surfshark mikrotik wireguard Setting issue

Dear All.

I am new to MikroTik RouterOS.
I have one RB4011iGS+ with 4 WANs via PCC.
I want to set up Surfshark WireGuard for use with a VLAN.
I found a lot of information on how to set it up, but I failed.
May I get some help with this?
My RB4011iGS+ Config:

# Layer-2 layout: three bridges, the renamed physical ports, one WireGuard
# interface and four VLAN interfaces on the SFP+ port.
/interface bridge
add name=VLAN-1-201-B port-cost-mode=short
add add-dhcp-option82=yes dhcp-snooping=yes igmp-snooping=yes name=VPN-20-B
# This bridge is disabled, yet it still has bridge ports, a DHCP relay and an
# interface-list entry attached to it elsewhere in the export.
add add-dhcp-option82=yes dhcp-snooping=yes disabled=yes igmp-snooping=yes \
    mtu=9578 multicast-querier=yes name=WiFi_Swith_Bridge
/interface ethernet
# Jumbo MTU (9578) is set on every port, including the four ISP-facing ones.
# NOTE(review): an ISP link normally carries 1500-byte frames at most - confirm
# the WAN ports really need a jumbo MTU.
set [ find default-name=ether1 ] l2mtu=9578 mtu=9578 name=\
    ether1-WAN1-PCCW-Port-1 rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] l2mtu=9578 mtu=9578 name=\
    ether2-WAN2-PCCW-Port-2
set [ find default-name=ether3 ] l2mtu=9578 mtu=9578 name=\
    ether3-WAN3-PCCW-Port-3
set [ find default-name=ether4 ] l2mtu=9578 mtu=9578 name=\
    ether4-WAN4-PCCW-Port-4
set [ find default-name=ether5 ] l2mtu=9578 mtu=9578 name=ether5-WAN5
set [ find default-name=ether6 ] l2mtu=9578 mtu=9578 name=ether6-VLAN-1-Lan-1
set [ find default-name=ether7 ] l2mtu=9578 mtu=9578 name=ether7-VLAN-1-Lan-2
set [ find default-name=ether8 ] l2mtu=9578 mtu=9578 name=ether8-VLAN-1-Lan-3
set [ find default-name=ether9 ] l2mtu=9578 mtu=9578 name=ether9-VLAN-1-Lan-4
set [ find default-name=ether10 ] l2mtu=9578 mtu=9578 name=\
    ether10-VLAN-1-Lan-5
set [ find default-name=sfp-sfpplus1 ] l2mtu=9586 mtu=9586 name=\
    ether11-SFP-VLAN-1-Lan-6
/interface l2tp-server
add disabled=yes name=l2tp-Iphone-In user=""
