VPN peer does not come up

Hello support,

I am configuring a site-to-site VPN between 2 MikroTik routers, but my peers do not come up. Please help. Configuration below:

ROUTER 1(central):

[admin1@MtCent] > /export hide-sensitive
# jan/12/2019 12:51:13 by RouterOS 6.35.4
# software id = K1CW-W7Z6
#
# Export of the central router "MtCent" (RouterOS 6.35.4) as posted by the
# original poster.  Lines beginning with "NOTE(review):" are reviewer
# annotations; every other line is the exported configuration, unchanged.
# An export normally omits settings that are still at their default value, so
# parameters that matter for the tunnel but are not printed here (the peer's
# secret, exchange mode, DH group, hash, phase-2 auth algorithm, PFS group)
# have to be compared on the live routers.
/interface bridge
# bridge1 carries the LAN (ether3 with its slave ports) and, through the ppp
# profile further down, the bridged OpenVPN clients.
add comment="( VPN ) " name=bridge1
/interface ethernet
# ether2 is the uplink ("WAN" in /ip address); ether1 and ether4-ether24 are
# switched into ether3 via master-port, so they all belong to the LAN.
set [ find default-name=ether2 ] comment=\
    "( ! ) Orange LTE ( docelowo: Netia DSL )"
set [ find default-name=ether3 ] comment="( ! ) NIC ( docelowo: Serwer_1 )"
set [ find default-name=ether4 ] comment="( ! ) NIC ( docelowo: Serwer_2 )" \
    master-port=ether3
set [ find default-name=ether5 ] comment=\
    "( ! ) Nowy modem Netia DSL ( docelowo: nas1 )" master-port=ether3
set [ find default-name=ether6 ] comment="( ! ) NIC ( docelowo: nas2 )" \
    master-port=ether3
set [ find default-name=ether7 ] comment="Router WiFi" master-port=ether3
set [ find default-name=ether8 ] comment=Paw.Gembal master-port=ether3
set [ find default-name=ether9 ] comment="K1 [hidden]" master-port=ether3
set [ find default-name=ether10 ] comment="K2 [hidden]" master-port=ether3
set [ find default-name=ether11 ] comment="K3 [hidden]" master-port=ether3
set [ find default-name=ether12 ] comment="K4 [hidden]" master-port=ether3
set [ find default-name=ether13 ] comment="Go\9C\E6 \r\
    \n(Dynamiczny)" master-port=ether3
set [ find default-name=ether14 ] comment="Toshiba (printserver)" master-port=\
    ether3
set [ find default-name=ether15 ] comment="[hidden]" master-port=ether3
set [ find default-name=ether16 ] comment="[hidden]" master-port=\
    ether3
set [ find default-name=ether17 ] comment="[hidden]" master-port=\
    ether3
set [ find default-name=ether18 ] comment="[hidden]" master-port=ether3
set [ find default-name=ether19 ] comment="Router Produkcja" master-port=ether3
set [ find default-name=ether20 ] comment="[hidden]" master-port=ether3
set [ find default-name=ether21 ] comment=dyrektor master-port=ether3
set [ find default-name=ether22 ] comment=Sekretariat master-port=ether3
set [ find default-name=ether23 ] comment="SW szef" master-port=ether3
set [ find default-name=ether24 ] comment="[hidden]" master-port=ether3 \
    tx-flow-control=on
/ip neighbor discovery
# These entries only mirror the interface comments; nothing here turns
# neighbor discovery on or off, so it stays at its default on every port,
# including the uplink ether2.
set ether2 comment="( ! ) Orange LTE ( docelowo: Netia DSL )"
set ether3 comment="( ! ) NIC ( docelowo: Serwer_1 )"
set ether4 comment="( ! ) NIC ( docelowo: Serwer_2 )"
set ether5 comment="( ! ) Nowy modem Netia DSL ( docelowo: nas1 )"
set ether6 comment="( ! ) NIC ( docelowo: nas2 )"
set ether7 comment="Router WiFi"
set ether8 comment=[hidden]
set ether9 comment="K1 [hidden]"
set ether10 comment="K2 [hidden]"
set ether11 comment="K3 S.[hidden]"
set ether12 comment="K4 [hidden]"
set ether13 comment="[hidden]
    \n(Dynamiczny)"
set ether14 comment="Toshiba (printserver)"
set ether15 comment="Kadry1 [hidden]"
set ether16 comment="Kadry2 [hidden]"
set ether17 comment="Mistrz1 [hidden]"
set ether18 comment="Mistrz2 [hidden]"
set ether19 comment="Router Produkcja"
set ether20 comment="[hidden]"
set ether21 comment=dyrektor
set ether22 comment=Sekretariat
set ether23 comment="SW szef"
set ether24 comment="Antena Nadajnik"
set bridge1 comment="( VPN ) "
/interface ethernet
set [ find default-name=ether1 ] comment="( ! ) NIC ( docelowo : Orange LTE )" \
    master-port=ether3
/ip neighbor discovery
set ether1 comment="( ! ) NIC ( docelowo : Orange LTE )"
/ip ipsec proposal
# Phase 2 (IPsec SA) proposal: only the cipher is pinned, to AES-128-CBC, which
# matches the remote router's proposal.  auth-algorithms and pfs-group are not
# printed (defaults) and must agree with the remote side as well.
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
# LAN DHCP pool, written as an explicit address list rather than a range.
add name=pool1 ranges="10.10.0.71,10.10.0.72,10.10.0.73,10.10.0.74,10.10.0.75,10\
    .10.0.76,10.10.0.77,10.10.0.78,10.10.0.79,10.10.0.80,10.10.0.81,10.10.0.82,1\
    0.10.0.83,10.10.0.84,10.10.0.85,10.10.0.86,10.10.0.87,10.10.0.88,10.10.0.89"
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge1 name=dhcp1
/ppp profile
# Profile for the OpenVPN server below: clients are bridged straight into the
# LAN (bridge=bridge1) and encryption is mandatory.
add bridge=bridge1 dns-server=10.10.0.1,10.10.0.100 name=ovpn1 use-encryption=\
    required
/system logging action
# NOTE(review): the in-memory log keeps only 100 lines.  When ipsec logging is
# enabled for troubleshooting, the relevant entries can scroll out quickly, so
# read /log print right after a connection attempt.
set 0 memory-lines=100
/interface bridge port
add bridge=bridge1 interface=ether3 priority=0x10
/interface ethernet switch port
# Identical WRR queue scheduling on every switch port; no bearing on the VPN.
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
/interface ovpn-server server
# OpenVPN server in bridged (ethernet) mode using profile ovpn1; clients must
# present a certificate.  This is separate from the IPsec site-to-site tunnel.
# NOTE(review): the cipher list still offers blowfish128, a 64-bit block cipher
# that is no longer recommended; dropping it would leave aes128,aes192,aes256.
set certificate=server.crt_0 cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=ovpn1 enabled=yes mode=ethernet require-client-certificate=\
    yes
/ip address
# NOTE(review): the "WAN" address 192.168.0.200 is a private (RFC 1918) address
# behind the upstream gateway 192.168.0.1 (see /ip route), so this router is
# itself behind NAT.  IKE/ESP from the remote site can only arrive if the
# upstream device forwards udp/500, udp/4500 and ESP to 192.168.0.200, and the
# peer entry below disables NAT traversal on top of that.
add address=192.168.0.200/24 comment=WAN interface=ether2 network=192.168.0.0
add address=10.10.0.1/24 comment=LAN interface=bridge1 network=10.10.0.0
/ip dhcp-server lease
# Static leases pinning LAN hosts to addresses; several are disabled.
add address=10.10.0.12 comment=S06-KONSTR-2 mac-address=00:23:54:3C:74:58 \
    server=dhcp1
add address=10.10.0.21 always-broadcast=yes comment=S04-KADRY-2 mac-address=\
    00:1F:D0:14:C7:6C server=dhcp1
add address=10.10.0.40 comment=S09-KSIEGOWOSC mac-address=40:8D:5C:3B:D7:F0 \
    server=dhcp1
add address=10.10.0.31 comment=S02-SEKRETARIAT mac-address=FC:AA:14:1D:98:52 \
    server=dhcp1
add address=10.10.0.70 comment=SXX-SPAWALNIA mac-address=E8:94:F6:09:2F:AC \
    server=dhcp1
add address=10.10.0.50 always-broadcast=yes comment=S11-MISTRZ mac-address=\
