Hello,
I really need some help cleaning up my configs on my routers. I have a Wireguard tunnel which I use for my whole home network and I have an L2TP tunnel which I use to transport multicast IPTV from my provider in Country A to Country B where I am currently located for work reasons. I am also forwarding a VOIP telephone line with a Grandstream HT813 and HT801 combo.
So what I have going on is the following:
Country A router: RB4011iGS+
Connection: Local ISP Fiber, 300 mbps download 300mbps upload, very stable connection
Ports used:
Port 1 = WAN
Port 2 = VOIP IN (Wireguard)
Port 5 = IPTV IN (Multicast) (L2TP)
Every other port is on the local LAN.
Serves as Wireguard and L2TP server.
Country B router: RB5009UG+S+
Connection: Starlink, 150-200mbps download, 15-20mbps upload, reasonably stable
Ports used:
Port 1 = WAN
Port 2 = Local LAN (Starlink)
Port 3 = Wireguard LAN
Port 4 = VOIP OUT (Grandstream HT801)
Port 5 = IPTV set-top-box OUT (Multicast through L2TP tunnel)
The rest of the ports are not used.
My problems are the following: my Wireguard tunnel’s speed on the local network seems to be cut in half, getting around 85-90mbps. I am almost certain that the problem is in the configuration of the 5009 router because if I connect to the Starlink router with my mobile phone and I connect to the Wireguard directly from the phone, I get almost the same speed as connected to the Starlink directly. I also have to have a mangle Change MSS rule for the Wireguard tunnel in the 5009 router otherwise some sites do not open. Strange issue.
Also, my L2TP tunnel works fine for the live TV channels which come through multicast on the set top box provided to me by the ISP in Country A. The problem is I cannot use the video library where there are movies available to pay for and rent or whatever it may be. It’s very slow, keeps pausing and the audio cuts out. So I’m not sure if hardware encryption is working for the IPSec or if there is some other way to make the tunnel work more optimally.
If someone could please look through these and let me know if they have suggestions, I’d highly appreciate it. Some stuff is left over from previous configuration tries but I have been reluctant to delete anything not to break it.
Country A Config (Server):
[admin@XXXXXXXXX] > export hide-sensitive
# 2024-03-01 17:30:55 by RouterOS 7.13.3
# software id = XXXXXXX
#
# model = RB4011iGS+
# serial number = XXXXXXXXXX
#
# Review notes (server side). RouterOS firewall chains are evaluated top-down,
# first match wins, so the order of the /ip firewall filter rules matters.
# Lines marked NOTE(review) are items to fix or confirm.
#
# br-VPN is the Layer 2 landing bridge for the IPTV feed: ether5-IPTV-IN is its
# only port, and the default-encryption PPP profile below bridges the L2TP
# session into it (BCP), so multicast crosses the tunnel as Ethernet frames.
/interface bridge
add name=br-VPN
add admin-mac=XXXXXXXXXXX auto-mac=no comment=defconf name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-VOIP-OUT
set [ find default-name=ether5 ] name=ether5-IPTV-IN
# WireGuard server, MTU 1420. Only the 5009 clamps TCP MSS on wg1; there is no
# matching mangle rule on this side for the server-to-client direction.
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# NOTE(review): sha1 is still offered for IPsec authentication. The only IPsec
# peer visible is the 5009 on RouterOS 7.14, which should negotiate sha256 —
# TODO confirm, then drop sha1.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=l2tp-vpn ranges=192.168.89.2-192.168.89.255
