VOIP under WireGuard with a VPS CHR as WireGuard "server", with a separate routing table and a separate network, on an LTE connection

Hi
Here is what I do; it works, but I do not think it is the best way. I am a beginner and I am not very sure about my routes, my routing rules, my mangle rules and probably other things.

VOIP under WireGuard with a VPS CHR as WireGuard "server": I have a local LAN with 2 separate routing tables (VoIP and other data) and 2 separate networks (VoIP and other data), on an LTE connection.

The LTE connection on the LHGGLTE passes the WAN IP through to the HAPAC2 on the VLAN named INTERNET.

# LHGGLTE export (excerpt): LTE uplink whose public address is passed through
# to the hAP on VLAN 10 ("internet"); the LHG keeps its own management address
# on VLAN 20. No /ip firewall section appears in this excerpt - presumably
# erased or left at default; confirm the LHG's own input chain is filtered.
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface vlan
# VLAN 10 carries the passthrough WAN address, VLAN 20 is management.
add interface=ether1 name=internet vlan-id=10
add interface=ether1 name=management vlan-id=20
/interface list
add name=LAN
add name=WAN
/interface lte apn
# Passthrough of the LTE address to the "internet" VLAN; operator DNS is not
# used (use-peer-dns=no). The APN name is a placeholder in this paste.
set [ find default=yes ] apn=xxxxxx ip-type=ipv4 passthrough-interface=internet \
    passthrough-mac=auto use-network-apn=no use-peer-dns=no
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery runs on every interface, including the
# passthrough VLAN that faces the hAP's WAN side; the LAN list defined above
# (management only) would be the tighter choice: discover-interface-list=LAN
set discover-interface-list=all
/interface list member
add interface=management list=LAN
add interface=internet list=WAN
/ip dhcp-client
# The LHG itself takes a DHCP lease on the management VLAN.
add default-route-tables=main interface=management
/system clock
set time-zone-name=Europe/Paris
/system routerboard settings
set auto-upgrade=yes
/tool romon
# RoMON enabled; no secret or per-port restriction appears in this excerpt -
# confirm, since RoMON is reachable by layer 2 on every enabled port.
set enabled=yes

HAPAC2 with INTERNET (VLAN under ether1) as the DHCP-client WAN, a bridge/DHCP server with ether2, 3, 4, wifi1, wifi2, and ether5 as a DHCP server for VOIP