/interface wireguard
# Tunnel interface for the VPN provider. No private-key is visible in this
# export. NOTE(review): confirm the private key from the provider-generated
# configuration is actually set on this interface; without it no handshake
# can complete.
add listen-port=51820 mtu=1420 name=SurfsharkTW
/interface vlan
# NOTE(review): all four VLANs are created on ether11-SFP-VLAN-1-Lan-6, and
# that same port is later added as a port of bridge VLAN-1-201-B. A VLAN
# interface on a port that is a bridge member usually does not receive its
# tagged frames; the common fix is to attach the VLAN interface to the bridge
# itself (or use bridge VLAN filtering). Confirm against the switch side.
add interface=ether11-SFP-VLAN-1-Lan-6 mtu=9582 name=VLAN-20-SFP+ vlan-id=20
# VLANs 30, 40 and 50 have no IP address, DHCP server or bridge port anywhere
# in this export - only address pools and address-list entries.
add interface=ether11-SFP-VLAN-1-Lan-6 mtu=9582 name=VLAN-30-VPN-SG vlan-id=\
    30
add interface=ether11-SFP-VLAN-1-Lan-6 mtu=9582 name=VLAN-40-VPN-JP vlan-id=\
    40
add interface=ether11-SFP-VLAN-1-Lan-6 mtu=9582 name=VLAN-50-VPN-TW vlan-id=\
    50
# Interface lists. WAN and LAN are referenced by detect-internet, neighbor
# discovery and the (currently disabled) firewall drop rules.
/interface list
add name=WAN
add name=LAN
# LoRa network-server entries; nothing else in this export refers to them.
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
# IPsec proposals: the default one and the "For Iphone" one are both disabled.
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 disabled=yes name="For Iphone" pfs-group=none
/ip pool
add name=VLAN-1-201-pool ranges=192.168.201.10-192.168.201.250
# WfFi-pool and the VPN-30/40/50 pools are not referenced by any DHCP server
# in this export.
add name=WfFi-pool ranges=192.168.1.1-192.168.1.254
add name=VPN-20-Pool ranges=192.168.20.21-192.168.20.50
add name=VPN-30-Pool ranges=192.168.30.11-192.168.30.20
add name=VPN-40-Pool ranges=192.168.40.11-192.168.40.20
add name=VPN-50-Pool ranges=192.168.50.11-192.168.50.20
/ip dhcp-server
add add-arp=yes address-pool=VLAN-1-201-pool always-broadcast=yes \
    bootp-support=dynamic interface=VLAN-1-201-B lease-time=10m name=\
    DHCP-VLAN-1-201 server-address=192.168.201.1
# DHCP for the clients that are meant to leave through the WireGuard tunnel.
add add-arp=yes address-pool=VPN-20-Pool always-broadcast=yes bootp-support=\
    dynamic interface=VPN-20-B name=DHCP-VLAN-20-VPN
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# L2TP dial-in clients get an address from the main LAN pool, so once
# connected they sit in the same 192.168.201.0/24 range the firewall trusts
# through the LAN-201 address list.
add change-tcp-mss=yes dns-server=8.8.8.8,1.1.1.1 local-address=\
    192.168.201.28 name=IphoneUse remote-address=VLAN-1-201-pool use-upnp=no
/routing id
add disabled=no id=192.168.20.1 name=VPN select-dynamic-id=only-vrf \
    select-from-vrf=main
/routing table
# One routing table per ISP uplink for PCC, plus WG-SurfsharkTW for the tunnel.
# WiFi-B has no route or mangle rule pointing at it in this export.
add disabled=no fib name=PCCW-port-1
add disabled=no fib name=PCCW-port-2
add disabled=no fib name=PCCW-port-3
add disabled=no fib name=PCCW-port-4
add disabled=no fib name=WiFi-B
add disabled=no fib name=WG-SurfsharkTW
/zerotier
# ZeroTier instance is disabled (the export prints disabled=yes twice).
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
# SMB server on the router itself, bound to the main LAN bridge only.
/ip smb
set domain=WORKGROUP enabled=yes interfaces=VLAN-1-201-B
/interface bridge port
# ether6-8 belong to the disabled WiFi_Swith_Bridge; ether9-11 to the main LAN
# bridge. Every port is marked trusted=yes for DHCP snooping.
add bridge=WiFi_Swith_Bridge fast-leave=yes interface=ether6-VLAN-1-Lan-1 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=WiFi_Swith_Bridge fast-leave=yes interface=ether7-VLAN-1-Lan-2 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=WiFi_Swith_Bridge fast-leave=yes interface=ether8-VLAN-1-Lan-3 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=VLAN-1-201-B fast-leave=yes interface=ether9-VLAN-1-Lan-4 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=VLAN-1-201-B fast-leave=yes interface=ether10-VLAN-1-Lan-5 \
    internal-path-cost=10 path-cost=10 trusted=yes
# The SFP+ port is a member of the LAN bridge here while also being the parent
# of the VLAN interfaces (see the note under /interface vlan).
add bridge=VLAN-1-201-B fast-leave=yes interface=ether11-SFP-VLAN-1-Lan-6 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=VPN-20-B fast-leave=yes interface=VLAN-20-SFP+ trusted=yes