    D8:CB:8A:3E:59:98 server=dhcp1
add address=10.10.0.11 comment=S05-KONSTR-1 mac-address=00:26:18:90:E1:A0 \
    server=dhcp1
add address=10.10.0.60 always-broadcast=yes comment=S12-ZAOPAT-1 mac-address=\
    40:8D:5C:33:04:8C server=dhcp1
add address=10.10.0.220 comment="Router WiFi (TL-WR1043)" disabled=yes \
    mac-address=10:FE:ED:AF:24:AF server=dhcp1
add address=10.10.0.20 always-broadcast=yes comment=S03-KADRY-1 mac-address=\
    FC:AA:14:3F:9A:CD server=dhcp1
add address=10.10.0.15 comment=S08-KONSTR-4 mac-address=78:24:AF:41:A0:19 \
    server=dhcp1
add address=10.10.0.13 comment=S07-KONSTR-3 mac-address=64:31:50:23:AC:F1 \
    server=dhcp1
add address=10.10.0.32 always-broadcast=yes comment=S01-DYREKTOR mac-address=\
    AC:22:0B:79:68:48 server=dhcp1
add address=10.10.0.30 comment=S00-SZEF mac-address=90:2B:34:13:EA:5A server=\
    dhcp1
add address=10.10.0.127 always-broadcast=yes comment="Router Produkcja (\?)" \
    mac-address=80:1F:02:41:33:31 server=dhcp1
add address=10.10.0.51 comment=L03-LAKIERNIA-1 mac-address=00:40:D0:D2:9C:6D \
    server=dhcp1
add address=10.10.0.99 comment=Serwer_testowy disabled=yes mac-address=\
    00:1E:67:FE:B4:41 server=dhcp1
add address=10.10.0.7 comment="router pentagram" disabled=yes mac-address=\
    00:04:ED:62:10:54 server=dhcp1
add address=10.10.0.191 comment="TP-Link Odbiornik A" disabled=yes mac-address=\
    64:70:02:6F:91:D4 server=dhcp1
add address=10.10.0.190 comment="TP-Link Nadajnik  B" disabled=yes mac-address=\
    64:70:02:6F:92:1A server=dhcp1
add address=10.10.0.126 always-broadcast=yes comment="Drukarka_Toshiba " \
    mac-address=00:80:91:4E:BB:0B server=dhcp1
add address=10.10.0.192 comment="TP-Link Odbiornik C" disabled=yes mac-address=\
    F4:F2:6D:8E:0D:02 server=dhcp1
add address=10.10.0.101 client-id=1:0:1e:67:fe:b4:41 comment=Serwer_2 disabled=\
    yes mac-address=00:1E:67:FE:B4:41 server=dhcp1
add address=10.10.0.105 client-id=1:0:1e:67:fe:b4:42 comment=Serwer_2 disabled=\
    yes mac-address=00:1E:67:FE:B4:42 server=dhcp1
add address=10.10.0.102 client-id=1:0:11:32:55:45:aa comment=CentimaNas_Lan1 \
    disabled=yes mac-address=00:11:32:55:45:AA server=dhcp1
add address=10.10.0.103 client-id=1:0:11:32:55:45:a9 comment=CentimaNas_Lan2 \
    disabled=yes mac-address=00:11:32:55:45:A9 server=dhcp1
add address=10.10.0.61 client-id=1:0:13:8f:b1:3d:c3 comment=S13-ZAOPAT-2 \
    mac-address=00:13:8F:B1:3D:C3 server=dhcp1
# This lease has no server= and so is not tied to dhcp1 — presumably an
# oversight; confirm it is still handed out.
add address=10.10.0.230 comment="testowy jg" mac-address=08:9E:01:B7:2D:DC
add address=10.10.0.10 client-id=1:44:8a:5b:6d:c2:8e mac-address=\
    44:8A:5B:6D:C2:8E server=dhcp1
# NOTE(review): same client-id as the 10.10.0.10 lease above but a different
# MAC; whichever identifier the server matches on, one of the two may never win.
add address=10.10.0.19 client-id=1:44:8a:5b:6d:c2:8e mac-address=\
    28:B2:BD:10:1C:6A server=dhcp1
add address=10.10.0.104 client-id=1:8:94:ef:34:fd:c2 mac-address=\
    08:94:EF:34:FD:C2 server=dhcp1
add address=10.10.0.75 client-id=1:90:2b:34:13:eb:b6 mac-address=\
    90:2B:34:13:EB:B6 server=dhcp1
add address=10.10.0.125 comment="Drukarka Kadry" mac-address=18:60:24:C8:96:0F \
    server=dhcp1
/ip dhcp-server network
# LAN clients are handed 10.10.0.2 and 10.10.0.100 as DNS servers, i.e. not this
# router, with 10.10.0.1 as gateway.
add address=10.10.0.0/24 comment=\
    "W przypadku awarii zmieni\E6 bram\EA mi\EAdzy 10.10.0.1 a 10.10.0.2" \
    dns-server=10.10.0.2,10.10.0.100 domain=CENTIMA gateway=10.10.0.1 netmask=\
    24
/ip dns
# NOTE(review): allow-remote-requests=yes makes the resolver answer on every
# interface, including the uplink; the only thing preventing its use from
# outside is the udp/53 drop in the input chain below.
set allow-remote-requests=yes max-udp-packet-size=512 servers=\
    8.8.8.8,8.8.4.4,10.10.0.100
/ip firewall filter
# Rules without action= use the RouterOS default action, accept.
# NOTE(review): the input chain has no final drop, so anything not explicitly
# dropped below (including IKE udp/500, udp/4500 and ESP) reaches the router
# from ether2.  Management is protected only by the winbox drop rule here and
# the /ip service disables further down.
add chain=input comment=sql dst-port=1433 protocol=tcp
add chain=input comment=sql dst-port=1434 protocol=udp
add chain=input comment=druk dst-port=9100 protocol=tcp
# NOTE(review): this drop has no in-interface or src-address match, so it also
# drops DNS queries sent to 10.10.0.1 from the LAN; the DHCP network points
# clients at 10.10.0.2/10.10.0.100, so that may be intended — confirm.
add action=drop chain=input comment="SPAM (wysycanie \B3\B9cza)" dst-port=53 \
    log-prefix=test2 protocol=udp
# Two external addresses are whitelisted for forward and for winbox on input.
add chain=forward comment="wrigley dostep" dst-address=167.9.213.82
add chain=forward comment="dost\EAp Gajdecki" dst-address=87.205.99.112
add chain=input comment="winbox dost\EAp Gajdecki" dst-port=8291 in-interface=\
    ether2 protocol=tcp src-address=87.205.99.112
add chain=input comment="wrigley dostep" src-address=167.9.213.82
# Winbox from the uplink is dropped for everyone except the address above.
add action=drop chain=input comment="winbox drop" dst-port=8291 in-interface=\
    ether2 protocol=tcp
add chain=input connection-state=established
add action=drop chain=input comment="OCHRONA ROUTERA" connection-state=invalid
add action=drop chain=forward comment="OCHRONA SIECI" connection-state=invalid \
    protocol=tcp
add chain=forward connection-state=established,related protocol=tcp
# Forward-chain port blocklist (SMB/NetBIOS, ftp, telnet, winbox, SMTP, and a
# long list of worm/backdoor ports).  None of these touch the IPsec tunnel.
add action=drop chain=forward comment="BLOKADA PORT\D3W" dst-port=\
    135-139,21,23,8291 protocol=tcp
add action=drop chain=forward dst-port=445 protocol=tcp
add action=drop chain=forward dst-port=445 protocol=udp
add action=drop chain=forward comment="BLOKADA SPAMEROW" dst-port=25 protocol=\
    tcp
add action=drop chain=forward dst-port=0-19 protocol=tcp
add action=drop chain=forward dst-port=0-19 protocol=udp
add action=drop chain=forward dst-port=161-162 protocol=tcp
add action=drop chain=forward dst-port=161-162 protocol=udp
add action=drop chain=forward dst-port=199 protocol=tcp
add action=drop chain=forward dst-port=199 protocol=udp
add action=drop chain=forward dst-port=391 protocol=tcp
add action=drop chain=forward dst-port=391 protocol=udp
add action=drop chain=forward dst-port=705 protocol=tcp
add action=drop chain=forward dst-port=705 protocol=udp
add action=drop chain=forward dst-port=1993 protocol=tcp
add action=drop chain=forward dst-port=1993 protocol=udp
add action=drop chain=forward dst-port=67-69 protocol=tcp
add action=drop chain=forward dst-port=67-69 protocol=udp
add action=drop chain=forward dst-port=111 protocol=tcp
add action=drop chain=forward dst-port=111 protocol=udp
add action=drop chain=forward dst-port=511-515 protocol=tcp
add action=drop chain=forward dst-port=511-515 protocol=udp
add action=drop chain=forward dst-port=6667 protocol=tcp
add action=drop chain=forward dst-port=6667 protocol=udp
add action=drop chain=forward dst-port=1214 protocol=tcp
add action=drop chain=forward dst-port=1363 protocol=tcp
add action=drop chain=forward dst-port=1364 protocol=tcp
add action=drop chain=forward dst-port=1368 protocol=tcp