# HAPAC2 export (excerpt): WAN on VLAN "INTERNET" (DHCP client), data LAN on
# the bridge (192.168.88.0/24), VoIP LAN on ether5 (192.168.100.0/24), and a
# WireGuard tunnel "wireg-ovh" to the VPS (10.20.0.0/24, this side 10.20.0.100).
# Values shown as xxx... are placeholders from the forum paste.
# The /interface list member section is not in this excerpt, so which
# interfaces are in LAN/WAN (and whether wireg-ovh is in either) is unknown;
# several rules below depend on that membership.
/interface bridge
# "admin-mac+" looks like a paste typo for "admin-mac=".
add admin-mac+xxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wifi
# NOTE(review): wifi1 is set to country "United States" while wifi2 uses
# France - presumably one of the two is a mistake.
set [ find default-name=wifi1 ] channel.band=2ghz-n .frequency=2412,2437,2462 \
    .skip-dfs-channels=10min-cac .width=20mhz configuration.country=\
    "United States" .mode=ap .ssid=-2GHZ datapath.bridge=bridge disabled=\
    no security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] channel.band=5ghz-ac .frequency=\
    5180,5260,5500 .skip-dfs-channels=10min-cac .width=20/40/80mhz \
    configuration.country=France .mode=ap .ssid=-5GHZ datapath.bridge=\
    bridge disabled=no security.authentication-types=wpa2-psk
/interface wireguard
add listen-port=51820 mtu=1420 name=wireg-ovh
/interface vlan
add interface=ether1 name=INTERNET vlan-id=10
add interface=ether1 name=management vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool2 interface=ether5 name=dhcp1
/routing table
# Separate FIB for the VoIP side; populated under /ip route below.
add disabled=no fib name=VOIP
/disk settings
# NOTE(review): any inserted media is automatically shared (SMB) on the bridge.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
# The LHG management VLAN is a port of the data bridge, so every data-LAN
# client can reach the LHG's management address.
add bridge=bridge interface=management
/ip neighbor discovery-settings
# NOTE(review): discovery on all interfaces, including INTERNET and the tunnel;
# discover-interface-list=LAN would limit it.
set discover-interface-list=all
/interface wireguard peers
# allowed-address=0.0.0.0/0: any destination may be sent into the tunnel and any
# source address is accepted from the VPS. This is what lets the two default
# routes below (VOIP table, and main at distance 2) use 10.20.0.1 as gateway.
# The endpoint is the VPS public address (placeholder); as far as this excerpt
# shows the hAP initiates and the VPS is the responder, so no inbound
# 51820/udp has to be accepted on this side.
add allowed-address=0.0.0.0/0 endpoint-address=XXXXXXXXXXX (wan ip VPS wireguard "server")endpoint-port=\
    51820 interface=wireg-ovh name=peer1 persistent-keepalive=25s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.100.1/24 interface=ether5 network=192.168.100.0
add address=10.20.0.100/24 interface=wireg-ovh network=10.20.0.0
/ip dhcp-client
# WAN lease on the passthrough VLAN; operator DNS/NTP are ignored.
add default-route-tables=main interface=INTERNET use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# No dns-server is handed out on the VoIP subnet; phones only get a gateway.
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
# The router resolves for clients (via 8.8.8.8 / 8.8.4.4). The input rule
# "drop all not coming from LAN" is what keeps this from answering on the WAN
# side, so it relies on INTERNET not being in the LAN list (confirm).
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
# "autorise" = the VPS public address and its tunnel address.
add address=xxxxxxxxxxxxxxxx (wan ip VPS with wireguard server) list=autorise
add address=10.20.0.1 list=autorise
/ip firewall filter
# NOTE(review): this first rule accepts anything from the two autorise
# addresses to the router itself, on any port, before the state checks.
# Consider restricting it to the services you actually use from the VPS
# (management), since the tunnel handshake does not need it.
add action=accept chain=input src-address-list=autorise
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything else bound for the router that does not arrive on a LAN-list
# interface is dropped. Whether wireg-ovh is in LAN decides if tunnel hosts
# other than 10.20.0.1 can reach the router at all.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward: anything towards the VPS addresses is accepted before the state
# rules, new connections included.
add action=accept chain=forward dst-address-list=autorise
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttrack is disabled; keep it that way - fasttracked connections would
# bypass the mangle rules below (connection/routing marks and DSCP).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# This only matches interfaces in the WAN list. If wireg-ovh is not a WAN
# member, new connections arriving from the tunnel fall off the end of the
# forward chain and are accepted by default - confirm the membership.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
# UDP from the VoIP subnet to the provider range on the SIP/RTP ports gets the
# VOIP connection mark. 5962 is an unusual port (5061 is the usual SIP-TLS
# port) - confirm it with the provider.
add action=mark-connection chain=prerouting dst-address=xxxxxxxxx (ip range for VOIP provider) \
    new-connection-mark=VOIP port=5060,5962,30000-40000 protocol=udp \
    src-address=192.168.100.0/24
# DSCP 46 (EF) on marked packets; only useful as far as the upstream honours it.
add action=change-dscp chain=prerouting connection-mark=VOIP new-dscp=46
# NOTE(review): this routing mark overlaps with the routing rule
# "interface=ether5 table=VOIP" below, which already sends everything from
# ether5 (not only SIP/RTP) through the VOIP table. Decide which you want:
# the mark (only SIP/RTP via the tunnel) or the rule (the whole VoIP subnet).
add action=mark-routing chain=prerouting connection-mark=VOIP \
    new-routing-mark=VOIP
/ip firewall nat
# Masquerade towards WAN-list interfaces only. Whether traffic into the tunnel
# is NATed depends on wireg-ovh being a WAN member (not visible here); if it is
# not, the VPS needs a route back to 192.168.100.0/24 (its peer allowed-address
# already lists that subnet).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
# SIP conntrack helper switched off.
set sip disabled=yes
/ip route
# VOIP table: default via the VPS tunnel address, plus the two directly
# connected subnets the table needs (connected routes live in main only).
add disabled=no dst-address=0.0.0.0/0 gateway=10.20.0.1 routing-table=VOIP \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.20.0.0/24 gateway=wireg-ovh \
    routing-table=VOIP scope=10 suppress-hw-offload=no target-scope=5
# NOTE(review): main-table default at distance 2 via the tunnel: if the
# INTERNET DHCP route disappears, ALL LAN traffic fails over into the tunnel,
# which at that point may have no path out itself. Presumably intentional as a
# backup; note the VPS export also has a distance-3 default pointing back at
# wireguard1, so in that situation the two could loop - confirm it is wanted.
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.20.0.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.100.0/24 gateway=ether5 \
    routing-table=VOIP scope=10 suppress-hw-offload=no target-scope=5
/routing rule
# Traffic entering on the tunnel or on ether5 is looked up in VOIP first
# (with action=lookup a miss in VOIP is expected to fall back to main).
add action=lookup disabled=no interface=wireg-ovh table=VOIP
add action=lookup disabled=no interface=ether5 table=VOIP
/system clock
set time-zone-name=Europe/Paris
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

and VPS
# VPS CHR export (excerpt, some lines erased by the author): public ether1
# (DHCP), WireGuard "wireguard1" as responder with tunnel address 10.20.0.1,
# masquerading the hAP's traffic out to the Internet. xxx... are placeholders.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add name=WAN
/interface wireless security-profiles
# Leftover default on a CHR with no wireless interface; harmless.
set [ find default=yes ] supplicant-identity=MikroTik
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0

