brpa71
January 29, 2025, 7:05pm
1
Good afternoon,
I am all new to this. Since 2 days on a “ccr2004-1g-12s+2xs”. Have some previous experience with PFSense/Opnsense, but none with Router OS or anything alike.
Actually everything is so far working pretty well, after struggling with some minor stuff I could all figure out.
Now I need external access to the router, my LAN, and need to be able to route internet traffic through the WG tunnel. So far everything works, I can access local machines, when I browse the internet it identifies with my home IP address… so far so good. But why can’t I see the router itself? When I try to open its webinterface or Winbox, it doesn’t work.
So I have enabled DDNS. The connection does work through it. Check.
My router is at 10.3.9.1. WG network is at 192.168.100/24. Allowed client IP 192.168.100.2.
There was a firewall rule created to allow Wireguard on udp 13231 and below another one to allow wireguard traffic from 192.168.100.0/24.
What else can I try?
If you want me to post configs, please let me know the commands to pull them and copy/paste them over… (am still a little bit lost).
Thank you !
A posted config would be much appreciated.
The command to export one is:
export file=anynameyouwish
After that, you copy it from the Files menu to your local machine and open it with Notepad to edit out some sensitive info like serial number, passwords, etc.
And please post back between code quotes, easier for readability.
anav
January 30, 2025, 1:58am
4
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
brpa71
January 30, 2025, 9:06am
5
Does this help?
# 2025-01-30 10:03:04 by RouterOS 7.17
# software id = 2NT2-84ZQ
#
# model = CCR2004-1G-12S+2XS
# serial number = xxx
/interface bridge
add name=lan
add name=wan protocol-mode=none
/interface ethernet
set [ find default-name=sfp28-2 ] fec-mode=fec91
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=WAN name=WAN
add comment=LAN name=LAN
/ip pool
add name=dhcp_pool0 ranges=10.3.9.2-10.3.9.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp_pool0 interface=lan name=dhcp1
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/dude
set enabled=yes
/interface bridge port
add bridge=lan interface=sfp28-1
add bridge=wan interface=sfp28-2
add bridge=lan interface=sfp-sfpplus1
add bridge=lan interface=sfp-sfpplus2
add bridge=lan interface=sfp-sfpplus3
add bridge=lan interface=sfp-sfpplus4
add bridge=lan interface=sfp-sfpplus5
add bridge=lan interface=sfp-sfpplus6
add bridge=lan interface=sfp-sfpplus7
add bridge=lan interface=sfp-sfpplus8
add bridge=lan interface=sfp-sfpplus9
add bridge=lan interface=sfp-sfpplus10
add bridge=lan interface=sfp-sfpplus11
add bridge=lan interface=sfp-sfpplus12
add bridge=lan interface=ether1
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=WAN interface=wan list=WAN
add comment=wg interface=wireguard1 list=LAN
add interface=ether1 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface=sfp-sfpplus10 list=LAN
add interface=sfp-sfpplus11 list=LAN
add interface=sfp-sfpplus12 list=LAN
add interface=sfp28-1 list=LAN
add interface=sfp28-2 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard1 name=peer1 public-key="**********"
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=192.168.88.0
add address=10.3.9.1/24 interface=sfp-sfpplus1 network=10.3.9.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add interface=wan
/ip dhcp-server lease
add address=10.3.9.144 comment=NC_2.5gbps_probe mac-address=*** server=dhcp1
add address=10.3.9.6 client-id=1:e4:5f:1:c8:67:9f comment=PacaRaspbi mac-address=**** server=dhcp1
add address=10.3.9.50 client-id=1:ee:b7:0:19:ba:a9 comment="NanoPi 100mbps" mac-address=***** server=dhcp1
/ip dhcp-server network
add address=10.3.9.0/24 gateway=10.3.9.1
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.100.0/24
add action=accept chain=input in-interface=lan
add action=fasttrack-connection chain=forward hw-offload=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip service
set telnet address=10.3.9.0/24
set ftp address=10.3.9.0/24
set www address=10.3.9.0/24
set ssh address=10.3.9.0/24
set www-ssl address=10.3.9.0/24 disabled=no
set api address=10.3.9.0/24
set winbox address=10.3.9.0/24
set api-ssl address=10.3.9.0/24
/ppp secret
add name=vpn
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zurich
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing interface
add interface=sfp-sfpplus1
/tool sniffer
set filter-interface=lan streaming-server=10.3.9.182
I saw one weird thing in the interface list:
/interface list member
add comment=WAN interface=wan list=WAN
add comment=wg interface=wireguard1 list=LAN
add interface=ether1 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface=sfp-sfpplus10 list=LAN
add interface=sfp-sfpplus11 list=LAN
add interface=sfp-sfpplus12 list=LAN
add interface=sfp28-1 list=LAN
add interface=sfp28-2 list=LAN
sfp28-2 should be in the WAN list I guess? Will try to change that. But probably it’s not the cause here.