add action=drop chain=forward dst-port=1373 protocol=tcp
add action=drop chain=forward dst-port=1377 protocol=tcp
add action=drop chain=forward dst-port=2745 protocol=tcp
add action=drop chain=forward dst-port=2283 protocol=tcp
add action=drop chain=forward dst-port=2535 protocol=tcp
# Duplicate of the tcp/2745 rule a few lines up; harmless.
add action=drop chain=forward dst-port=2745 protocol=tcp
add action=drop chain=forward dst-port=3127-3128 protocol=tcp
add action=drop chain=forward dst-port=3410 protocol=tcp
add action=drop chain=forward dst-port=4444 protocol=tcp
add action=drop chain=forward dst-port=4444 protocol=udp
add action=drop chain=forward dst-port=5554 protocol=tcp
add action=drop chain=forward dst-port=8866 protocol=tcp
add action=drop chain=forward dst-port=9898 protocol=tcp
add action=drop chain=forward dst-port=10000 protocol=tcp
add action=drop chain=forward dst-port=10080 protocol=tcp
add action=drop chain=forward dst-port=12345 protocol=tcp
add action=drop chain=forward dst-port=17300 protocol=tcp
add action=drop chain=forward dst-port=27374 protocol=tcp
# Both LAN isolation drops are disabled (the comment says 10.10.10.0 but the
# rule matches 10.10.0.0/24).
add action=drop chain=forward comment="DROP WSZYSTKIE 10.10.10.0" disabled=yes \
    dst-address=10.10.0.0/24
add action=drop chain=forward disabled=yes src-address=10.10.0.0/24
# NOTE(review): "icmp" is a custom chain and no rule in this export jumps to it,
# so this drop is never evaluated.
add action=drop chain=icmp
# PPTP control port is accepted on input although no PPTP server appears in the
# export; presumably a leftover.
add chain=input dst-port=1723 protocol=tcp
add chain=input comment=0vpn dst-port=1194 protocol=tcp
/ip firewall nat
# NOTE(review): this is the usual IPsec bypass rule (no action= means accept)
# that should keep LAN->192.168.88.0/24 traffic out of masquerade, but it is
# disabled.  With it off, the masquerade rule below rewrites the source to
# 192.168.0.200 before the IPsec policy lookup, so the policy's
# src-address=10.10.0.0/24 selector never matches site-to-site traffic.
add chain=srcnat disabled=yes dst-address=192.168.88.0/24 src-address=\
    10.10.0.0/24
add action=masquerade chain=srcnat comment="nar routing" src-address=\
    10.10.0.0/24
# NOTE(review): the enabled dst-nat rules below publish MS SQL (tcp/1433,
# udp/1434), a tcp/8080 "windows control" web UI, the NAS web interfaces and an
# application on 8087 at the WAN address; whoever can reach 192.168.0.200 can
# reach those hosts directly.  Exposure from the Internet depends on what the
# upstream 192.168.0.1 device forwards.
add action=dst-nat chain=dstnat comment="www z zewn\B9trz" disabled=yes \
    dst-address=192.168.0.200 dst-port=80 protocol=tcp to-addresses=10.10.0.104 \
    to-ports=8087
add action=dst-nat chain=dstnat comment="www z lan" disabled=yes dst-address=\
    5.185.69.23 dst-port=80 protocol=tcp to-addresses=10.10.0.100 to-ports=80
add action=dst-nat chain=dstnat comment=sql dst-address=192.168.0.200 dst-port=\
    1434 protocol=udp to-addresses=10.10.0.100 to-ports=1434
add action=dst-nat chain=dstnat comment="kontrola windows przez www" \
    dst-address=192.168.0.200 dst-port=8080 log=yes log-prefix=log8080 \
    protocol=tcp to-addresses=10.10.0.104 to-ports=8080
add action=dst-nat chain=dstnat comment=sql dst-address=192.168.0.200 dst-port=\
    1433 protocol=tcp to-addresses=10.10.0.100 to-ports=1433
add action=dst-nat chain=dstnat comment="nas - WebInterface http" dst-address=\
    192.168.0.200 dst-port=5000 protocol=tcp to-addresses=10.10.0.102 to-ports=\
    5000
add action=dst-nat chain=dstnat comment="nas - Web interface https" \
    dst-address=192.168.0.200 dst-port=5001 protocol=tcp to-addresses=\
    10.10.0.102 to-ports=5001
add action=dst-nat chain=dstnat comment="nas - openproject" dst-address=\
    192.168.0.200 dst-port=5005 protocol=tcp to-addresses=10.10.0.102 to-ports=\
    5005
add action=dst-nat chain=dstnat comment="Strefa Klienta" dst-address=\
    192.168.0.200 dst-port=8087 protocol=tcp to-addresses=10.10.0.104 to-ports=\
    8087
# NOTE(review): to-addresses=15.10.0.238 is outside the 10.10.0.0/24 LAN and
# looks like a typo for 10.10.0.238 — confirm.
add action=dst-nat chain=dstnat comment="Drukarka Canon magazyn - sieciowa" \
    dst-address=192.168.0.200 dst-port=3702 protocol=tcp to-addresses=\
    15.10.0.238 to-ports=3702
/ip ipsec peer
# NOTE(review): disabled=yes — the peer entry for the remote site is switched
# off, so this router never answers IKE from 192.168.1.20.  That by itself keeps
# the tunnel down.  mode-config=request-only is for a client that asks the remote
# for an address, not for a static site-to-site policy, and nat-traversal=no
# turns NAT-T off even though this router sits behind NAT (see /ip address).
# Secret and exchange-mode are not shown (hidden / default) and must match the
# remote router.
add address=192.168.1.20/32 disabled=yes enc-algorithm=aes-128 mode-config=\
    request-only nat-traversal=no
/ip ipsec policy
# Site-to-site selector 10.10.0.0/24 -> 192.168.88.0/24 with the tunnel between
# 192.168.0.200 and 192.168.1.20; the mirror image of the remote router's policy.
add dst-address=192.168.88.0/24 sa-dst-address=192.168.1.20 sa-src-address=\
    192.168.0.200 src-address=10.10.0.0/24 tunnel=yes
/ip route
# Default route via the upstream device on the 192.168.0.0/24 segment.
add distance=1 gateway=192.168.0.1
/ip service
# telnet, ftp, www, ssh, api and api-ssl are disabled; winbox stays enabled and
# is filtered by the input rules above.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=stats-all read-only-mode=yes \
    touch-screen=disabled
/lcd screen
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
/ppp secret
# OpenVPN accounts; passwords are withheld by hide-sensitive.
add local-address=10.10.0.1 name=grupamy1 profile=ovpn1 remote-address=\
    10.10.0.231
add local-address=10.10.0.1 name=mikrotik_paprotna profile=ovpn1 \
    remote-address=10.10.0.232
add local-address=10.10.0.1 name=ins profile=ovpn1 remote-address=10.10.0.22
add local-address=10.10.0.1 name=magazyn2 profile=ovpn1 remote-address=\
    10.10.0.24
add local-address=10.10.0.1 name=magazyn3 profile=ovpn1 remote-address=\
    10.10.0.25
add local-address=10.10.0.1 name=Infortes_1 profile=ovpn1 remote-address=\
    10.10.0.233
add local-address=10.10.0.1 name=Infortes_2 profile=ovpn1 remote-address=\
    10.10.0.234
add local-address=10.10.0.1 name=piogra profile=ovpn1 remote-address=\
    10.10.0.235
add local-address=10.10.0.1 name=BiuroRachunkowe profile=ovpn1 remote-address=\
    10.10.0.236
# NOTE(review): "Mabile_Admin" is the only secret without profile=ovpn1, so it
# falls back to the default PPP profile rather than the one that requires
# encryption and bridges into bridge1; it also looks like a misspelling of
# Mobile_Admin — confirm which profile it should use.
add local-address=10.10.0.1 name=Mabile_Admin remote-address=10.10.0.237
add local-address=10.10.0.1 name=Mobile_Admin_LocalNetwork profile=ovpn1 \
    remote-address=10.10.0.238
add local-address=10.10.0.1 name=magazyn2_Local profile=ovpn1 remote-address=\
    10.10.0.239
add local-address=10.10.0.1 name=dangem_Local profile=ovpn1 remote-address=\
    10.10.0.240
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MtCent
/system ntp client
set enabled=yes primary-ntp=212.244.36.227
/system routerboard settings
set protected-routerboot=disabled