/ip firewall connection tracking
# UDP connection-tracking entries expire after 10 s without traffic.
# NOTE(review): the WireGuard peer in this export sets no persistent-keepalive,
# so an idle tunnel can lose its conntrack/NAT state - confirm.
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
# NOTE(review): both options are normally left off. Accepting ICMP redirects
# and source-routed packets lets another host influence the path the router's
# traffic takes, and nothing visible in this config depends on either.
set accept-redirects=yes accept-source-route=yes
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface l2tp-server server
# L2TP server is enabled. NOTE(review): use-ipsec=yes still accepts plain L2TP
# without IPsec; use-ipsec=required enforces encryption. Because the WAN input
# drop rule in /ip firewall filter is disabled, this server is reachable from
# the internet.
set authentication=mschap2 default-profile=IphoneUse enabled=yes use-ipsec=\
    yes
# Membership of the WAN and LAN interface lists.
/interface list member
add interface=ether1-WAN1-PCCW-Port-1 list=WAN
add interface=ether2-WAN2-PCCW-Port-2 list=WAN
add interface=ether3-WAN3-PCCW-Port-3 list=WAN
add interface=VLAN-1-201-B list=LAN
add interface=ether4-WAN4-PCCW-Port-4 list=WAN
add interface=ether6-VLAN-1-Lan-1 list=LAN
add interface=ether5-WAN5 list=WAN
add interface=ether7-VLAN-1-Lan-2 list=LAN
add interface=ether8-VLAN-1-Lan-3 list=LAN
add interface=ether9-VLAN-1-Lan-4 list=LAN
add interface=ether10-VLAN-1-Lan-5 list=LAN
add interface=ether11-SFP-VLAN-1-Lan-6 list=LAN
add interface=WiFi_Swith_Bridge list=LAN
# The tunnel is treated as an untrusted (WAN) interface, which is the right
# side for it once the WAN drop rules are enabled.
add interface=SurfsharkTW list=WAN
add interface=VPN-20-B list=LAN
/interface wireguard peers
# Single peer: all destinations (0.0.0.0/0) are allowed through the tunnel and
# the endpoint is given as a DNS name, so the router itself must be able to
# resolve and reach it outside the tunnel.
# NOTE(review): no persistent-keepalive is set. client-address looks like it
# was meant as the tunnel address; presumably it has no effect on a peer used
# as a client - confirm.
add allowed-address=0.0.0.0/0 client-address=10.14.0.0/16 endpoint-address=\
    tw-tai.prod.surfshark.com endpoint-port=51820 interface=SurfsharkTW name=\
    peer3 public-key="P0vaGUOUE7V5bbGOYY2WgQeZnTZEHvIr+dfebU7W4Ao="
/ip address
add address=192.168.201.1/24 interface=VLAN-1-201-B network=192.168.201.0
add address=192.168.20.1/24 interface=VPN-20-B network=192.168.20.0
# NOTE(review): the tunnel address must be the one issued in the
# provider-generated WireGuard configuration - confirm 10.14.0.2/16 matches.
add address=10.14.0.2/16 interface=SurfsharkTW network=10.14.0.0
# Dynamic DNS through the vendor cloud service is on, so the router's public
# address is published under its cloud DNS name.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# All four uplinks get their address by DHCP with add-default-route=no, so
# DHCP installs no default route in the main routing table.
# The ether1 client does not set use-peer-dns=no, so it accepts the ISP's
# DNS servers; the other three do not.
add add-default-route=no interface=ether1-WAN1-PCCW-Port-1
add add-default-route=no interface=ether4-WAN4-PCCW-Port-4 use-peer-dns=no
add add-default-route=no interface=ether2-WAN2-PCCW-Port-2 use-peer-dns=no
add add-default-route=no interface=ether3-WAN3-PCCW-Port-3 use-peer-dns=no
/ip dhcp-relay
# Relay on the disabled WiFi bridge; 192.168.1.2 is not assigned to any
# interface in this export.
add dhcp-server=192.168.1.1 disabled=no interface=WiFi_Swith_Bridge \
    local-address=192.168.1.2 name=WiFi-relay
/ip dhcp-server lease
# Static leases on the main LAN; address-lists= adds the host to the named
# firewall address lists while the lease is active.
add address=192.168.201.250 address-lists=LAN,NAS always-broadcast=yes \
    client-id=1:0:11:32:ff:69:d1 mac-address=00:11:32:FF:69:D1 server=\
    DHCP-VLAN-1-201
add address=192.168.201.101 address-lists=LAN-201,Server,DC \
    allow-dual-stack-queue=yes always-broadcast=yes client-id=\
    1:0:15:5d:c9:cb:7 mac-address=00:15:5D:C9:CB:07 server=DHCP-VLAN-1-201
add address=192.168.201.201 client-id=1:c:c4:7a:ba:c0:ff mac-address=\
    0C:C4:7A:BA:C0:FF server=DHCP-VLAN-1-201
add address=192.168.201.202 address-lists=LAN-201,Server always-broadcast=yes \
    client-id=1:c:c4:7a:ba:c0:fe mac-address=0C:C4:7A:BA:C0:FE server=\
    DHCP-VLAN-1-201
/ip dhcp-server network
# VPN VLAN clients are handed external resolvers directly, so their DNS
# queries only work once traffic from 192.168.20.0/24 actually leaves through
# the tunnel.
add address=192.168.20.0/24 dns-server=\
    10.14.0.1,162.252.172.57,149.154.159.92 gateway=192.168.20.1
add address=192.168.201.0/24 dns-server=192.168.201.1,8.8.8.8,1.1.1.1 \
    gateway=192.168.201.1 netmask=24
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# from any host the input chain lets in. With the WAN input drop rule disabled
