Strange DNS queries over PPTP VPN

Hi,

Site A: RB2011 that makes a pptp connection to site B (internal network: 192.168.0.1/24)
Site B: RB4011 that has a PPP secret for site A that gives it the IP 172.16.1.4 (internal network: 192.168.100.0/24)

/interface pptp-client
add connect-to=site-b.nl disabled=no name=siteb-vpn password=abc user=abc

And it has a fixed routing:

/ip route
add distance=1 dst-address=192.168.100.0/24 gateway=siteb-vpn

I was working on the firewall in site B (kinda reconfiguring it nicely) and I noticed the following log entries:

19:11:35 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.23:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.23:53, len 64 
19:11:36 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.22:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.22:53, len 64 
19:11:36 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.23:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.23:53, len 64 
19:11:37 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.22:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.22:53, len 64 
19:11:37 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.23:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.23:53, len 64 
19:11:38 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.22:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.22:53, len 64 
19:11:38 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.23:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.23:53, len 64

It seems that the router connecting TO site B is sending DNS requests through site B.

The firewall on site B is set up like this (simplified):

  1. Accept related/established
  2. Jump to chain PPP
  3. Jump to chain specific for this user
  4. Allow some things
  5. Drop all (“PPP Drop” log prefix)

The PPP config:

/ppp secret
add local-address=172.16.1.1 name=siteA password=abc profile=vpn_profile remote-address=172.16.1.4 routes="192.168.1.0/24 172.16.1.4 1"

No static routing is added for this connection.

So my question: why does the RB2011 from site A try to send DNS requests through site B? I don't want it to do that.

And just to be sure, the 84.116.46.22 & .23 are DYNAMIC servers received from the ISP. Also a couple of fixed DNS servers are set.

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,208.67.220.220

I cannot think of anything that would explain why the requests are sent through site B. Can anybody shed some light on this matter?

The add-default-route parameter of the /interface pptp-client row on the router at site A is probably set to the default value*) yes.

/ip route export shows the static configuration; /ip route print shows the actual state of the routing table, including routes generated dynamically (by DHCP client, various PPP clients, dynamic routing protocols).

*) EDIT: for PPTP, the default value is no.

Thank you for your reply. Yes, I forgot about print.

The add-default-route is not checked so that is not the problem. Here is the full route list:

[admin@mortel.home.mattie-systems.nl] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.178.1             1
 1 ADC  172.16.1.1/32      172.16.1.4      siteb-vpn              0
 2 A S  172.22.0.0/16                      siteb-vpn              1
 4 ADC  192.168.1.0/24     192.168.1.1     bridge-local              0
                                           bridge-local      
 5 A S  192.168.100.0/24                   siteb-vpn              1
 6 ADC  192.168.178.0/24   192.168.178.178 ether10-gateway           0

(The 172.22.0.0/16 is expected; I left it out to simplify my question.)

OK, in that case, I suppose some dst-nat rule at site B is hyperactive. Since the source port is 5678, which is the port of Mikrotik Neighbor Discovery Protocol, I suppose that the router at site A actually sends UDP packets from port 5678 to port 5678 (the MNDP ones), and as they emerge from the tunnel at site B, a dst-nat rule turns them into packets towards 84.116.46.22/3 port 53.

Try sniffing at the tunnel interface at site B: make the CLI window as wide as your screen allows and run /tool sniffer quick interface=pptp-mortel port=5678. This will show you whether the packets coming from site A already have 84.116.46.22/3:53 as destination. In a second command line window, run /log print follow-only where topics~"firewall" to see whether there is a correlation between the MNDP packets coming from site A and the log messages from the filter.
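Added here as an illustration, not code from the thread: a small Python parser for the RouterOS firewall log lines quoted in the first post that applies the check suggested above offline. For every dropped packet it reports whether the NAT field changed the destination (a dst-nat rule on site B) or only the source (masquerade), and counts the port-5678-to-port-53 drops per destination. It assumes the log's NAT field reads as "(original-src -> translated-src) -> translated-dst"; the sample lines are the ones from the first post, pasted in as constructed input.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

MNDP_PORT = 5678   # MikroTik Neighbor Discovery uses UDP 5678 as source and destination
DNS_PORT = 53

# Constructed sample: the seven "PPP Drop" lines quoted in the opening post.
SAMPLE_LOG = """\
19:11:35 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.23:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.23:53, len 64
19:11:36 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.22:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.22:53, len 64
19:11:36 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.23:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.23:53, len 64
19:11:37 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.22:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.22:53, len 64
19:11:37 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.23:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.23:53, len 64
19:11:38 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.22:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.22:53, len 64
19:11:38 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->84.116.46.23:53, NAT (172.16.1.4:5678->site.b.external.ip:5678)->84.116.46.23:53, len 64
"""

# A host in these lines is an IPv4 address or, after anonymisation, a dotted name.
HOST = r"[^\s:,()]+"

# "<log-prefix> <chain>: in:<if> out:<if>, proto P, src:port->dst:port[, NAT (src->newsrc)->newdst], len N"
_LINE = re.compile(
    rf"^(?P<time>\d\d:\d\d:\d\d) firewall,\w+ (?P<label>.+?): "
    rf"in:(?P<in_if>[^\s,]+) out:(?P<out_if>[^\s,]+), proto (?P<proto>[^\s,]+), "
    rf"(?P<src>{HOST}):(?P<sport>\d+)->(?P<dst>{HOST}):(?P<dport>\d+)"
    rf"(?:, NAT \((?P<osrc>{HOST}):(?P<osport>\d+)->(?P<nsrc>{HOST}):(?P<nsport>\d+)\)"
    rf"->(?P<ndst>{HOST}):(?P<ndport>\d+))?"
    rf", len (?P<length>\d+)\s*$"
)


@dataclass
class FwEvent:
    time: str
    prefix: str
    chain: str
    in_if: str
    out_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nat_src: Optional[str] = None    # source address after NAT, if the line has a NAT field
    nat_dst: Optional[str] = None    # destination address after NAT, if any
    nat_dport: Optional[int] = None

    @property
    def src_rewritten(self) -> bool:
        return self.nat_src is not None and self.nat_src != self.src

    @property
    def dst_rewritten(self) -> bool:
        return self.nat_dst is not None and (self.nat_dst, self.nat_dport) != (self.dst, self.dport)


def parse_line(line: str) -> Optional[FwEvent]:
    m = _LINE.match(line)
    if not m:
        return None
    # RouterOS prints "<log-prefix> <chain>:"; the chain name is the last word of that label.
    prefix, _, chain = m["label"].rpartition(" ")
    return FwEvent(
        time=m["time"], prefix=prefix, chain=chain,
        in_if=m["in_if"].strip("<>"), out_if=m["out_if"].strip("<>"),   # dynamic interfaces are shown in <>
        proto=m["proto"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        nat_src=m["nsrc"], nat_dst=m["ndst"],
        nat_dport=int(m["ndport"]) if m["ndport"] else None,
    )


def parse_log(text: str) -> List[FwEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def mndp_to_dns(events: List[FwEvent]) -> List[FwEvent]:
    """UDP packets that left port 5678 (MNDP) but are addressed to port 53: the pattern in the thread."""
    return [e for e in events if e.proto == "UDP" and e.sport == MNDP_PORT and e.dport == DNS_PORT]


def nat_verdict(events: List[FwEvent]) -> str:
    """Did a dst-nat rule on the logging router change the destination, or did only srcnat/masquerade act?"""
    if any(e.dst_rewritten for e in events):
        return "dst-nat"
    if any(e.src_rewritten for e in events):
        return "srcnat-only"
    return "no-nat"


def drops_by_destination(events: List[FwEvent]) -> Counter:
    return Counter(f"{e.dst}:{e.dport}" for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(len(evs), "drops;", len(mndp_to_dns(evs)), "went from the MNDP port to the DNS port")
    print("NAT verdict on the logging router:", nat_verdict(evs))
    print(drops_by_destination(evs))
```

A verdict of "srcnat-only" means the destination port 53 was already on the packet when it entered the tunnel interface, which is what the sniffer on pptp-mortel would also have to confirm.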

Let’s start with an overview of the NAT rules at site B:

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.100.0/24
add action=dst-nat chain=dstnat comment="HTTP" dst-address-list=externalip dst-port=80 protocol=tcp to-addresses=192.168.100.200 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS" dst-address-list=externalip dst-port=443 protocol=tcp to-addresses=192.168.100.200 to-ports=443
add action=dst-nat chain=dstnat comment="DNS" dst-address-list=externalip dst-port=53 protocol=tcp to-addresses=192.168.100.221 to-ports=53
add action=dst-nat chain=dstnat comment="DNS" dst-address-list=externalip dst-port=53 protocol=udp to-addresses=192.168.100.221 to-ports=53

There are a couple more rules, but they have the same format as listed above and none of them matches port 5678, so they are not relevant here.

Then I did what you suggested:

So yes, it seems to me that the incoming packets already have 84.116.46.22&3 as destination. And now also 1.1.1.1 and 8.8.8.8 (I did not see those yesterday).

I don't think site B is doing this (right?), but I also cannot see anything strange on site A:

/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade out-interface=ether10-gateway
add action=masquerade chain=srcnat comment=masquerade out-interface=siteb-vpn
add action=accept chain=srcnat

(Not sure why there is an accept rule there; I haven't looked at this config in quite some time, but disabling it did not resolve the problem.)

Do you have any clue with this info?

Well, it is even weirder now. If you look carefully, you can see that both Router A and Router B are sending these strange packets: look at the arrows ( → , ← ) and the source IP addresses, there are both 172.16.1.1 and 172.16.1.4.

If there were only those three rules you’ve listed in chain=srcnat, the action=accept one was indeed useless, as accept is the default behaviour in all chains.

So at this point, I’d start thinking about a bug or, in worst case, about a malware. What RouterOS versions are you running at router A and router B? Can you post the configurations of both machines (see my automatic signature below for anonymization hints)?

Partially related, what makes you use PPTP in particular, given that L2TP/IPsec is equally simple to set up and much more secure?

Ah yes, indeed, I didn't notice that yet. I double checked and yes, on site A only those NAT rules exist. I also checked the firewall, nothing for port 5678. I also checked the Neighbour settings; it was set to pretty much every interface, I changed it to "none" and yet that still did not stop those queries.

Both routers are running 6.47.4 (the latest version at the time of writing). I tried to keep the configs as intact as possible, but I did remove some information. To give you some context: the config of site A is 'old' (from when I first started with Mikrotik). Site B is brand-new (this weekend), so B is hopefully much cleaner. Site A will follow perhaps next weekend. That might also be the moment when I switch away from PPTP. When I configured that (I guess about 8-10 years ago?) that was perfectly fine. The config for A is explicitly allow and explicitly block; the config for B is really allow a few things and block everything else.

Here is the config from site A:

/interface bridge
add admin-mac=D4:xx arp=proxy-arp auto-mac=no fast-forward=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] 
set [ find default-name=ether2 ] 
set [ find default-name=ether3 ] 
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master-local
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether7-slave-local
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether8-slave-local
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether9-slave-local
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether10-gateway
set [ find default-name=sfp1 ] disabled=yes name=sfp1-gateway
/interface pptp-client
add connect-to=homev4.some-domain.nl disabled=no name=siteB-vpn user=mortel
add connect-to=office.unrelated.net max-mru=1400 max-mtu=1400 name=unrelated-vpn user=xx
/interface 6to4
add clamp-tcp-mss=no comment="no longer in use" disabled=yes !keepalive local-address=xx mtu=1280 name=ipv6-tunnel remote-address=xx
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name=UNSECURED supplicant-identity=""
add authentication-types=wpa-psk eap-methods="" group-ciphers=tkip management-protection=allowed mode=dynamic-keys name=LOL_WPA supplicant-identity="" unicast-ciphers=tkip
add authentication-types=wpa-eap,wpa2-eap eap-methods=eap-ttls-mschapv2 group-ciphers=tkip,aes-ccm mode=dynamic-keys mschapv2-username=xx name=Ziggo radius-eap-accounting=yes radius-mac-mode=as-username-and-password \
    supplicant-identity=xx unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=mattie_ap supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=buren supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=some-domain.nl supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-eC country=no_country_set disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=some-domain.nl ssid=some-domain.nl \
    station-roaming=enabled tx-power-mode=all-rates-fixed wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.xx.nl hotspot-address=192.168.13.1
/ip hotspot user profile
set [ find default=yes ] rate-limit=512000/512000 transparent-proxy=yes
add name=traag rate-limit=1024000/1024000 transparent-proxy=yes
add name=registered_user transparent-proxy=yes
add name="TRIAL USER" rate-limit=1M/1M transparent-proxy=yes
add !idle-timeout !keepalive-timeout name=MEETING rate-limit=1M/1M shared-users=unlimited transparent-proxy=yes
/ip hotspot profile
add dns-name=hotspot.xx.nl hotspot-address=192.168.13.1 login-by=cookie,http-chap,trial name=hsprof1 trial-uptime-limit=1d trial-uptime-reset=15m trial-user-profile=MEETING use-radius=yes
add dns-name=bqq.xx.hwi hotspot-address=192.168.13.1 login-by=cookie,http-chap,trial name=MEETING trial-uptime-limit=1d trial-uptime-reset=15m trial-user-profile=MEETING use-radius=yes
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.200
add name=dhcp ranges=192.168.1.1-192.168.1.200
add name=pool_hotspot ranges=192.168.13.13-192.168.13.113
add name=pool_vpn_no_internal ranges=172.30.30.30-172.30.30.130
add name=MEETING ranges=192.168.14.14-192.168.14.114
add name=dhcp_pool6 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local lease-time=1h name=default
add address-pool=pool_hotspot authoritative=after-2sec-delay lease-time=3d name=dhcp_gast
add address-pool=dhcp_pool6 authoritative=after-2sec-delay interface=bridge-local name=dhcp1 relay=192.168.1.1
/ip hotspot
add address-pool=pool_hotspot disabled=no name=hotspot1 profile=hsprof1
add address-pool=MEETING addresses-per-mac=25 name=MEETING profile=MEETING
/ipv6 dhcp-server
add address-pool=pool1 disabled=yes interface=bridge-local name=ipv6_dhcp
/ipv6 pool
add name=pool1 prefix=fdda:e376:9bf2:8ff0::/64 prefix-length=64
/port
set 1 baud-rate=9600 data-bits=8 flow-control=none name=usb2 parity=none stop-bits=1
/interface ppp-client
add apn=internet.arta default-route-distance=2 dial-on-demand=no name=ppp-out1 phone=*99# port=usb2 use-peer-dns=no
/ppp profile
add change-tcp-mss=yes incoming-filter=vpn_filter_internal local-address=pool_vpn_no_internal name=no_internal remote-address=pool_vpn_no_internal use-encryption=yes
add incoming-filter=vpn_filter_internal local-address=default-dhcp name=vpn_internal remote-address=default-dhcp use-ipv6=default
/queue simple
add burst-time=20s/20s disabled=yes dst=ppp-out1 max-limit=256k/256k name=queue2 target=192.168.1.2/32
add burst-limit=512k/512k burst-time=10s/10s disabled=yes dst=ppp-out1 max-limit=128k/128k name=queue1 target=bridge-local
/snmp community
set [ find default=yes ] addresses=127.0.0.1/32
add addresses=1.2.3.4/32,192.168.178.0/24 name=nope
/system logging action
set 1 disk-lines-per-file=100
/user group
add name=guest policy=read,web,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local hw=no interface=ether1
add bridge=bridge-local disabled=yes interface=wlan1
add bridge=bridge-local disabled=yes interface=*1E
add disabled=yes interface=*20
add bridge=bridge-local disabled=yes interface=xx-vpn
add bridge=bridge-local interface=wlan1
add bridge=bridge-local disabled=yes interface=ether10-gateway
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-gateway list=discover
add interface=bridge-local list=discover
add interface=wlan1 list=discover
add interface=ppp-out1 list=discover
add interface=unrelated-vpn list=discover
add interface=ipv6-tunnel list=discover
add list=discover
add interface=xx-vpn list=discover
/interface pptp-server server
set enabled=yes
/ip accounting
set enabled=yes
/ip accounting web-access
set accessible-via-web=yes
/ip address
add address=192.168.1.1/24 comment="default configuration" disabled=yes interface=wlan1 network=192.168.1.0
add address=192.168.13.1/24 disabled=yes network=192.168.13.0
add address=192.168.1.1/24 interface=bridge-local network=192.168.1.0
add address=192.168.1.1/24 interface=wlan1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="default configuration" interface=sfp1-gateway
add comment="default configuration" interface=ether1
add default-route-distance=2 interface=wlan1
add disabled=no interface=ether10-gateway
/ip dhcp-server lease
[..redacted..]
/ip dhcp-server network
add address=192.168.1.0/32 gateway=192.168.1.0 netmask=32
add address=192.168.1.0/24 comment="default configuration" dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,208.67.220.220
/ip dns static
[..redacted..]
/ip firewall address-list
add address=192.168.1.0/24 list=localNet
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=input dst-port=53 protocol=udp src-address=!192.168.1.0/24
add action=accept chain=forward disabled=yes src-address=172.22.20.0/24
add action=accept chain=forward disabled=yes dst-address=172.22.20.0/24
add action=accept chain=forward disabled=yes in-interface=unrelated-vpn
add action=accept chain=forward disabled=yes out-interface=unrelated-vpn
add action=accept chain=output disabled=yes out-interface=unrelated-vpn
add action=accept chain=input disabled=yes in-interface=unrelated-vpn
add action=accept chain=input comment="snmp van serv naar router" dst-port=161 protocol=udp
add action=drop chain=forward disabled=yes src-address=192.168.1.18
add action=drop chain=forward disabled=yes dst-address=192.168.1.18
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=hs-input comment="block internal access for hotspot" disabled=yes dst-address=192.168.1.0/24
add action=drop chain=pre-hs-input disabled=yes dst-address-type=local hotspot=auth
add action=drop chain=forward disabled=yes src-address=192.168.1.14
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow LAN access to the router itself" connection-state=new in-interface=bridge-local
add action=accept chain=input comment=" ^^ that originated from LAN" connection-state=established
add action=accept chain=input comment=" ^^ that originated from LAN" connection-state=related
add action=passthrough chain=input comment="Custom INPUT rules:"
add action=accept chain=input comment="VPN: accept GRE" protocol=gre
add action=accept chain=input comment="accept ipv6 tunnel" src-address=xx
add action=accept chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=accept chain=input comment="VPN: allow port 1723" dst-port=1723 protocol=tcp
add action=accept chain=input comment="ROUTER: winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="ROUTER: webfig" dst-port=3333 protocol=tcp
add action=accept chain=input comment="allow UPnP" dst-port=1900 protocol=udp
add action=accept chain=input comment="allow UPnP" dst-port=2828 protocol=tcp
add action=accept chain=input comment="TEMP DNS VPN xx" disabled=yes dst-port=53 protocol=udp
add action=accept chain=input comment="accept xx vpn" src-address=172.16.1.4
add action=reject chain=input dst-port=56803 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=input dst-port=56803 protocol=udp reject-with=icmp-network-unreachable
add action=drop chain=input comment="drop strange UPnP\?\? packets through VPN" disabled=yes dst-port=1900 protocol=tcp
add action=log chain=input comment="Disallow anything from anywhere on any interface" disabled=yes log-prefix=INPUT_DROP
add action=drop chain=input comment="Disallow anything from anywhere on any interface" log-prefix="INPUT DROP"
add action=accept chain=forward comment="Allow ping ICMP from anywhere" protocol=icmp
add action=passthrough chain=forward comment=-----spacer-----
add action=accept chain=forward comment="Allow LAN access to move through the router" connection-state=new in-interface=bridge-local
add action=accept chain=forward comment=" ^^ that originated from LAN" connection-state=established in-interface=bridge-local
add action=accept chain=forward comment=" ^^ that originated from LAN" connection-state=related in-interface=bridge-local
add action=passthrough chain=forward comment="Custom bridge-local forward rules" in-interface=bridge-local
add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid disabled=yes in-interface=bridge-local
add action=passthrough chain=forward comment=-----spacer-----
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge-local)
add action=accept chain=forward comment="Allow valid internet packets" connection-state=new in-interface=wlan1
add action=accept chain=forward comment="Allow valid internet packets" connection-state=new in-interface=ether10-gateway
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge-local)
add action=accept chain=forward comment="^^ - same" connection-state=established in-interface=wlan1
add action=accept chain=forward comment="^^ - same" connection-state=established in-interface=ether10-gateway
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge-local)
add action=accept chain=forward comment="^^ - same" connection-state=related in-interface=wlan1
add action=accept chain=forward comment="^^ - same" connection-state=related in-interface=ether10-gateway
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge-local)
add action=passthrough chain=forward comment="Custom ether1 forward rules" in-interface=wlan1
add action=passthrough chain=forward comment="Custom ether1 forward rules" in-interface=ether10-gateway
add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid disabled=yes in-interface=wlan1
add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid disabled=yes in-interface=ether10-gateway
add action=passthrough chain=forward comment=-----spacer-----
add action=jump chain=forward comment="Jump to vpn rules" jump-target=ppp log-prefix=xx
add action=passthrough chain=forward comment=-----spacer-----
add action=accept chain=forward comment="Allow all other valid stuff (should we get here\?)" connection-state=new
add action=accept chain=forward comment=" ^^ that originated from \?\?" connection-state=established
add action=accept chain=forward comment=" ^^ that originated from \?\?" connection-state=related
add action=passthrough chain=forward comment="Custom \?\? forward rules"
add action=passthrough chain=forward comment=-----spacer-----
add action=log chain=forward comment="Log dropped packets" log-prefix=FORWARD_DROP
add action=drop chain=forward comment="Disallow anything from anywhere on any interface"
add action=passthrough chain=forward comment=-----spacer-----
add action=accept chain=vpn_pptp_filter comment="Allow xx related" connection-state=related
add action=accept chain=vpn_pptp_filter comment="Allow xx established" connection-state=established
add action=accept chain=vpn_pptp_filter comment="Allow xx -> serv" dst-address=192.168.1.250
add action=accept chain=vpn_pptp_filter comment="Allow xx -> pi" dst-address=192.168.1.50
add action=drop chain=vpn_pptp_filter comment="DROP ALL OTHER VPN" disabled=yes
add action=passthrough chain=vpn_filter_internal comment=-----spacer-----
add action=accept chain=vpn_filter_internal comment="Allow all verified VPN's"
add action=accept chain=forward
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=172.22.0.0/16 new-routing-mark=unrelated-vpn passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment=masquerade out-interface=ether10-gateway
add action=masquerade chain=srcnat comment=masquerade disabled=yes out-interface=wlan1
add action=masquerade chain=srcnat comment=masquerade disabled=yes dst-address=xx9 dst-address-list=localNet out-interface=bridge-local src-address-list=localNet
add action=masquerade chain=srcnat comment=masquerade out-interface=siteB-vpn
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.13.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.14.0/24 to-addresses=0.0.0.0
add action=accept chain=srcnat
/ip hotspot user
add name=admin profile=registered_user
add name=test profile=traag
add name=gast
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1 max-cache-size=none port=7000
/ip route
add distance=1 dst-address=172.22.0.0/16 gateway=xx-vpn
add disabled=yes distance=1 dst-address=172.22.0.0/16 gateway=unrelated-vpn
add distance=1 dst-address=192.168.100.0/24 gateway=xx-vpn
/ip service
set telnet address=192.168.1.0/24
set ftp address=192.168.1.0/24
set www port=3333
set ssh address=192.168.1.0/24
/ip smb
set allow-guests=no enabled=yes
/ip socks
set enabled=yes port=4153
/ip socks access
add action=deny src-address=!2.2.2.2/25
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=192.168.1.50
/ip upnp
set show-dummy-rule=no
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=ether1 type=external
/ipv6 address
add address=aa:bb:cc:dd::2 advertise=no comment="client ipv6 address" disabled=yes interface=ipv6-tunnel
add address=aa:bb:cc:dd::1 comment="routed /64" disabled=yes interface=bridge-local
/ipv6 firewall filter
add action=reject chain=forward comment="temp disable ipv6 till HE inlog" reject-with=icmp-no-route
add action=reject chain=forward comment="block netflix ipv6 for android player" reject-with=icmp-address-unreachable src-address=aa:bb:cc:dd:1200:ff:fe2a:df/128
add action=accept chain=input protocol=icmpv6
add action=accept chain=forward comment="accept all"
add action=accept chain=forward comment="uitgaand ipv6" in-interface=bridge-local out-interface=ipv6-tunnel
add action=accept chain=forward comment="uitgaand ipv6" out-interface=ipv6-tunnel
add action=accept chain=output comment="uitgaand ipv6"
add action=accept chain=forward comment=established connection-state=established in-interface=ipv6-tunnel out-interface=bridge-local
add action=accept chain=input comment=established connection-state=established
add action=accept chain=input comment=established protocol=icmpv6
add action=accept chain=forward comment=related connection-state=related in-interface=ipv6-tunnel out-interface=bridge-local
add action=accept chain=forward comment=serv connection-state=new dst-address=aa:bb:cc:dd:9958:14d2:68f4:85d5/128 in-interface=ipv6-tunnel
add action=accept chain=forward comment=serv connection-state=new dst-address=aa:bb:cc:dd::b00b:face/128 in-interface=ipv6-tunnel
add action=log chain=forward
add action=drop chain=forward
add action=drop chain=input
add action=log chain=output
add action=drop chain=output
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ipv6 route
add check-gateway=ping distance=1 gateway=ipv6-tunnel
add comment="ipv6 fail test rule\?" disabled=yes distance=1 gateway=1:470:1f14:787::1
add disabled=yes distance=1 dst-address=2000::/3 gateway=ipv6-tunnel
add comment="added muni storing" disabled=yes distance=1 dst-address=aa:bb:cc:1::/64 gateway=unrelated-vpn
/lcd
set default-screen=interfaces
/lcd pin
set pin-number=0000
/ppp profile
add change-tcp-mss=yes incoming-filter=vpn_pptp_filter insert-queue-before=bottom name=vpn_profile parent-queue=pptp_limit_upload use-encryption=yes
add bridge=*1F change-tcp-mss=yes name=VPN_BRIDGE use-encryption=yes
/ppp secret
add disabled=yes local-address=172.16.1.1 name=xx profile=vpn_profile remote-address=172.16.1.2 routes="192.168.2.0/24 172.16.1.2 1"
add disabled=yes local-address=172.16.1.1 name=xx profile=vpn_profile remote-address=172.16.1.3 routes="192.168.88.0/24 172.16.1.3 1"
add disabled=yes name=xx profile=no_internal
add name=xx profile=vpn_internal routes=192.168.109.0/24
add disabled=yes local-address=192.168.1.1 name=xx profile=vpn_profile remote-address=192.168.1.177
add disabled=yes name=xx profile=no_internal
add disabled=yes local-address=172.16.1.1 name=xx profile=vpn_internal remote-address=172.16.1.4 routes="192.168.100.0/24 172.16.1.4 1"
add disabled=yes local-address=172.22.1.1 name=xx profile=vpn_profile remote-address=172.16.1.5
/queue simple
add burst-time=1m/1m dst=*F0001A max-limit=5M/0 name=pptp_limit_upload target=192.168.1.250/32 time=7h-23h,sun,mon,tue,wed,thu,fri,sat total-queue=default
add burst-time=1m/1m dst=*F0001A max-limit=5M/0 name=ernst_pptp target=192.168.1.250/32 time=7h-23h,sun,mon,tue,wed,thu,fri,sat total-queue=default
/radius
add address=127.0.0.1 service=hotspot
/snmp
set enabled=yes trap-community=nope trap-version=2
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=mortel.home.some-domain.nl
/system logging
add prefix=GSM topics=gsm
add disabled=yes topics=debug
/system ntp client
set enabled=yes primary-ntp=217.77.132.1 secondary-ntp=82.94.196.40
/tool e-mail
set address=3.3.3.3. from=mikrotik@some-domain.nl
/tool graphing interface
add interface=ether5
add interface=ether1
add
/tool netwatch
add host=192.168.1.250
/tool sms
set allowed-number="" auto-erase=yes channel=1 port=usb2
/tool sniffer
set filter-interface=bridge-local filter-ip-address=192.168.1.0/24 filter-stream=yes streaming-server=192.168.1.2

Here is the config from site B:

/interface bridge
add admin-mac=74:xx auto-mac=no comment=defconf name=bridge-local
add name=bridge-SomeVPNProvider
add fast-forward=no name=bridge-secure
/interface ethernet
set [ find default-name=ether1 ] comment="AA "
set [ find default-name=ether2 ] comment=server
set [ find default-name=ether3 ] comment="AB ()"
set [ find default-name=ether4 ] comment="BA ()"
set [ find default-name=ether5 ] comment="CA ()"
set [ find default-name=ether6 ] comment="CB ()"
set [ find default-name=ether7 ] comment="DA ()"
set [ find default-name=ether8 ] comment="DB ()"
set [ find default-name=ether9 ] comment=switch
set [ find default-name=ether10 ] comment=PLA
/interface wireless
set [ find default-name=wlan1 ] country=netherlands disabled=no mode=ap-bridge ssid=xx-xx.nl wireless-protocol=802.11
set [ find default-name=wlan2 ] country=netherlands disabled=no frequency=auto mode=ap-bridge ssid=xx-xx.nl wireless-protocol=802.11
/interface ipip
add local-address=my.external.ip name=MyWork-tunnel remote-address=my.work.ip
/interface 6to4
add !keepalive local-address=my.external.ip mtu=1280 name=ipv6-tunnel remote-address=ipv6.tunnel.ip
/interface vlan
add interface=sfp-sfpplus1 name=vlan-internet vlan-id=300
add interface=sfp-sfpplus1 name=vlan-tv vlan-id=640
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment="" eap-methods="" management-protection=allowed mode=dynamic-keys name=mattie-secure supplicant-identity=""
/ip ipsec mode-config
add connection-mark=no-mark name=SomeVPNProvider responder=no src-address-list=SomeVPNProvider
/ip ipsec peer
add address=xx.xx.com disabled=yes exchange-mode=ike2 name="SomeVPNProvider HUNGARY"
add address=xx.xx.com disabled=yes exchange-mode=ike2 name="SomeVPNProvider NL"
add address=xx.xx.com disabled=yes exchange-mode=ike2 name="SomeVPNProvider NORWAY"
/ip ipsec policy group
add name=SomeVPNProvider
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=muniprofile nat-traversal=no
add name=SomeVPNProvider
/ip ipsec peer
add address=my.work.ip/32 local-address=my.external.ip name=MyWork profile=muniprofile
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=MyWork pfs-group=modp2048
add enc-algorithms=3des name=SomeVPNProvider pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.100.10-192.168.100.200
add comment="from mikrotik quickstart" name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool_vpn_no_internal ranges=172.30.30.30-172.30.30.130
add name=pool-secure ranges=192.168.101.100-192.168.101.200
add name=SomeVPNProvider-pool ranges=192.168.102.10-192.168.102.100
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=dhcp-bridge-local
add address-pool=pool-secure authoritative=after-2sec-delay disabled=no interface=bridge-secure name=secure-dhcp
/ppp profile
add incoming-filter=vpn_filter_internal local-address=default-dhcp name=vpn_internal remote-address=default-dhcp use-ipv6=default
add change-tcp-mss=yes incoming-filter=vpn_filter_internal local-address=pool_vpn_no_internal name=no_internal remote-address=pool_vpn_no_internal use-encryption=yes
add incoming-filter=vpn_pptp_filter name=vpn_profile use-encryption=yes
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp instance
set default as=65000 disabled=yes
add as=64515 client-to-client-reflection=no name=bgp-MyWork router-id=192.168.100.1
/snmp community
set [ find default=yes ] addresses=127.0.0.1/32
add addresses=xx.xx.xx.xx/32 name=nope
/interface pptp-client
add comment="vpn DISABLED NOT IN USE" connect-to=xx.sn.mynetname.net mrru=1600 name=vpn_mortel_OUT profile=bridge_mortel_OUT user=matthijs
/interface bridge port
add bridge=bridge-local comment=defconf interface=ether2
add bridge=bridge-local comment=defconf interface=ether3
add bridge=bridge-local comment=defconf interface=ether4
add bridge=bridge-local comment=defconf interface=ether5
add bridge=bridge-local comment=defconf interface=ether6
add bridge=bridge-local comment=defconf interface=ether7
add bridge=bridge-local comment=defconf interface=ether8
add bridge=bridge-local comment=defconf interface=ether9
add bridge=bridge-local comment=defconf interface=ether10
add bridge=bridge-local comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge-local comment=defconf interface=wlan1
add bridge=bridge-local comment=defconf interface=wlan2
add bridge=bridge-local interface=ether1
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface=vlan-internet list=WAN
add interface=bridge-local list=LAN
add interface=ipv6-tunnel list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=172.22.19.173/30 interface=MyWork-tunnel network=172.22.19.172
add address=192.168.101.1/24 interface=bridge-secure network=192.168.101.0
add address=192.168.102.1/24 interface=bridge-SomeVPNProvider network=192.168.102.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=vlan-internet
/ip dhcp-server lease
[..redacted..]
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=192.168.100.1 gateway=192.168.100.1 netmask=24
add address=192.168.101.0/24 gateway=192.168.101.1
add address=192.168.102.0/24 gateway=192.168.102.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,208.67.222.222,1.1.1.1,2001:4860:4860::8888,2001:470:20::2
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
add address=192.168.100.1 name=router
[..redacted..]
/ip firewall address-list
add address=192.168.100.0/24 list=localNet
add address=192.168.102.0/24 list=SomeVPNProvider
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.100.0/24 list=lan_ip
add address=192.168.102.0/24 list=lan_ip
add address=192.168.101.0/24 list=lan_ip
add address=255.255.255.255 list=lan_ip
add address=my.external.ip list=externalip
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack established / related" connection-state=established,related
add action=fasttrack-connection chain=forward dst-address=192.168.100.0/24 src-address=192.168.100.0/24
add action=fasttrack-connection chain=forward src-address=192.168.100.0/24
add action=accept chain=input comment="accept pings" protocol=icmp
add action=accept chain=input comment="accept input established" connection-state=established,related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="VPN: accept GRE" protocol=gre
add action=accept chain=input comment="MUNI: allow MyWork tunnel" protocol=ipencap src-address=my.work.ip
add action=accept chain=input comment="MUNI: allow MyWork tunnel" protocol=ipsec-esp src-address=my.work.ip
add action=accept chain=input comment="MUNI: allow MyWork tunnel" dst-port=179 in-interface=MyWork-tunnel protocol=tcp
add action=jump chain=forward comment="MUNI: other MyWork tunnel traffic goes to jump list" in-interface=MyWork-tunnel jump-target=muni_tunnel
add action=accept chain=input comment="accept ipv6 tunnel" src-address=ipv6.tunnel.ip
add action=accept chain=input comment="accept smnp from server to router" dst-port=161 protocol=udp src-address=xx.xx.xx.xx
add action=accept chain=input comment="ROUTER: winbox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="ROUTER: webfig" dst-port=3333 protocol=tcp
add action=accept chain=input comment="explicitly allow LAN network to access router" in-interface-list=LAN
add action=drop chain=input comment="drop all incoming not LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Accept all established / related" connection-nat-state="" connection-state=established,related
add action=jump chain=forward comment="have all PPP connections to to their rules" in-interface=all-ppp jump-target=vpn_pptp_filter
add action=drop chain=forward comment="drop bridge-secure (no sideways access)" connection-state="" dst-address=0.0.0.0/0 in-interface=bridge-secure
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge-local log=yes log-prefix=!public_from_LAN out-interface=vlan-internet
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address-list=!lan_ip
add action=accept chain=muni_tunnel comment="MUNI: allow established/related" connection-state=established,related
add action=accept chain=muni_tunnel comment="MUNI: allow matthijs-pc" src-address=172.22.20.94
add action=drop chain=muni_tunnel comment="MUNI: block others to my internal network"
add action=accept chain=vpn_pptp_filter comment="VPN: allow established / related" connection-state=established,related
add action=accept chain=vpn_pptp_filter comment="VPN: allow DNS why are there queries" dst-port=53 protocol=udp src-port=""
add action=accept chain=vpn_pptp_filter comment="VPN: allow server (unraid)" dst-address=192.168.100.200
add action=drop chain=vpn_pptp_filter comment="VPN: block others to my internal network" log=yes log-prefix="PPP Drop"
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=172.22.0.0/16 new-routing-mark=MyWork-vpn passthrough=yes
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=SomeVPNProvider passthrough=yes src-address=192.168.102.0/24
add action=mark-connection chain=postrouting disabled=yes dst-address=192.168.102.0/24 new-connection-mark=SomeVPNProvider passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment=masquerade disabled=yes out-interface=vlan-internet
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=masquerade chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.100.0/24
add action=dst-nat chain=dstnat comment="WINSERV: FTP" dst-port=20-21 in-interface=vlan-internet protocol=tcp to-addresses=192.168.100.220 to-ports=20-21
add action=dst-nat chain=dstnat comment="WINSERV: FTP passive" dst-port=36000 in-interface=vlan-internet protocol=tcp to-addresses=192.168.100.220 to-ports=35000
add action=dst-nat chain=dstnat comment="UNRAID: HTTP" dst-address-list=externalip dst-port=80 protocol=tcp to-addresses=192.168.100.200 to-ports=1880
add action=dst-nat chain=dstnat comment="UNRAID: HTTPS" dst-address-list=externalip dst-port=443 protocol=tcp to-addresses=192.168.100.200 to-ports=18443
add action=dst-nat chain=dstnat comment="DebianDNS: SSH" dst-address-list=externalip dst-port=22 protocol=tcp to-addresses=192.168.100.221 to-ports=22
add action=dst-nat chain=dstnat comment="DebianDNS: pdns web interface" disabled=yes dst-port=8081 in-interface=vlan-internet protocol=tcp to-addresses=192.168.100.221 to-ports=8081
add action=dst-nat chain=dstnat comment="DebianDNS: DNS" dst-address-list=externalip dst-port=53 protocol=tcp to-addresses=192.168.100.221 to-ports=53
add action=dst-nat chain=dstnat comment="DebianDNS: DNS" dst-address-list=externalip dst-port=53 protocol=udp to-addresses=192.168.100.221 to-ports=53
add action=dst-nat chain=dstnat comment="WINSERV: RDP" dst-address-list=externalip dst-port=3389 protocol=tcp to-addresses=192.168.100.220 to-ports=3389
add action=dst-nat chain=dstnat comment="WINSERV: Calibre" dst-address-list=externalip dst-port=8100 protocol=tcp to-addresses=192.168.100.220 to-ports=8100
add action=dst-nat chain=dstnat comment="DebianDNS: SNMP" dst-address-list=externalip dst-port=10161 protocol=udp to-addresses=192.168.100.221 to-ports=161
/ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=SomeVPNProvider peer="SomeVPNProvider HUNGARY" policy-template-group=SomeVPNProvider username=
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=SomeVPNProvider peer="Nord VPN NL P2P" policy-template-group=SomeVPNProvider username=
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=SomeVPNProvider peer="SomeVPNProvider NL" policy-template-group=SomeVPNProvider username=
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=SomeVPNProvider peer="SomeVPNProvider NORWAY" policy-template-group=SomeVPNProvider username=
add peer=MyWork
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=my.work.ip/32 peer=MyWork proposal=MyWork src-address=my.external.ip/32
add dst-address=0.0.0.0/0 group=SomeVPNProvider proposal=SomeVPNProvider src-address=0.0.0.0/0 template=yes
/ip service
set winbox address=0.0.0.0/0
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=sfp-sfpplus1 type=external
/ipv6 address
add address=2001:470:1f14:787::2 advertise=no comment="client ipv6 address" interface=ipv6-tunnel
add address=my:public:ipv6::1 interface=bridge-local
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=reject chain=forward comment=killswitch disabled=yes reject-with=icmp-address-unreachable
add action=reject chain=input comment=killswitch disabled=yes reject-with=icmp-address-unreachable
add action=reject chain=output comment=killswitch disabled=yes reject-with=icmp-address-unreachable
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="allow pings" protocol=icmpv6
add action=accept chain=input comment="allow established and related" connection-state=established,related
add action=accept chain=forward comment="allow established and related" connection-state=established,related connection-type=""
add action=accept chain=forward comment="Allow DNS @ debiandns" dst-address=my:public:ipv6:11:32ff:fe28:ef7b/128 dst-port=53,33344 protocol=tcp
add action=accept chain=forward comment="Allow DNS @ debiandns" dst-address=my:public:ipv6:11:32ff:fe28:ef7b/128 dst-port=53 protocol=udp
add action=accept chain=forward dst-address=my:public:ipv6:d250:99ff:fe10:f6b3/128 dst-port=80,443 protocol=tcp
add action=accept chain=forward dst-address=my:public:ipv6:d250:99ff:fe10:f6b3/128 dst-port=80,443 protocol=udp
add action=reject chain=forward comment="block SomeVPNProvider" in-interface=bridge-SomeVPNProvider reject-with=icmp-no-route
add action=reject chain=forward comment="block SomeVPNProvider" out-interface=bridge-SomeVPNProvider reject-with=icmp-no-route
add action=passthrough chain=forward comment="mikrotik config from below here"
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=drop chain=input
add action=drop chain=input in-interface-list=WAN log=yes log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=forward comment=established,related connection-state=established,related
add action=accept chain=forward comment="local network" in-interface-list=LAN src-address-list=allowed
add action=accept chain=output
add action=accept chain=forward comment="Allow traffic from LAN to WAN (incl ipv6-tunnel)" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward log-prefix=IPV6
/ipv6 route
add check-gateway=ping distance=1 dst-address=2000::/3 gateway=ipv6-tunnel
/ppp profile
add bridge=*8D change-tcp-mss=yes name=bridge_mortel_OUT use-encryption=yes
add bridge=*A3 dns-server=1.1.1.1 name=SomeVPNProvider use-encryption=yes use-ipv6=no
/ppp secret
add comment="default van mikrotik" name=vpn
add local-address=172.16.1.1 name=AA profile=vpn_profile remote-address=172.16.1.2 routes="192.168.10.0/24 172.16.1.2 1"
add local-address=172.16.1.1 name=BB profile=vpn_profile remote-address=172.16.1.3 routes="192.168.88.0/24 172.16.1.3 1"
add name=CC profile=vpn_internal
add local-address=172.16.1.1 name=mortel profile=vpn_profile remote-address=172.16.1.4 routes="192.168.1.0/24 172.16.1.4 1"
add name=DD profile=vpn_internal
/routing bgp network
add network=192.168.100.0/24 synchronize=no
/routing bgp peer
add instance=bgp-MyWork name=MyWork-office-ziggo remote-address=xx remote-as=64514 ttl=default
/snmp
set contact=[..redacted..]
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=[..redacted..]
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client
set enabled=yes primary-ntp=194.109.6.2 secondary-ntp=51.105.208.173 server-dns-names=nl.pool.ntp.org,time.windows.com
/tool graphing interface
add allow-address=192.168.100.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=vlan-internet filter-stream=yes streaming-enabled=yes streaming-server=192.168.100.10

I could also first clean the config of site A and then convert to L2TP/IPsec, but I am also still learning (every day :p), so for this issue I am also really interested in what could cause this.

Thanks again!

On both routers, there’s
/interface detect-internet
set detect-interface-list=all

Unless you really need this brand-new (since about a year) hi-tech feature, change that to detect-interface-list=none and the mystery should be gone. And be thankful to whatever entity you believe in that you haven't encountered a worse problem due to this, like other users occasionally report.
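To make the symptom checkable rather than eyeballed, here is an added Python example (my own, not code from this thread or from MikroTik) that parses "PPP Drop" log lines of the shape the vpn_pptp_filter drop rule produces, groups the dropped UDP/53 flows per tunnel peer and source port, and flags peers that keep querying public resolvers from one fixed source port about once a second, which is the cadence the dropped queries here showed. It also reads a RouterOS export and reports the detect-interface-list value, so the setting can be confirmed before and after the change. The sample log lines and export are constructed (documentation IPs), and the thresholds in find_dns_probers are assumptions, not anything RouterOS publishes.

```python
"""Spot detect-internet style DNS probes in RouterOS firewall drop logs.

Added example, not from the thread. Assumptions: the log format below
(RouterOS "firewall,info" lines with a custom log-prefix), constructed
sample data, and the probe thresholds in find_dns_probers.
"""
import re
from collections import defaultdict
from datetime import datetime

# Shape of a RouterOS firewall log line:
# "<hh:mm:ss> firewall,info <prefix>: in:<if> out:<if>, proto P, src:port->dst:port, ..."
LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) firewall,info (?P<prefix>.+?): "
    r"in:(?P<in>\S+) out:(?P<out>\S+), proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: what the vpn_pptp_filter drop rule logs while the remote
# router probes resolvers through the tunnel (198.51.100.x / 203.0.113.x are
# documentation addresses standing in for real resolver and WAN IPs).
SAMPLE_LOG = """\
19:11:35 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->198.51.100.23:53, NAT (172.16.1.4:5678->203.0.113.10:5678)->198.51.100.23:53, len 64
19:11:36 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->198.51.100.22:53, NAT (172.16.1.4:5678->203.0.113.10:5678)->198.51.100.22:53, len 64
19:11:36 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->198.51.100.23:53, NAT (172.16.1.4:5678->203.0.113.10:5678)->198.51.100.23:53, len 64
19:11:37 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->198.51.100.22:53, NAT (172.16.1.4:5678->203.0.113.10:5678)->198.51.100.22:53, len 64
19:11:37 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-mortel> out:vlan-internet, proto UDP, 172.16.1.4:5678->198.51.100.23:53, NAT (172.16.1.4:5678->203.0.113.10:5678)->198.51.100.23:53, len 64
19:11:40 firewall,info PPP Drop vpn_pptp_filter: in:<pptp-AA> out:vlan-internet, proto TCP, 172.16.1.2:51022->192.168.100.220:3389, len 52
19:11:41 firewall,info invalid: in:vlan-internet out:bridge-local, proto TCP (ACK), 198.51.100.9:443->192.168.100.10:50001, len 40
"""

# Constructed fragment of a "/export" with the setting this thread is about.
SAMPLE_EXPORT = """\
/interface list
add comment=defconf name=WAN
/interface detect-internet
set detect-interface-list=all
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
"""


def parse_drops(log_text, prefix="PPP Drop"):
    """Return parsed records for firewall log lines whose log-prefix starts with `prefix`."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("prefix").startswith(prefix):
            continue
        rec = m.groupdict()
        rec["in"] = rec["in"].strip("<>")      # PPP interfaces are logged as <pptp-name>
        rec["out"] = rec["out"].strip("<>")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")
        records.append(rec)
    return records


def find_dns_probers(records, min_queries=4, max_avg_interval=2.0):
    """Group dropped UDP/53 flows by (in-interface, src, sport) and flag probers.

    A prober is a peer that sent at least `min_queries` DNS packets from one fixed
    source port with an average spacing of `max_avg_interval` seconds or less
    (assumed thresholds). Real resolver clients use varying source ports and
    query on demand, so this pattern points at an automated reachability check.
    """
    groups = defaultdict(list)
    for r in records:
        if r["proto"] == "UDP" and r["dport"] == 53:
            groups[(r["in"], r["src"], r["sport"])].append(r)
    probers = {}
    for key, recs in groups.items():
        if len(recs) < min_queries:
            continue
        times = sorted(r["time"] for r in recs)
        avg = (times[-1] - times[0]).total_seconds() / (len(recs) - 1)
        if avg <= max_avg_interval:
            probers[key] = {
                "queries": len(recs),
                "resolvers": sorted({r["dst"] for r in recs}),
                "avg_interval": avg,
            }
    return probers


def detect_internet_setting(export_text):
    """Return the detect-interface-list value from a RouterOS export, or None if not present."""
    section = None
    for line in export_text.splitlines():
        if line.startswith("/"):
            section = line.strip()
        elif section == "/interface detect-internet":
            m = re.search(r"detect-interface-list=(\S+)", line)
            if m:
                return m.group(1)
    return None


if __name__ == "__main__":
    for (iface, src, sport), info in find_dns_probers(parse_drops(SAMPLE_LOG)).items():
        print(f"{iface} {src}:{sport}: {info['queries']} dropped DNS queries to "
              f"{', '.join(info['resolvers'])}, ~{info['avg_interval']:.1f}s apart")
    setting = detect_internet_setting(SAMPLE_EXPORT)
    if setting not in (None, "none"):
        print(f"detect-interface-list={setting}: consider setting it to none")
```

On real data, replace SAMPLE_LOG with lines copied from `/log print` and SAMPLE_EXPORT with the router's `/export`; once detect-interface-list is none on the remote router, the per-peer group for its tunnel address should disappear from the output, which is a cleaner confirmation than watching the log scroll.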

Wow, indeed disabling that feature (whatever it is) did solve my problem. I don't think I enabled it; it must be in the default config (for site B) and auto-enabled (for site A).

I will check out the forum for this, as now I'm interested in knowing what exactly this is and what problems this can cause :slight_smile:

Thanks for your assistance!

Yes, features added due to RouterOS upgrade are configured with default settings, and this censored is enabled by default.

I’m still not sure what’s the point of this feature. At first, when you just read the name and don’t know what it does, it sounds interesting.

My idea was that it could be used as a simple way to detect which WAN port actually has working internet access, and replace other solutions like recursive routing depending on pinging third-party servers. But it can't be used for that, as far as I can tell.

Another possible use would be to automatically allow different levels of access on ports, depending on where they are connected. It is possible, but with LAN (where you'd probably have the least security) being the initial state, it's far from ideal.

So is there any good use for this at all?

Hm, yes, I can imagine that would be useful. But then by default only check fixed eth/sfp ports or something, and not every interface that might or might not exist :slight_smile: Perhaps I have had years and years of strange DNS queries but never noticed … Ah well, I don't mind, but I just need to know these things; if it is strange I need to know why :smiley: