Hello,
I have just completed the configuration of Load Balancing with two WANs. However, after this, VPN clients (PPTP and L2TP) are unable to access the LAN. Could anyone help identify which rule might be blocking VPN clients from accessing the LAN?
Proxy-ARP is already set on the bridge.
Make an export to a text file of your router’s current configuration. Remove confidential information (passwords, serial numbers, etc.) from this file and post it in this thread in the CODE tags.
Yes, your config blocks it.
Revised question (with config file):
I have the following setup on my MikroTik router:
Three DHCP networks:
10.10.0.0/24
10.10.3.0/24
10.5.50.0/24
The devices in these networks cannot ping each other.
Additionally, VPN clients (using L2TP in a LAN-to-LAN configuration) cannot reach devices behind either router.
Could you please help me resolve these issues?
/interface bridge
# NOTE(review): both bridges answer ARP on behalf of other hosts. On bridge1 this
# is what lets PPP/VPN clients that get an address from the 10.10.0.0/24 pool
# (see /ppp profile, local-address=10.10.0.1) be reached by LAN hosts.
# Fiber-bridge has no PPP profile bound to its subnet in this export, so confirm
# proxy-arp there is intended rather than a leftover.
add arp=proxy-arp name=Fiber-bridge
add arp=local-proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=WAN-1
# ether2 is a standalone L3 port (10.5.50.1/24, hotspot segment), so its ARP
# setting applies to it directly.
set [ find default-name=ether2 ] arp=proxy-arp
# NOTE(review): ether3-ether10 are bridge member ports (see /interface bridge
# port); the ARP mode that should take effect for them is the bridge's own, so
# the per-port proxy-arp settings below look like leftovers - confirm before
# removing them.
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=ether5 ] arp=proxy-arp name="ether5 LAN"
set [ find default-name=ether6 ] arp=proxy-arp
set [ find default-name=ether7 ] arp=proxy-arp
set [ find default-name=ether8 ] arp=local-proxy-arp
set [ find default-name=ether9 ] arp=local-proxy-arp
set [ find default-name=ether10 ] arp=local-proxy-arp
/interface list
# Interface lists referenced by firewall rules (in-interface-list / out-interface-list).
# Membership is set under /interface list member further down - check it before
# applying any rule that matches on these lists.
add name=WAN
add name=LAN
/interface lte apn
# Default LTE APN entry; no LTE interface appears in this export.
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# Default wireless security profile; no wireless interface appears in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# NOTE(review): login-by=mac with mac-auth-mode=mac-as-username-and-password
# means a client is authenticated by its MAC address alone, against RADIUS
# (use-radius=yes). A MAC is visible to every host on the segment and is not a
# secret, so this is device identification / rate limiting, not access control.
# http-chap is the fallback login; it runs over plain HTTP (challenge-hashed
# password, page content in clear).
add dns-name=assiraat.local login-by=mac,http-chap mac-auth-mode=\
mac-as-username-and-password name=hsprof1 use-radius=yes
# Same login scheme for the Fiber segment; hotspot-address pins the portal to
# 10.10.3.1. Both profiles share the dns-name assiraat.local.
add dns-name=assiraat.local hotspot-address=10.10.3.1 login-by=mac,http-chap \
mac-auth-mode=mac-as-username-and-password name=Fiber_profile use-radius=\
yes
/ip pool
# NOTE(review): pool "dhcp" is used both by DHCP server dhcp1 (bridge1) and as
# remote-address=dhcp for PPP profiles profile1 and LT2P_User, so VPN clients
# and LAN hosts draw from the same 10.10.0.21-254 range. The fixed L2TP peer
# address 10.10.0.2 (LPTP_profile) sits outside the pool, which is correct.
add name=dhcp ranges=10.10.0.21-10.10.0.254
# Hotspot segment on ether2 (10.5.50.0/24).
add name=hs-pool-11 ranges=10.5.50.20-10.5.50.254
# Fiber-bridge segment (10.10.3.0/24); note the range stops at .154.
add name=dhcp_Fiber ranges=10.10.3.20-10.10.3.154
/ip dhcp-server
# One DHCP server per segment; all use a 10-minute lease.
add address-pool=dhcp interface=bridge1 lease-time=10m name=dhcp1
# ether2 is the hotspot segment; the server name "proxy net" is referenced by
# the static leases below.
add address-pool=hs-pool-11 interface=ether2 lease-time=10m name="proxy net"
add address-pool=dhcp_Fiber interface=Fiber-bridge lease-time=10m name=dhcp2
/ip hotspot
# Hotspot on the ether2 segment; addresses-per-mac=1 limits each MAC to a
# single hotspot address.
add address-pool=hs-pool-11 addresses-per-mac=1 disabled=no interface=ether2 \
name=hotspot1 profile=hsprof1
# Second hotspot on Fiber-bridge, sharing the same login scheme via Fiber_profile.
add address-pool=dhcp_Fiber addresses-per-mac=1 disabled=no interface=\
Fiber-bridge name=Fiber_hotspot profile=Fiber_profile
/ip hotspot user profile
# Per-user rate-limit profiles (upload/download). The profile name is the only
# thing that distinguishes them, so keep names and limits in sync.
add address-pool=hs-pool-11 name=2MB rate-limit=2M/2M
add address-pool=hs-pool-11 name=4MB rate-limit=4M/4M
add address-pool=hs-pool-11 name=1MB rate-limit=1M/1M
add address-pool=hs-pool-11 name=40MB rate-limit=40M/40M
add address-pool=dhcp_Fiber name=4MB_Fiber rate-limit=4M/4M
# NOTE(review): "2MB_ Fiber" (with a space) is limited to 1M/1M, which
# contradicts its name, and a proper 2MB_Fiber profile exists right below.
# Neither is referenced by the /ip hotspot user entries in this export - looks
# like a typo/leftover; verify and remove.
add address-pool=dhcp_Fiber name="2MB_ Fiber" rate-limit=1M/1M
add address-pool=dhcp_Fiber name=2MB_Fiber rate-limit=2M/2M
/port
# Default serial console port entry.
set 0 name=serial0
/ppp profile
# All three profiles hand out local-address=10.10.0.1 (bridge1's own address),
# so VPN clients land inside 10.10.0.0/24 and rely on the bridge's proxy-arp.
# profile1 is used by the PPTP secrets; clients get an address from pool "dhcp".
add dns-server=10.10.0.10,8.8.8.8 local-address=10.10.0.1 name=profile1 \
remote-address=dhcp
# NOTE(review): "LPTP_profile" and "LT2P_User" look like transposed spellings of
# L2TP; renaming them also requires updating the matching /ppp secret entries.
# LPTP_profile gives the LAN-to-LAN peer the fixed address 10.10.0.2, which is
# the gateway of the 192.168.10.0/24 static route under /ip route.
add dns-server=10.10.0.10,8.8.8.8 local-address=10.10.0.1 name=LPTP_profile \
remote-address=10.10.0.2
# LT2P_User sets no dns-server, unlike the other two profiles - presumably
# unintended; verify.
add local-address=10.10.0.1 name=LT2P_User remote-address=dhcp
/routing bgp template
# NOTE(review): no BGP connection and no OSPF interface-template appear in this
# export, so the BGP template and OSPF instance below are presumably inert.
# If dynamic routing is not in use, disabling them removes an unneeded listener.
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
# bridge1 (10.10.0.0/24 LAN): ether3-ether6. ether2 is deliberately not bridged;
# it is the standalone hotspot segment.
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface="ether5 LAN"
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether6
# Fiber-bridge (10.10.3.0/24): ether7-ether9. ether10 is in no bridge.
add bridge=Fiber-bridge ingress-filtering=no interface=ether9
add bridge=Fiber-bridge ingress-filtering=no interface=ether8
add bridge=Fiber-bridge ingress-filtering=no interface=ether7
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is disabled, so no IPv6 firewall is needed while this stays set.
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
# L2TP with IPsec transport. The IPsec pre-shared key is not shown here
# (presumably stripped along with the other secrets, as asked in the thread);
# it is one key shared by every L2TP client, so rotate it if a client is lost.
set enabled=yes use-ipsec=yes
/interface list member
add interface=WAN-1 list=WAN
# NOTE(review): only bridge1 is in the LAN list. Fiber-bridge (10.10.3.0/24),
# ether2 (10.5.50.0/24 hotspot) and the dynamic PPTP/L2TP interfaces are in
# neither list. Any input rule of the form "drop all not coming from LAN"
# (as in the default firewall proposed later in the thread) will then drop
# DHCP, DNS and hotspot-portal traffic from those two segments - add them to
# LAN before enabling such a rule.
add interface=bridge1 list=LAN
/interface ovpn-server server
# NOTE(review): auth=sha1,md5 still permits MD5 HMAC; drop md5 (and prefer
# sha256 if this RouterOS version offers it). require-client-certificate=yes is
# the right setting. Because no input rule restricts it, this server is
# reachable on every interface, including WAN-1.
set auth=sha1,md5 certificate=Server cipher=aes256-cbc enabled=yes \
require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# NOTE(review): beyond the warning above, authentication=chap,mschap1,mschap2
# allows CHAP and MS-CHAPv1, neither of which gives usable MPPE encryption.
# If PPTP cannot be disabled yet, at least reduce this to authentication=mschap2
# and plan to move the two PPTP secrets to L2TP/IPsec (already enabled above).
set authentication=chap,mschap1,mschap2 enabled=yes
/ip address
# Public /30 on WAN-1; 209.150.147.49 is the upstream gateway used in /ip route.
add address=209.150.147.50/30 interface=WAN-1 network=209.150.147.48
add address=10.10.0.1/24 interface=bridge1 network=10.10.0.0
add address=10.5.50.1/24 comment="hotspot network" interface=ether2 network=\
10.5.50.0
add address=10.10.3.1/24 interface=Fiber-bridge network=10.10.3.0
# NOTE(review): only one WAN address is present, although the question mentions
# two WANs with load balancing; the second WAN and its routing/mangle rules
# are not in this export.
/ip dhcp-server lease
# Static leases. The bridge1 leases (.145 and .24) fall inside the dynamic
# range of pool "dhcp"; RouterOS should reserve them, but verify.
add address=10.10.0.145 client-id=1:0:c:29:61:d6:dd mac-address=\
00:0C:29:61:D6:DD server=dhcp1
# NOTE(review): this MAC also has a static hotspot user entry with
# address=10.5.50.22 - two different fixed addresses for one host; verify which
# one is meant to win.
add address=10.5.50.125 client-id=1:48:4d:7e:e5:b:1b mac-address=\
48:4D:7E:E5:0B:1B server="proxy net"
add address=10.5.50.197 client-id=1:24:b7:2a:da:55:8e mac-address=\
24:B7:2A:DA:55:8E server="proxy net"
# NOTE(review): 10.5.50.12 is also assigned under /ip hotspot user to a
# different MAC (48:4D:7E:ED:A5:FD) - address conflict; verify.
add address=10.5.50.12 client-id=1:48:4d:7e:e5:2b:f1 mac-address=\
48:4D:7E:E5:2B:F1 server="proxy net"
add address=10.10.0.24 client-id=1:24:6e:96:40:ca:d8 mac-address=\
24:6E:96:40:CA:D8 server=dhcp1
/ip dhcp-server network
add address=10.5.50.0/24 dns-server=10.5.50.10 domain=assiraat.local gateway=\
10.5.50.1
# NOTE(review): 10.6.60.0/24 and 192.168.200.0/24 have no matching /ip address,
# pool or DHCP server in this export - stale entries that can be removed.
add address=10.6.60.0/24 gateway=10.6.60.1
# No dns-server is set for 10.10.0.0/24, unlike the other two live networks;
# verify what clients on bridge1 actually receive.
add address=10.10.0.0/24 gateway=10.10.0.1
# NOTE(review): domain is "Assiraat.local" here but "assiraat.local" elsewhere;
# harmless for DNS (case-insensitive) but worth making consistent.
add address=10.10.3.0/24 dns-server=10.10.3.10,8.8.8.8,4.4.4.4 domain=\
Assiraat.local gateway=10.10.3.1
add address=192.168.200.0/24 gateway=192.168.200.1
/ip dns
# NOTE(review): 4.4.4.4 is not a well-known public resolver - presumably a typo
# for 8.8.4.4; verify. allow-remote-requests is not set in this export (so the
# router is not acting as a resolver for clients); if it is enabled later, an
# input rule must stop port 53 from being reachable from WAN.
set servers=10.10.0.10,8.8.8.8,4.4.4.4
/ip firewall address-list
# Hotspot segment; source of the Facebook/YouTube blocking rules.
add address=10.5.50.0/24 list=Proxy-Net
# "LAN" here covers only bridge1's subnet, not the Fiber or hotspot segments.
add address=10.10.0.0/24 list=LAN
# The router's own public address; used as dst-address-list by the dst-nat rules.
add address=209.150.147.50 list=WAN
/ip firewall filter
# NOTE(review): this filter has no terminating drop in either chain. The input
# chain therefore accepts everything (management on 5555/5556, OVPN, PPTP,
# L2TP, RADIUS CoA, ...) from WAN-1, and the forward chain lets any new
# connection through; the accept rules below are no-ops because nothing after
# them drops. The only effective rules are the two content-based drops for the
# hotspot segment.
add action=drop chain=forward comment=Facebook dst-address-list=IP-Facebook \
src-address-list=Proxy-Net
add action=drop chain=forward comment="Block youtube" dst-address-list=\
IP-Youtube src-address-list=Proxy-Net
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here"
# Only meaningful once a "drop all not coming from LAN" input rule follows it.
add action=accept chain=input dst-port=1723 protocol=tcp
# The three forward accepts below are redundant (no later drop; under a default
# firewall the FTP ports are DSTNATed and the L2TP subnet does not enter via WAN).
add action=accept chain=forward comment=FTP dst-port=21 protocol=tcp
add action=accept chain=forward dst-port=50000-51000 protocol=tcp
add action=accept chain=forward comment=L2TP dst-address=10.10.0.0/24 \
src-address=192.168.10.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here"
# Masquerade for everything leaving via WAN-1 (covers all three LAN subnets).
add action=masquerade chain=srcnat out-interface=WAN-1
# NOTE(review): these two masquerade rules match on src-address only, with no
# out-interface, so they also rewrite the source of hotspot/Fiber traffic going
# to the other internal subnets (and into the VPN), not just to the internet.
# The WAN-1 rule above already covers the internet path; scoping these with
# out-interface=WAN-1 (or removing them) is presumably what was intended -
# this may be one cause of the cross-subnet ping problem, verify.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.10.3.0/24