/system logging action
set 0 memory-lines=4000
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
# Both the public interface and the tunnel are in WAN: the masquerade rule
# below therefore also NATs traffic sent into the tunnel, and the
# "drop all from WAN not DSTNATed" rule also sees packets from the tunnel.
add interface=ether1 list=WAN
add interface=wireguard1 list=WAN
/interface wireguard peers
# NOTE(review): allowed-address is the set of SOURCE addresses accepted from
# this peer (and what may be routed to it). 10.20.0.100/32 and 192.168.100.0/24
# are what the hAP actually sends; listing the VoIP server's address here lets
# the peer send packets with that source, which nothing in the hAP export
# needs - presumably a confusion with the firewall address-list. 10.20.0.2/32
# is not referenced anywhere else in this excerpt.
add allowed-address=\
    10.20.0.100/32,xxxxxx (VOIP server),192.168.100.0/24,10.20.0.2/32 interface=\
    wireguard1 name=test persistent-keepalive=25s public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxx=" responder=yes
/ip address
add address=10.20.0.1/24 interface=wireguard1 network=10.20.0.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list

# "autorise" = the whole tunnel subnet plus the VoIP provider (placeholder).
add address=10.20.0.0/24 list=autorise
add address=xxxxxx (VOIP server) list=autorise
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-nat-state="" \
    connection-state=established,related,untracked
# WireGuard handshake/transport port open to the Internet (required here).
add action=accept chain=input dst-port=51820 protocol=udp
add action=accept chain=input log-prefix=icmp protocol=icmp
# Tunnel hosts and the VoIP provider may reach any service on the VPS itself.
add action=accept chain=input comment="input accept autorise" \
    src-address-list=autorise
add action=accept chain=input dst-address=127.0.0.1 log-prefix=127
# NOTE(review): "input drop else" comes BEFORE "drop-invalid", so the invalid
# rule below can never match (its log will stay empty). Move drop-invalid up,
# right after the established/related rule, if you want that log.
add action=drop chain=input comment="input drop else " log-prefix=drop-else
add action=drop chain=input comment=drop-invalid connection-state=invalid \
    log=yes log-prefix=drop-invalid
# NOTE(review): new connections sourced from 10.20.0.0/24 OR from the VoIP
# provider are forwarded anywhere. Replies from the provider are already
# covered by the established/related rule below, so the provider entry here
# only adds the ability for it to INITIATE connections towards the tunnel
# (the hAP side then decides whether to accept them). Consider limiting this
# rule to in-interface=wireguard1 or to the 10.20.0.0/24 source only.
add action=accept chain=forward src-address-list=autorise
add action=accept chain=output dst-address-list=autorise
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttrack disabled; it would bypass the mangle marking below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=no-mark connection-state=established,related disabled=yes \
    hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# New, non-DSTNATed connections from ether1 or the tunnel are dropped unless
# their source is in autorise (those were already accepted above).
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    drop-,not-dstnat-ether1 src-address-list=!autorise
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
/ip firewall mangle
# NOTE(review): unlike the hAP rule, this marks ANY UDP on these ports from any
# source, including random Internet hosts probing 30000-40000 on the VPS.
# Harmless for filtering (those packets are dropped anyway) but it makes the
# connection-mark counters meaningless; consider adding in-interface=wireguard1
# so only connections coming from the hAP are marked.
add action=mark-connection chain=prerouting new-connection-mark=VOIP port=\
    5060,5962,30000-40000 protocol=udp
add action=change-dscp chain=prerouting connection-mark=VOIP new-dscp=46
/ip firewall nat
# Source NAT out of every WAN-list interface, i.e. ether1 AND wireguard1.
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall service-port
# SIP conntrack helper switched off.
set sip disabled=yes
/ip ipsec profile
# Unused here (no IPsec peers in this excerpt).
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# NOTE(review): a main-table default route INTO the tunnel at distance 3. No
# purpose for it is visible in this excerpt: if the ether1 DHCP route goes
# away the VPS would push all its traffic to the hAP, whose own backup default
# points back at this VPS. Confirm it is wanted. Also, no route for
# 192.168.100.0/24 via wireguard1 appears here; if the hAP does not masquerade
# into the tunnel one is needed, e.g.
# /ip route add dst-address=192.168.100.0/24 gateway=wireguard1
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wireguard1 \
    routing-table=main suppress-hw-offload=no
# This line does not belong under /ip route (it looks like a leftover from an
# erased /ip smb section); as pasted it would be rejected here.
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Paris

I have erased some lines of the VPS configuration.

Sorry for this long post, but if someone can tell me something it would be great.

Can you add a network diagram please.

@anav
here is what I can explain