# in /ip firewall filter, that includes the internet, i.e. the router acts as
# an open resolver.
set allow-remote-requests=yes servers=\
    8.8.8.8,1.1.1.1,162.252.172.57,149.154.159.92
/ip dns static
add address=1.1.1.1 name=DNS1
add address=8.8.8.8 name=DNS2
/ip firewall address-list
# Address lists used by the filter and mangle rules. The list named WAN holds
# the ISP subnets and is a different object from the interface list WAN.
add address=192.168.201.0/24 list=LAN-201
add address=192.168.1.0/24 disabled=yes list=LAN-1
add address=192.168.200.0/24 disabled=yes list=LAN-200
add address=192.168.20.0/24 list=VPN-20-LAN
add address=10.14.0.0/16 list=VPN-WAN
add address=192.168.30.0/24 list=VPN-30-LAN-SG
add address=192.168.40.0/24 list=VPN-40-LAN-JP
add address=192.168.50.0/24 list=VPN-50-LAN-TW
add address=218.250.253.0/24 list=WAN
add address=218.250.78.0/24 list=WAN
add address=203.218.80.0/24 list=WAN
add address=219.77.113.0/24 list=WAN
# IPv4 filter rules, evaluated top to bottom.
# NOTE(review): the only drop rule for the input chain (the first rule) is
# disabled and the chain has no terminating drop, so anything not matched is
# accepted. As exported, every accept rule in the input chain is redundant and
# the router's own services (DNS, L2TP, management ports that have no address
# restriction) are reachable from all WAN interfaces. The usual order is:
# accept established/related, accept the specific sources wanted, then drop
# everything else arriving from the WAN list.
/ip firewall filter
add action=drop chain=input disabled=yes in-interface-list=WAN
# Accepts UDP/51820 from any source on any interface. The router only dials
# out to the VPN provider; NOTE(review): confirm an inbound listener rule is
# needed at all.
add action=accept chain=input comment="allow WireGuard" dst-port=51820 \
    protocol=udp
add action=accept chain=input dst-port=51820 protocol=udp src-address=\
    10.14.0.0/24
# NOTE(review): 10.140.0.0/24 is not used anywhere else in this export; the
# tunnel network is 10.14.0.0/16, so this looks like a typo. The rule also has
# no protocol or port, so it accepts everything from that source.
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.140.0.0/24
# Fasttrack is disabled, which is what mangle-based policy routing needs. The
# comment text was written in a non-ASCII script and was lost in the export.
add action=fasttrack-connection chain=forward comment="\?\? established \?\?\?\
    \?\?\?\?\?\? related \?\?\?\?\?\?,\?\?\? (forward) \?\?\?\?\? fasttrack-co\
    nnection (\?\?\?\?)\?" connection-state=established,related disabled=yes \
    hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
# The forward chain drops only invalid packets; no rule drops new connections
# arriving from WAN (or from the tunnel) towards the LANs.
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept Local" dst-address=127.0.0.1
add action=accept chain=input comment="Accept LAN In" disabled=yes \
    src-address-list=LAN-1
# Only LAN-201 is currently accepted by source; 192.168.20.0/24 (VPN VLAN) has
# no accept rule of its own, which matters once a final input drop is added
# (its clients still need DHCP from the router).
add action=accept chain=input src-address-list=LAN-201
add action=accept chain=input disabled=yes src-address-list=LAN-200
add action=accept chain=input comment="Accept LAN-Route" disabled=yes \
    dst-address-list=LAN-200 src-address-list=LAN-1
add action=accept chain=input disabled=yes dst-address-list=LAN-201 \
    src-address-list=LAN-1
add action=accept chain=input disabled=yes dst-address-list=LAN-1 \
    src-address-list=LAN-200
add action=accept chain=input disabled=yes dst-address-list=LAN-201 \
    src-address-list=LAN-200
add action=accept chain=input disabled=yes dst-address-list=LAN-1 \
    src-address-list=LAN-201
add action=accept chain=input disabled=yes dst-address-list=LAN-200 \
    src-address-list=LAN-201
# IPv4 mangle: PCC load balancing of 192.168.201.0/24 over four uplinks, plus
# two rules intended to steer the VPN VLAN into the WireGuard routing table.
/ip firewall mangle
# LAN traffic addressed to one of the ISP's directly connected subnets is
# accepted here, which stops further mangle processing for it.
add action=accept chain=prerouting comment="PCCW-1 Preroute" dst-address=\
    219.77.113.0/24 in-interface=VLAN-1-201-B
add action=accept chain=prerouting comment="PCCW-2 Preroute" dst-address=\
    218.250.253.0/24 in-interface=VLAN-1-201-B
add action=accept chain=prerouting comment="PCCW-3 Preroute" dst-address=\
    218.250.78.0/24 in-interface=VLAN-1-201-B
add action=accept chain=prerouting comment="PCCW-4 Preroute" dst-address=\
    203.218.80.0/24 in-interface=VLAN-1-201-B
# Connections that arrive on an uplink are marked with that uplink's mark.
add action=mark-connection chain=prerouting comment=\
    "PCCW-1 Mark Port 1 to Connection Mark 1" connection-mark=no-mark \
    in-interface=ether1-WAN1-PCCW-Port-1 new-connection-mark=PCCW-Port-1-Conn \
    passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "PCCW-2 Mark Port 2 to Connection Mark 2" connection-mark=no-mark \
    in-interface=ether2-WAN2-PCCW-Port-2 new-connection-mark=PCCW-Port-2-Conn \
    passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "PCCW-3 Mark Port 3 to Connection Mark 3" connection-mark=no-mark \
    in-interface=ether3-WAN3-PCCW-Port-3 new-connection-mark=PCCW-Port-3-Conn \
    passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "PCCW-4 Mark Port 4 to Connection Mark 4" connection-mark=no-mark \