ROUTER 2(remote):

[admin2@MikroTik] > /export hide-sensitive
# feb/19/2019 14:08:26 by RouterOS 6.43.2
# software id = SUXJ-7QWL
#
# model = 951G-2HnD
# serial number = 642E07AE34DD
# Export of the remote router (RouterOS 6.43.2, RB951G-2HnD) as posted by the
# original poster.  Apart from the IPsec items and one NAT rule this is the
# factory "defconf" configuration.  Lines beginning with "NOTE(review):" are
# reviewer annotations; everything else is the exported configuration,
# unchanged.  Settings still at their default value are not printed.
/interface bridge
add admin-mac=64:D1:54:19:B7:B9 auto-mac=no comment=defconf name=bridge
/interface wireless
# NOTE(review): wlan1 runs as an AP with the factory SSID and is a bridge port
# below, i.e. it sits directly in the LAN.  The default security profile
# (further down) prints no mode/authentication settings, which suggests the
# WLAN is still open — confirm on the router.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-19B7BD wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
# Phase 1 (IKE) parameters of the default profile: AES-128, DH group modp1024,
# 30-minute lifetime, DPD every 30 s with up to 10 misses.
# NOTE(review): modp1024 (DH group 2) is considered too weak for new
# deployments; both routers would have to move to a stronger group together.
# Hash algorithm and exchange mode are at defaults here and must match the
# central router, whose export does not print its phase 1 settings either.
set [ find default=yes ] dh-group=modp1024 dpd-interval=30s \
    dpd-maximum-failures=10 enc-algorithm=aes-128 lifetime=30m
/ip ipsec proposal
# Phase 2 proposal pinned to AES-128-CBC, the same as on the central router.
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
# ether1 (WAN) takes its address from DHCP.  Nothing in this export assigns
# 192.168.1.20, which the IPsec policy below names as the SA source address.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
# Default-config input chain: accept established/related/untracked, drop
# invalid, accept ICMP, then drop everything not arriving from the LAN list.
# NOTE(review): there is no accept for IKE (udp/500, udp/4500) or ESP ahead of
# the "drop all not coming from LAN" rule, so this router can only bring the
# tunnel up when it is the initiator (the replies then match the established
# rule).  An IKE exchange started by the central router is dropped here.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Traffic matched by an IPsec policy (either direction) is accepted before the
# fasttrack rule, so tunnel traffic takes the full forwarding path.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Disabled IPsec-bypass rule.  It is redundant on this side: the masquerade rule
# below already excludes packets that match an outgoing IPsec policy
# (ipsec-policy=out,none), so tunnel traffic keeps its 192.168.88.x source.
add action=accept chain=srcnat disabled=yes dst-address=10.10.0.0/24 \
    src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip ipsec peer
# NOTE(review): the peer address is the central router's private "WAN" address
# 192.168.0.200; it is reachable only if both sites share an upstream network or
# a route to it exists.  Secret and exchange mode are not printed (hidden /
# default) and must match the other side.  skip-peer-id-validation disables the
# check of the remote identity against the configured address — a workaround
# for identity mismatches rather than something to leave on permanently.
add address=192.168.0.200/32 compatibility-options=skip-peer-id-validation
/ip ipsec policy
# Mirror of the central router's policy: 192.168.88.0/24 -> 10.10.0.0/24,
# tunnel from 192.168.1.20 to 192.168.0.200.
# NOTE(review): sa-src-address=192.168.1.20 must be an address this router
# actually holds on ether1; the DHCP lease is not in the export, so confirm with
# /ip address print.
add dst-address=10.10.0.0/24 sa-dst-address=192.168.0.200 sa-src-address=\
    192.168.1.20 src-address=192.168.88.0/24 tunnel=yes
# NOTE(review): "set 1" rewrites whichever policy currently has index 1.  If
# that is the policy added just above, its selectors become 0.0.0.0/0 and no
# longer mirror the central router's 10.10.0.0/24 <-> 192.168.88.0/24 policy;
# check /ip ipsec policy print to see which entry this line applies to.
set 1 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/system clock
set time-zone-name=Europe/Warsaw
/system routerboard settings
set silent-boot=no
/tool mac-server
# MAC-level access (mac-telnet, mac-winbox) is limited to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin2@MikroTik] >

hello - anybody there? Please help

Replace screenshots with configuration export (/export hide-sensitive).