# NOTE(review): the dst-nat rules below publish RDP (3389), MS SQL (1433),
# FTP (21), SSH (22), HTTP (80) and 8080 on 10.10.0.10 to the whole internet,
# with nothing in the filter limiting who may connect. RDP and SQL Server
# exposed this way are a common entry point for ransomware; reach them through
# the VPN instead, and keep only what truly needs to be public.
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=3389 protocol=\
tcp to-addresses=10.10.0.10 to-ports=3389
add action=dst-nat chain=dstnat comment="SQL Server" dst-address-list=WAN \
dst-port=1433 protocol=tcp to-addresses=10.10.0.10 to-ports=1433
add action=dst-nat chain=dstnat comment="FTP Server" dst-address-list=WAN \
dst-port=21 protocol=tcp to-addresses=10.10.0.10 to-ports=21
# Port 22 is SSH/SFTP, not a second FTP port; the comment is misleading.
add action=dst-nat chain=dstnat comment="FTP Server port 2" dst-address-list=\
WAN dst-port=22 protocol=tcp to-addresses=10.10.0.10 to-ports=22
add action=dst-nat chain=dstnat comment=HIMS dst-address-list=WAN dst-port=80 \
protocol=tcp to-addresses=10.10.0.10 to-ports=80
add action=dst-nat chain=dstnat comment=HR dst-address-list=WAN dst-port=8080 \
protocol=tcp to-addresses=10.10.0.10 to-ports=8080
# Remote site 192.168.10.0/24 is hidden behind the router's address when it
# talks to 10.10.0.0/24; LAN hosts therefore never see remote source addresses.
add action=masquerade chain=srcnat comment="L2TP/VPN Islamabad" dst-address=\
10.10.0.0/24 src-address=192.168.10.0/24
# NOTE(review): unlike the other dst-nat rules this one has no
# dst-address-list=WAN, so it redirects TCP 50000-51000 to 10.10.0.10 for
# *any* destination, including LAN clients connecting to outside hosts on
# those ports. Add dst-address-list=WAN to scope it like the others.
add action=dst-nat chain=dstnat comment="FTP account" dst-port=50000-51000 \
protocol=tcp to-addresses=10.10.0.10
/ip firewall raw
# Learns Facebook/YouTube server addresses by payload string match in raw
# prerouting and feeds them to the IP-Facebook / IP-Youtube lists that the
# forward-chain drops use. address-list-timeout=none-dynamic keeps the learned
# entries until reboot. On HTTPS only the TLS ClientHello (SNI) carries the
# hostname in clear, so matching is best-effort - presumably acceptable here.
# NOTE(review): this first rule and the "web.facebook.com" rule below use
# src-address-list=IP-Facebook, while every other rule uses
# src-address-list=Proxy-Net. As written they only fire for packets whose
# source is already in the list, so they never learn anything from hotspot
# clients - looks like a copy/paste slip; should be src-address-list=Proxy-Net.
add action=add-dst-to-address-list address-list=IP-Facebook \
address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
content=.facebook.com dst-address-list=!Proxy-Net src-address-list=\
IP-Facebook
add action=add-dst-to-address-list address-list=IP-Youtube \
address-list-timeout=none-dynamic chain=prerouting comment=Youtube \
content=.youtube.com disabled=yes dst-address-list=!Proxy-Net \
src-address-list=Proxy-Net
add action=add-dst-to-address-list address-list=IP-Facebook \
address-list-timeout=none-dynamic chain=prerouting comment=Facebook \
content=web.facebook.com disabled=yes dst-address-list=!Proxy-Net \
src-address-list=IP-Facebook
add action=add-dst-to-address-list address-list=IP-Facebook \
address-list-timeout=none-dynamic chain=prerouting content=.facebook.net \
dst-address-list=!Proxy-Net src-address-list=Proxy-Net
add action=add-dst-to-address-list address-list=IP-Facebook \
address-list-timeout=none-dynamic chain=prerouting content=.fbcdn.net \
dst-address-list=!Proxy-Net src-address-list=Proxy-Net
add action=add-dst-to-address-list address-list=IP-Facebook \
address-list-timeout=none-dynamic chain=prerouting content=.fbsbx.com \
dst-address-list=!Proxy-Net src-address-list=Proxy-Net
# Short patterns like "fb.com" and "m.me" can also match unrelated hostnames
# (e.g. anything ending in "...fb.com"); expect some false positives.
add action=add-dst-to-address-list address-list=IP-Facebook \
address-list-timeout=none-dynamic chain=prerouting content=fb.com \
dst-address-list=!Proxy-Net src-address-list=Proxy-Net
add action=add-dst-to-address-list address-list=IP-Facebook \
address-list-timeout=none-dynamic chain=prerouting content=fb.gg \
disabled=yes dst-address-list=!Proxy-Net src-address-list=Proxy-Net
add action=add-dst-to-address-list address-list=IP-Facebook \
address-list-timeout=none-dynamic chain=prerouting content=fbwat.ch \
disabled=yes dst-address-list=!Proxy-Net src-address-list=Proxy-Net
add action=add-dst-to-address-list address-list=IP-Facebook \
address-list-timeout=none-dynamic chain=prerouting content=messenger.com \
dst-address-list=!Proxy-Net src-address-list=Proxy-Net
add action=add-dst-to-address-list address-list=IP-Facebook \
address-list-timeout=none-dynamic chain=prerouting content=m.me \
dst-address-list=!Proxy-Net src-address-list=Proxy-Net
/ip hotspot user
# NOTE(review): both hotspot profiles use login-by=mac with
# mac-as-username-and-password, so each entry's credential is the client MAC
# alone (name == mac-address). A MAC is visible to every host on the segment
# and is not a secret: treat this table as per-device identity / rate-limit
# bookkeeping, not as access control, and keep anything sensitive behind the
# VPN or a password-based login.
# Entries without profile= fall back to the hotspot's default profile. Entries
# without mac-address= (e.g. "dr asim", "dr tahira") presumably still work for
# MAC login because the name equals the MAC, but they are not pinned to that
# MAC for the http-chap path - verify this is intended.
# Several address= values here conflict with /ip dhcp-server lease for the same
# host (48:4D:7E:E5:0B:1B: 10.5.50.22 here vs 10.5.50.125 as a lease;
# 10.5.50.12: 48:4D:7E:ED:A5:FD here vs 48:4D:7E:E5:2B:F1 as a lease) - pick one
# source of truth.
add name=admin