    in-interface=ether4-WAN4-PCCW-Port-4 new-connection-mark=PCCW-Port-4-Conn \
    passthrough=yes
# PCC: new connections from 192.168.201.0/24 are split into four buckets by a
# hash of both addresses. The VPN VLAN (192.168.20.0/24) is not matched.
add action=mark-connection chain=prerouting comment="PCCW-1 Connection Mark" \
    connection-mark=no-mark dst-address-type=!local new-connection-mark=\
    PCCW-Port-1-Conn passthrough=yes per-connection-classifier=\
    both-addresses:4/0 src-address=192.168.201.0/24
add action=mark-connection chain=prerouting comment="PCCW-2 Connection Mark" \
    connection-mark=no-mark dst-address-type=!local new-connection-mark=\
    PCCW-Port-2-Conn passthrough=yes per-connection-classifier=\
    both-addresses:4/1 src-address=192.168.201.0/24
add action=mark-connection chain=prerouting comment="PCCW-3 Connection Mark" \
    connection-mark=no-mark dst-address-type=!local new-connection-mark=\
    PCCW-Port-3-Conn passthrough=yes per-connection-classifier=\
    both-addresses:4/2 src-address=192.168.201.0/24
add action=mark-connection chain=prerouting comment="PCCW-4 Connection Mark" \
    connection-mark=no-mark dst-address-type=!local new-connection-mark=\
    PCCW-Port-4-Conn passthrough=yes per-connection-classifier=\
    both-addresses:4/3 src-address=192.168.201.0/24
# Connection mark -> routing table, for traffic sourced from the main LAN.
add action=mark-routing chain=prerouting comment=\
    "PCCW-1 Connection Mark to Route Mark" connection-mark=PCCW-Port-1-Conn \
    new-routing-mark=PCCW-port-1 passthrough=yes src-address=192.168.201.0/24
add action=mark-routing chain=prerouting comment=\
    "PCCW-2 Connection Mark to Route Mark" connection-mark=PCCW-Port-2-Conn \
    new-routing-mark=PCCW-port-2 passthrough=yes src-address=192.168.201.0/24
add action=mark-routing chain=prerouting comment=\
    "PCCW-3 Connection Mark to Route Mark" connection-mark=PCCW-Port-3-Conn \
    new-routing-mark=PCCW-port-3 passthrough=yes src-address=192.168.201.0/24
add action=mark-routing chain=prerouting comment=\
    "PCCW-4 Connection Mark to Route Mark" connection-mark=PCCW-Port-4-Conn \
    new-routing-mark=PCCW-port-4 passthrough=yes src-address=192.168.201.0/24
# NOTE(review): no rule in this export ever sets the connection mark VPN-Conn,
# so this rule cannot match as written.
add action=mark-routing chain=prerouting comment=\
    "VPN Connection Mark to Route Mark" connection-mark=VPN-Conn \
    new-routing-mark=WG-SurfsharkTW passthrough=yes src-address-list=\
    VPN-20-LAN
# Router-originated replies follow the uplink their connection was marked
# with. New connections opened by the router itself (DNS lookups, the
# WireGuard handshake) carry no mark and are routed by the main table.
add action=mark-routing chain=output comment=\
    "PCCW-1 Mark Connection 1 to Route 1" connection-mark=PCCW-Port-1-Conn \
    new-routing-mark=PCCW-port-1 passthrough=yes
add action=mark-routing chain=output comment=\
    "PCCW-2 Mark Connection 2 to Route 2" connection-mark=PCCW-Port-2-Conn \
    new-routing-mark=PCCW-port-2 passthrough=yes
add action=mark-routing chain=output comment=\
    "PCCW-3 Mark Connection 3 to Route 3" connection-mark=PCCW-Port-3-Conn \
    new-routing-mark=PCCW-port-3 passthrough=yes
add action=mark-routing chain=output comment=\
    "PCCW-4 Mark Connection 4 to Route 4" connection-mark=PCCW-Port-4-Conn \
    new-routing-mark=PCCW-port-4 passthrough=yes
# MSS clamping for every forwarded TCP SYN, not only tunnel traffic.
add action=change-mss chain=forward comment="Modification for SurfsharkTW" \
    new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
# NOTE(review): this only matches VPN VLAN traffic whose destination is in the
# address list WAN (the ISP subnets), not general internet traffic. Steering
# of the rest of 192.168.20.0/24 relies on the /routing rule entry instead.
add action=mark-routing chain=prerouting dst-address-list=WAN \
    dst-address-type=!local new-routing-mark=WG-SurfsharkTW passthrough=yes \
    src-address=192.168.20.0/24
# Source NAT: one masquerade rule per uplink plus one for the tunnel. The
# list-based rule is disabled; ether5-WAN5 has no masquerade rule.
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1-WAN1-PCCW-Port-1
add action=masquerade chain=srcnat out-interface=ether4-WAN4-PCCW-Port-4
add action=masquerade chain=srcnat out-interface=ether3-WAN3-PCCW-Port-3
add action=masquerade chain=srcnat out-interface=ether2-WAN2-PCCW-Port-2
# Required so VPN VLAN traffic leaves with the tunnel address as its source.
add action=masquerade chain=srcnat comment=WG-TW-VPN out-interface=\
    SurfsharkTW
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0 template=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# NOTE(review): 3des is offered next to aes-256; it is a legacy cipher and can
# be dropped from the list unless a client is known to need it.
add dh-group=modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256,3des hash-algorithm=sha256 name="For Iphone Profile"