Enable ipsec logging (/system logging add topics=ipsec,!packet) and check/post the results (/log print or log window).

How can I attach supout files? The forum does not allow attaching .rif extensions…

You send supout files to support@mikrotik.com … which is actually the proper address for getting support with suspected bugs … this is just a user forum, and we may (or may not, if we so decide) help with some expert knowledge.

If you decide to stick to the forum, it is preferable to post the configuration in plain text … which is obtained by executing the command /export hide-sensitive. When posting in the forum, put it in a [code] environment; it helps with readability.

hi Guys

Please see the exported config for both routers. I appreciate your help.

ROUTER 1(central):

[admin1@MtCent] > /export hide-sensitive
# jan/12/2019 12:51:13 by RouterOS 6.35.4
# software id = K1CW-W7Z6
#
/interface bridge
add comment="( VPN ) " name=bridge1
/interface ethernet
set [ find default-name=ether2 ] comment=\
    "( ! ) Orange LTE ( docelowo: Netia DSL )"
set [ find default-name=ether3 ] comment="( ! ) NIC ( docelowo: Serwer_1 )"
set [ find default-name=ether4 ] comment="( ! ) NIC ( docelowo: Serwer_2 )" \
    master-port=ether3
set [ find default-name=ether5 ] comment=\
    "( ! ) Nowy modem Netia DSL ( docelowo: nas1 )" master-port=ether3
set [ find default-name=ether6 ] comment="( ! ) NIC ( docelowo: nas2 )" \
    master-port=ether3
set [ find default-name=ether7 ] comment="Router WiFi" master-port=ether3
set [ find default-name=ether8 ] comment=Paw.Gembal master-port=ether3
set [ find default-name=ether9 ] comment="K1 [hidden]" master-port=ether3
set [ find default-name=ether10 ] comment="K2 [hidden]" master-port=ether3
set [ find default-name=ether11 ] comment="K3 [hidden]" master-port=ether3
set [ find default-name=ether12 ] comment="K4 [hidden]" master-port=ether3
set [ find default-name=ether13 ] comment="Go\9C\E6 \r\
    \n(Dynamiczny)" master-port=ether3
set [ find default-name=ether14 ] comment="Toshiba (printserver)" master-port=\
    ether3
set [ find default-name=ether15 ] comment="[hidden]" master-port=ether3
set [ find default-name=ether16 ] comment="[hidden]" master-port=\
    ether3
set [ find default-name=ether17 ] comment="[hidden]" master-port=\
    ether3
set [ find default-name=ether18 ] comment="[hidden]" master-port=ether3
set [ find default-name=ether19 ] comment="Router Produkcja" master-port=ether3
set [ find default-name=ether20 ] comment="[hidden]" master-port=ether3
set [ find default-name=ether21 ] comment=dyrektor master-port=ether3
set [ find default-name=ether22 ] comment=Sekretariat master-port=ether3
set [ find default-name=ether23 ] comment="SW szef" master-port=ether3
set [ find default-name=ether24 ] comment="[hidden]" master-port=ether3 \
    tx-flow-control=on
/ip neighbor discovery
set ether2 comment="( ! ) Orange LTE ( docelowo: Netia DSL )"
set ether3 comment="( ! ) NIC ( docelowo: Serwer_1 )"
set ether4 comment="( ! ) NIC ( docelowo: Serwer_2 )"
set ether5 comment="( ! ) Nowy modem Netia DSL ( docelowo: nas1 )"
set ether6 comment="( ! ) NIC ( docelowo: nas2 )"
set ether7 comment="Router WiFi"
set ether8 comment=[hidden]
set ether9 comment="K1 [hidden]"
set ether10 comment="K2 [hidden]"
set ether11 comment="K3 S.[hidden]"
set ether12 comment="K4 [hidden]"
set ether13 comment="[hidden]
    \n(Dynamiczny)"
set ether14 comment="Toshiba (printserver)"
set ether15 comment="Kadry1 [hidden]"
set ether16 comment="Kadry2 [hidden]"
set ether17 comment="Mistrz1 [hidden]"
set ether18 comment="Mistrz2 [hidden]"
set ether19 comment="Router Produkcja"
set ether20 comment="[hidden]"
set ether21 comment=dyrektor
set ether22 comment=Sekretariat
set ether23 comment="SW szef"
set ether24 comment="Antena Nadajnik"
set bridge1 comment="( VPN ) "
/interface ethernet
set [ find default-name=ether1 ] comment="( ! ) NIC ( docelowo : Orange LTE )" \
    master-port=ether3
/ip neighbor discovery
set ether1 comment="( ! ) NIC ( docelowo : Orange LTE )"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=pool1 ranges="10.10.0.71,10.10.0.72,10.10.0.73,10.10.0.74,10.10.0.75,10\
    .10.0.76,10.10.0.77,10.10.0.78,10.10.0.79,10.10.0.80,10.10.0.81,10.10.0.82,1\
    0.10.0.83,10.10.0.84,10.10.0.85,10.10.0.86,10.10.0.87,10.10.0.88,10.10.0.89"
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge1 name=dhcp1
/ppp profile
add bridge=bridge1 dns-server=10.10.0.1,10.10.0.100 name=ovpn1 use-encryption=\
    required
/system logging action
set 0 memory-lines=100
/interface bridge port
add bridge=bridge1 interface=ether3 priority=0x10
/interface ethernet switch port
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
# Router 1 (MtCent) export, continued. The section header for these
# per-queue-scheduling lines is above this excerpt; they repeat one WRR
# weight set per switch port and carry no security relevance.
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
# OpenVPN server. Client certificates are required (good). The cipher list
# still offers blowfish128, a legacy 64-bit-block cipher; the aes* entries
# alone are the safer set. mode=ethernet bridges clients at layer 2, which
# matches the 10.10.0.x remote-addresses handed out in /ppp secret below.
/interface ovpn-server server
set certificate=server.crt_0 cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=ovpn1 enabled=yes mode=ethernet require-client-certificate=\
    yes
# Both addresses are RFC1918. The "WAN" side (ether2) is 192.168.0.200 behind
# the ISP router, so this box is itself NATed: an IPsec peer can only reach it
# if the ISP router forwards UDP/500, UDP/4500 (NAT-T) to 192.168.0.200.
/ip address
add address=192.168.0.200/24 comment=WAN interface=ether2 network=192.168.0.0
add address=10.10.0.1/24 comment=LAN interface=bridge1 network=10.10.0.0
# Static DHCP leases. Inconsistencies worth checking: 10.10.0.10 and 10.10.0.19
# carry the same client-id but different MACs (second looks copy-pasted), and
# the "testowy jg" lease has no server=dhcp1.
/ip dhcp-server lease
add address=10.10.0.12 comment=S06-KONSTR-2 mac-address=00:23:54:3C:74:58 \
    server=dhcp1
add address=10.10.0.21 always-broadcast=yes comment=S04-KADRY-2 mac-address=\
    00:1F:D0:14:C7:6C server=dhcp1
add address=10.10.0.40 comment=S09-KSIEGOWOSC mac-address=40:8D:5C:3B:D7:F0 \
    server=dhcp1
add address=10.10.0.31 comment=S02-SEKRETARIAT mac-address=FC:AA:14:1D:98:52 \
    server=dhcp1
add address=10.10.0.70 comment=SXX-SPAWALNIA mac-address=E8:94:F6:09:2F:AC \
    server=dhcp1
add address=10.10.0.50 always-broadcast=yes comment=S11-MISTRZ mac-address=\
    D8:CB:8A:3E:59:98 server=dhcp1
add address=10.10.0.11 comment=S05-KONSTR-1 mac-address=00:26:18:90:E1:A0 \
    server=dhcp1
add address=10.10.0.60 always-broadcast=yes comment=S12-ZAOPAT-1 mac-address=\
    40:8D:5C:33:04:8C server=dhcp1
add address=10.10.0.220 comment="Router WiFi (TL-WR1043)" disabled=yes \
    mac-address=10:FE:ED:AF:24:AF server=dhcp1
add address=10.10.0.20 always-broadcast=yes comment=S03-KADRY-1 mac-address=\
    FC:AA:14:3F:9A:CD server=dhcp1
add address=10.10.0.15 comment=S08-KONSTR-4 mac-address=78:24:AF:41:A0:19 \
    server=dhcp1
add address=10.10.0.13 comment=S07-KONSTR-3 mac-address=64:31:50:23:AC:F1 \
    server=dhcp1
add address=10.10.0.32 always-broadcast=yes comment=S01-DYREKTOR mac-address=\
    AC:22:0B:79:68:48 server=dhcp1