add comment="Clinc-5 " mac-address=18:66:DA:16:16:1B name=18:66:DA:16:16:1B \
profile=2MB server=hotspot1
add address=10.5.50.4 comment="IT Office" mac-address=48:4D:7E:E5:6D:27 name=\
48:4D:7E:E5:6D:27 profile=4MB server=hotspot1
add address=10.5.50.19 comment="USB LAN Adapter" mac-address=\
00:E0:4C:68:0F:FC name=00:E0:4C:68:0F:FC profile=2MB server=hotspot1
add address=10.5.50.18 comment="Ali Majeed Mobile" mac-address=\
AC:73:52:BB:DE:C1 name=AC:73:52:BB:DE:C1 profile=1MB server=hotspot1
add comment="HR -PC (Hanan Sarfaraz)" mac-address=C8:D9:D2:1A:16:6E name=\
C8:D9:D2:1A:16:6E profile=4MB server=hotspot1
add address=10.5.50.21 comment="Furqan Javaid Laptop" mac-address=\
9C:B6:54:9E:11:08 name=9C:B6:54:9E:11:08 profile=1MB server=hotspot1
# Conflicts with the DHCP lease for the same MAC (10.5.50.125); see header note.
add address=10.5.50.22 comment="Admin Excutive-PC (Dilshad Nawaz)" \
mac-address=48:4D:7E:E5:0B:1B name=48:4D:7E:E5:0B:1B profile=4MB server=\
hotspot1
add address=10.5.50.23 comment="Percurement Officer -PC (M.Tahir)" \
mac-address=48:4D:7E:E5:30:01 name=48:4D:7E:E5:30:01 profile=1MB server=\
hotspot1
add address=10.5.50.24 comment="HR Officer Mobile (Hanan Sarfaraz)" \
mac-address=38:38:4B:CB:86:7E name=38:38:4B:CB:86:7E profile=1MB server=\
hotspot1
add address=10.5.50.25 comment="Pharmacy-PC (Furqan Javaid)" mac-address=\
48:4D:7E:E5:35:ED name=48:4D:7E:E5:35:ED profile=4MB server=hotspot1
add address=10.5.50.26 comment="Qazi Shafi Mobile" mac-address=\
18:E7:77:82:89:9F name=18:E7:77:82:89:9F profile=4MB server=hotspot1
# Uses the Fiber profile (4MB_Fiber, pool dhcp_Fiber) on server hotspot1, whose
# segment is 10.5.50.0/24 - probably meant to be 4MB; verify.
add comment="Qazi Shafi Laptop" mac-address=04:6C:59:EF:4E:9E name=\
04:6C:59:EF:4E:9E profile=4MB_Fiber server=hotspot1
add address=10.5.50.28 comment="Percurement Officer-Mobile (M.Tahir)" \
mac-address=90:97:F3:B0:DF:68 name=90:97:F3:B0:DF:68 profile=1MB server=\
hotspot1
add address=10.5.50.29 comment="Furqan Javaid Mobile" mac-address=\
80:79:5D:E5:68:B9 name=80:79:5D:E5:68:B9 profile=1MB server=hotspot1
add address=10.5.50.16 comment="Dilshad Nawaz Mobile " mac-address=\
C4:A4:51:6B:03:8B name=C4:A4:51:6B:03:8B profile=1MB server=hotspot1
add comment="M.Waqas Civil Engnr" mac-address=B4:0F:B3:30:8D:EF name=\
B4:0F:B3:30:8D:EF profile=1MB server=hotspot1
# NOTE(review): 10.50.5.14 is outside the hotspot subnet 10.5.50.0/24 -
# probably a typo for 10.5.50.14, which is already used below by
# D4:63:DE:FB:12:62; verify.
add address=10.50.5.14 comment="Reception-PC (Usman)" mac-address=\
48:4D:7E:E5:2E:37 name=48:4D:7E:E5:2E:37 profile=4MB server=hotspot1
add address=10.5.50.13 comment="Project Manager Ashraf shb" mac-address=\
6C:00:6B:07:56:93 name=6C:00:6B:07:56:93 profile=2MB server=hotspot1
add address=10.5.50.11 comment="Malik Ishaq Mobile" mac-address=\
2C:9D:65:64:AA:DA name=2C:9D:65:64:AA:DA profile=1MB server=hotspot1
# 10.5.50.12 is also a DHCP lease for a different MAC; see header note.
add address=10.5.50.12 comment="Facility-Sup PC (Abdul Rehman)" mac-address=\
48:4D:7E:ED:A5:FD name=48:4D:7E:ED:A5:FD profile=4MB server=hotspot1
add address=10.5.50.9 comment="Finance Office (M.Jhanzaib)" mac-address=\
F4:02:28:6F:6A:5C name=F4:02:28:6F:6A:5C profile=4MB server=hotspot1
add address=10.5.50.8 comment="Facility-Sup (Abdul Rehman) Mobile" \
mac-address=BC:91:B5:ED:E5:A2 name=BC:91:B5:ED:E5:A2 profile=1MB server=\
hotspot1
add address=10.5.50.6 comment="PRO Officer (Farah) Mobile" mac-address=\
2C:9D:65:6A:09:D2 name=2C:9D:65:6A:09:D2 profile=1MB server=hotspot1
add address=10.5.50.5 comment="DM Admin (Mobile)" mac-address=\
B0:EB:57:C6:85:89 name=B0:EB:57:C6:85:89 profile=4MB server=hotspot1
add address=10.5.50.14 comment="M.shahriyar Account Officer Mobile" \
mac-address=D4:63:DE:FB:12:62 name=D4:63:DE:FB:12:62 profile=4MB server=\
hotspot1
add comment="Filter Clinic 1" mac-address=18:66:DA:2D:80:AF name=\
18:66:DA:2D:80:AF profile=4MB server=hotspot1
add comment="Vitals Nursing Room" mac-address=48:4D:7E:E5:6B:DA name=\
48:4D:7E:E5:6B:DA server=hotspot1
add comment="Deputy Manager Admin (PC)" mac-address=48:4D:7E:E5:0E:47 name=\
48:4D:7E:E5:0E:47 profile=4MB server=hotspot1
add comment="Filter Clinic-2" mac-address=64:00:6A:6F:90:97 name=\
64:00:6A:6F:90:97 profile=2MB server=hotspot1
add comment="Filter Clinic 3" mac-address=48:4D:7E:ED:A2:97 name=\
48:4D:7E:ED:A2:97 server=hotspot1
add comment="Consultant Room 1 PC" mac-address=48:4D:7E:E5:2C:FF name=\
48:4D:7E:E5:2C:FF server=hotspot1
add comment="Consultant Clinic-02" mac-address=48:4D:7E:E5:43:7C name=\
48:4D:7E:E5:43:7C server=hotspot1
add comment="Account Officer (Shahryar PC)" mac-address=48:4D:7E:ED:63:CA \
name=48:4D:7E:ED:63:CA profile=1MB server=hotspot1
add comment="Naveed Ali Raza BM Engr" mac-address=BE:AC:BF:A1:92:8B name=\
BE:AC:BF:A1:92:8B profile=2MB server=hotspot1
add comment="Naveed Ali Raza BM Engr Laptop" mac-address=F8:16:54:98:DA:37 \
name=F8:16:54:98:DA:37 profile=1MB server=hotspot1
add comment="Zahid cafe Mob" mac-address=50:77:05:B0:BD:E2 name=\
50:77:05:B0:BD:E2 profile=2MB server=hotspot1
add comment="Dr Usama" mac-address=8C:B8:4A:0E:56:E1 name=8C:B8:4A:0E:56:E1 \
profile=2MB server=hotspot1
add comment="M.Bashir Cashier PC" mac-address=48:4D:7E:E5:2B:F1 name=\
48:4D:7E:E5:2B:F1 profile=2MB server=hotspot1