Your firewall is hazardous for yourself! Unplug from the internet and add the following default rules:
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
After that, add the WG address to Winbox IP service and it should work:
/ip service
set winbox address=10.3.9.0/24,192.168.100.0/24
And change the WG peer allowed-address to a /32 from the WG subnet
brpa71
January 30, 2025, 12:10pm
7
Wow, wouldn’t know how to thank you for pointing out also the safety issue.
I have added the firewall rules, now looks as follows:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.100.0/24
add action=accept chain=input in-interface=lan
add action=fasttrack-connection chain=forward hw-offload=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
I hope that’s better?
Regarding the router access: When connected over WG, I can now use the Mikrotik App on the phone for instance, but the router admin page will not open in a browser.
Is there anything else, specially security wise, that I should be aware of?
Silly me, forgot the www service:
/ip service
set www address=10.3.9.0/24,192.168.100.0/24
Of course, if you need access through the other protocols via WG, you should add its subnet to every IP service needed.
Also, the firewall rules have duplicated themselves. You should remove one of two sets.
Last but not least, you can remove the following rules:
add action=accept chain=input comment=“allow WireGuard traffic” src-address=192.168.100.0/24
since they’re covered by the default “drop all not comimg from LAN”
and this one:
add action=fasttrack-connection chain=forward hw-offload=yes
since it’s covered by a default one a little bit further
brpa71
January 30, 2025, 12:48pm
9
The Webinterface access works perfect, Thanks
Am working on the firewall rules. Kind of hard to find an delete them…
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; allow WireGuard
chain=input action=accept protocol=udp dst-port=13231
2 ;;; allow WireGuard traffic
chain=input action=accept src-address=192.168.100.0/24
3 chain=input action=accept in-interface=lan log=no log-prefix=""
4 chain=forward action=fasttrack-connection hw-offload=yes
5 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
6 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
7 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
8 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
9 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
10 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
11 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
12 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
13 ;;; defconf: accept established,related,untracked
chain=forward action=accept connection-state=established,related,untracked
14 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
15 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
16 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
17 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
18 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
19 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
20 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
21 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
22 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
23 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
24 ;;; defconf: accept established,related,untracked
chain=forward action=accept connection-state=established,related,untracked
25 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
26 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Also I have many with state “invalid”. Is this fine? Am trying to find the doubles and the ones you recommend to remove,…
brpa71
January 30, 2025, 1:30pm
10
I assume I managed to clear the filters:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
Also the WG access now works like a charm. THANK YOU VERY MUCH !!!