add name=POOL-VPN ranges=10.10.0.1-10.10.0.255
/ip dhcp-server
add address-pool=dhcp interface=bridge-LAN lease-time=10m name=defconf
/port
set 0 name=serial0
set 1 name=serial1
# The "l2tp" profile carries change-tcp-mss=yes, but the "l2tp" secret further
# down uses profile=default-encryption, so the 5009 (user=l2tp) never gets it.
# default-encryption is the bridged (BCP) profile; use-compression=yes on a link
# that IPsec already encrypts mostly adds CPU work.
/ppp profile
add change-tcp-mss=yes local-address=192.168.89.1 name=l2tp remote-address=\
l2tp-vpn use-compression=yes use-ipv6=default
set *FFFFFFFE bridge=br-VPN use-compression=yes use-encryption=default \
use-ipv6=default
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" name=\
zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 \
name=zerotier1 network=XXXXXXXXX
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=\
ether2-VOIP-OUT
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether4
# Only port of br-VPN: the ISP IPTV feed enters here and is bridged to L2TP.
add bridge=br-VPN interface=ether5-IPTV-IN
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=\
sfp-sfpplus1
/ip firewall connection tracking
set udp-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
# L2TP server with IPsec. max-mtu/max-mru 1460 bound the PPP link; the bridged
# (BCP) frames inside carry the STB's own TCP sessions, which no MSS clamp on
# this router touches — a plausible contributor to the VOD stalls. TODO confirm
# by looking for fragmentation/retransmits on the tunnel while VOD plays.
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp enabled=yes max-mru=1460 \
max-mtu=1460 mrru=1600 use-ipsec=yes
# wg1 is a LAN member, so everything arriving over WireGuard passes the
# "drop all not coming from LAN" input rule — tunnel users get full router access.
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=wg1 list=LAN
# No OVPN server is enabled in this export; md5 in the auth list is a weak
# leftover, harmless only while the server stays off.
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set port=4430
# Server-side peers. Router5009's allowed-address lists its two LAN subnets,
# which match the two /ip route entries via wg1 below.
/interface wireguard peers
add allowed-address=192.168.50.2/32,192.168.98.0/24,192.168.99.0/24 comment=\
"Router5009" interface=wg1 private-key=\
"XXXXX" public-key=\
"XXXXXX"
add allowed-address=192.168.50.101/32 comment=User1 interface=wg1 \
private-key="XXXXX" public-key=\
"XXXXXX"
add allowed-address=192.168.50.102/32 comment=User2 interface=wg1 private-key=\
"XXXXXX" public-key=\
"XXXXXX"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-LAN network=\
192.168.88.0
add address=192.168.50.1/24 interface=wg1 network=192.168.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1-WAN
# DHCP client on the IPTV bridge (no default route). Nothing in this export
# shows what depends on that address — TODO confirm, else remove.
add add-default-route=no interface=br-VPN
/ip dhcp-server lease
add address=192.168.88.7 client-id=XXXXXXX mac-address=\
XXXXXX server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# L2TP = the l2tp-vpn pool's network; Trusted = sources allowed to reach Winbox