add comment="Cafetairia System" mac-address=50:9A:4C:52:2D:8B name=\
50:9A:4C:52:2D:8B profile=1MB server=hotspot1
add comment="Junaid Nurse Aid" mac-address=28:D2:5A:D5:F2:7D name=\
28:D2:5A:D5:F2:7D profile=1MB server=hotspot1
add mac-address=F8:4E:73:6B:66:F4 name=F8:4E:73:6B:66:F4 profile=1MB server=\
hotspot1
add comment="clinc 4" mac-address=48:4D:7E:E5:2E:C8 name=48:4D:7E:E5:2E:C8 \
server=hotspot1
add comment=Laboratory mac-address=48:4D:7E:EE:03:5B name=48:4D:7E:EE:03:5B \
profile=4MB server=hotspot1
add comment="Pharmacy 2nd system" mac-address=48:4D:7E:DE:0F:2B name=\
48:4D:7E:DE:0F:2B profile=4MB server=hotspot1
add comment="accounts printer" mac-address=74:97:79:1E:A0:62 name=\
74:97:79:1E:A0:62 profile=2MB server=hotspot1
add comment=Clinic-5 mac-address=48:4D:7E:E4:60:4B name=48:4D:7E:E4:60:4B \
profile=2MB server=hotspot1
add comment="Dr Usman private" mac-address=78:F2:38:7E:21:84 name=\
78:F2:38:7E:21:84 profile=2MB server=hotspot1
add comment="Dr Qanita private" mac-address=FC:A5:D0:86:C6:0B name=\
FC:A5:D0:86:C6:0B profile=2MB server=hotspot1
add comment="Dr Adil Ranjha" mac-address=64:17:CD:7F:3B:0E name=\
64:17:CD:7F:3B:0E profile=2MB server=hotspot1
add comment="Dr Sana private" mac-address=FC:29:E3:55:75:67 name=\
FC:29:E3:55:75:67 profile=2MB server=hotspot1
add comment="Abdul Raheem IT Officer" mac-address=C0:10:B1:93:A4:37 name=\
C0:10:B1:93:A4:37 profile=2MB server=hotspot1
add comment="Clinic- 7" mac-address=48:4D:7E:ED:63:6F name=48:4D:7E:ED:63:6F \
server=hotspot1
add comment="USG Room FF" mac-address=48:4D:7E:EE:04:F0 name=\
48:4D:7E:EE:04:F0 server=hotspot1
add comment="Naveed Ali Raza BM PC" mac-address=EC:F4:BB:64:DD:2A name=\
EC:F4:BB:64:DD:2A profile=2MB server=hotspot1
add comment="Muzamil Lab" mac-address=4C:EA:AE:DE:FF:A9 name=\
4C:EA:AE:DE:FF:A9 profile=1MB server=hotspot1
add comment="Dr. Irfan khan hematologist" mac-address=80:86:F2:55:08:A2 name=\
80:86:F2:55:08:A2 profile=2MB server=hotspot1
add comment="Dr adeel anjum" mac-address=80:9F:F5:C3:E0:FD name=\
80:9F:F5:C3:E0:FD profile=2MB server=hotspot1
add comment="Dr Rida" mac-address=9C:82:81:04:4C:43 name=9C:82:81:04:4C:43 \
profile=2MB server=hotspot1
add comment="Dr zahra " mac-address=F4:BE:EC:B2:88:03 name=F4:BE:EC:B2:88:03 \
profile=1MB server=hotspot1
add comment="Dr Saima CC" mac-address=DC:DC:E2:34:9C:08 name=\
DC:DC:E2:34:9C:08 profile=1MB server=hotspot1
add comment="Dr farooq" mac-address=A4:F8:41:AB:91:C0 name=A4:F8:41:AB:91:C0 \
profile=1MB server=hotspot1
add comment="Dr Anfaal" mac-address=9C:82:81:15:69:FB name=9C:82:81:15:69:FB \
profile=1MB server=hotspot1
add comment="Dr Asim radiologist" mac-address=10:3F:44:61:F5:DE name=\
10:3F:44:61:F5:DE profile=2MB server=hotspot1
add comment="Dr Salman Lashari" mac-address=F8:8F:07:9C:4E:E1 name=\
F8:8F:07:9C:4E:E1 profile=2MB server=hotspot1
add comment="Dr Hashim" mac-address=B4:20:5B:2D:6E:D5 name=B4:20:5B:2D:6E:D5 \
profile=2MB server=hotspot1
add comment="New pc Furqan" mac-address=8C:DC:D4:46:06:2E name=\
8C:DC:D4:46:06:2E profile=4MB server=hotspot1
add comment="Dr Arzo Sajjad" mac-address=5C:17:CF:1D:B8:F3 name=\
5C:17:CF:1D:B8:F3 profile=2MB server=hotspot1
add comment="Qazi Shafi MOb" mac-address=00:9C:C0:6E:B3:29 name=\
00:9C:C0:6E:B3:29 profile=40MB server=hotspot1
add comment="Cafetairia System" mac-address=DC:4A:3E:97:C9:E3 name=\
DC:4A:3E:97:C9:E3 profile=1MB server=hotspot1
add comment="Dr Wqarda Mobile" mac-address=44:F2:1B:14:35:BD name=\
44:F2:1B:14:35:BD profile=2MB server=hotspot1
add comment="Hanan Sarfraz HR officer" mac-address=1C:7A:CF:FB:D9:D5 name=\
1C:7A:CF:FB:D9:D5 profile=2MB server=hotspot1
add comment="Solar panel" mac-address=7C:87:CE:D9:CC:54 name=\
7C:87:CE:D9:CC:54 profile=2MB server=hotspot1
add comment="DR Mohsin " mac-address=A8:DB:03:64:6C:F3 name=A8:DB:03:64:6C:F3 \
profile=4MB server=hotspot1
add comment="Dr Usama Ibrahim" mac-address=36:1C:80:DD:A6:27 name=\
36:1C:80:DD:A6:27 profile=4MB server=hotspot1
add comment="Mr. Bashir" mac-address=B8:C9:B5:C2:2B:E7 name=B8:C9:B5:C2:2B:E7 \
profile=2MB server=hotspot1
add comment="Abdul Rehman IT office ASPHS" mac-address=C4:A4:51:69:C1:73 \
name=C4:A4:51:69:C1:73 profile=4MB server=hotspot1
add comment="Dr. Salman physio" mac-address=78:36:CC:3E:72:21 name=\
78:36:CC:3E:72:21 profile=2MB server=hotspot1
add comment="Dr irfan khan new" mac-address=A8:6F:36:E2:63:13 name=\
A8:6F:36:E2:63:13 profile=4MB server=hotspot1
add comment="Dr. babar ali" mac-address=88:C0:8B:28:CE:00 name=\
88:C0:8B:28:CE:00 profile=2MB server=hotspot1
add comment="Dr maria WMO" mac-address=E4:9C:67:0E:74:02 name=\
E4:9C:67:0E:74:02 profile=2MB server=hotspot1
add comment=LED mac-address=1A:93:9B:EC:30:5D name=1A:93:9B:EC:30:5D profile=\
4MB server=hotspot1
add comment="Ehsan Ilahi" mac-address=14:99:3E:7F:3C:7E name=\
14:99:3E:7F:3C:7E profile=4MB server=hotspot1
add comment="Abdul Shakoor USG DPT" mac-address=6C:1E:D7:C1:D1:8D name=\
6C:1E:D7:C1:D1:8D profile=2MB server=hotspot1
add comment="Dr. Rashid" mac-address=88:F8:72:3F:E6:49 name=88:F8:72:3F:E6:49 \
profile=2MB server=hotspot1
add comment="Pharmacy System" mac-address=C8:D9:D2:1A:7C:4B name=\
C8:D9:D2:1A:7C:4B profile=4MB server=hotspot1
add comment="Pharmacy Manager PC" mac-address=C8:D9:D2:1A:29:75 name=\
C8:D9:D2:1A:29:75 profile=2MB server=hotspot1
add comment="DC Server" mac-address=24:6E:96:88:1F:32 name=24:6E:96:88:1F:32 \
server=hotspot1
add comment="Accounts Officer PC" mac-address=48:4D:7E:EE:04:4B name=\
48:4D:7E:EE:04:4B profile=4MB server=hotspot1
add comment=test mac-address=48:4D:7E:EE:06:BC name=48:4D:7E:EE:06:BC server=\
hotspot1