/ip ipsec settings
# No RADIUS client is configured anywhere in this export.
set xauth-use-radius=yes
/ip nat-pmp
# NAT-PMP lets hosts ask the router to open inbound port mappings.
# NOTE(review): no NAT-PMP interfaces appear in this export; confirm whether
# the feature is in use, and turn it off if it is not.
set enabled=yes
# Static IPv4 routes. Every route below lives in a named routing table.
# NOTE(review): no 0.0.0.0/0 route for the main table is visible in this
# export, and all DHCP clients use add-default-route=no. Unmarked traffic
# opened by the router itself - resolving tw-tai.prod.surfshark.com and
# sending the WireGuard handshake to it - is routed by the main table, so
# the tunnel may never come up for that reason. Confirm with the active route
# list on the router.
/ip route
add disabled=no distance=1 dst-address=203.218.80.0/24 gateway=\
    ether4-WAN4-PCCW-Port-4 routing-table=PCCW-port-4 scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=219.77.113.0/24 gateway=\
    ether1-WAN1-PCCW-Port-1 routing-table=PCCW-port-1 scope=10 \
    suppress-hw-offload=no target-scope=10
# Per-uplink default routes. The gateways are fixed addresses although the
# uplink addresses come from DHCP.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=219.77.113.254 \
    routing-table=PCCW-port-1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=203.218.80.254 \
    routing-table=PCCW-port-4 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=218.250.253.254 \
    routing-table=PCCW-port-2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=218.250.78.254 \
    routing-table=PCCW-port-3 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=218.250.253.0/24 gateway=\
    ether2-WAN2-PCCW-Port-2 routing-table=PCCW-port-2 scope=10 \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=218.250.78.0/24 gateway=\
    ether3-WAN3-PCCW-Port-3 routing-table=PCCW-port-3 scope=10 \
    suppress-hw-offload=no target-scope=10
# Default route of the WG-SurfsharkTW table, out of the tunnel interface.
# NOTE(review): check-gateway is exported as "(unknown)", which is not one of
# the usual values; set it explicitly or clear it - confirm on the router.
add check-gateway="(unknown)" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=SurfsharkTW routing-table=WG-SurfsharkTW scope=30 \
    suppress-hw-offload=no target-scope=10
/ipv6 route
# IPv6 default routes per uplink table, then four /64 routes in the main table
# pointing at the LAN bridge.
add disabled=no distance=1 dst-address=::/0 gateway=ether1-WAN1-PCCW-Port-1 \
    routing-table=PCCW-port-1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=::/0 gateway=ether4-WAN4-PCCW-Port-4 \
    routing-table=PCCW-port-4 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=::/0 gateway=ether2-WAN2-PCCW-Port-2 \
    routing-table=PCCW-port-2 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=::/0 gateway=ether3-WAN3-PCCW-Port-3 \
    routing-table=PCCW-port-3 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=2404:c804:301e:a500::/64 gateway=\