# from WAN.
/ip firewall address-list
add address=192.168.89.0/24 list=L2TP
add address=XXXXX list=Trusted
add address=XXXXX list=Trusted
add address=XXXXX list=Trusted
add address=XXXXX list=Trusted
add address=XXXXXXX list=Trusted
/ip firewall filter
# Everything from ZeroTier is accepted into and through the router; fine only
# while every member of that ZeroTier network is trusted.
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
# Test leftovers; the src-address=8.8.8.8 rule is still enabled and logging.
add action=accept chain=forward comment="For TESTS" disabled=yes dst-address=\
192.168.98.0/24
add action=accept chain=forward disabled=yes dst-address=8.8.8.8 log=yes \
src-address=192.168.99.0/24
add action=accept chain=forward log=yes src-address=8.8.8.8
# WireGuard subnet gets every router service. Not bound to in-interface=wg1, so
# it also matches a packet on WAN carrying a forged 192.168.50.x source —
# add in-interface=wg1.
add action=accept chain=input src-address=192.168.50.0/24
# NOTE(review): TCP/2000 accepted from ANY interface, WAN included, with no
# source restriction, and nothing in this export explains it. Scope it (e.g.
# src-address-list=Trusted or in-interface-list=LAN) or remove it.
add action=accept chain=input dst-port=2000 protocol=tcp
# Winbox from WAN limited to the Trusted list — this is the intended rule.
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp \
src-address-list=Trusted
# No GRE-based tunnel (EoIP/PPTP/GRE) appears in this export — leftover.
add action=accept chain=input in-interface=ether1-WAN protocol=gre
# NOTE(review): duplicates the Winbox rule above WITHOUT src-address-list=Trusted,
# so Winbox (8291) is reachable from the whole Internet and the Trusted list
# is moot. Remove this rule (or add src-address-list=Trusted to it).
add action=accept chain=input dst-port=8291 in-interface=ether1-WAN protocol=\
tcp
add action=accept chain=input comment=WG dst-port=13231 in-interface=ether1-WAN \
protocol=udp
# IKE (500) and NAT-T (4500) are UDP and are accepted further down; this TCP
# rule and the tcp/4500 one below never match and can be removed.
add action=accept chain=input dst-port=500 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-esp
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-ah
add action=accept chain=input dst-port=4500 in-interface=ether1-WAN protocol=\
tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
in-interface=ether1-WAN protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 in-interface=\
ether1-WAN protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 in-interface=\
ether1-WAN protocol=udp
# Duplicate of the ipsec-esp rule above.
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-esp
# L2TP clients on the l2tp-vpn pool get full router access, same as wg1;
# likewise not bound to an interface — add in-interface=all-ppp.
add action=accept chain=input comment="accept requests to mikrotik from vpn" \
src-address-list=L2TP
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Catch-all for the input chain. The all-ppp rule appended at the very end of
# this section sits after it and appears unreachable (PPP interfaces are not
# in the LAN list).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Input rule placed after the input chain's catch-all drop — see note there.
add action=accept chain=input dst-port=80,443 in-interface=all-ppp protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
# Disabled leftovers from an earlier routed (non-bridged) IPTV attempt.
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
out-interface=br-VPN src-address=192.168.89.0/24
add action=dst-nat chain=dstnat disabled=yes in-interface=ether5-IPTV-IN log=\
yes to-addresses=192.168.50.1
# Return routes to the 5009's two LANs through the WireGuard tunnel.
/ip route
add disabled=no dst-address=192.168.98.0/24 gateway=wg1 routing-table=main \
suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.99.0/24 gateway=wg1 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set www-ssl address=192.168.89.0/24 disabled=no
# NOTE(review): always-allow-password-login=yes keeps password SSH login on even
# with strong-crypto, and forwarding-enabled=both lets any SSH user tunnel
# ports through the router. Prefer key-based login and forwarding-enabled=no
# unless SSH forwarding is actually used.
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both
# NOTE(review): UPnP lets LAN hosts open WAN ports on their own. No /ip upnp
# interfaces appear in this export, so it is presumably inactive — set
# enabled=no explicitly if it is not needed.
/ip upnp
set enabled=yes
# bridge=*10 is an unresolved object id (a bridge that no longer exists); this
# profile and the two secrets using it below look like leftovers.
/ppp profile
add bridge=*10 local-address=10.10.0.0 name="SITE TO SITE L2VPN" \
remote-address=POOL-VPN
# NOTE(review): only "l2tp" (profile=default-encryption, bridged into br-VPN)
# is used by the 5009. "vpn" has no service or profile, "sstp1" uses 1.1.1.5/6
# (public address space) as tunnel endpoints, "mikrotik" matches the LSR id
# left in the 5009's LDP config. Unused secrets are spare credentials — remove
# what is not in use.
/ppp secret
add name=vpn
add local-address=1.1.1.5 name=sstp1 remote-address=1.1.1.6
add local-address=192.168.12.1 name=mikrotik remote-address=192.168.12.2 \
service=l2tp
add name=mikrotik-bcp profile="SITE TO SITE L2VPN" service=l2tp
add name=bcp profile="SITE TO SITE L2VPN" service=l2tp
add name=l2tp profile=default-encryption
# BFD on interfaces=all includes WAN; no routing protocol here uses BFD — leftover.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