# The entries below carry no mac-address= binding; see header note.
add comment="dr asim" name=A2:46:8D:66:FF:76 profile=2MB server=hotspot1
add comment="dr tahira" name=B0:54:76:D0:CB:90 profile=2MB server=hotspot1
add comment=tariq mac-address=9C:5A:81:D2:7E:50 name=9C:5A:81:D2:7E:50 \
profile=4MB server=hotspot1
add comment="dr adnan sarwar" name=B8:3B:CC:30:97:29 profile=2MB server=\
hotspot1
add comment=abdullah name=F0:6C:5D:57:E1:E2 profile=2MB server=hotspot1
add comment="dr shumaila naz" name=80:9F:F5:7D:ED:73 profile=2MB server=\
hotspot1
add comment="dr adil" name=58:20:71:16:7B:E0 profile=2MB server=hotspot1
add comment="Store System" mac-address=48:4D:7E:E5:3D:9D name=\
48:4D:7E:E5:3D:9D profile=4MB server=hotspot1
add comment="attendance machine" mac-address=00:17:61:10:99:99 name=\
00:17:61:10:99:99 profile=1MB server=hotspot1
add comment="abdul raheem" name=C8:D9:D2:1A:1E:83 profile=4MB server=hotspot1
add comment="dr adeela" name=30:50:CE:FC:3A:F6 profile=2MB server=hotspot1
add comment=dilshad mac-address=3C:6A:A7:99:E8:0F name=3C:6A:A7:99:E8:0F \
profile=4MB server=hotspot1
add comment="ultra sound doctor laptop" mac-address=4C:BB:58:2C:F8:E7 name=\
4C:BB:58:2C:F8:E7 profile=2MB server=hotspot1
# Fiber_hotspot users (10.10.3.0/24 segment) from here on, with a few hotspot1
# entries mixed in.
add mac-address=80:E8:2C:55:69:52 name=80:E8:2C:55:69:52 profile=4MB_Fiber \
server=Fiber_hotspot
add comment="AHSD008 Computer LAB PC 1" mac-address=C8:D9:D2:1A:0C:4F name=\
C8:D9:D2:1A:0C:4F profile=4MB_Fiber server=Fiber_hotspot
add comment="CC-PC 1" mac-address=DC:4A:3E:97:C9:E3 name=DC:4A:3E:97:C9:E3 \
profile=4MB_Fiber server=Fiber_hotspot
add comment="Domain Controller Fiber pool" mac-address=24:6E:96:88:1F:34 \
name=24:6E:96:88:1F:34 server=Fiber_hotspot
add comment="AHSD002 COMPUTER LAB PC-2" mac-address=C8:D9:D2:19:E6:CF name=\
C8:D9:D2:19:E6:CF profile=4MB_Fiber server=Fiber_hotspot
add comment="khizar Factory" mac-address=BC:91:B5:78:5A:27 name=\
BC:91:B5:78:5A:27 profile=2MB server=hotspot1
add comment="AHSD007 IT OFFICER SCHOOL" mac-address=C8:D9:D2:19:E9:C4 name=\
C8:D9:D2:19:E9:C4 server=Fiber_hotspot
add comment="AHSD018 COMPUTER LAB PC-18" mac-address=C8:D9:D2:19:F1:44 name=\
C8:D9:D2:19:F1:44 profile=4MB_Fiber server=Fiber_hotspot
add comment="AHSD020 COMPUTER LAB PC-20" mac-address=C8:D9:D2:1A:2E:42 name=\
C8:D9:D2:1A:2E:42 profile=4MB_Fiber server=Fiber_hotspot
add comment="AHSD019 COMPUTER PC-19" mac-address=C8:D9:D2:1A:35:F9 name=\
C8:D9:D2:1A:35:F9 profile=4MB_Fiber server=Fiber_hotspot
add comment="AHSD010 COMPUTER LAB PC-10" mac-address=C8:D9:D2:1A:36:74 name=\
C8:D9:D2:1A:36:74 profile=4MB_Fiber server=Fiber_hotspot
add comment="AHSD021 COMPUTER LAB PC-21" mac-address=C8:D9:D2:19:F8:42 name=\
C8:D9:D2:19:F8:42 profile=4MB_Fiber server=Fiber_hotspot
add comment="AHSD016 COMPUTER LAB PC-016" mac-address=C8:D9:D2:19:FE:E8 name=\
C8:D9:D2:19:FE:E8 profile=4MB_Fiber server=Fiber_hotspot
add comment="AHSD012 COMPUTER LAB PC-012" mac-address=C8:D9:D2:1A:0F:0B name=\
C8:D9:D2:1A:0F:0B profile=4MB_Fiber server=Fiber_hotspot
add comment="AHSD013 COMPUTER LAB PC-13" mac-address=C8:D9:D2:19:E6:5E name=\
C8:D9:D2:19:E6:5E profile=4MB_Fiber server=Fiber_hotspot
add comment="AHSD017 COMPUTER LAB PC-17" mac-address=C8:D9:D2:19:EC:BB name=\
C8:D9:D2:19:EC:BB profile=4MB_Fiber server=Fiber_hotspot
add comment="AHSD014 COMPUTER LAB PC-14" mac-address=C8:D9:D2:1A:2D:F9 name=\
C8:D9:D2:1A:2D:F9 profile=4MB_Fiber server=Fiber_hotspot
add comment="AHSD015 COMPUTER LAB PC-15" mac-address=C8:D9:D2:1A:59:1B name=\
C8:D9:D2:1A:59:1B profile=4MB_Fiber server=Fiber_hotspot
add comment="tenda router Community Center" mac-address=D8:32:14:1A:A0:B8 \
name=D8:32:14:1A:A0:B8 profile=4MB_Fiber server=Fiber_hotspot
add comment="abdul raheem' cc mobile" mac-address=8A:68:C2:B2:A3:F8 name=\
8A:68:C2:B2:A3:F8 profile=4MB_Fiber server=Fiber_hotspot
add comment="Community Center NVR" mac-address=DC:07:F8:31:DC:31 name=\
DC:07:F8:31:DC:31 profile=4MB_Fiber server=Fiber_hotspot
add comment="zahid sb cc" mac-address=52:2A:80:03:61:3B name=\
52:2A:80:03:61:3B profile=4MB_Fiber server=Fiber_hotspot
add comment="ABDULLAH HO CC" mac-address=F0:6C:5D:57:E1:E2 name=\
F0:6C:5D:57:E1:E2 profile=4MB_Fiber server=Fiber_hotspot
add comment="ABDUL REHMAN IT OFFICER CC" mac-address=12:42:15:29:48:4A name=\
12:42:15:29:48:4A profile=4MB_Fiber server=Fiber_hotspot
add comment="ASPHS NVR" mac-address=FC:9F:FD:0F:10:00 name=FC:9F:FD:0F:10:00 \
profile=4MB_Fiber server=Fiber_hotspot
add comment="Hotspt LED" mac-address=00:E0:20:30:B9:AE name=00:E0:20:30:B9:AE \
profile=4MB server=hotspot1
/ip route
# Single default route via the upstream gateway on the WAN-1 /30. Only one
# default route is present, so the two-WAN load balancing mentioned in the
# question is not part of this export.
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
209.150.147.49
# Remote LAN 192.168.10.0/24 is reached via 10.10.0.2, the fixed remote-address
# of LPTP_profile, i.e. the LAN-to-LAN L2TP peer's tunnel address. The route is
# only usable while that peer is connected.
add check-gateway=ping disabled=no dst-address=192.168.10.0/24 gateway=\
10.10.0.2
/ip service
# Unused management services are disabled - good.
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): www (plain HTTP) and winbox are left enabled on non-default
# ports with no address= restriction. A changed port is not access control,
# and with no input drop rule these are reachable from the internet.
# Recommend address=10.10.0.0/24 (plus the other admin subnets) on both, and
# www-ssl in place of plain www.
set www port=5556
set ssh disabled=yes
set api disabled=yes
set winbox port=5555
