Hi.
I have a new MikroTik Chateau LTE12 and need some help. Everything works except OneDrive for Business and Outlook on my clients. When I change the router, Outlook and OneDrive connect without problems. I captured some traffic on my client and found out that only with Outlook and OneDrive do I have TCP retransmits. As it works with the same SIM in my TP-Link MR600 router, the problem should be related to the MikroTik Chateau LTE12, but I can't find the issue. Teams, Skype, web surfing etc. work without problems on both routers. Please help!
1854 15:27:41 09.09.2020 14.4715489 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:Flags=......S., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=0, Seq=2988734820, Ack=0, Win=64240 ( Negotiating scale factor 0x8 ) = 64240 {TCP:295, IPv4:294}
1856 15:27:41 09.09.2020 14.4942058 OUTLOOK.EXE s-0005.s-msedge.net 10.100.68.19 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=49883, PayloadLen=0, Seq=2216698322, Ack=2988734821, Win=65535 ( Scale factor not supported ) = 16776960 {TCP:295, IPv4:294}
1857 15:27:41 09.09.2020 14.4943283 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:Flags=...A...., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=0, Seq=2988734821, Ack=2216698323, Win=517 (scale factor 0x8) = 132352 {TCP:295, IPv4:294}
1858 15:27:41 09.09.2020 14.4948682 OUTLOOK.EXE 10.100.68.19 e584.g.akamaiedge.net TCP TCP:Flags=......S., SrcPort=49884, DstPort=HTTPS(443), PayloadLen=0, Seq=1797575830, Ack=0, Win=64240 ( Negotiating scale factor 0x8 ) = 64240 {TCP:297, IPv4:296}
1867 15:27:41 09.09.2020 14.5110228 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TLS TLS:TLS Rec Layer-1 HandShake: Client Hello. {TLS:299, SSLVersionSelector:298, TCP:295, IPv4:294}
1878 15:27:41 09.09.2020 14.5293230 OUTLOOK.EXE e584.g.akamaiedge.net 10.100.68.19 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=49884, PayloadLen=0, Seq=1749374128, Ack=1797575831, Win=29200 ( Negotiated scale factor 0x7 ) = 3737600 {TCP:297, IPv4:296}
1879 15:27:41 09.09.2020 14.5294025 OUTLOOK.EXE 10.100.68.19 e584.g.akamaiedge.net TCP TCP:Flags=...A...., SrcPort=49884, DstPort=HTTPS(443), PayloadLen=0, Seq=1797575831, Ack=1749374129, Win=517 (scale factor 0x8) = 132352 {TCP:297, IPv4:296}
1880 15:27:41 09.09.2020 14.5297238 OUTLOOK.EXE 10.100.68.19 e584.g.akamaiedge.net TLS TLS:TLS Rec Layer-1 HandShake: Client Hello. {TLS:301, SSLVersionSelector:300, TCP:297, IPv4:296}
1940 15:27:41 09.09.2020 14.7498841 OUTLOOK.EXE 10.100.68.19 40.101.55.162 TCP TCP:Flags=......S., SrcPort=49885, DstPort=HTTPS(443), PayloadLen=0, Seq=3469340691, Ack=0, Win=64240 ( Negotiating scale factor 0x8 ) = 64240 {TCP:305, IPv4:304}
1941 15:27:41 09.09.2020 14.7541079 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:[ReTransmit #1867]Flags=...AP..., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=181, Seq=2988734821 - 2988735002, Ack=2216698323, Win=517 (scale factor 0x8) = 132352 {TCP:295, IPv4:294}
1944 15:27:41 09.09.2020 14.7781774 OUTLOOK.EXE 40.101.55.162 10.100.68.19 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=49885, PayloadLen=0, Seq=1074959472, Ack=3469340692, Win=65535 ( Negotiated scale factor 0x8 ) = 16776960 {TCP:305, IPv4:304}
1945 15:27:41 09.09.2020 14.7782860 OUTLOOK.EXE 10.100.68.19 40.101.55.162 TCP TCP:Flags=...A...., SrcPort=49885, DstPort=HTTPS(443), PayloadLen=0, Seq=3469340692, Ack=1074959473, Win=517 (scale factor 0x8) = 132352 {TCP:305, IPv4:304}
1946 15:27:41 09.09.2020 14.7785789 OUTLOOK.EXE 10.100.68.19 40.101.55.162 TLS TLS:TLS Rec Layer-1 HandShake: Client Hello. {TLS:307, SSLVersionSelector:306, TCP:305, IPv4:304}
1947 15:27:41 09.09.2020 14.7861995 OUTLOOK.EXE 10.100.68.19 e584.g.akamaiedge.net TCP TCP:[ReTransmit #1880]Flags=...AP..., SrcPort=49884, DstPort=HTTPS(443), PayloadLen=193, Seq=1797575831 - 1797576024, Ack=1749374129, Win=517 (scale factor 0x8) = 132352 {TCP:297, IPv4:296}
1968 15:27:41 09.09.2020 14.8918048 OUTLOOK.EXE s-0005.s-msedge.net 10.100.68.19 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=49883, PayloadLen=0, Seq=2216698322, Ack=2988734821, Win=65535 ( Scale factor not supported ) = 16776960 {TCP:295, IPv4:294}
1969 15:27:41 09.09.2020 14.8918700 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:Flags=...A...., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=0, Seq=2988735002, Ack=2216698323, Win=517 (scale factor 0x8) = 132352 {TCP:295, IPv4:294}
1977 15:27:41 09.09.2020 14.9127024 OUTLOOK.EXE 10.100.68.19 outlook.a1.group TCP TCP:Flags=......S., SrcPort=49886, DstPort=HTTPS(443), PayloadLen=0, Seq=3444453986, Ack=0, Win=64240 ( Negotiating scale factor 0x8 ) = 64240 {TCP:312, IPv4:230}
1982 15:27:41 09.09.2020 14.9510463 OUTLOOK.EXE outlook.a1.group 10.100.68.19 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=49886, PayloadLen=0, Seq=4080430433, Ack=3444453987, Win=8190 ( Negotiated scale factor 0x8 ) = 2096640 {TCP:312, IPv4:230}
1983 15:27:41 09.09.2020 14.9511354 OUTLOOK.EXE 10.100.68.19 outlook.a1.group TCP TCP:Flags=...A...., SrcPort=49886, DstPort=HTTPS(443), PayloadLen=0, Seq=3444453987, Ack=4080430434, Win=514 (scale factor 0x8) = 131584 {TCP:312, IPv4:230}
1984 15:27:41 09.09.2020 14.9514675 OUTLOOK.EXE 10.100.68.19 outlook.a1.group TLS TLS:TLS Rec Layer-1 HandShake: Client Hello. {TLS:314, SSLVersionSelector:313, TCP:312, IPv4:230}
1988 15:27:41 09.09.2020 15.0229012 OUTLOOK.EXE 10.100.68.19 40.101.55.162 TCP TCP:[ReTransmit #1946]Flags=...AP..., SrcPort=49885, DstPort=HTTPS(443), PayloadLen=187, Seq=3469340692 - 3469340879, Ack=1074959473, Win=517 (scale factor 0x8) = 132352 {TCP:305, IPv4:304}
1999 15:27:41 09.09.2020 15.0764918 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:[ReTransmit #1867]Flags=...AP..., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=181, Seq=2988734821 - 2988735002, Ack=2216698323, Win=517 (scale factor 0x8) = 132352 {TCP:295, IPv4:294}
2012 15:27:41 09.09.2020 15.0952455 OUTLOOK.EXE 10.100.68.19 e584.g.akamaiedge.net TCP TCP:[ReTransmit #1880]Flags=...AP..., SrcPort=49884, DstPort=HTTPS(443), PayloadLen=193, Seq=1797575831 - 1797576024, Ack=1749374129, Win=517 (scale factor 0x8) = 132352 {TCP:297, IPv4:296}
2018 15:27:41 09.09.2020 15.2080739 OUTLOOK.EXE 10.100.68.19 outlook.a1.group TCP TCP:[ReTransmit #1984]Flags=...AP..., SrcPort=49886, DstPort=HTTPS(443), PayloadLen=183, Seq=3444453987 - 3444454170, Ack=4080430434, Win=514 (scale factor 0x8) = 131584 {TCP:312, IPv4:230}
2047 15:27:41 09.09.2020 15.3234957 OUTLOOK.EXE 10.100.68.19 40.101.55.162 TCP TCP:[ReTransmit #1946]Flags=...AP..., SrcPort=49885, DstPort=HTTPS(443), PayloadLen=187, Seq=3469340692 - 3469340879, Ack=1074959473, Win=517 (scale factor 0x8) = 132352 {TCP:305, IPv4:304}
2078 15:27:42 09.09.2020 15.5090427 OUTLOOK.EXE 10.100.68.19 outlook.a1.group TCP TCP:[ReTransmit #1984]Flags=...AP..., SrcPort=49886, DstPort=HTTPS(443), PayloadLen=183, Seq=3444453987 - 3444454170, Ack=4080430434, Win=514 (scale factor 0x8) = 131584 {TCP:312, IPv4:230}
2079 15:27:42 09.09.2020 15.5480563 OUTLOOK.EXE e584.g.akamaiedge.net 10.100.68.19 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=49884, PayloadLen=0, Seq=1749374128, Ack=1797575831, Win=29200 ( Negotiated scale factor 0x7 ) = 3737600 {TCP:297, IPv4:296}
2080 15:27:42 09.09.2020 15.5481206 OUTLOOK.EXE 10.100.68.19 e584.g.akamaiedge.net TCP TCP:Flags=...A...., SrcPort=49884, DstPort=HTTPS(443), PayloadLen=0, Seq=1797576024, Ack=1749374129, Win=517 (scale factor 0x8) = 132352 {TCP:297, IPv4:296}
2094 15:27:42 09.09.2020 15.6881853 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:[ReTransmit #1867]Flags=...AP..., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=181, Seq=2988734821 - 2988735002, Ack=2216698323, Win=517 (scale factor 0x8) = 132352 {TCP:295, IPv4:294}
2095 15:27:42 09.09.2020 15.6975880 OUTLOOK.EXE s-0005.s-msedge.net 10.100.68.19 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=49883, PayloadLen=0, Seq=2216698322, Ack=2988734821, Win=65535 ( Scale factor not supported ) = 16776960 {TCP:295, IPv4:294}
2096 15:27:42 09.09.2020 15.6976429 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:[Dup Ack #1969]Flags=...A...., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=0, Seq=2988735002, Ack=2216698323, Win=517 (scale factor 0x8) = 132352 {TCP:295, IPv4:294}
2097 15:27:42 09.09.2020 15.7048624 OUTLOOK.EXE 10.100.68.19 e584.g.akamaiedge.net TCP TCP:[ReTransmit #1880]Flags=...AP..., SrcPort=49884, DstPort=HTTPS(443), PayloadLen=193, Seq=1797575831 - 1797576024, Ack=1749374129, Win=517 (scale factor 0x8) = 132352 {TCP:297, IPv4:296}
2117 15:27:42 09.09.2020 15.9300385 OUTLOOK.EXE 10.100.68.19 40.101.55.162 TCP TCP:[ReTransmit #1946]Flags=...AP..., SrcPort=49885, DstPort=HTTPS(443), PayloadLen=187, Seq=3469340692 - 3469340879, Ack=1074959473, Win=517 (scale factor 0x8) = 132352 {TCP:305, IPv4:304}
2124 15:27:42 09.09.2020 16.1128508 OUTLOOK.EXE 10.100.68.19 outlook.a1.group TCP TCP:[ReTransmit #1984]Flags=...AP..., SrcPort=49886, DstPort=HTTPS(443), PayloadLen=183, Seq=3444453987 - 3444454170, Ack=4080430434, Win=514 (scale factor 0x8) = 131584 {TCP:312, IPv4:230}
2262 15:27:43 09.09.2020 16.8896323 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:[ReTransmit #1867]Flags=...AP..., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=181, Seq=2988734821 - 2988735002, Ack=2216698323, Win=517 (scale factor 0x8) = 132352 {TCP:295, IPv4:294}
2265 15:27:43 09.09.2020 16.9103637 OUTLOOK.EXE 10.100.68.19 e584.g.akamaiedge.net TCP TCP:[ReTransmit #1880]Flags=...AP..., SrcPort=49884, DstPort=HTTPS(443), PayloadLen=193, Seq=1797575831 - 1797576024, Ack=1749374129, Win=517 (scale factor 0x8) = 132352 {TCP:297, IPv4:296}
2323 15:27:43 09.09.2020 17.1434592 OUTLOOK.EXE 10.100.68.19 40.101.55.162 TCP TCP:[ReTransmit #1946]Flags=...AP..., SrcPort=49885, DstPort=HTTPS(443), PayloadLen=187, Seq=3469340692 - 3469340879, Ack=1074959473, Win=517 (scale factor 0x8) = 132352 {TCP:305, IPv4:304}
2324 15:27:43 09.09.2020 17.2926218 OUTLOOK.EXE s-0005.s-msedge.net 10.100.68.19 TCP TCP:Flags=.....R.., SrcPort=HTTPS(443), DstPort=49883, PayloadLen=0, Seq=2216698323, Ack=2988734821, Win=0 (scale factor 0x8) = 0 {TCP:295, IPv4:294}
2325 15:27:43 09.09.2020 17.2930644 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:Flags=......S., SrcPort=49894, DstPort=HTTPS(443), PayloadLen=0, Seq=483928721, Ack=0, Win=64240 ( Negotiating scale factor 0x8 ) = 64240 {TCP:365, IPv4:294}
At first, I tried with the default config. Then I disabled the fasttrack rules etc. I deleted the config and tried the basic NAT setup from the wiki in different variants… I played with filter rules and settings the last few days without success. Everything else works; just Outlook and OneDrive for Business cause problems. In my current setup, I deleted all filter rules. My current config:
[admin@MikroTik] > export compact
# sep/09/2020 15:53:26 by RouterOS 7.1beta2
# software id = ZWWL-1RYS
#
# model = RBD53G-5HacD2HnD
# serial number = C8CA0C5FAE50
/interface bridge
add admin-mac=48:8F:5A:17:40:A8 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-1740AE station-roaming=enabled wireless-protocol=802.11
/interface vlan
add interface=bridge name=ImpGuest vlan-id=70
add interface=bridge name=ImpIoT vlan-id=72
add interface=bridge name=ImpWiFi vlan-id=68
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=default ip-type=ipv4
add apn=webapn.at authentication=chap ip-type=ipv4 name=webapn
/interface lte
set [ find ] allow-roaming=no apn-profiles=webapn name=lte1 network-mode=lte
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=profile1 supplicant-identity=MikroTik wpa2-pre-shared-key=LANme2home
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=profile1 ssid=MikroTik-1740AD station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-128,3des hash-algorithm=md5 name=AES256
/ip ipsec peer
add address=51.15.27.118/32 name=online profile=AES256
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=aes-256-cbc name=proposal1 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pool_lan64 ranges=10.100.64.10-10.100.64.60
add comment=ImpGuest name=pool70 ranges=10.100.70.10-10.100.70.50
add comment=ImpWiFi name=pool68 ranges=10.100.68.10-10.100.68.100
add comment=ImpIoT name=pool72 ranges=10.100.72.10-10.100.72.100
add name=dhcp_pool5 ranges=10.100.70.1-10.100.70.50
/ip dhcp-server
add address-pool=pool_lan64 bootp-support=none disabled=no interface=bridge lease-time=6h name=LAN64
add address-pool=pool68 disabled=no interface=ImpWiFi lease-time=6h name=ImpWiFi
add address-pool=pool70 disabled=no interface=ImpGuest lease-time=6h name=ImpGuest
add address-pool=pool72 disabled=no interface=ImpIoT lease-time=12h name=ImpIoT
/ip vrf
add list=all name=main
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=68,70,72
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=ImpIoT list=LAN
add interface=ImpWiFi list=LAN
add interface=ImpGuest list=LAN
add interface=ether1 list=LAN
/interface lte settings
set external-antenna=both
/ip address
add address=10.100.64.254/24 comment=defconf interface=ether1 network=10.100.64.0
add address=10.100.68.254/24 interface=ImpWiFi network=10.100.68.0
add address=10.100.70.254/24 interface=ImpGuest network=10.100.70.0
add address=10.100.72.254/24 interface=ImpIoT network=10.100.72.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.100.64.0/24 comment=defconf dns-server=10.100.64.1,10.100.32.1 domain=in.4net.stream gateway=10.100.64.254 netmask=24
add address=10.100.68.0/24 dns-server=10.100.64.1,10.100.32.1 domain=in.4net.stream gateway=10.100.68.254 netmask=24
add address=10.100.70.0/24 dns-server=10.100.64.1,10.100.32.1 domain=in.4net.stream gateway=10.100.70.254 netmask=24
add address=10.100.72.0/24 dns-server=10.100.64.1,10.100.32.1 domain=in.4net.stream gateway=10.100.72.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.100.64.254 comment=defconf name=router.lan type=A
/ip firewall nat
add action=accept chain=srcnat dst-address=10.100.32.0/20 src-address=10.100.64.0/19
add action=accept chain=srcnat disabled=yes out-interface=lte1 src-address=92.248.45.247
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=lte1
/ip ipsec identity
add auth-method=rsa-key key=tik.4net.stream my-id=fqdn:tik.4net.stream peer=online remote-id=fqdn:gw00.4net.stream remote-key=gw00.4net.stream
/ip ipsec policy
add dst-address=10.100.32.0/20 peer=online proposal=proposal1 sa-dst-address=51.15.27.118 sa-src-address=0.0.0.0 src-address=10.100.64.0/19 tunnel=yes
/ip route
add dst-address=10.100.96.0/24 gateway=10.100.64.253 type=unicast
add dst-address=10.100.48.0/24 gateway=10.100.64.253 type=unicast
add dst-address=10.100.66.0/24 gateway=10.100.64.253 type=unicast
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.100.0.0/16
set ssh address=10.100.0.0/16
set api address=10.100.0.0/16
set winbox address=10.100.0.0/16
set api-ssl address=10.100.0.0/16
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Vienna
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
add topics=firewall
add disabled=yes topics=packet
/system package update
set channel=development
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks!
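Added example (not part of the original post): a small Python parser for Network Monitor text lines like the ones in the capture above. It groups frames by the `{TCP:n}` conversation id and flags conversations where the Client Hello is retransmitted while the server repeats its SYN-ACK. The function names and the "stalled" heuristic are assumptions of this example; the sample input is an excerpt of the posted trace.

```python
import re

# Excerpt of the capture in the post: conversation {TCP:295}, client port 49883.
TRACE = """\
1854 15:27:41 09.09.2020 14.4715489 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:Flags=......S., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=0, Seq=2988734820, Ack=0, Win=64240 ( Negotiating scale factor 0x8 ) = 64240 {TCP:295, IPv4:294}
1856 15:27:41 09.09.2020 14.4942058 OUTLOOK.EXE s-0005.s-msedge.net 10.100.68.19 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=49883, PayloadLen=0, Seq=2216698322, Ack=2988734821, Win=65535 ( Scale factor not supported ) = 16776960 {TCP:295, IPv4:294}
1857 15:27:41 09.09.2020 14.4943283 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:Flags=...A...., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=0, Seq=2988734821, Ack=2216698323, Win=517 (scale factor 0x8) = 132352 {TCP:295, IPv4:294}
1867 15:27:41 09.09.2020 14.5110228 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TLS TLS:TLS Rec Layer-1 HandShake: Client Hello. {TLS:299, SSLVersionSelector:298, TCP:295, IPv4:294}
1941 15:27:41 09.09.2020 14.7541079 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:[ReTransmit #1867]Flags=...AP..., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=181, Seq=2988734821 - 2988735002, Ack=2216698323, Win=517 (scale factor 0x8) = 132352 {TCP:295, IPv4:294}
1968 15:27:41 09.09.2020 14.8918048 OUTLOOK.EXE s-0005.s-msedge.net 10.100.68.19 TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=49883, PayloadLen=0, Seq=2216698322, Ack=2988734821, Win=65535 ( Scale factor not supported ) = 16776960 {TCP:295, IPv4:294}
1999 15:27:41 09.09.2020 15.0764918 OUTLOOK.EXE 10.100.68.19 s-0005.s-msedge.net TCP TCP:[ReTransmit #1867]Flags=...AP..., SrcPort=49883, DstPort=HTTPS(443), PayloadLen=181, Seq=2988734821 - 2988735002, Ack=2216698323, Win=517 (scale factor 0x8) = 132352 {TCP:295, IPv4:294}
2324 15:27:43 09.09.2020 17.2926218 OUTLOOK.EXE s-0005.s-msedge.net 10.100.68.19 TCP TCP:Flags=.....R.., SrcPort=HTTPS(443), DstPort=49883, PayloadLen=0, Seq=2216698323, Ack=2988734821, Win=0 (scale factor 0x8) = 0 {TCP:295, IPv4:294}
"""

CONV = re.compile(r"TCP:(\d+), IPv4:\d+\}\s*$")  # Network Monitor conversation id
FLAGS = re.compile(r"Flags=([.A-Z]{8})")          # CWR ECE URG ACK PSH RST SYN FIN
PAYLOAD = re.compile(r"PayloadLen=(\d+)")


def summarize(trace):
    """Count handshake and retransmit events per TCP conversation id."""
    stats = {}
    for line in trace.splitlines():
        conv = CONV.search(line)
        if not conv:
            continue
        s = stats.setdefault(conv.group(1), {
            "syn_ack": 0, "data_retx": 0, "client_hello": False, "rst": False})
        if "Client Hello" in line:
            s["client_hello"] = True
        flags, payload = FLAGS.search(line), PAYLOAD.search(line)
        if not (flags and payload):
            continue  # TLS summary lines carry no TCP flag field
        f = flags.group(1)
        if f[3] == "A" and f[6] == "S":
            s["syn_ack"] += 1  # counts the first SYN-ACK and every repeat
        if "[ReTransmit" in line and int(payload.group(1)) > 0:
            s["data_retx"] += 1
        if f[5] == "R":
            s["rst"] = True
    return stats


def stalled_after_handshake(s):
    """Client Hello resent and SYN-ACK repeated: consistent with the server
    never receiving the client's ACK or data that followed the SYN."""
    return s["client_hello"] and s["data_retx"] > 0 and s["syn_ack"] > 1


if __name__ == "__main__":
    for conv, s in summarize(TRACE).items():
        print(conv, s, "STALLED" if stalled_after_handshake(s) else "ok")
```

Running the same functions over a capture taken behind the working router gives a direct per-conversation comparison.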