Of course in case you have more suggestions: Feel free
I’ll use the bestowed upon me freedom to give a few more suggestions
Disable detect-internet because it is almost always a pain in the behind:
/interface detect-internet
to
/interface detect-internet
Instead of listing out all of the sfp ports in the LAN bridge in the LAN interface list, you can reference just the bridge itself:
/interface list member
to
/interface list member
If you use L2TP, you could add the following rules to the firewall somewhere near that for Wireguard
/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp comment="Allow IPsec IKE"
add action=accept chain=input dst-port=1701 protocol=udp comment="Allow L2TP"
add action=accept chain=input dst-port=4500 protocol=udp comment="Allow NAT-T"
add action=accept chain=input protocol=ipsec-esp comment="Allow IPsec ESP"
anav
January 30, 2025, 2:13pm
12
Post your latest FULL config for review.
brpa71
January 30, 2025, 6:39pm
13
Now I have a much weirder of an issue. I can no longer access the router from my PC, neiter by ssh nor by winbox nor by web browser.
If I connect to Wireguard from my phone, I can access it perfectly. Everything works.
When I connect to Wireguard on my PC, which is of course on the routers LAN, it does not work, it gives me “permission denied” in SSH.
The router hands out IP addresses etc, and internet and lan connections are working.
I’ll copy off anav and say the same: post your latest full config for review
brpa71
January 30, 2025, 6:57pm
15
I managed to get the config on my phone:
# 2025-01-30 19:45:14 by RouterOS 7.17
# software id = 2NT2-84ZQ
#
# model = CCR2004-1G-12S+2XS
# serial number =
/interface bridge
add name=lan
add name=wan protocol-mode=none
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=2.5G-baseT,10G-baseT
set [ find default-name=sfp28-2 ] fec-mode=fec91
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=WAN name=WAN
add comment=LAN name=LAN
/ip pool
add name=dhcp_pool0 ranges=10.3.9.2-10.3.9.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp_pool0 interface=lan name=dhcp1
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/dude
set enabled=yes
/interface bridge port
add bridge=lan interface=sfp28-1
add bridge=wan interface=sfp28-2
add bridge=lan interface=sfp-sfpplus1
add bridge=lan interface=sfp-sfpplus2
add bridge=lan interface=sfp-sfpplus3
add bridge=lan interface=sfp-sfpplus4
add bridge=lan interface=sfp-sfpplus5
add bridge=lan interface=sfp-sfpplus6
add bridge=lan interface=sfp-sfpplus7
add bridge=lan interface=sfp-sfpplus8
add bridge=lan interface=sfp-sfpplus9
add bridge=lan interface=sfp-sfpplus10
add bridge=lan interface=sfp-sfpplus11
add bridge=lan interface=sfp-sfpplus12
add bridge=lan interface=ether1
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=WAN interface=wan list=WAN
add comment=wg interface=wireguard1 list=LAN
add interface=ether1 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface=sfp-sfpplus10 list=LAN
add interface=sfp-sfpplus11 list=LAN
add interface=sfp-sfpplus12 list=LAN
add interface=sfp28-1 list=LAN
add interface=sfp28-2 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard1 name=peer1 public-key=\
"9YrOAToWS+4iakKGc1LPKa5rXFA7hpbzM7QVlwT/ZwA="
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
192.168.88.0
add address=10.3.9.1/24 interface=sfp-sfpplus1 network=10.3.9.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=wan
/ip dhcp-server lease
add address=10.3.9.2 comment=Orbi_Main
add address=10.3.9.3 comment=Orbi_Satellite
add address=10.3.9.4 comment=Paca_Switch_1
add address=10.3.9.5 comment=Paca_Switch_2
add address=10.3.9.6 comment=pacaraspbi
add address=10.3.9.7 comment=pacaraspbiwlan
add address=10.3.9.8 comment=ProxUbuntu
add address=10.3.9.9 comment=ProxUbuntu032024
add address=10.3.9.10 comment=Macbook_Air_Alicia
B8:8D:12:11:EE:4E
add address=10.3.9.11 comment=FIRETV_Kids