set api-ssl disabled=yes
/ppp secret
# User names and passwords stripped before posting. Two PPTP users on profile1,
# one L2TP LAN-to-LAN peer on LPTP_profile (fixed 10.10.0.2) and one L2TP road
# warrior on LT2P_User.
add name=***** profile=profile1 service=pptp
add name=**** profile=profile1 service=pptp
add name=**** profile=LPTP_profile service=l2tp
add name=**** profile=LT2P_User service=l2tp
/radius
# Hotspot authentication against a RADIUS server on the router itself
# (presumably the local User Manager; the shared secret is not shown).
add address=127.0.0.1 service=hotspot
/radius incoming
# NOTE(review): accept=yes opens the RADIUS CoA/Disconnect listener (UDP 3799).
# With the only server at 127.0.0.1 this is needed solely if that local server
# sends such messages; otherwise set accept=no, and in any case make sure the
# input filter does not expose 3799 to WAN.
set accept=yes
/routing bfd configuration
# BFD on every interface, including WAN-1. With no BGP/OSPF neighbours in this
# export it is presumably inert; restrict interfaces= or disable it if unused.
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Asia/Karachi
/system identity
# Default identity; a descriptive name helps when reading logs from several routers.
set name=RouterOS
/system logging
# NOTE(review): the same logging entry is added three times - duplicates can
# be removed. Nothing here logs firewall drops or ships logs off-box (no remote
# syslog action), so there is no record if the router is probed or compromised.
add topics=interface,info
add topics=interface,info
add topics=interface,info
/system note
set show-at-login=no
If this router is not behind a stronger firewall, then my condolences to you (revert to a default firewall filter because your network is as open as a door in a field). Then we will discuss the matter of the VPNs
I don’t have a firewall in front of the router. Could you guide me through the default firewall rules that should be applied to the router? Also, why can LAN-to-LAN devices not ping each other?
These are the default firewall rules, which you should have present in the order in which they are posted, i.e. the input rules at the top, followed by the forward rules. Of your existing rules, these three:
# NOTE(review): in the posted config the forward chain has no terminating drop,
# so these accepts change nothing today. Under the default rules below they stay
# redundant: TCP 21 and 50000-51000 are DSTNATed, so "drop all from WAN not
# DSTNATed" lets them through anyway, and traffic from 192.168.10.0/24 arrives
# over the L2TP interface, which is not in the WAN list.
add action=accept chain=forward comment=FTP dst-port=21 protocol=tcp
add action=accept chain=forward dst-port=50000-51000 protocol=tcp
add action=accept chain=forward comment=L2TP dst-address=10.10.0.0/24 \
src-address=192.168.10.0/24
are redundant, and the rest of your existing rules should be placed somewhere before the “defconf: accept established,related, untracked” rule. Only the input rule `add action=accept chain=input dst-port=1723 protocol=tcp` should be placed before the “defconf: drop all not coming from LAN” one:
/ip firewall filter
# Input chain: protect the router itself.
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
# NOTE(review): in the posted config only bridge1 is a member of the LAN list.
# Before enabling this rule add Fiber-bridge and ether2 to the LAN list, or
# DHCP, DNS and the hotspot login portal on those two segments will be dropped.
# Anything the router must accept from WAN (VPN ports, management from a fixed
# admin address) goes above this rule.
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
# Forward chain: traffic through the router.
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
# NOTE(review): fasttracked packets bypass the rest of the filter, mangle and
# simple queues. The hotspot rate limits presumably rely on dynamic simple
# queues, so verify they still apply after adding this rule, or exclude the
# hotspot subnets from it (e.g. src-address-list=!Proxy-Net).
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Only connections that matched a dst-nat rule may enter from WAN; the published
# services on 10.10.0.10 (RDP, SQL, FTP, SSH, HTTP) therefore remain reachable
# from the internet until their dst-nat rules are removed.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
In addition to all of this, three other input rules allowing UDP 500,1701,4500 and IPsec-ESP should be added in order for the L2TP VPN to work properly:
/ip firewall filter
# IKE (500), IKE NAT-T (4500) and L2TP (1701) plus ESP, inserted above the
# "drop all not coming from LAN" rule. place-before= finds that rule by its
# comment, so the default rules must already exist when this is run.
# NOTE(review): with use-ipsec=yes on the L2TP server, UDP 1701 should only be
# accepted when it arrives inside IPsec; a tighter form is a separate rule
# `add action=accept chain=input dst-port=1701 protocol=udp ipsec-policy=in,ipsec`
# with 1701 removed from the plain-UDP rule, so unencrypted L2TP from the
# internet is not accepted.
add action=accept chain=input dst-port=500,1701,4500 protocol=udp place-before=[ find comment="defconf: drop all not coming from LAN" ]
add action=accept chain=input protocol=ipsec-esp place-before=[ find comment="defconf: drop all not coming from LAN" ]
Appreciate your assistance. Do I need additional security measures for my router and network or is the current setup enough?
The default firewall covers security pretty well, but if you want to strengthen it:
https://help.mikrotik.com/docs/spaces/ROS/pages/328513/Building+Advanced+Firewall