# IGMP proxy is fully disabled; multicast rides the BCP bridge instead.
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets="XXX/16,XXXX/16,XXXX/28,XXX\
XX/28,XXXX/28,XXXXXX/16,0.0.0.0/0" disabled=yes interface=\
ether5-IPTV-IN upstream=yes
add disabled=yes interface=wg1
/system clock
set time-zone-name=Europe/XXXXX
/system identity
set name=XXXXXXX
/system note
set note=XXXXXX
\n\r\
\nXXXX" show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.europe.pool.ntp.org
add address=1.europe.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# RoMON is Layer 2 and is not filtered by the IP firewall; acceptable on a box
# whose ports are all LAN, but keep it in mind when a port is re-purposed.
/tool romon
set enabled=yes
# Sniffer set to stream wg1 packet headers to a remote collector. It captures
# only while started, but if left running it adds per-packet work on the tunnel
# path — check "/tool sniffer print" (running) while the speed problem shows.
/tool sniffer
set filter-interface=wg1 filter-stream=yes only-headers=yes streaming-enabled=\
yes streaming-server=XXXXXXX
[admin@XXXXXX] >
Country B Config (Remote):
[admin@XXXXXX] > export hide-sensitive
# 2024-03-01 08:42:08 by RouterOS 7.14
# software id = XXXXX
#
# model = RB5009UG+S+
# serial number = XXXXXX
#
# Review notes (client side). Three bridges: "bridge" (192.168.98.0/24, the
# local Starlink LAN), br_PBR (192.168.99.0/24, policy-routed through
# WireGuard; holds the WG-LAN and VOIP ports) and br-VPN (the STB port, bridged
# over L2TP/BCP to the 4011's ether5-IPTV-IN).
/interface bridge
add name=br-VPN port-cost-mode=short
add name=br_PBR port-cost-mode=short
add admin-mac=XXXXXX auto-mac=no comment=defconf name=bridge port-cost-mode=\
short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-WG-LAN
set [ find default-name=ether4 ] name=ether4-VOIP
set [ find default-name=ether5 ] name="ether5-IPTV STB"
# L2TP/IPsec client. user=l2tp maps to the 4011's "l2tp" secret, whose profile
# (default-encryption) bridges the session into br-VPN on both ends.
/interface l2tp-client
add connect-to=addressXXXXXXX disabled=no name=l2tp-out1 use-ipsec=yes user=\
l2tp
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.98.10-192.168.98.254
add name=dhcp_pool2 ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=br_PBR lease-time=10m name=dhcp2
/ip smb users
set [ find default=yes ] disabled=yes
# Client-side PPP profile: the L2TP session becomes a port of br-VPN here too.
/ppp profile
set *FFFFFFFE bridge=br-VPN use-compression=yes use-encryption=default use-ipv6=default
# BGP/OSPF stubs with nothing attached — leftovers, harmless while idle.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Table "wg": all of 192.168.99.0/24 is looked up here (see /routing rule).
/routing table
add disabled=no fib name=wg
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-LAN \
internal-path-cost=10 path-cost=10
add bridge=br_PBR comment=defconf ingress-filtering=no interface=ether3-WG-LAN \
internal-path-cost=10 path-cost=10
add bridge=br_PBR comment=defconf ingress-filtering=no interface=ether4-VOIP \
internal-path-cost=10 path-cost=10
add bridge=br-VPN comment=defconf ingress-filtering=no interface="ether5-IPTV STB" \