    VLAN-1-201-B routing-table=main scope=10 suppress-hw-offload=no \
    vrf-interface=ether1-WAN1-PCCW-Port-1
add disabled=no distance=1 dst-address=2404:c804:301e:a200::/64 gateway=\
    VLAN-1-201-B routing-table=main scope=10 suppress-hw-offload=no \
    vrf-interface=ether2-WAN2-PCCW-Port-2
add disabled=no distance=1 dst-address=2404:c804:301e:a300::/64 gateway=\
    VLAN-1-201-B routing-table=main scope=10 suppress-hw-offload=no \
    vrf-interface=ether3-WAN3-PCCW-Port-3
add disabled=no distance=1 dst-address=2404:c804:301e:e500::/64 gateway=\
    VLAN-1-201-B routing-table=main scope=10 suppress-hw-offload=no \
    vrf-interface=ether4-WAN4-PCCW-Port-4
# Management services. telnet, www and ssh are limited to LAN source ranges;
# api and api-ssl are off.
# NOTE(review): telnet and www are clear-text protocols - prefer ssh and
# www-ssl. winbox and ftp are not listed here, so presumably they are at their
# defaults with no source restriction; with the WAN input drop disabled that
# would leave them reachable from the internet - confirm.
/ip service
set telnet address=192.168.201.0/24
set www address=192.168.201.0/24,192.168.1.0/24
set ssh address=192.168.201.0/24
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
/ip upnp
# UPnP is enabled, and allow-disable-external-interface=yes permits a client
# to switch the external interface off through UPnP.
# NOTE(review): no UPnP interfaces appear in this export; disable the service
# if it is not used.
set allow-disable-external-interface=yes enabled=yes
/ipv6 address
# Only the main LAN bridge receives IPv6 prefixes. VPN-20-B has no IPv6
# address in this export, so VPN VLAN clients are IPv4-only as configured.
add from-pool=PCCW1 interface=VLAN-1-201-B
add from-pool=PCCW4 interface=VLAN-1-201-B
add from-pool=PCCW3 interface=VLAN-1-201-B
add from-pool=PCCW2 interface=VLAN-1-201-B
/ipv6 dhcp-client
# Prefix delegation on each uplink; unlike the IPv4 clients these do install
# a default route.
add add-default-route=yes interface=ether2-WAN2-PCCW-Port-2 pool-name=PCCW2 \
    rapid-commit=no request=prefix use-interface-duid=yes use-peer-dns=no
add add-default-route=yes interface=ether1-WAN1-PCCW-Port-1 pool-name=PCCW1 \
    rapid-commit=no request=prefix use-interface-duid=yes
add add-default-route=yes interface=ether3-WAN3-PCCW-Port-3 pool-name=PCCW3 \
    rapid-commit=no request=prefix use-interface-duid=yes use-peer-dns=no
add add-default-route=yes interface=ether4-WAN4-PCCW-Port-4 pool-name=PCCW4 \
    rapid-commit=no request=prefix use-peer-dns=no
add add-default-route=yes disabled=yes interface=WiFi_Swith_Bridge pool-name=\
    WiFi rapid-commit=no request=prefix use-interface-duid=yes
# IPv6 address lists used as trusted sources by the input chain below.
# NOTE(review): these 2404:c804:9f8:... prefixes differ from the
# 2404:c804:301e:... prefixes used in the IPv6 routes and mangle rules;
# confirm which ones are current.
/ipv6 firewall address-list
add address=2404:c804:9f8:bd00::/64 list=PCCW-4-VLAN-201
add address=2404:c804:9f8:bc00::/64 list=PCCW-1-VLAN-201
/ipv6 firewall filter
# NOTE(review): same shape as the IPv4 filter - the WAN input drop is disabled
# and there is no terminating drop, so the input chain accepts everything and
# the accept rules are redundant. The forward chain drops only invalid
# packets, so globally addressed LAN hosts are reachable from the internet
# over IPv6.
add action=drop chain=input disabled=yes in-interface-list=WAN
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmpv6
# NOTE(review): link-local space is fe80::/10; /56 is narrower than that but
# still covers typical fe80:: addresses - confirm the intended prefix.
add action=accept chain=input comment="Accept Local" dst-address=fe80::/56
add action=accept chain=input src-address-list=PCCW-1-VLAN-201
add action=accept chain=input src-address-list=PCCW-4-VLAN-201
# IPv6 mangle: a copy of the IPv4 PCC rule set in which every rule except the
# final change-mss is disabled, so no IPv6 policy routing is active.
/ipv6 firewall mangle
add action=accept chain=prerouting comment="PCCW-1 Preroute" disabled=yes \
    dst-address=2404:c804:301e:a500::/56 in-interface=VLAN-1-201-B
add action=accept chain=prerouting comment="PCCW-2 Preroute" disabled=yes \
    dst-address=2404:c804:301e:a200::/56 in-interface=VLAN-1-201-B
# Labelled "PCCW-2" a second time; by position this is the entry for uplink 3.
add action=accept chain=prerouting comment="PCCW-2 Preroute" disabled=yes \
    dst-address=2404:c804:301e:e700::/56 in-interface=VLAN-1-201-B
add action=accept chain=prerouting comment="PCCW-4 Preroute" disabled=yes \
    dst-address=2404:c804:301e:e500::/56 in-interface=VLAN-1-201-B
add action=mark-connection chain=prerouting comment=\
    "PCCW-1 Mark Port1 to Connection Mark 1" connection-mark=no-mark \
    disabled=yes in-interface=ether1-WAN1-PCCW-Port-1 new-connection-mark=\
    PCCW-Port-1-Conn passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "PCCW-2 Mark Port2 to Connection Mark 2" connection-mark=no-mark \
    disabled=yes in-interface=ether2-WAN2-PCCW-Port-2 new-connection-mark=\
    PCCW-Port-2-Conn passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "PCCW-3 Mark Port3 to Connection Mark 3" connection-mark=no-mark \
    disabled=yes in-interface=ether3-WAN3-PCCW-Port-3 new-connection-mark=\
    PCCW-Port-3-Conn passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "PCCW-4 Mark Port4 to Connection Mark 4" connection-mark=no-mark \
    disabled=yes in-interface=ether4-WAN4-PCCW-Port-4 new-connection-mark=\
    PCCW-Port-4-Conn passthrough=yes
add action=mark-connection chain=prerouting comment="PCCW-1 Connection Mark" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    new-connection-mark=PCCW-Port-1-Conn passthrough=yes \
    per-connection-classifier=both-addresses:4/0 src-address=\
    2404:c804:301e:a500::/64
add action=mark-connection chain=prerouting comment="PCCW-2 Connection Mark" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    new-connection-mark=PCCW-Port-2-Conn passthrough=yes \
    per-connection-classifier=both-addresses:4/1 src-address=\
    2404:c804:301e:a200::/64
# Comment says "PCCW-2" but the rule sets the PCCW-Port-3-Conn mark.
add action=mark-connection chain=prerouting comment="PCCW-2 Connection Mark" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    new-connection-mark=PCCW-Port-3-Conn passthrough=yes \
