keepalive-timeout=disabled name=OTEBridge service-name=OTE user=xxxxxx@otenet.gr
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n mode=ap-bridge ssid=MikroTik station-roaming=enabled
set [ find default-name=wlan2 ] band=5ghz-n/ac country=no_country_set default-forwarding=no frequency-mode=manual-txpower mode=ap-bridge multicast-helper=disabled ssid=MikroTik station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface list
add name=OTE
add name=LAN
add name="WAN Interfaces"
add name="LAN Interfaces"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=192.168.5.1 html-directory=flash/hotspot login-by=http-chap name=hsprof1 radius-interim-update=10m use-radius=yes
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=modp1024 enc-algorithm=aes-128 name=profile1
add name=ike2
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=vpn01 exchange-mode=ike2 name=peer1 profile=profile1
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
add name=l2tp passive=yes profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=0s pfs-group=none
add enc-algorithms=aes-128-cbc name=secure-proposal pfs-group=none
add name=ike2 pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.5.2-192.168.5.254
add name=ike2-pool ranges=192.168.6.100-192.168.6.120
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1d name=dhcp1
/ip hotspot
add address-pool=dhcp_pool0 interface=bridge1 name=hotspot1 profile=hsprof1
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=""
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.5.1 name=profile1 use-encryption=required
/queue simple
add max-limit=5M/24600k name=Limiter priority=1/1 target=bridge1
/system logging action
set 0 memory-lines=10000
set 1 disk-file-count=1 disk-lines-per-file=10000
/interface bridge filter
add action=accept chain=forward disabled=yes dst-port=67 ip-protocol=udp mac-protocol=ip out-interface=WAN src-port=68
add action=drop chain=forward disabled=yes dst-port=67 ip-protocol=udp mac-protocol=ip src-port=68
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
/ip firewall connection tracking
set enabled=yes loose-tcp-tracking=no udp-stream-timeout=5m udp-timeout=2m
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set rp-filter=strict secure-redirects=no send-redirects=no tcp-syncookies=yes
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 default-profile=profile1 enabled=yes keepalive-timeout=disabled
/interface list member
add interface=bridge1 list="LAN Interfaces"
add interface=WAN list="WAN Interfaces"
/interface pptp-server server
set default-profile=profile1 keepalive-timeout=disabled
/ip address
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=192.168.1.5/24 interface=WAN network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=8192KiB max-udp-packet-size=8192 servers=1.1.1.1
/ip dns static
add address=192.168.5.1 name=router.lan
/ip firewall address-list
add address=192.168.0.0/21 list="LAN Subnets"
add address=0.0.0.0/8 comment="RFC 1122 \"This host on this network\"" list=Bogons
add address=10.0.0.0/8 comment="RFC 1918 (Private Use IP Space)" list=Bogons
add address=100.64.0.0/10 comment="RFC 6598 (Shared Address Space)" list=Bogons
add address=127.0.0.0/8 comment="RFC 1122 (Loopback)" list=Bogons
add address=169.254.0.0/16 comment="RFC 3927 (Dynamic Configuration of IPv4 Link-Local Addresses)" list=Bogons
add address=172.16.0.0/12 comment="RFC 1918 (Private Use IP Space)" list=Bogons
add address=192.0.0.0/24 comment="RFC 6890 (IETF Protocol Assignments)" list=Bogons
add address=192.0.2.0/24 comment="RFC 5737 (Test-Net-1)" list=Bogons
add address=192.168.0.0/16 comment="RFC 1918 (Private Use IP Space)" disabled=yes list=Bogons
add address=198.18.0.0/15 comment="RFC 2544 (Benchmarking)" list=Bogons
add address=198.51.100.0/24 comment="RFC 5737 (Test-Net-2)" list=Bogons
add address=203.0.113.0/24 comment="RFC 5737 (Test-Net-3)" list=Bogons
add address=224.0.0.0/4 comment="RFC 5771 (Multicast Addresses) - Will affect OSPF, RIP, PIM, VRRP, IS-IS, and others. Use with caution." disabled=yes list=Bogons
add address=240.0.0.0/4 comment="RFC 1112 (Reserved)" list=Bogons
add address=192.31.196.0/24 comment="RFC 7535 (AS112-v4)" list=Bogons
add address=192.52.193.0/24 comment="RFC 7450 (AMT)" list=Bogons
add address=192.88.99.0/24 comment="RFC 7526 (Deprecated (6to4 Relay Anycast))" list=Bogons
add address=192.175.48.0/24 comment="RFC 7534 (Direct Delegation AS112 Service)" list=Bogons
add address=255.255.255.255 comment="RFC 919 (Limited Broadcast)" disabled=yes list=Bogons
add address=192.168.0.0/21 list=LAN
add address=212.205.212.205 comment=OTE list="DNS Servers"
add address=195.170.0.1 comment=OTE list="DNS Servers"
add address=195.170.2.2 comment=OTE list="DNS Servers"
add address=8.8.8.8 comment=Google list="DNS Servers"
add address=8.8.4.4 comment=Google list="DNS Servers"
add address=4.2.2.1 comment="Level 3" list="DNS Servers"
add address=4.2.2.2 comment="Level 3" list="DNS Servers"
add address=208.67.222.222 comment=OpenDNS list="DNS Servers"
add address=208.67.220.220 comment=OpenDNS list="DNS Servers"
add address=1.1.1.1 comment=Cloudflare list="DNS Servers"
add address=1.0.0.1 comment=Cloudflare list="DNS Servers"
add address=4.2.2.3 comment="Level 3" list="DNS Servers"
add address=4.2.2.4 comment="Level 3" list="DNS Servers"
add address=4.2.2.5 comment="Level 3" list="DNS Servers"
add address=4.2.2.6 comment="Level 3" list="DNS Servers"
add address=www.mikrotik.com disabled=yes list="Whitelisted URLs"
add address=www.rickfreyconsulting.com disabled=yes list="Whitelisted URLs"
add address=www.joshaven.com disabled=yes list="Whitelisted URLs"
add address=45.90.28.225 comment=NextDNS list="DNS Servers"
add address=45.90.30.225 comment=NextDNS list="DNS Servers"
add address=948953.dns.nextdns.io comment=NextDNS list="DNS Servers"
add address=188.94.192.215 comment=FlastStart list="DNS Servers"
add address=45.76.84.187 comment=FlastStart list="DNS Servers"
add address=192.168.0.0/21 list="Exempt Addresses"
add address=core.zeroday.ltd list="Blacklisted URLs"
add address=www.netflix.com list="Whitelisted URLs"
/ip firewall filter
add action=accept chain=input comment="Accept Exempt IP Addresses - This is to bypass the firewall all together. Use the Address Lists to add users to this rule." src-address-list="Exempt Addresses"
add action=accept chain=forward comment="Accept Exempt IP Addresses - This is to bypass the firewall all together. Use the Address Lists to add users to this rule." src-address-list="Exempt Addresses"
add action=accept chain=input comment="Accept Whitelisted URLs" src-address-list="Whitelisted URLs"
add action=accept chain=forward comment="Accept Whitelisted URLs" src-address-list="Whitelisted URLs"
add action=accept chain=forward comment="Accept Whitelisted URLs" dst-address-list="Whitelisted URLs"
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=input comment="Jump to DNS_DDoS Chain" jump-target=DNS_DDoS port=53 protocol=udp
add action=jump chain=forward comment="Jump to DNS_DDoS Chain" jump-target=DNS_DDoS port=53 protocol=udp
add action=accept chain=output comment="Accept DNS Requests from the router" port=53 protocol=udp
add action=accept chain=DNS_DDoS comment="Accept DNS Request from LAN - LAN IP Address List must be set!" port=53 protocol=udp src-address-list=LAN
add action=accept chain=DNS_DDoS comment="Accept Valid DNS Servers - Ensure that your DNS Servers are listed on the DNS Servers Address List!" dst-address-list="DNS Servers" in-interface-list="LAN Interfaces" port=53 protocol=udp
add action=accept chain=DNS_DDoS comment="Accept Valid DNS Servers - Ensure that your DNS Servers are listed on the DNS Servers Address List!" in-interface-list="WAN Interfaces" port=53 protocol=udp src-address-list="DNS Servers"
add action=add-src-to-address-list address-list=DNS_DDoS address-list-timeout=none-dynamic chain=DNS_DDoS comment="Add DNS_DDoS Offenders to Blacklist" port=53 protocol=udp
add action=drop chain=DNS_DDoS comment="Drop DNS_DDoS Offenders" src-address-list=DNS_DDoS
add action=return chain=DNS_DDoS comment="Return from DNS_DDoS Chain"
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=input comment="Jump to RFC SSH Chain" dst-port=22 jump-target="RFC SSH Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (SSH)" address-list-timeout=4w2d chain="RFC SSH Chain" comment="Transfer repeated attempts from SSH Stage 3 to Black-List" connection-state=new dst-port=22 protocol=tcp src-address-list="SSH Stage 3"
add action=add-src-to-address-list address-list="SSH Stage 3" address-list-timeout=1m chain="RFC SSH Chain" comment="Add successive attempts to SSH Stage 3" connection-state=new dst-port=22 protocol=tcp src-address-list="SSH Stage 2"
add action=add-src-to-address-list address-list="SSH Stage 2" address-list-timeout=1m chain="RFC SSH Chain" comment="Add successive attempts to SSH Stage 2" connection-state=new dst-port=22 protocol=tcp src-address-list="SSH Stage 1"
add action=add-src-to-address-list address-list="SSH Stage 1" address-list-timeout=1m chain="RFC SSH Chain" comment="Add initial attempt to SSH Stage 1 List" connection-state=new dst-port=22 protocol=tcp
add action=return chain="RFC SSH Chain" comment="Return From RFC SSH Chain"
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=input comment="Jump to RFC Telnet Chain" dst-port=23 jump-target="RFC Telnet Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Telnet)" address-list-timeout=4w2d chain="RFC Telnet Chain" comment="Transfer repeated attempts from Telnet Stage 3 to Black-List" connection-state=new dst-port=23 protocol=tcp src-address-list="Telnet Stage 3"
add action=add-src-to-address-list address-list="Telnet Stage 3" address-list-timeout=1m chain="RFC Telnet Chain" comment="Add successive attempts to Telnet Stage 3" connection-state=new dst-port=23 protocol=tcp src-address-list="Telnet Stage 2"
add action=add-src-to-address-list address-list="Telnet Stage 2" address-list-timeout=1m chain="RFC Telnet Chain" comment="Add successive attempts to Telnet Stage 2" connection-state=new dst-port=23 protocol=tcp src-address-list="Telnet Stage 1"
add action=add-src-to-address-list address-list="Telnet Stage 1" address-list-timeout=1m chain="RFC Telnet Chain" comment="Add initial attempt to Telnet Stage 1" connection-state=new dst-port=23 protocol=tcp
add action=return chain="RFC Telnet Chain" comment="Return From RFC Telnet Chain"
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=input comment="Jump to RFC Winbox Chain" dst-port=8291 jump-target="RFC Winbox Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Winbox)" address-list-timeout=4w2d chain="RFC Winbox Chain" comment="Transfer repeated attempts from Winbox Stage 3 to Black-List" connection-state=new dst-port=8291 protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m chain="RFC Winbox Chain" comment="Add successive attempts to Winbox Stage 3" connection-state=new dst-port=8291 protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m chain="RFC Winbox Chain" comment="Add successive attempts to Winbox Stage 2" connection-state=new dst-port=8291 protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=1m chain="RFC Winbox Chain" comment="Add initial attempt to Winbox Stage 1" connection-state=new dst-port=8291 protocol=tcp
add action=return chain="RFC Winbox Chain" comment="Return From RFC Winbox Chain"
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=input comment="Jump to RFC FTP Chain" dst-port=21 jump-target="RFC FTP Chain" protocol=tcp src-port=!21 tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=add-src-to-address-list address-list="Black List (FTP)" address-list-timeout=4w2d chain="RFC FTP Chain" comment="Transfer repeated attempts from FTP Stage 3 to Black-List" connection-state=new dst-port=21 nth=2,2 protocol=tcp src-address-list="FTP Stage 3" tcp-flags=syn
add action=add-src-to-address-list address-list="FTP Stage 3" address-list-timeout=1m chain="RFC FTP Chain" comment="Add successive attempts to FTP Stage 3" connection-state=new dst-port=21 nth=2,2 protocol=tcp src-address-list="FTP Stage 2" tcp-flags=syn
add action=add-src-to-address-list address-list="FTP Stage 2" address-list-timeout=1m chain="RFC FTP Chain" comment="Add successive attempts to FTP Stage 2" connection-state=new dst-port=21 nth=2,2 protocol=tcp src-address-list="FTP Stage 1" tcp-flags=syn
add action=add-src-to-address-list address-list="FTP Stage 1" address-list-timeout=1m chain="RFC FTP Chain" comment="Add initial attempt to FTP Stage 1" connection-state=new dst-port=21 nth=2,2 protocol=tcp tcp-flags=syn
add action=return chain="RFC FTP Chain" comment="Return From RFC FTP Chain"
add action=accept chain=output comment="Section Break" disabled=yes
add action=drop chain=input comment="Drop Invalid Connections from LAN" connection-state=invalid in-interface-list="LAN Interfaces"
add action=drop chain=forward comment="Drop Invalid Connections from LAN" connection-state=invalid in-interface-list="LAN Interfaces"
add action=drop chain=input comment="Drop Invalid Connections from WAN" connection-state=invalid in-interface-list="WAN Interfaces"
add action=drop chain=forward comment="Drop Invalid Connections from WAN" connection-state=invalid in-interface-list="WAN Interfaces"
add action=accept chain=output comment="Section Break" disabled=yes
add action=add-src-to-address-list address-list="WAN High Connection Rates" address-list-timeout=1d chain=input comment="Add WAN High Connections to Address List - Helps with DDoS Attacks" connection-limit=100,32 in-interface-list="WAN Interfaces"
add action=add-src-to-address-list address-list="LAN High Connection Rates" address-list-timeout=1d chain=forward comment="Add LAN High Connections to Address List - Helps identify compromised systems on your network" connection-limit=500,32 in-interface-list="LAN Interfaces"
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=forward comment="Jump to \"Manage Common Ports\" Chain" jump-target="Manage Common Ports"
add action=accept chain=output comment="Section Break" disabled=yes
add action=accept chain=input comment="Accept Related or Established Connections" connection-state=established,related
add action=accept chain=input comment="IKE, IPSEC Port 500,1701,4500 Allow" in-interface=WAN port=500,1701,4500 protocol=udp
add action=accept chain=input in-interface=WAN protocol=ipsec-esp
add action=accept chain=input in-interface=WAN protocol=ipsec-ah
add action=fasttrack-connection chain=forward comment="FastTrack Activate" connection-state=established,related disabled=yes
add action=accept chain=forward comment="Accept Related or Established Connections" connection-state=established,related
add action=accept chain=forward comment="Accept New Connections" connection-state=new in-interface-list="LAN Interfaces"
add action=drop chain=forward comment="drop sip bruteforce" disabled=yes in-interface=WAN src-address-list=sip-not-auth
add action=accept chain=forward comment="Allow Port Forwards" connection-nat-state=dstnat out-interface=WAN
add action=accept chain=forward comment="DAHUA CCTV Port 37777 Accept" dst-port="" port=37777 protocol=tcp
add action=accept chain=forward comment="FreePBX SIP Port 56061 Accept" port=56061 protocol=udp
add action=accept chain=forward comment="FreePBX RTP Ports 10030-10130 Port Accept" port=10030-10130 protocol=udp
add action=accept chain=forward comment="Plex Port 32400 Accept" port=32400 protocol=tcp
add action=drop chain=forward comment="Drop all other Traffic on the Forward Chain"
add action=drop chain=input comment="Drop all other Traffic on the Input Chain"
/ip firewall mangle
add action=add-dst-to-address-list address-list=sip-not-auth address-list-timeout=2d1h chain=forward comment="SIP Not Authorized Checking" connection-bytes=0-2048 content="SIP/2.0 401 Unauthorized" disabled=yes dst-address-list=!sip-auth dst-limit=5,5,dst-address/30s in-interface=bridge1 protocol=udp src-address=192.168.5.235 src-port=56061
add action=change-mss chain=forward comment="Auto Change MSS" in-interface=WAN new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=37777 in-interface=WAN protocol=tcp to-addresses=192.168.5.103 to-ports=37777
add action=dst-nat chain=dstnat comment="FreePBX SIP Port Forward" dst-port=56061 protocol=udp to-addresses=192.168.5.235 to-ports=56061
add action=dst-nat chain=dstnat comment="FreePBX RTP Port Forward" dst-port=10030-10130 protocol=udp to-addresses=192.168.5.235 to-ports=10030-10130
add action=dst-nat chain=dstnat comment="Plex Port Forward" dst-port=32400 protocol=tcp to-addresses=192.168.5.252 to-ports=32400
add action=accept chain=dstnat comment=vpn01 dst-address=192.168.5.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=WAN src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.6.0/24
add action=redirect chain=dstnat comment="Transparently proxy all DNS traffic" dst-port=53 protocol=udp src-address-list="LAN Subnets" to-ports=53
/ip firewall raw
add action=accept chain=prerouting comment="Accept Exempt IP Addresses - This is to bypass the firewall all together. Use the Address Lists to add users to this rule." src-address-list="Exempt Addresses"
add action=accept chain=prerouting comment="Accept Whitelisted URLs" src-address-list="Whitelisted URLs"
add action=accept chain=prerouting comment="Accept Whitelisted URLs" dst-address-list="Whitelisted URLs"
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=prerouting comment="Jump to RFC Port Scans" jump-target="RFC Port Scans" protocol=tcp
add action=jump chain=prerouting comment="Jump to RFC Port Scans" jump-target="RFC Port Scans" protocol=udp src-address-list="!DNS Servers"
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment="Detect WAN TCP Port Scans" in-interface-list="WAN Interfaces" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment="Detect WAN UDP Port Scans" in-interface-list="WAN Interfaces" protocol=udp psd=21,3s,3,1
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect WAN NMAP FIN Stealth scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect WAN SYN/FIN scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect WAN SYN/RST scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect WAN FIN/PSH/URG scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect WAN ALL/ALL scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect WAN NMAP NULL scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment="Detect LAN TCP Port Scans" in-interface-list="LAN Interfaces" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment="Detect LAN UDP Port Scans" in-interface-list="LAN Interfaces" protocol=udp psd=21,3s,3,1
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect LAN NMAP FIN Stealth scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect LAN SYN/FIN scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect LAN SYN/RST scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect LAN FIN/PSH/URG scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect LAN ALL/ALL scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment="Detect LAN NMAP NULL scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=return chain="RFC Port Scans" comment="Return from RFC Port Scans"
add action=accept chain=output comment="Section Break" disabled=yes
add action=drop chain=prerouting comment="Drop anyone in the Black List (Manually Added)" src-address-list="Manually Added Black List"
add action=drop chain=prerouting comment="Drop anyone in the Black List (Manually Added)" dst-address-list="Manually Added Black List"
add action=drop chain=prerouting comment="Drop anyone in the Black List (SSH)" src-address-list="Black List (SSH)"
add action=drop chain=prerouting comment="Drop anyone in the Black List (SSH)" dst-address-list="Black List (SSH)"
add action=drop chain=prerouting comment="Drop anyone in the Black List (Telnet)" src-address-list="Black List (Telnet)"
add action=drop chain=prerouting comment="Drop anyone in the Black List (Telnet)" dst-address-list="Black List (Telnet)"
add action=drop chain=prerouting comment="Drop anyone in the Black List (Winbox)" src-address-list="Black List (Winbox)"
add action=drop chain=prerouting comment="Drop anyone in the Black List (Winbox)" dst-address-list="Black List (Winbox)"
add action=drop chain=prerouting comment="Drop anyone in the Black List (FTP)" src-address-list="Black List (FTP)"
add action=drop chain=prerouting comment="Drop anyone in the Black List (FTP)" dst-address-list="Black List (FTP)"
add action=drop chain=prerouting comment="Drop all packets on Joshaven Potter's Blacklist for SpamHaus, dshield, and malc0de" src-address-list=blacklist
add action=drop chain=prerouting comment="Drop all packets on Joshaven Potter's Blacklist for SpamHaus, dshield, and malc0de" dst-address-list=blacklist
add action=drop chain=prerouting comment="Drop all packets on Joshaven Potter's VOIP Blacklist" src-address-list=voip-blacklist
add action=drop chain=prerouting comment="Drop all packets on Joshaven Potter's VOIP Blacklist" dst-address-list=voip-blacklist
add action=drop chain=prerouting comment="Drop anyone in the WAN Port Scanner List" src-address-list="WAN Port Scanners"
add action=drop chain=prerouting comment="Drop anyone in the WAN Port Scanner List" dst-address-list="WAN Port Scanners"
add action=drop chain=prerouting comment="Drop anyone in the LAN Port Scanner List" src-address-list="LAN Port Scanners"
add action=drop chain=prerouting comment="Drop anyone in the LAN Port Scanner List" dst-address-list="LAN Port Scanners"
add action=drop chain=prerouting comment="Drop anyone in the WAN High Connections List" src-address-list="WAN High Connection Rates"
add action=drop chain=prerouting comment="Drop anyone in the WAN High Connections List" dst-address-list="WAN High Connection Rates"
add action=drop chain=prerouting comment="Drop anyone in the LAN High Connections List" src-address-list="LAN High Connection Rates"
add action=drop chain=prerouting comment="Drop anyone in the LAN High Connections List" dst-address-list="LAN High Connection Rates"
add action=drop chain=prerouting comment="Drop all Blacklisted URLs" src-address-list="Blacklisted URLs"
add action=drop chain=prerouting comment="Drop all Blacklisted URLs" dst-address-list="Blacklisted URLs"
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=prerouting comment="Jump to RFC Bogon Chain" jump-target="RFC Bogon Chain"
add action=drop chain="RFC Bogon Chain" comment="Drop all packets sourced from Bogons" src-address-list=Bogons
add action=drop chain="RFC Bogon Chain" comment="Drop all packets destined to Bogons" dst-address-list=Bogons
add action=return chain="RFC Bogon Chain" comment="Return from RFC Bogon Chain"
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=prerouting comment="Protect RouterOS Services" jump-target="Protect RouterOS Services"
add action=accept chain="Protect RouterOS Services" comment="Allow BW Test Server from LAN" in-interface-list="LAN Interfaces" port=2000 protocol=udp
add action=accept chain="Protect RouterOS Services" comment="Allow MAC Winbox from the LAN" in-interface-list="LAN Interfaces" port=20561 protocol=udp
add action=accept chain="Protect RouterOS Services" comment="Allow Bootstrap and DHCP from LAN" in-interface-list="LAN Interfaces" port=67-68 protocol=udp
add action=accept chain="Protect RouterOS Services" comment="Allow SNMP from LAN" in-interface-list="LAN Interfaces" port=161,162 protocol=udp
add action=accept chain="Protect RouterOS Services" comment="Allow RIP from LAN" in-interface-list="LAN Interfaces" port=520,521 protocol=udp
add action=accept chain="Protect RouterOS Services" comment="Allow DHCPv6 Client and Server Messages from LAN" in-interface-list="LAN Interfaces" port=546,547 protocol=udp
add action=accept chain="Protect RouterOS Services" comment="Allow LDP Transport Session from LAN" in-interface-list="LAN Interfaces" port=646 protocol=tcp
add action=accept chain="Protect RouterOS Services" comment="Allow LDP Hello Messages from LAN" in-interface-list="LAN Interfaces" port=646 protocol=udp
add action=accept chain="Protect RouterOS Services" comment="Allow RSVP TE Tunnels from LAN" in-interface-list="LAN Interfaces" port=1698,1699 protocol=udp
add action=accept chain="Protect RouterOS Services" comment="Allow L2TP from LAN & WAN" port=1701 protocol=udp
add action=accept chain="Protect RouterOS Services" comment="Allow PPTP from LAN & WAN" port=1723 protocol=tcp
add action=accept chain="Protect RouterOS Services" comment="Allow BGP (TCP 179) from LAN & WAN" port=179 protocol=tcp
add action=accept chain="Protect RouterOS Services" comment="Allow CAPsMAN from LAN" in-interface-list="LAN Interfaces" port=5246,5247 protocol=udp
add action=accept chain="Protect RouterOS Services" comment="Allow IGMP/ Multicast from LAN" in-interface-list="LAN Interfaces" protocol=igmp
add action=accept chain="Protect RouterOS Services" comment="Allow PIM/ Multicast from LAN" in-interface-list="LAN Interfaces" protocol=pim
add action=accept chain="Protect RouterOS Services" comment="Allow OSPF from LAN" in-interface-list="LAN Interfaces" protocol=ospf
add action=accept chain="Protect RouterOS Services" comment="Allow GRE from LAN & WAN" protocol=gre
add action=accept chain="Protect RouterOS Services" comment="Allow ESP LAN & WAN" protocol=ipsec-esp
add action=accept chain="Protect RouterOS Services" comment="Allow AH from LAN & WAN" protocol=ipsec-ah
add action=accept chain="Protect RouterOS Services" comment="Allow VRRP from LAN & WAN" protocol=vrrp
add action=accept chain="Protect RouterOS Services" comment="Allow OpenFlow from LAN & WAN" port=6343 protocol=tcp
add action=accept chain="Protect RouterOS Services" comment="Allow MNDP from LAN" in-interface-list="LAN Interfaces" port=5678 protocol=udp
add action=drop chain="Protect RouterOS Services" comment="Drop attempts to access the SOCKs Proxy" log=yes log-prefix=FW-SOCKS port=1080 protocol=tcp
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=prerouting comment="RFC Unusual Protocols" jump-target="RFC Unusual Protocols"
add action=drop chain="RFC Unusual Protocols" comment="Drop GGP (Gateway to Gateway Protocol - Obsolete)" protocol=ggp
add action=drop chain="RFC Unusual Protocols" comment="Drop ST (Internet Stream Protocol - Obsolete)" protocol=st
add action=drop chain="RFC Unusual Protocols" comment="Drop EGP (Exterior Gateway Protocol - Obsolete)" protocol=egp
add action=drop chain="RFC Unusual Protocols" comment="Drop PUP (PARC Universal Packet Protocol - Obsolete)" protocol=pup
add action=drop chain="RFC Unusual Protocols" comment="Drop HMP (Host Monitoring Protocol - Obsolete)" protocol=hmp
add action=drop chain="RFC Unusual Protocols" comment="Drop XNS-IDP (Xerox Network Systems Internet Datagram Protocol - Obsolete)" protocol=xns-idp
add action=drop chain="RFC Unusual Protocols" comment="Drop XTP (Xpress Transport Protocol - Obsolete)" protocol=xtp
add action=drop chain="RFC Unusual Protocols" comment="Drop RSPF (Radio Shortest Path First - Not applicable to most people)" protocol=rspf
add action=drop chain="RFC Unusual Protocols" comment="Drop VMTP (Versatile Message Transaction Protocol - Not applicable to most people)" protocol=vmtp
add action=return chain="RFC Unusual Protocols" comment="Return from RFC Unusual Protocols"
add action=accept chain=output comment="Section Break" disabled=yes
add action=drop chain=prerouting comment="Drop packets that contain yersinia" content=yersinia
add action=drop chain=prerouting comment="Drop packets that contain kali" content=kali
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=prerouting comment="Jump to TCP Protection" jump-target="RFC TCP Protection" protocol=tcp
add action=drop chain="RFC TCP Protection" comment="Drop all TCP Resets from WAN" in-interface-list="WAN Interfaces" protocol=tcp src-address-list="DNS Servers" tcp-flags=rst
add action=drop chain="RFC TCP Protection" comment="Drop all TCP sourced from common DNS Servers" dst-port=!53 in-interface-list="WAN Interfaces" protocol=tcp src-address-list="DNS Servers" tcp-flags=""
add action=return chain="RFC TCP Protection" comment="Return from TCP Protection" protocol=tcp
add action=accept chain=output comment="Section Break" disabled=yes
add action=jump chain=prerouting comment="Jump to Virus Chain" jump-target=Virus protocol=tcp
add action=jump chain=prerouting comment="Jump to Virus Chain" jump-target=Virus protocol=udp
add action=drop chain=Virus comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=Virus comment="Drop Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=Virus comment="Drop Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=Virus comment="Drop Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=Virus comment=Conficker dst-port=593 protocol=tcp
add action=drop chain=Virus comment=Worm dst-port=1024-1030 protocol=tcp
add action=drop chain=Virus comment=“ndm requester” dst-port=1363 protocol=tcp
add action=drop chain=Virus comment=“ndm server” dst-port=1364 protocol=tcp
add action=drop chain=Virus comment=“screen cast” dst-port=1368 protocol=tcp
add action=drop chain=Virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=Virus comment=“Drop MyDoom” dst-port=1080 protocol=tcp
add action=drop chain=Virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=Virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=Virus comment=“Drop Dumaru.Y” dst-port=2283 protocol=tcp
add action=drop chain=Virus comment=“Drop Beagle” dst-port=2535 protocol=tcp
add action=drop chain=Virus comment=“Drop Beagle.C-K” dst-port=2745 protocol=tcp
add action=drop chain=Virus comment=“Drop MyDoom” dst-port=3127-3128 protocol=tcp
add action=drop chain=Virus comment=“Drop Backdoor OptixPro” dst-port=3410 protocol=tcp
add action=drop chain=Virus comment=“Drop Sasser” dst-port=5554 protocol=tcp
add action=drop chain=Virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=Virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=Virus comment=“Drop Beagle.B” dst-port=8866 protocol=tcp
add action=drop chain=Virus comment=“Drop Dabber.A-B” dst-port=9898 protocol=tcp
add action=drop chain=Virus comment=“Drop Dumaru.Y” dst-port=10000 protocol=tcp
add action=drop chain=Virus comment=“Drop MyDoom.B” dst-port=10080 protocol=tcp
add action=drop chain=Virus comment=“Drop NetBus” dst-port=12345 protocol=tcp
add action=drop chain=Virus comment=“Drop Kuang2” dst-port=17300 protocol=tcp
add action=drop chain=Virus comment=“Drop SubSeven” dst-port=27374 protocol=tcp
add action=drop chain=Virus comment=“Drop PhatBot, Agobot, Gaobot” dst-port=65506 protocol=tcp
add action=return chain=Virus comment=“Return From Virus Chain”
add action=accept chain=output comment=“Section Break” disabled=yes
add action=jump chain=prerouting comment=“Jump to RFC ICMP Protection Chain” jump-target=“RFC ICMP Protection” protocol=icmp
add action=add-dst-to-address-list address-list=“Suspected SMURF Attacks” address-list-timeout=none-dynamic chain=“RFC ICMP Protection” comment=
“Detect Suspected SMURF Attacks” dst-address-type=broadcast log=yes log-prefix=“FW-SMURF Attacks” protocol=icmp
add action=drop chain=“RFC ICMP Protection” comment=“Drop Suspected SMURF Attacks” dst-address-list=“Suspected SMURF Attacks” protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Accept Echo Requests” icmp-options=8:0 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Accept Echo Replys” icmp-options=0:0 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Accept Destination Network Unreachable” icmp-options=3:0 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Accept Destination Host Unreachable” icmp-options=3:1 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Fragmentation Messages” icmp-options=3:4 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Accept Destination Port Unreachable” icmp-options=3:3 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Source Route Failed” icmp-options=3:5 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Network Admin Prohibited” icmp-options=3:9 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Host Admin Prohibited” icmp-options=3:10 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Router Advertisemnet” icmp-options=9:0 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Router Solicitation” icmp-options=9:10 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=“Time Exceeded” icmp-options=11:0-255 protocol=icmp
add action=accept chain=“RFC ICMP Protection” comment=Traceroute icmp-options=30:0 protocol=icmp
add action=drop chain=“RFC ICMP Protection” comment=“Drop ALL other ICMP Messages” log=yes log-prefix=“FW-ICMP Protection” protocol=icmp
add action=accept chain=output comment=“Section Break” disabled=yes
add action=jump chain=prerouting comment=“Jump to "Manage Common Ports" Chain” jump-target=“Manage Common Ports”
add action=accept chain=“Manage Common Ports” comment=“"All hosts on this subnet" Broadcast” src-address=224.0.0.1
add action=accept chain=“Manage Common Ports” comment=“"All routers on this subnet" Broadcast” src-address=224.0.0.2
add action=accept chain=“Manage Common Ports” comment=“DVMRP (Distance Vector Multicast Routing Protocol)” src-address=224.0.0.4
add action=accept chain=“Manage Common Ports” comment=“OSPF - All OSPF Routers Broadcast” src-address=224.0.0.5
add action=accept chain=“Manage Common Ports” comment=“OSPF - OSPF DR Routers Broadcast” src-address=224.0.0.6
add action=accept chain=“Manage Common Ports” comment=“RIP Broadcast” src-address=224.0.0.9
add action=accept chain=“Manage Common Ports” comment=“EIGRP Broadcast” src-address=224.0.0.10
add action=accept chain=“Manage Common Ports” comment=“PIM Broadcast” src-address=224.0.0.13
add action=accept chain=“Manage Common Ports” comment=“VRRP Broadcast” src-address=224.0.0.18
add action=accept chain=“Manage Common Ports” comment=“IS-IS Broadcast” src-address=224.0.0.19
add action=accept chain=“Manage Common Ports” comment=“IS-IS Broadcast” src-address=224.0.0.20
add action=accept chain=“Manage Common Ports” comment=“IS-IS Broadcast” src-address=224.0.0.21
add action=accept chain=“Manage Common Ports” comment=“IGMP Broadcast” src-address=224.0.0.22
add action=accept chain=“Manage Common Ports” comment=“GRE Protocol (Local Management)” protocol=gre
add action=accept chain=“Manage Common Ports” comment=“FTPdata transfer” port=20 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="FTPdata transfer " port=20 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“FTPcontrol (command)” port=21 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Secure Shell(SSH)” port=22 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="Secure Shell(SSH) " port=22 protocol=udp
add action=accept chain=“Manage Common Ports” comment=Telnet port=23 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=Telnet port=23 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Priv-mail: any privatemailsystem.” port=24 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="Priv-mail: any privatemailsystem. " port=24 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Simple Mail Transfer Protocol(SMTP)” port=25 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="Simple Mail Transfer Protocol(SMTP) " port=25 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“TIME protocol” port=37 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“TIME protocol " port=37 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“ARPA Host Name Server Protocol & WINS” port=42 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“ARPA Host Name Server Protocol & WINS " port=42 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“WHOIS protocol” port=43 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“WHOIS protocol” port=43 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Domain Name System (DNS)” port=53 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Domain Name System (DNS)” port=53 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Mail Transfer Protocol(RFC 780)” port=57 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=”(BOOTP) Server & (DHCP) " port=67 protocol=udp
add action=accept chain=“Manage Common Ports” comment=”(BOOTP) Client & (DHCP) " port=68 protocol=udp
add action=accept chain=“Manage Common Ports” comment="Trivial File Transfer Protocol (TFTP) " port=69 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Gopher protocol” port=70 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Finger protocol” port=79 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Hypertext Transfer Protocol (HTTP)” port=80 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“RemoteTELNETService protocol” port=107 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Post Office Protocolv2 (POP2)” port=109 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Post Office Protocolv3 (POP3)” port=110 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“IdentAuthentication Service/Identification Protocol” port=113 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="Authentication Service (auth) " port=113 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Simple File Transfer Protocol (SFTP)” port=115 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Network Time Protocol(NTP)” port=123 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“NetBIOSNetBIOS Name Service” port=137 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="NetBIOSNetBIOS Name Service " port=137 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“NetBIOSNetBIOS Datagram Service” port=138 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="NetBIOSNetBIOS Datagram Service " port=138 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“NetBIOSNetBIOS Session Service” port=139 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="NetBIOSNetBIOS Session Service " port=139 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Internet Message Access Protocol (IMAP)” port=143 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Background File Transfer Program (BFTP)” port=152 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="Background File Transfer Program (BFTP) " port=152 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“SGMP,Simple Gateway Monitoring Protocol” port=153 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="SGMP,Simple Gateway Monitoring Protocol " port=153 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“DMSP, Distributed Mail Service Protocol” port=158 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="DMSP, Distributed Mail Service Protocol " port=158 protocol=udp
add action=accept chain=“Manage Common Ports” comment="Simple Network Management Protocol(SNMP) " port=161 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Simple Network Management ProtocolTrap (SNMPTRAP)” port=162 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="Simple Network Management ProtocolTrap (SNMPTRAP) " port=162 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“BGP (Border Gateway Protocol)” port=179 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Internet Message Access Protocol (IMAP), version 3” port=220 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Internet Message Access Protocol (IMAP), version 3” port=220 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“BGMP, Border Gateway Multicast Protocol” port=264 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="BGMP, Border Gateway Multicast Protocol " port=264 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Lightweight Directory Access Protocol (LDAP)” port=389 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Lightweight Directory Access Protocol (LDAP)” port=389 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“SSTP TCP Port 443 (Local Management) & HTTPS” port=443 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Microsoft-DSActive Directory, Windows shares” port=445 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“L2TP/ IPSEC UDP Port 500 (Local Management)” port=500 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Modbus, Protocol” port=502 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="Modbus, Protocol " port=502 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Shell (Remote Shell, rsh, remsh)” port=514 protocol=tcp
add action=accept chain=“Manage Common Ports” comment="Syslog - used for system logging " port=514 protocol=udp
add action=accept chain=“Manage Common Ports” comment="Routing Information Protocol (RIP) " port=520 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“e-mail message submission (SMTP)” port=587 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“LDP,Label Distribution Protocol” port=646 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“LDP,Label Distribution Protocol” port=646 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“FTPS Protocol (data):FTP over TLS/SSL” port=989 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“FTPS Protocol (data):FTP over TLS/SSL” port=989 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“FTPS Protocol (control):FTP over TLS/SSL” port=990 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“FTPS Protocol (control):FTP over TLS/SSL” port=990 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“TELNET protocol overTLS/SSL” port=992 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“TELNET protocol overTLS/SSL” port=992 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Internet Message Access Protocol over TLS/SSL (IMAPS)” port=993 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“Post Office Protocol3 over TLS/SSL (POP3S)” port=995 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“OVPN TCP Port 1194 (Local Management)” port=1194 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“PPTP Port 1723 (Local Management)” port=1723 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“L2TP UDP Port 1701 (Local Management)” port=1701 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“L2TP UDP Port 4500 (Local Management)” port=4500 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Easy4IP Common Ports Allow” port=8800-8815,8883 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“DAHUA CCTV TCP Port 37777 (Local Management)” port=37777 protocol=tcp
add action=accept chain=“Manage Common Ports” comment=“STUN UDP Port 3478 (Local Management)” port=3478 protocol=udp
add action=accept chain=“Manage Common Ports” comment=“Plex TCP Port 32400 (Local Management)” port=32400 protocol=tcp
add action=accept chain=output comment=“Section Break” disabled=yes
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes ports=5060,5061,6060,6061
/ip hotspot user
add name=admin
/ip ipsec identity
add peer=peer1
add generate-policy=port-override peer=l2tp
add auth-method=digital-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
add comment=vpn01 dst-address=192.168.0.0/24 peer=peer1 proposal=secure-proposal sa-dst-address=85.75.235.49 sa-src-address=192.168.1.5 src-address=192.168.5.0/24 tunnel=\
    yes
add dst-address=192.168.6.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip proxy
set cache-administrator=xxxxxxx@gmail.com cache-on-disk=yes cache-path=disk1 max-cache-object-size=500000KiB max-client-connections=1000 max-server-connections=1000 \
    parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=192.168.1.1
add comment=vpn01 distance=1 dst-address=192.168.0.0/24 gateway=bridge1
add distance=1 dst-address=192.168.6.0/24 gateway=bridge1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8085
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/24,192.168.5.0/24
set api-ssl disabled=yes
/ip upnp interfaces
add interface=WAN type=external
add interface=bridge1 type=internal
/ppp secret
add name=admin profile=profile1 remote-address=192.168.6.100 service=l2tp
add name=wife profile=profile1 remote-address=192.168.6.101 service=l2tp
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="hAP ac^2 Controller"
/system note
set show-at-login=no
/system ntp client
set enabled=yes primary-ntp=162.159.200.1
/system ntp server
set enabled=yes manycast=no
/system routerboard settings
set auto-upgrade=yes

Forum rules: please edit your post and place [code] and [/code] tags around the configuration export.

To the topic: as a minimum, a policy for 192.168.0.0/24 <=> 192.168.6.0/24 is missing in the configuration of the tunnel between “branch” and “home”. Add it accordingly at both machines and report back - I won’t dive into your firewall rules until really necessary.

Hi sindy

Policy added to both machines and PH2 State is established but still no connection to the 0.0 network via the 2nd IKEv2

I cannot even find the reason why the IKEv2 clients in 192.168.6.0/24 can access anything in 192.168.5.0/24 as you state: in the forward chain of filter, the rule “accept new” matches on in-interface-list=LAN (so it doesn’t match on packets from those IKEv2 clients whose in-interface is the WAN through which the IPsec session is established) and the rule “accept exempted” matches on src-address-list=“Exempt Addresses” which doesn’t contain 192.168.6.0/24.

Off topic, your long list of “accept” rules in raw doesn’t end with any “drop the rest”, so the whole list is redundant as the packets which match none of those rules get accepted anyway, so they make it to connection-tracking and later filter.

I think the op needs to simplify.
In fact, going back to default rules add required ipsec and then state further requirements and then see what needs to be added.
All I see is bloatware.
I am curious as to the reason for setting rp-filter strict, for example??

There is that firewall floating around… People slap it in there with no idea what it does and it just makes it harder to find the problem.

At the very top of your firewall add a forwarding chain that allows each subnet to the others.

I will simplify the firewall tomorrow, remove the bloatware and repost.

I will add the forwarding chains also and try.

I like the priorities --> tomorrow, tonight Ouzo comes first!!

What I mean is start from defaults and ONLY add what you need to allow the devices and users on or using your network to do what they need to do.

This damn ouzo will be the end of me hahaha
I have added the basics and reposting still no success though.

/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=WAN
/interface pppoe-client
add add-default-route=yes allow=pap,chap interface=WAN keepalive-timeout=disabled name=OTEBridge service-name=OTE user=xxxxx@otenet.gr
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n mode=ap-bridge ssid=MikroTik station-roaming=enabled
set [ find default-name=wlan2 ] band=5ghz-n/ac country=no_country_set default-forwarding=no frequency-mode=manual-txpower mode=ap-bridge multicast-helper=disabled ssid=\
    MikroTik station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/interface list
add name=OTE
add name=LAN
add name="WAN Interfaces"
add name="LAN Interfaces"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=192.168.5.1 html-directory=flash/hotspot login-by=http-chap name=hsprof1 radius-interim-update=10m use-radius=yes
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=modp1024 enc-algorithm=aes-128 name=profile1
add name=ike2
/ip ipsec peer
add address=xxxxxxxx/32 comment=vpn01 exchange-mode=ike2 name=peer1 profile=profile1
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
add name=l2tp passive=yes profile=profile1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=0s pfs-group=none
add enc-algorithms=aes-128-cbc name=secure-proposal pfs-group=none
add name=ike2 pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.5.2-192.168.5.254
add name=ike2-pool ranges=192.168.6.100-192.168.6.120
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=1d name=dhcp1
/ip hotspot
add address-pool=dhcp_pool0 interface=bridge1 name=hotspot1 profile=hsprof1
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=""
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.5.1 name=profile1 use-encryption=required
/queue simple
add disabled=yes max-limit=5M/24600k name=Limiter priority=1/1 target=bridge1
/system logging action
set 0 memory-lines=10000
set 1 disk-file-count=1 disk-lines-per-file=10000
/interface bridge filter
add action=accept chain=forward disabled=yes dst-port=67 ip-protocol=udp mac-protocol=ip out-interface=WAN src-port=68
add action=drop chain=forward disabled=yes dst-port=67 ip-protocol=udp mac-protocol=ip src-port=68
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
/ip firewall connection tracking
set enabled=yes loose-tcp-tracking=no udp-stream-timeout=5m udp-timeout=2m
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 default-profile=profile1 enabled=yes keepalive-timeout=disabled
/interface list member
add interface=bridge1 list=LAN
add interface=WAN list=OTE
/interface pptp-server server
set default-profile=profile1 keepalive-timeout=disabled
/ip address
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=192.168.1.5/24 interface=WAN network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=8192KiB max-udp-packet-size=8192 servers=1.1.1.1
/ip dns static
add address=192.168.5.1 name=router.lan
/ip firewall address-list
add address=192.168.0.0/24 list=Allowed_IN
add address=192.168.5.0/24 list=Allowed_IN
add address=192.168.6.0/24 list=Allowed_IN
/ip firewall filter
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.6.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.6.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=Allowed_IN
add action=accept chain=input dst-port=500,1701,4500 in-interface=WAN protocol=udp
add action=accept chain=input in-interface=WAN protocol=ipsec-esp
add action=accept chain=input in-interface=WAN protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow Port Forwards" connection-nat-state=dstnat out-interface=WAN
add action=accept chain=forward comment="DAHUA CCTV Port 37777 Accept" dst-port="" port=37777 protocol=tcp
add action=accept chain=forward comment="FreePBX SIP Port 56061 Accept" port=56061 protocol=udp
add action=accept chain=forward comment="FreePBX RTP Ports 10030-10130 Port Accept" port=10030-10130 protocol=udp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=OTE
/ip firewall mangle
add action=add-dst-to-address-list address-list=sip-not-auth address-list-timeout=2d1h chain=forward comment="SIP Not Authorized Checking" connection-bytes=0-2048 \
    content="SIP/2.0 401 Unauthorized" disabled=yes dst-address-list=!sip-auth dst-limit=5,5,dst-address/30s in-interface=bridge1 protocol=udp src-address=192.168.5.235 \
    src-port=56061
add action=change-mss chain=forward comment="Auto Change MSS" in-interface=WAN new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=37777 in-interface=WAN protocol=tcp to-addresses=192.168.5.103 to-ports=37777
add action=dst-nat chain=dstnat comment="FreePBX SIP Port Forward" dst-port=56061 protocol=udp to-addresses=192.168.5.235 to-ports=56061
add action=dst-nat chain=dstnat comment="FreePBX RTP Port Forward" dst-port=10030-10130 protocol=udp to-addresses=192.168.5.235 to-ports=10030-10130
add action=accept chain=dstnat comment=vpn01 dst-address=192.168.5.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=WAN src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.6.0/24
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes ports=5060,5061,6060,6061
/ip hotspot user
add name=admin
/ip ipsec identity
add peer=peer1
add generate-policy=port-override peer=l2tp
add auth-method=digital-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
add comment=vpn01 dst-address=192.168.0.0/24 peer=peer1 proposal=secure-proposal sa-dst-address=xxxxxxxx sa-src-address=192.168.1.5 src-address=192.168.5.0/24 tunnel=\
    yes
add dst-address=192.168.0.0/24 peer=peer1 proposal=secure-proposal sa-dst-address=xxxxxxxx sa-src-address=0.0.0.0 src-address=192.168.6.0/24 tunnel=yes
add dst-address=192.168.6.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip proxy
set cache-administrator=xxxxxxx@gmail.com cache-on-disk=yes cache-path=disk1 max-cache-object-size=500000KiB max-client-connections=1000 max-server-connections=1000 \
    parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=192.168.1.1
add comment=vpn01 distance=1 dst-address=192.168.0.0/24 gateway=bridge1
add distance=1 dst-address=192.168.6.0/24 gateway=bridge1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8085
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.0.0/24,192.168.5.0/24
set api-ssl disabled=yes
/ip upnp interfaces
add interface=WAN type=external
add interface=bridge1 type=internal
/ppp secret
add name=admin profile=profile1 remote-address=192.168.6.100 service=l2tp
add name=wife profile=profile1 remote-address=192.168.6.101 service=l2tp
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="hAP ac^2 Controller"
/system note
set show-at-login=no
/system ntp client
set enabled=yes primary-ntp=162.159.200.1
/system ntp server
set enabled=yes manycast=no
/system routerboard settings
set auto-upgrade=yes

Adding a srcnat 192.168.6.0/24 to 192.168.0.0/24 seems to have solved my issue.

I am having web interface access to everything on the 0.0 network plus winbox access.

However when i try to view my cameras at the 0.0 network through the Dahua application from my phone (part of 192.168.6.0 client) as local (192.168.0.127) port 37777 it isn’t working.

If so, it means that the firewall at the branch machine doesn’t accept incoming connections from 192.168.6.0/24. So the above is rather a workaround than a solution.

(1) I have never used bridge filter so wondering if this is better placed in input chain if necessary or is this something hotspot requires??
/interface bridge filter
add action=accept chain=forward disabled=yes dst-port=67 ip-protocol=udp mac-protocol=ip out-interface=WAN src-port=68
add action=drop chain=forward disabled=yes dst-port=67 ip-protocol=udp mac-protocol=ip src-port=68

(2) Also I have never used this and wondering if it is the complication causing issues?
/interface bridge settings
set use-ip-firewall-for-pppoe=yes

(3) This seems incomplete considering the Interfaces and needs rework!!!
/interface list
add name=OTE (this is not required and not used or used effectively)
add name=LAN (good)
add name="WAN Interfaces" (okay if you're using this because you named ether1 'WAN', instead of something less confusing like ether1-wan)
add name="LAN Interfaces" (not required)
??
/interface list member
add interface=bridge1 list=LAN (good)
add interface=WAN list=OTE
(not good, get rid of it).
change to
add interface=WAN list="WAN Interfaces"
add interface=OTEBridge list="WAN Interfaces"

(4) Where the heck does this subnet come from??
/ip firewall address-list
add address=192.168.0.0/24 list=Allowed_IN
add address=192.168.5.0/24 list=Allowed_IN
add address=192.168.6.0/24 list=Allowed_IN

(5) Besides the same issue of the unknown subnet 192.168.0.0, why are these rules before all other rules (in terms of order, before the other forward chain rules)?
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.6.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.6.0/24

(6) Same unknown subnet is allowed access to winbox??

(7) After changing the WAN interface list members above, this rule should work better with modification.
add action=accept chain=forward comment="Allow Port Forwards" connection-nat-state=dstnat out-interface-list="WAN Interfaces"

(8) What is the purpose of these forward chain rules? They don't state where the traffic is coming from or where it is headed to; they seem wide open???
Many folks mistakenly put rules in the forward chain for stuff that belongs in destination NAT, for example; if that's the case, one needs to get rid of these…
add action=accept chain=forward comment="DAHUA CCTV Port 37777 Accept" dst-port="" port=37777 protocol=tcp
add action=accept chain=forward comment="FreePBX SIP Port 56061 Accept" port=56061 protocol=udp
add action=accept chain=forward comment="FreePBX RTP Ports 10030-10130 Port Accept" port=10030-10130 protocol=udp

(9) You allowed port forwarding, so this rule is redundant, for at least half of it.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=OTE

Why not just put this at the bottom:
add action=drop chain=forward comment="drop all else" (which drops all traffic not specifically allowed by the OP)
If not that, then:
add action=drop chain=forward in-interface-list="WAN Interfaces" (which drops all traffic from the WAN)


(10) Only one masquerade rule is needed.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list="WAN Interfaces"
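To make points (3), (7), (8), (9) and (10) concrete, here is a forward chain and NAT section written the way they describe. This is an added example, not the thread's own export: the interface names WAN, OTEBridge and bridge1 come from the export above, 192.168.5.103 is the home CCTV host mentioned later in the thread and is used only as an illustrative port-forward target (the rule is left disabled), and the SIP/RTP rules are omitted because the thread gives no destination host for them.

```routeros
# Added example, not the thread's export. Interface names are from the export;
# 192.168.5.103 stands in for whatever host really listens on tcp/37777.

# (3) one list per role. Both the physical port and the PPPoE client go in
#     "WAN Interfaces" so that in/out-interface-list rules match either.
/interface list
add name=LAN
add name="WAN Interfaces"
/interface list member
add interface=bridge1 list=LAN
add interface=WAN list="WAN Interfaces"
add interface=OTEBridge list="WAN Interfaces"

# (8) the rule as exported, kept here commented out because it is the thing
#     to remove: "port=" matches SOURCE or destination port, and with no
#     address or interface any forwarded packet carrying 37777 at either end
#     is accepted, whichever side of the router it arrived on.
#/ip firewall filter
#add action=accept chain=forward comment="DAHUA CCTV Port 37777 Accept" port=37777 protocol=tcp

# forward chain, top to bottom
/ip firewall filter
add action=accept chain=forward comment="established/related" connection-state=established,related
add action=drop chain=forward comment="invalid" connection-state=invalid
# tunnel traffic is accepted only when it came out of an IPsec SA
# (ipsec-policy=in,ipsec), never when the same addresses show up on the bare WAN
add action=accept chain=forward comment="branch -> home" src-address=192.168.0.0/24 dst-address=192.168.5.0/24 ipsec-policy=in,ipsec
add action=accept chain=forward comment="home -> branch" src-address=192.168.5.0/24 dst-address=192.168.0.0/24 ipsec-policy=in,ipsec
add action=accept chain=forward comment="phone pool -> home" src-address=192.168.6.0/24 dst-address=192.168.5.0/24 ipsec-policy=in,ipsec
add action=accept chain=forward comment="phone pool -> branch" src-address=192.168.6.0/24 dst-address=192.168.0.0/24 ipsec-policy=in,ipsec
add action=accept chain=forward comment="branch -> phone pool" src-address=192.168.0.0/24 dst-address=192.168.6.0/24 ipsec-policy=in,ipsec
# LAN out to the Internet
add action=accept chain=forward comment="LAN -> WAN" in-interface-list=LAN out-interface-list="WAN Interfaces"
# (7) the one rule that admits port-forwarded traffic: it only matches
#     connections that a dst-nat rule has already rewritten, and those
#     arrive from the WAN side, hence in-interface-list
add action=accept chain=forward comment="Allow Port Forwards" connection-nat-state=dstnat in-interface-list="WAN Interfaces"
# (9) everything not listed above is dropped, WAN or not
add action=drop chain=forward comment="drop all else"

# (8) an Internet-facing service, if one is ever wanted, is a dst-nat rule
#     plus the single "Allow Port Forwards" accept above, not a port-only
#     forward rule. Disabled here: exposing a CCTV port is a last resort.
# (10) one masquerade; ipsec-policy=out,none keeps packets that an IPsec
#      policy is about to encrypt from being source-NATed first
/ip firewall nat
add action=dst-nat chain=dstnat comment="CCTV 37777 port forward (disabled)" disabled=yes dst-port=37777 in-interface-list="WAN Interfaces" protocol=tcp to-addresses=192.168.5.103
add action=masquerade chain=srcnat comment="LAN -> Internet" ipsec-policy=out,none out-interface-list="WAN Interfaces"
```

Rule order is what does the work here: the address-scoped tunnel accepts and the dstnat accept sit above the final drop, so nothing that is not named gets through, and the ipsec-policy matcher means a packet with a 192.168.x source that arrives on the WAN outside a tunnel is dropped rather than treated as VPN traffic.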

Any suggestion on how to accept them?
I have tried the forward chains with all the subnets, which doesn't make any difference.

Thank you for your detailed answer.

I have made some modifications.

The rules you quote in 1 and 2 are disabled rules and I have removed them.

PPPoE doesn't exist at all, and neither does OTEBridge.

I have removed the forward entries for the ports, i.e. 37777, as they are not necessary, and removed the allow port forward rule.

The 0.0/24 subnet comes from my 1st IKEv2 VPN… It is the Branch office.
The 5.0/24 subnet is the Home Point.
The 6.0/24 subnet is a VPN pool for my 2nd IKEv2 VPN that I connect to the home point with from my Android phone.
FYI, the 6.0 network has only a pool range… I haven't added it in the address section, nor have I created a DHCP server for it.

I want to be able to see the Branch Office from my phone.

Adding the srcnat from 192.168.6.0/24 to 192.168.0.0/24 has helped the situation, but I only get access to web interfaces and Winbox.

Apparently the Branch office isn't accepting connections from 192.168.6.0/24.

Forwarding

Good morning

add action=accept chain=forward dst-address=192.168.5.0/24 in-interface=WAN ipsec-policy=in,ipsec src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 in-interface=WAN ipsec-policy=in,ipsec src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.6.0/24 in-interface=WAN ipsec-policy=in,ipsec src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 in-interface=WAN ipsec-policy=in,ipsec src-address=192.168.6.0/24

I have done this on both sites.

It seems that with these rules I don't need the srcnat 192.168.6.0/24 to 192.168.0.0/24 rule to get the web interface access and MikroTik remote access, but I still fail to open my cameras as a local connection from my phone.

Meaning: I VPN from my phone to the home point, I can open up a browser and access the 192.168.0.127 (CCTV box) web interface, but when I run the program to access the cameras it fails, although it doesn't fail opening my local camera, which is 192.168.5.103. All this, mind you, via LTE.

Maybe it has something to do with port 37777 not reaching the Branch office?

Any ideas?

I have noticed that when I use L2TP/IPsec from my phone I don't have this issue.
Should my IPsec policy level be changed from required to unique? I notice the L2TP connection comes with level unique.
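The two things the last posts are guessing at, whether the site-to-site policies select the phone pool at all and whether tcp/37777 actually crosses the tunnel, can both be checked from the RouterOS console. The following is an added example, not from the thread: the peer names branch (on the home router) and home (on the branch router) are assumed, and so is the idea that the existing site-to-site policy only selects 192.168.5.0/24 <-> 192.168.0.0/24, because the export in this thread does not include the /ip ipsec section. Run the print commands first and only add policies if the 192.168.6.0/24 selectors really are missing.

```routeros
# Added example, not from the thread. Peer names "branch"/"home" and the
# assumption that the site-to-site policy selects only 5.0/24 <-> 0.0/24 are
# placeholders: verify with the print commands before changing anything.

# 1. What does the site-to-site policy select? Policy-based IPsec only
#    encrypts packets that match a selector. A packet from the phone pool
#    (192.168.6.x) to 192.168.0.x that matches no policy follows the plain
#    route for 192.168.0.0/24 (bridge1 in the home export) and never enters
#    the tunnel, which is also why source-NATing it to a 192.168.5.x address
#    made the web interface reachable.
/ip ipsec policy print detail
/ip ipsec installed-sa print

# 2. If 192.168.6.0/24 is missing, add it on BOTH ends of the tunnel.
#    Home router:
/ip ipsec policy
add peer=branch tunnel=yes src-address=192.168.6.0/24 dst-address=192.168.0.0/24 proposal=default comment="phone pool -> branch"
#    Branch router (mirror image):
/ip ipsec policy
add peer=home tunnel=yes src-address=192.168.0.0/24 dst-address=192.168.6.0/24 proposal=default comment="branch -> phone pool"

# 3. Does tcp/37777 reach the branch? Put a temporary log rule at the top of
#    the forward chain on both routers, then start the camera app. A hit on
#    the home router but none on the branch router means the packet is lost
#    between them (selector or branch firewall); a hit on the branch router
#    means the branch forwards it and the problem is on the camera side.
/ip firewall filter
add chain=forward protocol=tcp dst-port=37777 action=log log-prefix="cctv37777" place-before=0
/log print where message~"cctv37777"

# 4. Remove the log rule when done
/ip firewall filter remove [find log-prefix="cctv37777"]
```

On the policy level question: level governs how SAs are negotiated for a policy (unique asks for a separate SA per policy, which is what the dynamic L2TP/IPsec policies use), not which addresses the policy's selector covers, so changing it on its own will not bring 192.168.6.0/24 traffic into the site-to-site tunnel.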