add address=10.3.9.12 comment=iPad-SuS-pers-
74:15:F5:EF:A4:4F
add address=10.3.9.13 comment=MacAir13
add address=10.3.9.14 comment=FireTV4K_Kids_Neu2022
1C:12:B0:13:88:08
add address=10.3.9.15 comment=A55_alicia
add address=10.3.9.16 comment=Handy_Sofina
add address=10.3.9.17 comment=Galaxy-Tab-A
add address=10.3.9.20 comment=FireTV4K_Max_Wohnzimmer
B0:F7:C4:C9:07:0F
add address=10.3.9.21 comment=Chromecast_WZ
add address=10.3.9.22 comment=TV_WZ
add address=10.3.9.23 comment=Playstation_4
add address=10.3.9.24 comment=Playstation_4_WIFI
E8:9E:B4:9A:31:C1
add address=10.3.9.25 comment=DenonAmpWZ
add address=10.3.9.26 comment=googletv
add address=10.3.9.30 comment=SamsungS20_BRU
add address=10.3.9.31 comment=A54-de-Adriana
add address=10.3.9.32 comment=Air-De-Adriana
add address=10.3.9.40 comment=PacaDesktop
add address=10.3.9.41 comment=PacaDesktopWifi
add address=10.3.9.42 comment=pacadesktop2
add address=10.3.9.43 comment=BPSpectre_LAN
add address=10.3.9.44 comment=BPSpectre_WLAN
add address=10.3.9.45 comment=surfaceNC
add address=10.3.9.46 comment=usbcdock
add address=10.3.9.50 comment=NanoPiR1
add address=10.3.9.51 comment=NanoPiR1
add address=10.3.9.52 comment=Proxubuntu_ext_WIFI
90:DE:80:29:76:FD
add address=10.3.9.53 comment=NanoPiR1_LANETH_100mbps
4A:D3:F8:94:6A:F4
add address=10.3.9.55 comment=ProxKali
add address=10.3.9.88 comment=HyperVUbuntu1
add address=10.3.9.100 comment=Brother_Printer
add address=10.3.9.101 comment=Epson_Printer
add address=10.3.9.102 comment=ScanSnap
add address=10.3.9.103 comment=Deebot_VAC
add address=10.3.9.104 comment=BoschNyonEbike
add address=10.3.9.105 comment=sureflap
add address=10.3.9.106 comment=smartbulbwz
add address=10.3.9.110 comment=EchoDotKueche
add address=10.3.9.111 comment=EchodotBuro
add address=10.3.9.112 comment=EchoDotKids
add address=10.3.9.113 comment=EchoDotSchlafzimmer
50:07:C3:68:09:4A
add address=10.3.9.114 comment=EchoDotSchlafzimmer2
34:AF:B3:11:AB:74
add address=10.3.9.115 comment=EchoDotWohnzimmer
44:3D:54:DE:C4:47
add address=10.3.9.144 comment=DietPi
add address=10.3.9.150 comment=proxvpn
add address=10.3.9.250 comment=Paca_MT
add address=10.3.9.251 comment=synds212
add address=10.3.9.252 comment=UbuntuHVserver
add address=10.3.9.254 comment=Proxmox
add address=10.3.9.145 comment=DietPi_Nic2 \
server=dhcp1
/ip dhcp-server network
add address=10.3.9.0/24 gateway=10.3.9.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip service
set telnet address=10.3.9.0/24
set ftp address=10.3.9.0/24
set www address=10.3.9.0/24,192.168.100.0/24
set ssh address=10.3.9.0/24
set www-ssl address=10.3.9.0/24 certificate=he908hngmv5.routingthecloud.net \
disabled=no
set api address=10.3.9.0/24
set winbox address=10.3.9.0/24,192.168.100.0/24
set api-ssl address=10.3.9.0/24
/ppp secret
add name=vpn
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zurich
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing interface
add interface=sfp-sfpplus1
/tool sniffer
set filter-interface=lan streaming-server=10.3.9.182
I removed
This should be removed:
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
192.168.88.0
This should be changed to interface=lan :
add address=10.3.9.1/24 interface=sfp-sfpplus1 network=10.3.9.0
And the recommendations from my previous post
brpa71
January 30, 2025, 8:23pm
17
This should be removed:
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
192.168.88.0
This should be changed to interface=lan :
add address=10.3.9.1/24 interface=sfp-sfpplus1 network=10.3.9.0
And the recommendations from my previous post
Can I add / remove this throgh webinterface? Need to do it from phone as otherwise I don’t get any access…
Am looking also in the android app from Mikrotik. Cannot find the interface sfp-sfpplus1 network rule mentioned. Also there is something I don’t really understand… why the sfpplus1 port particularely?