internal-path-cost=10 path-cost=10
# NOTE(review): keep this disabled — enabling it puts the WAN port in the LAN
# bridge.
add bridge=bridge disabled=yes ingress-filtering=no interface=ether1-WAN \
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=1m
# NOTE(review): discover-interface-list=all announces the router (MNDP/LLDP) on
# the WAN port as well; the 4011 limits this to LAN — use
# discover-interface-list=LAN here too.
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
# wg1 and br_PBR are LAN members, so both pass the "drop all not coming from
# LAN" input rule.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=wg1 list=LAN
add comment=defconf interface=br_PBR list=LAN
# No OVPN server is enabled here; md5 in the auth list is a weak leftover.
/interface ovpn-server server
set auth=sha1,md5
# allowed-address=0.0.0.0/0 is what lets table "wg"'s default route send any
# destination into the tunnel; it also means the tunnel accepts any source
# address from this peer, which makes the other subnets in the list redundant.
# persistent-keepalive keeps the NAT mapping alive from behind Starlink.
/interface wireguard peers
add allowed-address="0.0.0.0/0,192.168.50.0/24,192.168.88.0/24,172.16.0.0/16,172.26.0.0/1\
6,XXXXX/28,XXXXXX/28" endpoint-address=addressXXXXXX \
endpoint-port=13231 interface=wg1 persistent-keepalive=25s public-key=\
"XXXXXXXX"
/ip address
add address=192.168.98.1/24 comment=defconf interface=bridge network=192.168.98.0
# Disabled leftover address on the WAN port.
add address=10.0.0.2/24 disabled=yes interface=ether1-WAN network=10.0.0.0
add address=192.168.50.2/24 interface=wg1 network=192.168.50.0
add address=192.168.99.1/24 interface=br_PBR network=192.168.99.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1-WAN
# DHCP client on the IPTV bridge (no default route): obtains an address from the
# ISP segment at the far end of the L2TP tunnel. Nothing here shows what depends
# on it — TODO confirm, else remove.
add add-default-route=no interface=br-VPN
/ip dhcp-server lease
add address=192.168.99.7 client-id=XXX mac-address=XXX \
server=dhcp2
add address=192.168.99.183 client-id=XXXmac-address=XXX \
server=dhcp2
add address=192.168.99.151 client-id=XXXX mac-address=XXX \
server=dhcp2
add address=192.168.99.155 client-id=XXX mac-address=XXX \
server=dhcp2
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=192.168.98.1 gateway=192.168.98.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
# All DNS is forwarded to the 4011 across the WireGuard tunnel, so name
# resolution for both LANs depends on wg1 being up.
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Trusted here is the WireGuard subnet, i.e. management over the tunnel; "local"
# is defined but not referenced by any rule below.
/ip firewall address-list
add address=192.168.98.0/24 list=local
add address=192.168.50.0/24 list=Trusted
/ip firewall filter
# Fasttrack is disabled, so every forwarded packet takes the full firewall path.
# The MSS mangle rule below matches only SYN packets (connection-state new),
# which the fasttrack rule (established,related) never handles, so re-enabling
# fasttrack looks safe to test — TODO confirm. WireGuard's own crypto is CPU
# work either way.
add action=fasttrack-connection chain=forward connection-state=established,related \
disabled=yes hw-offload=yes
add action=accept chain=forward connection-state=established,related
# NOTE(review): Winbox (8291) accepted from the whole Internet with no source
# restriction. Management already works over the tunnel via the Trusted rule
# below — remove this rule, or add src-address-list=Trusted as the 4011 does.
add action=accept chain=input dst-port=8291 in-interface=ether1-WAN protocol=tcp
# Not bound to in-interface=wg1, so a packet on WAN with a forged 192.168.50.x
# source would also match — add in-interface=wg1.
add action=accept chain=input src-address-list=Trusted
add action=accept chain=input comment="Accept IGMP" in-interface=wg1 protocol=igmp
# NOTE(review): the comment says IGMP but the match is protocol=udp, so this
# accepts ALL UDP forwarded from wg1, new connections included. Multicast
# actually arrives over br-VPN (L2TP), not wg1 — leftover; if kept, use
# protocol=igmp.
add action=accept chain=forward comment="Forward IGMP" in-interface=wg1 protocol=udp
# NOTE(review): this router initiates both tunnels (l2tp-client, and WireGuard
# with keepalive), so replies are matched by the established/related rule
# below. Accepting GRE/ESP/AH from any Internet source, and IKE on TCP (IKE is
# UDP), is unnecessary exposure — remove these five rules.
add action=accept chain=input in-interface=ether1-WAN protocol=gre
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-esp
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-ah
add action=accept chain=input dst-port=500 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input dst-port=4500 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# MSS clamp for TCP leaving via wg1 (tunnel MTU 1420). Without it, sites behind