add address=10.10.0.30 comment=S00-SZEF mac-address=90:2B:34:13:EA:5A server=\
    dhcp1
add address=10.10.0.127 always-broadcast=yes comment="Router Produkcja (\?)" \
    mac-address=80:1F:02:41:33:31 server=dhcp1
add address=10.10.0.51 comment=L03-LAKIERNIA-1 mac-address=00:40:D0:D2:9C:6D \
    server=dhcp1
add address=10.10.0.99 comment=Serwer_testowy disabled=yes mac-address=\
    00:1E:67:FE:B4:41 server=dhcp1
add address=10.10.0.7 comment="router pentagram" disabled=yes mac-address=\
    00:04:ED:62:10:54 server=dhcp1
add address=10.10.0.191 comment="TP-Link Odbiornik A" disabled=yes mac-address=\
    64:70:02:6F:91:D4 server=dhcp1
add address=10.10.0.190 comment="TP-Link Nadajnik  B" disabled=yes mac-address=\
    64:70:02:6F:92:1A server=dhcp1
add address=10.10.0.126 always-broadcast=yes comment="Drukarka_Toshiba " \
    mac-address=00:80:91:4E:BB:0B server=dhcp1
add address=10.10.0.192 comment="TP-Link Odbiornik C" disabled=yes mac-address=\
    F4:F2:6D:8E:0D:02 server=dhcp1
add address=10.10.0.101 client-id=1:0:1e:67:fe:b4:41 comment=Serwer_2 disabled=\
    yes mac-address=00:1E:67:FE:B4:41 server=dhcp1
add address=10.10.0.105 client-id=1:0:1e:67:fe:b4:42 comment=Serwer_2 disabled=\
    yes mac-address=00:1E:67:FE:B4:42 server=dhcp1
add address=10.10.0.102 client-id=1:0:11:32:55:45:aa comment=CentimaNas_Lan1 \
    disabled=yes mac-address=00:11:32:55:45:AA server=dhcp1
add address=10.10.0.103 client-id=1:0:11:32:55:45:a9 comment=CentimaNas_Lan2 \
    disabled=yes mac-address=00:11:32:55:45:A9 server=dhcp1
add address=10.10.0.61 client-id=1:0:13:8f:b1:3d:c3 comment=S13-ZAOPAT-2 \
    mac-address=00:13:8F:B1:3D:C3 server=dhcp1
add address=10.10.0.230 comment="testowy jg" mac-address=08:9E:01:B7:2D:DC
add address=10.10.0.10 client-id=1:44:8a:5b:6d:c2:8e mac-address=\
    44:8A:5B:6D:C2:8E server=dhcp1
add address=10.10.0.19 client-id=1:44:8a:5b:6d:c2:8e mac-address=\
    28:B2:BD:10:1C:6A server=dhcp1
add address=10.10.0.104 client-id=1:8:94:ef:34:fd:c2 mac-address=\
    08:94:EF:34:FD:C2 server=dhcp1
add address=10.10.0.75 client-id=1:90:2b:34:13:eb:b6 mac-address=\
    90:2B:34:13:EB:B6 server=dhcp1
add address=10.10.0.125 comment="Drukarka Kadry" mac-address=18:60:24:C8:96:0F \
    server=dhcp1
# LAN clients get 10.10.0.2 / 10.10.0.100 as resolvers, not this router.
/ip dhcp-server network
add address=10.10.0.0/24 comment=\
    "W przypadku awarii zmieni\E6 bram\EA mi\EAdzy 10.10.0.1 a 10.10.0.2" \
    dns-server=10.10.0.2,10.10.0.100 domain=CENTIMA gateway=10.10.0.1 netmask=\
    24
# allow-remote-requests=yes turns the router into a resolver for anyone who
# can reach UDP/53 on it; the input rule below drops UDP/53 on all interfaces,
# which closes that (and, as a side effect, also for LAN clients).
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=\
    8.8.8.8,8.8.4.4,10.10.0.100
# Filter rules are evaluated top-down; the first match wins.
# NOTE(review): neither chain ends with a drop, so anything not matched below
# is accepted by the default policy. The input chain therefore only blocks
# winbox on ether2 and UDP/53 -- every other router service is reachable from
# ether2. To turn the list into a real allow-list, append
# `add action=drop chain=input in-interface=ether2` after the accepts (and, for
# IPsec, add accepts for udp 500,4500 and protocol=ipsec-esp above it).
/ip firewall filter
# These three accept traffic *to the router itself* from any source. The SQL
# and print services actually live on LAN hosts (see the dst-nat rules), and
# dst-nat'd traffic traverses the forward chain, so these rules appear to
# have no effect and could be removed.
add chain=input comment=sql dst-port=1433 protocol=tcp
add chain=input comment=sql dst-port=1434 protocol=udp
add chain=input comment=druk dst-port=9100 protocol=tcp
# No in-interface: UDP/53 to the router is dropped on every interface.
add action=drop chain=input comment="SPAM (wysycanie \B3\B9cza)" dst-port=53 \
    log-prefix=test2 protocol=udp
# Per-address allow-lists: two external IPs get unrestricted forward and input
# access (any port). Narrow these to the ports actually needed if possible.
add chain=forward comment="wrigley dostep" dst-address=167.9.213.82
add chain=forward comment="dost\EAp Gajdecki" dst-address=87.205.99.112
add chain=input comment="winbox dost\EAp Gajdecki" dst-port=8291 in-interface=\
    ether2 protocol=tcp src-address=87.205.99.112
add chain=input comment="wrigley dostep" src-address=167.9.213.82
# Winbox from ether2 is dropped for everyone except the allow-listed source
# above; note winbox is not disabled in /ip service, so this rule is the only
# thing protecting it on the WAN side.
add action=drop chain=input comment="winbox drop" dst-port=8291 in-interface=\
    ether2 protocol=tcp
add chain=input connection-state=established
add action=drop chain=input comment="OCHRONA ROUTERA" connection-state=invalid
# The forward-chain state rules are limited to protocol=tcp, so UDP/ICMP
# state is never evaluated here (it is accepted by the default policy anyway).
add action=drop chain=forward comment="OCHRONA SIECI" connection-state=invalid \
    protocol=tcp
add chain=forward connection-state=established,related protocol=tcp
# Port block-list applied to all routed traffic (LAN->WAN, WAN->LAN and VPN).
# It is a deny-list on top of a default-accept forward chain, so only the
# listed ports are filtered. dst-port 2745 appears twice.
add action=drop chain=forward comment="BLOKADA PORT\D3W" dst-port=\
    135-139,21,23,8291 protocol=tcp
add action=drop chain=forward dst-port=445 protocol=tcp
add action=drop chain=forward dst-port=445 protocol=udp
add action=drop chain=forward comment="BLOKADA SPAMEROW" dst-port=25 protocol=\
    tcp
add action=drop chain=forward dst-port=0-19 protocol=tcp
add action=drop chain=forward dst-port=0-19 protocol=udp
add action=drop chain=forward dst-port=161-162 protocol=tcp
add action=drop chain=forward dst-port=161-162 protocol=udp
add action=drop chain=forward dst-port=199 protocol=tcp
add action=drop chain=forward dst-port=199 protocol=udp
add action=drop chain=forward dst-port=391 protocol=tcp
add action=drop chain=forward dst-port=391 protocol=udp
add action=drop chain=forward dst-port=705 protocol=tcp
add action=drop chain=forward dst-port=705 protocol=udp
add action=drop chain=forward dst-port=1993 protocol=tcp
add action=drop chain=forward dst-port=1993 protocol=udp
add action=drop chain=forward dst-port=67-69 protocol=tcp
add action=drop chain=forward dst-port=67-69 protocol=udp
add action=drop chain=forward dst-port=111 protocol=tcp
add action=drop chain=forward dst-port=111 protocol=udp
add action=drop chain=forward dst-port=511-515 protocol=tcp
add action=drop chain=forward dst-port=511-515 protocol=udp
add action=drop chain=forward dst-port=6667 protocol=tcp
add action=drop chain=forward dst-port=6667 protocol=udp
add action=drop chain=forward dst-port=1214 protocol=tcp
add action=drop chain=forward dst-port=1363 protocol=tcp
add action=drop chain=forward dst-port=1364 protocol=tcp
add action=drop chain=forward dst-port=1368 protocol=tcp
add action=drop chain=forward dst-port=1373 protocol=tcp
add action=drop chain=forward dst-port=1377 protocol=tcp
add action=drop chain=forward dst-port=2745 protocol=tcp
add action=drop chain=forward dst-port=2283 protocol=tcp
add action=drop chain=forward dst-port=2535 protocol=tcp