Update: Connected my PC to the phone’s hotspot and connected through Wireguard. Now I can access webinterface from PC, but SSH throws an error. But I guess I can at least use the terminal in the web interface to adjust some things.
brpa71
January 30, 2025, 8:46pm
18
Config after recommended changes:
# 2025-01-30 21:38:39 by RouterOS 7.17
# software id = 2NT2-84ZQ
#
# model = CCR2004-1G-12S+2XS
# serial number =
/interface bridge
add name=lan
add name=wan protocol-mode=none
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=2.5G-baseT,10G-baseT
set [ find default-name=sfp28-2 ] fec-mode=fec91
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=WAN name=WAN
add comment=LAN name=LAN
/ip pool
add name=dhcp_pool0 ranges=10.3.9.2-10.3.9.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp_pool0 interface=lan name=dhcp1
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/dude
set enabled=yes
/interface bridge port
add bridge=lan interface=sfp28-1
add bridge=wan interface=sfp28-2
add bridge=lan interface=sfp-sfpplus1
add bridge=lan interface=sfp-sfpplus2
add bridge=lan interface=sfp-sfpplus3
add bridge=lan interface=sfp-sfpplus4
add bridge=lan interface=sfp-sfpplus5
add bridge=lan interface=sfp-sfpplus6
add bridge=lan interface=sfp-sfpplus7
add bridge=lan interface=sfp-sfpplus8
add bridge=lan interface=sfp-sfpplus9
add bridge=lan interface=sfp-sfpplus10
add bridge=lan interface=sfp-sfpplus11
add bridge=lan interface=sfp-sfpplus12
add bridge=lan interface=ether1
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=WAN interface=wan list=WAN
add comment=wg interface=wireguard1 list=LAN
add interface=ether1 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=LAN
add interface=sfp-sfpplus9 list=LAN
add interface=sfp-sfpplus10 list=LAN
add interface=sfp-sfpplus11 list=LAN
add interface=sfp-sfpplus12 list=LAN
add interface=sfp28-1 list=LAN
add interface=sfp28-2 list=WAN
add interface=lan list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard1 name=peer1 public-key="********"
/ip address
add address=10.3.9.1/24 interface=sfp-sfpplus1 network=10.3.9.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=wan
/ip dhcp-server lease
add address=10.3.9.2 comment=Orbi_Main
add address=10.3.9.3 comment=Orbi_Satellite
add address=10.3.9.4 comment=Paca_Switch_1
add address=10.3.9.5 comment=Paca_Switch_2
add address=10.3.9.6 comment=pacaraspbi
add address=10.3.9.7 comment=pacaraspbiwlan
add address=10.3.9.8 comment=ProxUbuntu
add address=10.3.9.9 comment=ProxUbuntu032024
add address=10.3.9.10 comment=Macbook_Air_Alicia
add address=10.3.9.11 comment=FIRETV_Kids
add address=10.3.9.12 comment=iPad-SuS-pers-Palomares-Alicia
add address=10.3.9.13 comment=MacAir13
add address=10.3.9.14 comment=FireTV4K_Kids_Neu2022
add address=10.3.9.15 comment=A55_alicia
add address=10.3.9.16 comment=Handy_Sofina
add address=10.3.9.17 comment=Galaxy-Tab-A
add address=10.3.9.20 comment=FireTV4K_Max_Wohnzimmer
add address=10.3.9.21 comment=Chromecast_WZ
add address=10.3.9.22 comment=TV_WZ
add address=10.3.9.23 comment=Playstation_4