# a PMTU black hole hang — the reported symptom. Only the client-to-server
# direction is clamped; the 4011 has no equivalent rule on its wg1.
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=wg1 passthrough=\
yes protocol=tcp tcp-flags=syn
# Disabled leftovers: a fixed 1380 MSS, and a routing mark for br-VPN from when
# IPTV was routed rather than bridged.
add action=change-mss chain=forward disabled=yes new-mss=1380 passthrough=yes protocol=\
tcp tcp-flags=syn tcp-mss=1381-65535
add action=mark-routing chain=prerouting disabled=yes in-interface=br-VPN log=yes \
new-routing-mark=wg passthrough=yes
/ip firewall nat
# Disabled leftover (masquerade towards loopback).
add action=masquerade chain=srcnat disabled=yes out-interface=lo
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
# Source-NATs everything entering the br_PBR LAN to 192.168.99.1, so the VOIP ATA
# and WG-LAN hosts never see the real peer address; presumably from an earlier
# design — confirm it is still needed.
add action=masquerade chain=srcnat out-interface=br_PBR
# main: the 4011 LAN is reached via wg1. wg: a default route into the tunnel,
# used for all of 192.168.99.0/24 via /routing rule. The rest are disabled
# experiments.
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wg1 routing-table=main \
scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src="" routing-table=\
wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=172.16.0.0/16 gateway=wg1 pref-src="" \
routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=172.26.0.0/16 gateway=wg1 pref-src="" \
routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=XXXX/28 gateway=wg1 pref-src="" \
routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=XXXX/28 gateway=wg1 pref-src="" \
routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=8.8.4.4/32 gateway=wg1 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes dst-address=0.0.0.0/0 gateway=br_PBR routing-table=wg \
suppress-hw-offload=no
# ftp/api/api-ssl off; www, ssh and winbox remain on and are shielded from WAN
# only by the input chain — see the Winbox note above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
# NOTE(review): LDP is running on the STB port and loopback with an lsr-id from
# 192.168.12.0/24, the address pair of the 4011's unused "mikrotik" L2TP secret.
# No MPLS is in use anywhere here — leftover; disable it.
/mpls ldp
add disabled=no lsr-id=192.168.12.2 transport-addresses=192.168.12.2
/mpls ldp interface
add disabled=no interface="ether5-IPTV STB"
add disabled=no interface=lo
# bridge=*E is an unresolved object id (bridge no longer exists); unused profile.
/ppp profile
add bridge=*E name=SITE-TO-SITE-L2VPN
# BFD on interfaces=all includes WAN; nothing here uses BFD — leftover.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
# IGMP proxy fully disabled; multicast rides the BCP bridge instead.
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets="172.16.0.0/16,172.26.0.0/16,XXXX16,XXXXX/28,XXXX\
XXXXX/28,XXXXX/28,0.0.0.0/0" disabled=yes interface=wg1 upstream=yes
add disabled=yes interface="ether5-IPTV STB"
# Policy routing, evaluated top-down: two hosts (.183, .155) bypass the tunnel,
# intra-LAN traffic stays in main, everything else from 192.168.99.0/24 is
# confined to table "wg" (default via wg1).
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.99.101/32 table=main
add action=lookup comment="XXXXXX (Enable to bypass WG)" disabled=\
no src-address=192.168.99.183/32 table=main
add action=lookup src-address=192.168.99.155/32 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.99.0/24 src-address=\
192.168.99.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.99.0/24 table=wg
/system clock
set time-zone-name=America/XXXXX
/system identity
set name=XXXXXX
/system note
set show-at-login=no
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
# Sniffer set to stream STB-port TX headers to a remote collector; costs CPU only
# while started — check "/tool sniffer print" for running=yes.
/tool sniffer
set filter-direction=tx filter-interface="ether5-IPTV STB" filter-stream=yes \
only-headers=yes streaming-enabled=yes streaming-server=XXXXX
[admin@XXXXXX] >