    per-connection-classifier=both-addresses:4/2 src-address=\
    2404:c804:301e:e700::/64
# NOTE(review): unlike its three siblings this rule matches
# connection-mark=PCCW-Port-4-Conn instead of no-mark, so it would only
# re-mark connections that already carry the mark - confirm before enabling.
add action=mark-connection chain=prerouting comment="PCCW-4 Connection Mark" \
    connection-mark=PCCW-Port-4-Conn disabled=yes dst-address-type=!local \
    new-connection-mark=PCCW-Port-4-Conn passthrough=yes \
    per-connection-classifier=both-addresses:4/3 src-address=\
    2404:c804:301e:e500::/64
add action=mark-routing chain=prerouting comment=\
    "PCCW-1 Connection Mark to Route Mark" connection-mark=PCCW-Port-1-Conn \
    disabled=yes new-routing-mark=PCCW-port-1 passthrough=yes src-address=\
    2404:c804:301e:a500::/64
add action=mark-routing chain=prerouting comment=\
    "PCCW-2 Connection Mark to Route Mark" connection-mark=PCCW-Port-2-Conn \
    disabled=yes new-routing-mark=PCCW-port-2 passthrough=yes src-address=\
    2404:c804:301e:a200::/64
add action=mark-routing chain=prerouting comment=\
    "PCCW-3 Connection Mark to Route Mark" connection-mark=PCCW-Port-3-Conn \
    disabled=yes new-routing-mark=PCCW-port-3 passthrough=yes src-address=\
    2404:c804:301e:e700::/64
# NOTE(review): the comment describes a routing mark, but the action is
# mark-connection and no new-routing-mark is set - confirm before enabling.
add action=mark-connection chain=prerouting comment=\
    "PCCW-4 Connection Mark to Route Mark" connection-mark=PCCW-Port-4-Conn \
    disabled=yes new-connection-mark=PCCW-Port-4-Conn passthrough=yes \
    src-address=2404:c804:301e:e500::/64
add action=mark-routing chain=output comment=\
    "PCCW-1 Mark Connection 1 to Route 1" connection-mark=PCCW-Port-1-Conn \
    disabled=yes new-routing-mark=PCCW-port-1 passthrough=yes
add action=mark-routing chain=output comment=\
    "PCCW-2 Mark Connection 2 to Route 2" connection-mark=PCCW-Port-2-Conn \
    disabled=yes new-routing-mark=PCCW-port-2 passthrough=yes
add action=mark-routing chain=output comment=\
    "PCCW-3 Mark Connection 3 to Route 3" connection-mark=PCCW-Port-3-Conn \
    disabled=yes new-routing-mark=PCCW-port-3 passthrough=yes
add action=mark-routing chain=output comment=\
    "PCCW-4 Mark Connection 4 to Route 4" connection-mark=PCCW-Port-4-Conn \
    disabled=yes new-routing-mark=PCCW-port-4 passthrough=yes
# The only enabled rule in this section: MSS clamping for forwarded TCP SYNs.
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
# IPv6 source NAT (masquerade) on each uplink; the list-based rule is disabled.
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN1-PCCW-Port-1
add action=masquerade chain=srcnat out-interface=ether2-WAN2-PCCW-Port-2
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether4-WAN4-PCCW-Port-4
add action=masquerade chain=srcnat out-interface=ether3-WAN3-PCCW-Port-3
/ipv6 nd
# NOTE(review): neighbor-discovery entries exist for the four uplink ports,
# which means the router sends router advertisements towards the ISP side -
# confirm that is intended; RAs are normally only needed on LAN interfaces.
set [ find default=yes ] other-configuration=yes
add interface=ether1-WAN1-PCCW-Port-1 other-configuration=yes
add interface=ether4-WAN4-PCCW-Port-4
add interface=ether2-WAN2-PCCW-Port-2
add interface=ether3-WAN3-PCCW-Port-3
add interface=WiFi_Swith_Bridge
# L2TP dial-in accounts; passwords are not shown in this export.
/ppp secret
add name=its profile=IphoneUse service=l2tp
add name=Jason profile=IphoneUse service=l2tp
/routing rule
# This is the rule that actually steers the VPN VLAN: everything sourced from
# 192.168.20.0/24 is looked up in the WG-SurfsharkTW table.
# NOTE(review): action=lookup falls back to the main table when the named
# table has no usable route, so traffic could leave outside the tunnel when it
# is down. lookup-only-in-table avoids that fallback. Because the rule has no
# destination restriction it presumably also covers traffic from the VLAN to
# the router or the other LANs - confirm.
add action=lookup disabled=no src-address=192.168.20.0/24 table=\
    WG-SurfsharkTW
/system clock
set time-zone-name=Asia/Hong_Kong
/system identity
set name=Home-Main-Router
/system logging
add topics=ipsec
/system note
set show-at-login=no
/system ntp server
# NTP server is enabled; with the WAN input drop disabled it also answers
# requests arriving from the internet.
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system package update
# NOTE(review): the development channel delivers pre-release RouterOS builds;
# an internet-facing router is normally kept on the stable or long-term
# channel.
set channel=development
/system routerboard settings
set auto-upgrade=yes