add address=10.3.9.24 comment=Playstation_4_WIFI
add address=10.3.9.25 comment=DenonAmpWZ
add address=10.3.9.26 comment=googletv
add address=10.3.9.30 comment=SamsungS20_BRU
add address=10.3.9.31 comment=A54-de-Adriana
add address=10.3.9.32 comment=Air-De-Adriana
add address=10.3.9.40 comment=PacaDesktop
add address=10.3.9.41 comment=PacaDesktopWifi
add address=10.3.9.42 comment=pacadesktop2
add address=10.3.9.43 comment=BPSpectre_LAN
add address=10.3.9.44 comment=BPSpectre_WLAN
add address=10.3.9.45 comment=surfaceNC
add address=10.3.9.46 comment=usbcdock
add address=10.3.9.50 comment=NanoPiR1
add address=10.3.9.51 comment=NanoPiR1
add address=10.3.9.52 comment=Proxubuntu_ext_WIFI
add address=10.3.9.53 comment=NanoPiR1_LANETH_100mbps
add address=10.3.9.55 comment=ProxKali
add address=10.3.9.88 comment=HyperVUbuntu1
add address=10.3.9.100 comment=Brother_Printer
add address=10.3.9.101 comment=Epson_Printer
add address=10.3.9.102 comment=ScanSnap
add address=10.3.9.103 comment=Deebot_VAC
add address=10.3.9.104 comment=BoschNyonEbike
add address=10.3.9.105 comment=sureflap
add address=10.3.9.106 comment=smartbulbwz
add address=10.3.9.110 comment=EchoDotKueche
add address=10.3.9.111 comment=EchodotBuro
add address=10.3.9.112 comment=EchoDotKids
add address=10.3.9.113 comment=EchoDotSchlafzimmer
add address=10.3.9.114 comment=EchoDotSchlafzimmer2
add address=10.3.9.115 comment=EchoDotWohnzimmer
add address=10.3.9.144 comment=DietPi
add address=10.3.9.150 comment=proxvpn
add address=10.3.9.250 comment=Paca_MT
add address=10.3.9.251 comment=synds212
add address=10.3.9.252 comment=UbuntuHVserver
add address=10.3.9.254 comment=Proxmox
add address=10.3.9.145 comment=DietPi_Nic2 \
/ip dhcp-server network
add address=10.3.9.0/24 gateway=10.3.9.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip service
set telnet address=10.3.9.0/24
set ftp address=10.3.9.0/24
set www address=10.3.9.0/24,192.168.100.0/24
set ssh address=10.3.9.0/24
set www-ssl address=10.3.9.0/24 certificate=he908hngmv5.routingthecloud.net disabled=no
set api address=10.3.9.0/24
set winbox address=10.3.9.0/24,192.168.100.0/24
set api-ssl address=10.3.9.0/24
/ppp secret
add name=vpn
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zurich
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing interface
add interface=sfp-sfpplus1
/tool sniffer
set filter-interface=lan streaming-server=10.3.9.182
What is weird now, I hooked up my wifi to the router and if I connect through the wifi AP, I can access router by web and ssh. If I go through LAN, I cannot.
Here is the thing you couldn’t find from above:
/ip address
add address=10.3.9.1/24 interface=sfp-sfpplus1 network=10.3.9.0
Change the interface=sfp-sfpplus1 to interface=lan
brpa71
January 30, 2025, 9:01pm
20
Here is the thing you couldn’t find from above:
/ip address
add address=10.3.9.1/24 interface=sfp-sfpplus1 network=10.3.9.0
Change the interface=sfp-sfpplus1 to interface=lan
It tells me I already have that address:
[admin@MikroTik] /ip/address> print
ADDRESS NETWORK INTERFACE
0 S 10.3.9.1/24 10.3.9.0 sfp-sfpplus1