add action=drop chain=forward dst-port=2745 protocol=tcp
add action=drop chain=forward dst-port=3127-3128 protocol=tcp
add action=drop chain=forward dst-port=3410 protocol=tcp
add action=drop chain=forward dst-port=4444 protocol=tcp
add action=drop chain=forward dst-port=4444 protocol=udp
add action=drop chain=forward dst-port=5554 protocol=tcp
add action=drop chain=forward dst-port=8866 protocol=tcp
add action=drop chain=forward dst-port=9898 protocol=tcp
add action=drop chain=forward dst-port=10000 protocol=tcp
add action=drop chain=forward dst-port=10080 protocol=tcp
add action=drop chain=forward dst-port=12345 protocol=tcp
add action=drop chain=forward dst-port=17300 protocol=tcp
add action=drop chain=forward dst-port=27374 protocol=tcp
# Two disabled "kill switch" rules for the whole LAN.
add action=drop chain=forward comment="DROP WSZYSTKIE 10.10.10.0" disabled=yes \
    dst-address=10.10.0.0/24
add action=drop chain=forward disabled=yes src-address=10.10.0.0/24
# Custom chain "icmp" containing a drop, but no rule in this export jumps to
# it, so it never matches anything.
add action=drop chain=icmp
# TCP/1723 is the PPTP control port; no PPTP server is visible in this export,
# so this accept may be a leftover -- confirm before keeping it.
add chain=input dst-port=1723 protocol=tcp
# OpenVPN server port (matches /interface ovpn-server server above).
add chain=input comment=0vpn dst-port=1194 protocol=tcp
/ip firewall nat
# IPsec NAT bypass -- currently DISABLED. With it off, the masquerade rule
# below also rewrites LAN->192.168.88.0/24 traffic to 192.168.0.200, so the
# packets no longer match the IPsec policy src-address=10.10.0.0/24 and are
# never encapsulated. Re-enable this rule (it must stay above the masquerade),
# or add ipsec-policy=out,none to the masquerade rule as router 2 does.
add chain=srcnat disabled=yes dst-address=192.168.88.0/24 src-address=\
    10.10.0.0/24
# Masquerade with no out-interface restriction: applies to every egress.
add action=masquerade chain=srcnat comment="nar routing" src-address=\
    10.10.0.0/24
# Port forwards reachable on 192.168.0.200 from the ISP side. None of the
# enabled ones restricts src-address, and the forward chain has no default
# drop, so whatever the ISP router forwards here reaches the LAN hosts.
# Exposing SQL Server (1433/1434) this way is high-risk; restrict the source
# or move it behind the VPN.
add action=dst-nat chain=dstnat comment="www z zewn\B9trz" disabled=yes \
    dst-address=192.168.0.200 dst-port=80 protocol=tcp to-addresses=10.10.0.104 \
    to-ports=8087
add action=dst-nat chain=dstnat comment="www z lan" disabled=yes dst-address=\
    5.185.69.23 dst-port=80 protocol=tcp to-addresses=10.10.0.100 to-ports=80
add action=dst-nat chain=dstnat comment=sql dst-address=192.168.0.200 dst-port=\
    1434 protocol=udp to-addresses=10.10.0.100 to-ports=1434
# log=yes: every new 8080 connection is written to the log with prefix log8080.
add action=dst-nat chain=dstnat comment="kontrola windows przez www" \
    dst-address=192.168.0.200 dst-port=8080 log=yes log-prefix=log8080 \
    protocol=tcp to-addresses=10.10.0.104 to-ports=8080
add action=dst-nat chain=dstnat comment=sql dst-address=192.168.0.200 dst-port=\
    1433 protocol=tcp to-addresses=10.10.0.100 to-ports=1433
add action=dst-nat chain=dstnat comment="nas - WebInterface http" dst-address=\
    192.168.0.200 dst-port=5000 protocol=tcp to-addresses=10.10.0.102 to-ports=\
    5000
add action=dst-nat chain=dstnat comment="nas - Web interface https" \
    dst-address=192.168.0.200 dst-port=5001 protocol=tcp to-addresses=\
    10.10.0.102 to-ports=5001
add action=dst-nat chain=dstnat comment="nas - openproject" dst-address=\
    192.168.0.200 dst-port=5005 protocol=tcp to-addresses=10.10.0.102 to-ports=\
    5005
add action=dst-nat chain=dstnat comment="Strefa Klienta" dst-address=\
    192.168.0.200 dst-port=8087 protocol=tcp to-addresses=10.10.0.104 to-ports=\
    8087
# to-addresses=15.10.0.238 is outside the LAN (10.10.0.0/24); this looks like
# a typo for 10.10.0.238 and cannot work as written.
add action=dst-nat chain=dstnat comment="Drukarka Canon magazyn - sieciowa" \
    dst-address=192.168.0.200 dst-port=3702 protocol=tcp to-addresses=\
    15.10.0.238 to-ports=3702
# IPsec phase 1 towards router 2. Problems visible here:
#  - disabled=yes: this end of the tunnel is switched off, nothing negotiates.
#  - nat-traversal=no while both endpoints sit behind ISP NAT; NAT-T (UDP/4500)
#    is required for ESP to survive the NAT.
#  - mode-config=request-only is the road-warrior client setting, not a
#    site-to-site one.
#  - only enc-algorithm is set; hash and DH group are defaults (not shown) and
#    must match router 2's profile (aes-128 / modp1024).
# The peer address 192.168.1.20 is router 2's private WAN address; router 2
# gets that address via DHCP, so verify it is still current.
/ip ipsec peer
add address=192.168.1.20/32 disabled=yes enc-algorithm=aes-128 mode-config=\
    request-only nat-traversal=no
# Phase 2 selectors: LAN 10.10.0.0/24 <-> 192.168.88.0/24, SAs between the two
# private WAN addresses. These must be the addresses the peers actually see
# each other at after the ISP NAT.
/ip ipsec policy
add dst-address=192.168.88.0/24 sa-dst-address=192.168.1.20 sa-src-address=\
    192.168.0.200 src-address=10.10.0.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.0.1
# Management plane: telnet/ftp/www/ssh/api/api-ssl disabled. winbox and
# www-ssl are not listed, so they keep their defaults (winbox enabled on
# 8291, guarded only by the ether2 drop rule above).
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=stats-all read-only-mode=yes \
    touch-screen=disabled
/lcd screen
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
# OpenVPN accounts (passwords hidden by hide-sensitive). "Mabile_Admin" has no
# profile=ovpn1 and so falls back to the default profile; it also looks like a
# misspelling of Mobile_Admin.
/ppp secret
add local-address=10.10.0.1 name=grupamy1 profile=ovpn1 remote-address=\
    10.10.0.231
add local-address=10.10.0.1 name=mikrotik_paprotna profile=ovpn1 \
    remote-address=10.10.0.232
add local-address=10.10.0.1 name=ins profile=ovpn1 remote-address=10.10.0.22
add local-address=10.10.0.1 name=magazyn2 profile=ovpn1 remote-address=\
    10.10.0.24
add local-address=10.10.0.1 name=magazyn3 profile=ovpn1 remote-address=\
    10.10.0.25
add local-address=10.10.0.1 name=Infortes_1 profile=ovpn1 remote-address=\
    10.10.0.233
add local-address=10.10.0.1 name=Infortes_2 profile=ovpn1 remote-address=\
    10.10.0.234
add local-address=10.10.0.1 name=piogra profile=ovpn1 remote-address=\
    10.10.0.235
add local-address=10.10.0.1 name=BiuroRachunkowe profile=ovpn1 remote-address=\
    10.10.0.236
add local-address=10.10.0.1 name=Mabile_Admin remote-address=10.10.0.237
add local-address=10.10.0.1 name=Mobile_Admin_LocalNetwork profile=ovpn1 \
    remote-address=10.10.0.238
add local-address=10.10.0.1 name=magazyn2_Local profile=ovpn1 remote-address=\
    10.10.0.239
add local-address=10.10.0.1 name=dangem_Local profile=ovpn1 remote-address=\
    10.10.0.240
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MtCent
# Correct time matters for certificate validity (OpenVPN) and IPsec lifetimes.
/system ntp client
set enabled=yes primary-ntp=212.244.36.227
/system routerboard settings
set protected-routerboot=disabled

ROUTER 2(remote):

[admin2@MikroTik] > /export hide-sensitive
# feb/19/2019 14:08:26 by RouterOS 6.43.2
# software id = SUXJ-7QWL
#
# model = 951G-2HnD
# serial number = 642E07AE34DD
# Router 2 (remote site, RB951G, RouterOS 6.43.2). Mostly the factory
# "defconf" with IPsec added on top.
/interface bridge
add admin-mac=64:D1:54:19:B7:B9 auto-mac=no comment=defconf name=bridge
# wlan1 runs as an access point with the default security profile. The
# profile below only sets supplicant-identity; hide-sensitive removes keys
# but not mode=/authentication-types=, so nothing here shows WPA2 being
# enabled -- verify with `/interface wireless security-profiles print` that
# this is not an open AP bridged into the LAN.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-19B7BD wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec phase-1 parameters. modp1024 (DH group 2) is considered weak today;
# modp2048 or stronger is advisable if router 1 supports it. Whatever is
# chosen, router 1's peer (which only sets enc-algorithm=aes-128) must agree
# on the same DH group, hash and lifetime.
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=30s \
    dpd-maximum-failures=10 enc-algorithm=aes-128 lifetime=30m
# Phase-2 proposal; auth-algorithms not shown, so the default applies.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# The WAN address on ether1 comes from DHCP (ISP router). The IPsec policy
# below hard-codes it as 192.168.1.20; if the lease changes, the SA addresses
# stop matching.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# Resolver is open, but the input chain below drops everything not from LAN.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
# Default-config firewall, evaluated top-down.
# NOTE(review): the input chain drops all traffic not arriving from LAN, which
# includes IKE (UDP/500, UDP/4500) and ESP from router 1. That is fine only as
# long as this router always initiates (replies are then established,related).
# If router 1 should be able to initiate, insert accepts for
# `protocol=udp dst-port=500,4500 src-address=192.168.0.200` and
# `protocol=ipsec-esp src-address=192.168.0.200` above the drop rule.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# IPsec accepts are placed before fasttrack, which is the required order:
# fasttracked connections would otherwise bypass the IPsec policy.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Disabled NAT bypass; not needed on this side because the masquerade rule
# carries ipsec-policy=out,none, which already exempts IPsec-bound traffic.
add action=accept chain=srcnat disabled=yes dst-address=10.10.0.0/24 \
    src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
# Peer = router 1's private WAN address. skip-peer-id-validation relaxes the
# identity check, which is sometimes needed behind NAT but weakens peer
# authentication; prefer matching IDs once the tunnel works. exchange-mode and
# NAT-T settings are not shown, so defaults apply -- router 1 explicitly
# disables NAT-T, which both sides need while behind the ISP NAT.
/ip ipsec peer
add address=192.168.0.200/32 compatibility-options=skip-peer-id-validation
/ip ipsec policy
add dst-address=10.10.0.0/24 sa-dst-address=192.168.0.200 sa-src-address=\
    192.168.1.20 src-address=192.168.88.0/24 tunnel=yes
# NOTE(review): `set 1` widens the selectors of policy item 1 to 0.0.0.0/0 in
# both directions. If item 1 is the site-to-site policy added on the line
# above, this overwrites its 192.168.88.0/24 <-> 10.10.0.0/24 selectors and
# the tunnel will never match the intended traffic; check
# `/ip ipsec policy print` and remove this line if so.
set 1 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/system clock
set time-zone-name=Europe/Warsaw
/system routerboard settings
set silent-boot=no
# MAC-telnet and MAC-winbox limited to LAN-side interfaces (good).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin2@MikroTik] >

One thing I do not understand about these routers is that they have private IP addresses; I wonder how that is supposed to work, since we usually terminate IPsec tunnels at public IP addresses. Both routers are connected to an ISP router which connects to the public internet, has a public IP address and performs NAT. The two routers are in different locations, so in summary the network topology looks like this:

Mikrotik router 1 site 1–ISP router site 1–Internet cloud–ISP router site 2–Mikrotik router 2 site 2

hi Guys,

Any thoughts on those?