Wireguard works with devices, not other Mikrotik

Hello All:

I’ve been trying to get a Mikrotik to Mikrotik Wireguard VPN tunnel to work, with puzzling and frustrating results.

The project is two radio repeater sites. I had done an IPSec link, but something happened and one side seemed to “forget” the settings for the link and I could no longer remotely access it. I put the system together prior to Wireguard being introduced to Mikrotik. So, I thought it would be a lot easier to set up Wireguard.

I set up a Wireguard instance and am able to reach it and access the radio at the “server” side, with my laptop as well as my cell phone. I had some issues at first, and poking around, I noticed that I was unable to ping the Wireguard remote IP. I fixed a few configuration errors and now they both work and can ping the remote WG IP.

The problem is that when I configured a new Mikrotik Hex S (2025) as a client, I can see that it’s transmitting to the “server” remote site, but the server isn’t responding. I know the remote site works, because of my other two devices. That tells me it shouldn't be a firewall issue. I’m using WG IPs in the same network, so I don’t think it’s that. I’ve checked settings between working client profiles and the non-working ones and triple checked things like each router’s WG public key.

I can, of course, ping the local WG IP, but the remote WG IP is unreachable, which tells me there’s no tunnel forming. I set up a server instance here on the local router and my laptop works great on the WG link.

I’ve opened the ports for the WG instance to input on both sides. But I’m obviously missing something.

I’m reluctant to post configs due to the fact it’s a working (sorta) system and there would be a lot of editing required to obfuscate sensitive information.

Is there something missing from all the youtube videos, having to do with a Mikrotik to Mikrotik configuration?

I’ve got dozens of WG tunnels between routers, exactly for two-way radio traffic.

I set up a unique WG interface (and one peer for the remote side) for each tunnel so that you can use “0.0.0.0/0” in “Allowed IP addresses” (we run OSPF and advertise a number of routes across the tunnel). Make sure the remote router’s WG public key is in the local router’s peer entry. For my setup, one of them is the concentrator, so I enable “Responder” and don’t put in a remote IP address or port. The remote, possibly “portable” router has the concentrator’s IP address and WG port set, along with a persistent keepalive of 5 seconds.

I assign the IP address I want to use on each end. You can use /32’s, with the remote router’s IP address as the “network” address.

Thank you for your reply.

I think I have done what you describe. When assigning the IP to the WG interface itself, do I want something like a /24? That’s how I have things configured.

It seems like there’s something special about using a Mikrotik as a client, since I can get in with Windows and an Android. That tells me it’s not the server side.

I guess I’m either not understanding the information I’m seeing, or maybe there’s some basic thing I’m missing altogether. So I broke out a pair of MT routers with default configs and set them up with a patch cord acting as the VPN connection on port 5 of each unit. I configured everything the same way as I’ve seen in different guides. The details seem to vary from one person to the next. This is the basic config as I understand it. I tried adding firewall settings allowing a path from each router’s LAN into the other’s.

Here are the configs for each:

SITE A

# 2025-10-16 18:47:06 by RouterOS 7.18.2

# software id = CZAH-D0DT

# 

# model = E60iUGS

/interface bridge
add admin-mac=04:**:**:**:**:E2 auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment=WG1 listen-port=13200 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="From Site B" interface=wireguard1 name=site-b public-key="V12####################################nHAA=" responder=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=172.16.60.1/24 comment=WG1 interface=wireguard1 network=172.16.60.0
add address=10.123.123.1/24 comment="Link to Site B" interface=ether5 network=10.123.123.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="Allow WG init" dst-port=13200 in-interface=ether5 protocol=udp
add action=accept chain=forward comment="WG - Allow Site B Traffic" dst-address=192.168.88.0/24 src-address=192.168.81.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="Site A - Server"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

SITE B

# 2025-10-16 19:04:28 by RouterOS 7.20.1

# software id = QVMF-H7ND

# 

# model = E50UG

/interface bridge
add admin-mac=F4:**:**:**:**:0A auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment=WG1 listen-port=13200 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.81.10-192.168.81.200
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=172.16.60.2/32 comment="To Site A" endpoint-address=10.123.123.1 endpoint-port=13200 interface=wg1 name=site-a persistent-keepalive=10s public-key="JWB####################################p/m0="
/ip address
add address=192.168.81.1/24 comment=defconf interface=bridge network=192.168.81.0
add address=10.123.123.2/24 comment="Link to Site A" interface=ether5 network=10.123.123.0
add address=172.16.60.2/24 comment=WG1 interface=wg1 network=172.16.60.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.81.0/24 comment=defconf dns-server=192.168.81.1 gateway=192.168.81.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.81.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="WG - Allow Handshake" dst-port=13200 protocol=udp
add action=accept chain=forward comment="Allow Site A Traffic" dst-address=192.168.81.0/24 src-address=192.168.88.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="Site B - Client"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Your allowed-address values in the peers' settings are wrong.

  • On Site A router, edit the allowed-address field of the peer with the comment "From Site B" to 172.16.60.2/32,192.168.81.0/24 (if you use WinBox, put the two addresses in two rows)

    /interface wireguard peers
    set [find comment="From Site B"] allowed-address=172.16.60.2/32,192.168.81.0/24
    
  • On Site B router, edit the allowed-address field of the peer with the comment "To Site A" to 172.16.60.1/32,192.168.88.0/24 (if you use WinBox, put the two addresses in two rows)

    /interface wireguard peers
    set [find comment="To Site A"] allowed-address=172.16.60.1/32,192.168.88.0/24
    
  • On Site A router, add the route to the IP -> Routes table:

    /ip route
    add dst-address=192.168.81.0/24 gateway=172.16.60.2 check-gateway=ping
    
  • On Site B router, add the route to the IP -> Routes table:

    /ip route
    add dst-address=192.168.88.0/24 gateway=172.16.60.1 check-gateway=ping
    
  • On Site A router, add mangle rule to adjust MSS

    /ip firewall mangle
    add action=change-mss chain=forward comment="reduce MSS for WG" new-mss=1380 \
        out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
    
  • On Site B router, add mangle rule to adjust MSS

    /ip firewall mangle
    add action=change-mss chain=forward comment="reduce MSS for WG" new-mss=1380 \
        out-interface=wg1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
    

  • (Optional, if you want Site B's users to be able to manage Site A router) On Site A router, add wireguard1 to the interface list LAN:

    /interface list member
    add interface=wireguard1 list=LAN
    
  • (Optional, if you want Site A's users to be able to manage Site B router) On Site B router, add wg1 to the interface list LAN:

    /interface list member
    add interface=wg1 list=LAN
    

< fixed code quotes >

All I can think to say is THANK YOU!!!

Before I posted the configs, I swapped some IP addresses between routers, just because I thought it would come off less psycho. And I think I missed one.

I’d tried some allowed routes but was under the impression that each side had to match, for some reason. So that’s great information. I’m thinking if I had simply stopped there, I would have had a working connection. A poor one, but would have worked.

I looked up the subject of MSS and I get it, though I would probably never have figured it out on my own.

So, thank you again CGGXANNX and it looks like a big thanks to holvoetn for keeping me from pulling my hair out.

Thank you both so much.

Now, I think I can migrate those changes to my real setup.

All credit to CGGXANNX.

I was merely playing janitor here :laughing:

But ... to CGGXANNX:
None of my wireguard setups have this mss clamping, yet all of them work as they should (at least from what I observe).
So why does it work for some without, and is it needed for others? What is the factor to look out for?

The MSS clamping is not needed if you run the WG client on your devices, like on your phone or your laptop, because the applications on those clients will directly use the tunnel that the WG client creates, and the tunnel has the limited MTU, so the app will know about the MTU limitation (on the WG mobile client it's even 1280 bytes only). It's the same when the router (which has the WG interface and knows about the MTU limit, in OP's case 1420) directly sends something to the other side (packets on the output chain).

But OP wants to setup a site-2-site tunnel, which means the tunnel will be used when, for example, a Laptop on Site B wants to download something from a NAS on Site A. The two routers will forward the packets.

Both the Laptop and NAS devices do not directly run a WG client, but are plugged into their respective LANs with the default 1500 MTU. So the applications on the devices will assume that they can send IP packets up to 1500 bytes. It's only when the packet arrives at the router and needs to be sent through the tunnel that it turns out that the tunnel only has the 1420-byte-per-IP-packet limit. Either the router will fragment the packets automatically (if the DF flag preventing fragmentation on the packet is not set), or the packet is not allowed to be fragmented (TCP usually turns the DF flag on), and the router will have to drop the packet and send the ICMP message back to the sender device in the LAN. It then depends on whether the device correctly handles the fragmentation needed message.

So for TCP (which normally turns on DF) we clamp the MSS in the SYN packet (that is still small) before it's passed through the tunnel, so that after the TCP handshake both the Laptop and NAS will not generate IP packets bigger than 1420 bytes.

So, that’s why my devices worked, but the MT routers wouldn’t.

I take it that those mangle settings should be used or COULD be, without issue, on all WG setups?

And, are those same factors at play with things like IPSec, PPTP and maybe Zerotier?

No, if you only tested with ping then the MTU limit is not important because the ping ICMP packets are very small (unless you specify a large payload size).

Even if you tested with real data transfer (not only ping) between router A and router B (not between a device in LAN A and a device in LAN B), then the MSS clamping is also not relevant, because the parties generating the packets are the routers themselves. And the routers know about the interface that only has MTU 1420, so they will not generate packets bigger than that. It's like one router is the phone with the WG client.

Which means the problem with the two routers not being able to talk with each other is not due to missing MSS clamping. It's probably due to wrong allowed-address or /ip route values.

The clamp MSS rules are only there to improve performance, because if packets need to be fragmented then there will be more overhead, especially if ICMP fragmentation needed messages need to be constantly sent back to the sender (ICMP is normally rate limited). Of course, there are also cases where the sender application is unable to process ICMP fragmentation needed messages correctly, or the firewall blocks ICMP messages completely; then it will look like massive packet loss and the connection might even time out. But this is not something that causes a ping test to not work, because ping packets normally are far from the MTU limit and don't need to be fragmented.

Those mangle rules are safe to add for a WG tunnel (the out-interface in the rule is a WG interface), and the MSS numbers (1380 and 1381) in the rule need to be adjusted based on the MTU of that WG interface. For IPv4, MSS can be at most MTU - 40 bytes. If you use IPv6 and the rule is for IPv6, then you need to subtract 60 bytes; if WG has MTU 1420 then 1360 is the MSS limit:

/ipv6 firewall mangle
add action=change-mss chain=forward comment="reduce MSS for WG" new-mss=1360 \
    out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1361-65535

If your internet link uses PPPoE, for example, and RFC 4638 is not implemented, then normally the MTU is limited to 1492 bytes. In that case, such an MSS adjustment is needed too, because devices in the LAN still think the MTU is 1500 and don't know that there is a bottleneck when the packets need to go out to the internet. But in RouterOS, if you use the default PPP profile with your PPPoE client/server instances, then the router does the MSS clamping to accommodate this reduced MTU automatically for you. This is the relevant setting on the default PPP profile:

But this only acts on IPv4. If you use PPPoE with MTU 1492 and IPv6 too, then you'll need to either announce this reduced MTU using IPv6 -> ND, or add the IPv6 mangle rules to clamp MSS to 1452.

Same thing should be done for other tunneling protocols that reduce the possible MTU.
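To make the MSS numbers in this post concrete, here is an added example written for this page (it is not RouterOS code and not the poster's own). It computes the MSS ceiling from a tunnel MTU using the header sizes given above (IPv4 20 + TCP 20 = 40, IPv6 40 + TCP 20 = 60), models what the change-mss rule does to a SYN, renders the matching mangle rule for either address family, and shows the point made earlier in the thread that router-originated traffic already fits because the router's own MTU is the tunnel MTU. Interface names and MTUs in the demo are constructed.

```python
"""MSS-clamp arithmetic for a tunnel whose MTU is below the LAN's 1500.

Added example for this thread, not RouterOS code. The overhead constants are
the header sizes the thread uses; interface names and MTUs are constructed.
"""
from typing import NamedTuple

TCP_HEADER = 20
IP_HEADER = {4: 20, 6: 40}


def mss_ceiling(tunnel_mtu: int, family: int = 4) -> int:
    """Largest MSS whose full-size segment still fits in one tunnel packet."""
    return tunnel_mtu - IP_HEADER[family] - TCP_HEADER


def clamp_syn_mss(advertised_mss: int, tunnel_mtu: int, family: int = 4) -> int:
    """Model of the change-mss rule: lower the SYN's MSS option when it is
    above the ceiling, leave it alone otherwise (the RouterOS rule only
    matches tcp-mss=<ceiling+1>-65535, so it never raises a small MSS)."""
    ceiling = mss_ceiling(tunnel_mtu, family)
    return advertised_mss if advertised_mss <= ceiling else ceiling


def fits_tunnel(mss: int, tunnel_mtu: int, family: int = 4) -> bool:
    """Would a full segment negotiated at this MSS pass without fragmentation?"""
    return mss + IP_HEADER[family] + TCP_HEADER <= tunnel_mtu


def mangle_rule(out_interface: str, tunnel_mtu: int, family: int = 4) -> str:
    """Render the mangle rule shown in the thread for a given tunnel MTU."""
    ceiling = mss_ceiling(tunnel_mtu, family)
    menu = "/ip firewall mangle" if family == 4 else "/ipv6 firewall mangle"
    return (
        f"{menu}\n"
        f'add action=change-mss chain=forward comment="reduce MSS for WG" '
        f"new-mss={ceiling} out-interface={out_interface} protocol=tcp "
        f"tcp-flags=syn tcp-mss={ceiling + 1}-65535"
    )


class Handshake(NamedTuple):
    lan_mss: int         # what the sending host puts in its SYN
    clamped_mss: int     # what the far side sees after the router's rule
    fits_unclamped: bool  # would full segments fit without the rule?
    fits_clamped: bool    # and with it?


def simulate(sender_mtu: int, tunnel_mtu: int, family: int = 4) -> Handshake:
    """A host whose interface MTU is sender_mtu opens TCP through the tunnel.

    A LAN host has sender_mtu=1500; the router itself, originating traffic
    on the WG interface, has sender_mtu equal to the tunnel MTU.
    """
    lan_mss = mss_ceiling(sender_mtu, family)   # 1460 for IPv4 at 1500
    clamped = clamp_syn_mss(lan_mss, tunnel_mtu, family)
    return Handshake(lan_mss, clamped,
                     fits_tunnel(lan_mss, tunnel_mtu, family),
                     fits_tunnel(clamped, tunnel_mtu, family))


if __name__ == "__main__":
    print(simulate(1500, 1420))            # LAN host, IPv4, 1420-byte WG tunnel
    print(simulate(1500, 1420, family=6))  # same for IPv6
    print(simulate(1420, 1420))            # router-originated: already fits
    print(mangle_rule("wireguard1", 1420))
    print(mangle_rule("wireguard1", 1420, family=6))
```

The 1500-byte LAN host advertises MSS 1460; without the rule its full segments are 1500-byte IP packets that cannot enter a 1420-byte tunnel, with the rule they become 1420-byte packets. The router's own sessions (sender_mtu 1420) fit without any rule, which is why a router-to-router transfer test does not reveal a missing clamp.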

Thank you for providing such clear instructions and explanations.

One last (I think) question.

On a WG server, since a road warrior might be on any random network, how does that change the allowed-addresses? Is that where the 0.0.0.0/0 comes in?

I figured it was something in that context.

I have an application on my NAS copying over about 11 GB of data every day from a server somewhere else at work.
WG-tunnel is between RB5009 at home and RB5009 at work.
None of the RB5009's have mss clamping active.
But I do have a lower MTU set on that WG-interface (and now I remember, I did some MTU tweaking on that interface years ago when I first set it up).

When you have road warrior WG clients from anywhere connecting back to your router, then on the router, on the peers associated with them:

  • You usually set allowed-address to contain a single /32 address that you assigned to that remote peer inside the tunnel. In your example configuration, it would be 172.16.60.10/32 for phone 1, 172.16.60.20/32 for tablet 2, for example. A mistake often made is to use /24 as the prefix length for this value in allowed-address. Doing so will prevent multiple road warrior clients from connecting to the router at the same time. Same problem with using 0.0.0.0/0 here for road warrior clients.

    The values in allowed-address for the peers of a WG interface should not overlap. If you give them individual /32s then they will not overlap. But if you give them address/24 then they will overlap and you have a problem. And because 0.0.0.0/0 overlaps with every possible IPv4 address, you have an even bigger problem when you give your road warrior peers allowed-address=0.0.0.0/0.

    Note that on the phone, in the WG client, you can set AllowedIPs=0.0.0.0/0 without problem, because that phone usually only has one WG peer set up in its WG app (the router peer), so no issue with overlapping peers.

  • For road warrior peers, the thing that is unpredictable and can be anything, is the Endpoint Address and Endpoint Port, because they are the public side IP addresses and ports of the client peers (mobile phone IP address or internet café's public address), that's why you usually don't fill those fields for RW peers.

I wrote more about what allowed-address means in this older post.

Ok. Then, for a road-warrior peer setting on the server, would I want to ONLY add the tunnel IP with a /32 for that user and no other allowed-address?


Exactly, and an IPv6 address with prefix length too if you want IPv6. Because this address is normally hardcoded (like the IPv4 address is hardcoded in the peer), it is not practical with dynamic IPv6 prefix, so you'll probably use static ULA prefix or a static GUA prefix that you own, or can get from Hurricane Electric.

For IPv6 the same rules apply: no overlapping ranges. But because the address space is vast, you are not forced to assign /128 static addresses to the road warrior peers. You can give each of them a /80 prefix length, for example, as long as those /80 prefixes are distinct, and each RW client can choose a random 48-bit suffix at will, and all the 2^48 addresses belong to the peer.

Here is an example from one of my tablets:

[image: the tablet's peer entry, showing a .22/32 IPv4 address and two IPv6 GUA prefixes]

The IPv4 address is a .22/32 address. Then the tablet gets two IPv6 GUA prefixes. The part that is grayed out is a 64-bit prefix, then the next 16 bits identify the peer among the peers; that 0016 hex is 22 dec. On the tablet I can then choose a hardcoded address 24xx:xxxx:xxxx:xxxx:16:yyyy:yyyy:yyyy. The yyyy:yyyy:yyyy part I can change periodically on the tablet at will to make my tablet harder to track (because the remote hosts see the full IPv6 address of each device, unlike IPv4 with NAT).
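The allowed-address behaviour discussed in this thread (the site-to-site fix, where Site B's peer listed Site B's own tunnel address instead of Site A's; the non-overlap rule for road-warrior peers; and the per-peer IPv6 /80 prefixes just described) can be checked against a small model of WireGuard's cryptokey routing. The following is an added example written for this page; it is not RouterOS code and not the posters' configuration. The peer names, the ULA prefix fd00:0:0:60::/64 and all addresses are constructed. The model keeps exactly one owner per prefix and matches longest prefix first, which is how the upstream WireGuard implementation treats AllowedIPs: adding a prefix that already belongs to another peer moves it to the new peer.

```python
"""Toy model of WireGuard's cryptokey routing (the allowed-address table).

Added example for this thread; it is not RouterOS code or the posters' code.
Peer names, the ULA prefix fd00:0:0:60::/64 and all addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyTable:
    """allowed-address entries of one WireGuard interface.

    Three rules the model enforces, as the upstream implementation does:
    * outbound: the destination is matched longest-prefix-first and the
      packet is encrypted for the owning peer; no match means it is dropped;
    * inbound: a decrypted packet is accepted only if its inner source
      address maps back to the peer it arrived from;
    * a prefix has exactly one owner: adding it to a second peer takes it
      away from the first (this is why overlapping entries break peers).
    """

    def __init__(self) -> None:
        self._owner: Dict[Net, str] = {}

    def add_peer(self, name: str, *allowed: str) -> None:
        for entry in allowed:
            net = ipaddress.ip_network(entry, strict=False)
            self._owner[net] = name  # last writer wins

    def lookup(self, addr: str) -> Optional[str]:
        ip = ipaddress.ip_address(addr)
        best: Optional[Net] = None
        for net in self._owner:
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best.prefixlen:
                    best = net
        return None if best is None else self._owner[best]

    def peer_for_outbound(self, dst: str) -> Optional[str]:
        """Peer an outgoing packet to dst is sent to; None means dropped."""
        return self.lookup(dst)

    def accept_inbound(self, from_peer: str, inner_src: str) -> bool:
        """Is a decrypted packet with this inner source accepted from from_peer?"""
        return self.lookup(inner_src) == from_peer

    def prefixes_of(self, peer: str) -> List[str]:
        return sorted(str(n) for n, p in self._owner.items() if p == peer)


def site_b_as_posted() -> CryptokeyTable:
    """Site B's peer for Site A as exported: it lists Site B's own address."""
    t = CryptokeyTable()
    t.add_peer("site-a", "172.16.60.2/32")
    return t


def site_b_fixed() -> CryptokeyTable:
    """Site B's peer after the fix: Site A's tunnel address plus Site A's LAN."""
    t = CryptokeyTable()
    t.add_peer("site-a", "172.16.60.1/32", "192.168.88.0/24")
    return t


def road_warriors_overlapping() -> CryptokeyTable:
    """Two road-warrior peers both given the /24: the second takes it over."""
    t = CryptokeyTable()
    t.add_peer("phone1", "172.16.60.0/24")
    t.add_peer("tablet2", "172.16.60.0/24")
    return t


def road_warriors_distinct() -> CryptokeyTable:
    """One /32 per peer, plus a distinct /80 inside a constructed ULA /64
    (64-bit prefix + 16-bit peer id, the layout described in the thread)."""
    t = CryptokeyTable()
    t.add_peer("phone1", "172.16.60.10/32", "fd00:0:0:60:a::/80")    # 0x000a = 10
    t.add_peer("tablet2", "172.16.60.22/32", "fd00:0:0:60:16::/80")  # 0x0016 = 22
    return t


if __name__ == "__main__":
    print("as posted, to 172.16.60.1 ->", site_b_as_posted().peer_for_outbound("172.16.60.1"))
    print("fixed, to 192.168.88.50 ->", site_b_fixed().peer_for_outbound("192.168.88.50"))
    print("overlapping /24, phone1 owns", road_warriors_overlapping().prefixes_of("phone1"))
    print("distinct, fd00:0:0:60:16::1 ->", road_warriors_distinct().peer_for_outbound("fd00:0:0:60:16::1"))
```

With the exported value, Site B has no peer for 172.16.60.1 at all and would also discard a decrypted packet whose inner source is 172.16.60.1, which matches the symptom of a tunnel that never carries traffic. With two road-warrior peers sharing one /24, the first peer ends up owning nothing.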

Thank you.

I’m working on the changes in my setup.

I really appreciate your generosity.

I migrated the settings to my wannabe working setup. It worked! Until I decided to test it by rebooting. It stopped working after that. I’ve checked things for the last couple days and just can’t find the issue. The East side unit is existing. I upgraded the ROS and added the Wireguard. It has a lot of unused stuff from the IPSEC setup.

A question.

The mangle rule only works on TCP packets, but the firewall has to allow UDP. I don’t see any traffic on the mangle rules. How does a TCP rule help?

Here are the exports:

# 2025-10-19 18:35:42 by RouterOS 7.20.1

# software id = TJEA-BPU1

# model = E60iUGS

# serial number =

/caps-man channel
add comment=2.4Ghz control-channel-width=10mhz frequency=2412,2437,2462 name=US-WiFi
/interface bridge
add admin-mac=##:##:##:##:##:## auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
/interface wireguard
add comment=WG-East-West listen-port=13400 mtu=1420 name=wg-east-west
add comment=WG-Management listen-port=13231 mtu=1420 name=wg-manage
/caps-man datapath
add bridge=bridge name=datapath1
/caps-man security
add authentication-types=wpa2-psk name=security1
/caps-man configuration
add country="united states3" datapath=datapath1 installation=any mode=ap name=cfg1 security=security1 ssid=ridge
/caps-man interface
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=##:##:##:##:##:## master-interface=none name=cap1 radio-mac=##:##:##:##:##:## radio-name=D401C3ACA22A
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=##:##:##:##:##:## master-interface=none name=cap2 radio-mac=##:##:##:##:##:## radio-name=D401C3ACA22B
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add country="United States" disabled=no mode=ap name=cfg1 ssid=crguest
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.7.50-192.168.7.250
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge name=dhcp1
/zerotier
set zt1 disabled=no disabled=no
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 name=zerotier1 network=################
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-enabled master-configuration=cfg1
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defcon interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Allow ZT to LAN" interface=zerotier1 list=LAN
add comment="Allow East West Traffic" interface=wg-east-west list=LAN
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=ether5,ether4 package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wireguard peers
add allowed-address=172.16.50.3/32 comment=2ndry-HP interface=wg-manage name=2nd-hp public-key="##########################################=" responder=yes
add allowed-address=172.16.60.1/32 comment=WG-2-StH endpoint-address=###.###.###.### endpoint-port=13400 interface=wg-east-west name=wg-sh persistent-keepalive=10s public-key="##########################################="
/ip address
add address=172.16.50.10/24 comment=WG-Mgmnt-IP interface=wg-manage network=172.16.50.0
add address=192.168.7.1/24 comment=LAN interface=bridge network=192.168.7.0
add address=172.16.60.2/24 comment=WG-East-West-Net interface=wg-east-west network=172.16.60.0
/ip dhcp-client
add comment=House interface=ether1
/ip dhcp-server lease
add address=192.168.7.250 client-id=1:##:##:##:##:##:## mac-address=##:##:##:##:##:## server=dhcp1
/ip dhcp-server network
add address=192.168.7.0/24 comment=mainconf dns-server=192.168.7.1 gateway=192.168.7.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow ZT-Mgmnt" src-address=10.244.0.0/16
add action=accept chain=forward comment="Allow ZT 2 LAN:Management" src-address=10.244.0.0/16
add action=accept chain=input comment="Allow WG :Mgmnt" dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow WG-EW-Mgmnt" dst-port=13400 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow WG :Management" src-address=172.16.50.0/24
add action=accept chain=input comment="Allow WG :Coast" src-address=172.16.60.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="reduce MSS for WG-Manage"
new-mss=1380 out-interface=wg-manage protocol=tcp tcp-flags=syn tcp-mss=
1381-65535
add action=change-mss chain=forward comment="reduce MSS for WG-East-West"
log=yes new-mss=1380 out-interface=wg-east-west protocol=tcp tcp-flags=
syn tcp-mss=1381-65535
add action=change-mss chain=forward comment="reduce MSS for Zerotier"
new-mss=1380 out-interface=zerotier1 protocol=tcp tcp-flags=syn tcp-mss=
1381-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether1
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Rout to East end LAN" disabled=no distance=1
dst-address=192.168.6.0/24 gateway=172.16.60.1 routing-table=main scope=
30 suppress-hw-offload=no target-scope=10
/ip service
set winbox address=172.16.50.0/24,192.168.6.0/24,192.168.7.0/24,10.244.0.0/16
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# 2025-10-19 18:36:26 by RouterOS 7.20.1
# software id = ATH4-TBKK
# model = RB960PGS
# serial number =
/interface bridge
add admin-mac=##:##:##:##:##:## auto-mac=no comment=defconf name=bridge
port-cost-mode=short
add comment="Bridge for remote logins for maintenance." name=bridge-maint-vpn
port-cost-mode=short
/interface wireguard
add comment=WG-East-West listen-port=13400 mtu=1420 name=wg-east-west
add comment="WG=Management" listen-port=13231 mtu=1420 name=wg-manage
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Neighbor
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name="group vpn.cxxx.cr"
add name="group vpn.maint"
add name="group vpn.cxxxx.selfip.com"
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048,modp1536,modp1024 dpd-interval=2m dpd-maximum-failures=
5 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=
"profile vpn.cxxxx.cr" prf-algorithm=sha256
add dh-group=modp2048,modp1536,modp1024 dpd-interval=2m dpd-maximum-failures=
5 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=
"profile vpn.maint"
add dh-group=modp2048,modp1536,modp1024 dpd-interval=2m dpd-maximum-failures=
5 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=
"profile cxxxxx.selfip.com"
/ip ipsec peer
add address=vpn.cxxxxx.selfip.com exchange-mode=ike2 name=
"peer vpn.crcxxxxx.selfip.com" profile="profile crcxxxxx.selfip.com"
add address=###.###.####.##6/32 disabled=yes exchange-mode=ike2 name=
"peer ###.###.####.##6" profile="profile vpn.cxxx.cr"
add disabled=yes exchange-mode=ike2 local-address=192.168.177.107 name=
"peer 192.168.177.107" passive=yes profile="profile vpn.maint"
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm"
lifetime=8h name="proposal vpn.cxxxxx.cr" pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm"
lifetime=8h name="proposal maint.vpn.sxxxxx.cr" pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr
,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a
es-128-gcm" lifetime=8h name="proposal vpn.crcxxxxx.selfip.com" pfs-group=
none
/ip pool
add name=dhcp ranges=192.168.6.100-192.168.6.199
add comment="Pool for Maintenance VPN logins" name="Pool Maint-Login" ranges=
10.0.101.0/24
add name=Pool-vpn ranges=192.168.89.100-192.168.89.199
/ip ipsec mode-config
add address-pool="Pool Maint-Login" address-prefix-length=32 name=
"modeconf maint.vpn.sxxxxx.cr" split-include=0.0.0.0/0 static-dns=
10.0.101.1 system-dns=no
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add name=PPTP-cxxxxx
set *FFFFFFFE local-address=192.168.89.1 remote-address=Pool-vpn
/interface pptp-client
add connect-to=###.###.####.##6 keepalive-timeout=disabled max-mtu=1360 name=
pptp-out-2-cxxxxx profile=PPTP-cxxxxx user=EastEnd
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing rip instance
add name=rip-instance-4 originate-default=always redistribute=
connected,static route-gc-timeout=120 route-timeout=180 routing-table=
main update-interval=30
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=Neighbor
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Allow cxxxxx Traffic" interface=wg-east-west list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:66:DC:E5:79:6C name=ovpn-server1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=172.16.50.3/32,192.168.6.0/24,192.168.7.0/24 client-dns=
8.8.8.8 comment=Bobs-Secondary-HP endpoint-port=13231 interface=wg-manage
name=Bob-2ndry-HP preshared-key=
"##########################################=" public-key=
"##########################################=" responder=yes
add allowed-address=172.16.50.4/32 comment="Bobs Phone" interface=wg-manage
name=Bobs_Phone preshared-key=
"##########################################=" public-key=
"##########################################="
add allowed-address=172.16.60.1/32 comment=WG-E-W endpoint-port=13400
interface=wg-east-west name=wg-e-w public-key=
"##########################################=" responder=yes
add allowed-address=172.16.60.7/32 comment=WG-SRCa disabled=yes
endpoint-address=XXX.XXX.XXX.XXX endpoint-port=13400 interface=
wg-east-west name=wg-srca persistent-keepalive=10s public-key=
"##########################################="
/ip address
add address=192.168.6.1/24 comment="LAN Network" interface=bridge network=
192.168.6.0
add address=10.0.101.1/24 comment="IP Address for Maint VPN Bridge."
interface=bridge-maint-vpn network=10.0.101.0
add address=10.1.1.3 comment="IPIP Tunnel endpoints" interface=*E network=
10.1.1.1
add address=208.53.87.125 comment="Public IP Address" interface=ether1
network=208.53.87.125
add address=192.168.0.50/24 comment="DIgiPath's LAN IP for our router"
interface=ether1 network=192.168.0.0
add address=172.16.50.1/24 comment=WG-Mgmnt-IP interface=wg-manage network=
172.16.50.0
add address=172.16.60.1/24 comment=WG-cxxxxx-Net interface=wg-east-west
network=172.16.60.0
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip dhcp-server network
add address=192.168.6.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4
gateway=192.168.6.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="Colorado IP addresses 23.0.0.0" log=yes
log-prefix="Colorado Hacker 23.0" src-address=23.0.0.0/8
add action=drop chain=input comment="Polish IP addresses 87.0.0.0" log=yes
log-prefix="Polish Hacker 87.0" src-address=87.0.0.0/8
add action=drop chain=input comment="Colorado IP addresses 107.0.0.0" log=
yes log-prefix="Colorado Hacker" src-address=107.0.0.0/8
add action=accept chain=input comment="Wireguard in allow" dst-port=13231
in-interface=ether1 protocol=udp
add action=accept chain=input comment="Wireguard in allow" dst-port=13400
in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow WG Road Warrior to East-End"
dst-address=192.168.6.1 in-interface=wg-manage src-address=172.16.50.0/24
add action=accept chain=input comment="Allow WG Road Warrior to East-End"
dst-address=192.168.6.1 in-interface=wg-east-west src-address=
172.16.60.0/24
add action=accept chain=forward comment="Allow WG Road Warrior to cxxxxx"
dst-address=192.168.7.1 in-interface=wg-manage src-address=172.16.50.0/24
add action=accept chain=forward comment="Allow WG Road Warrior to cxxxxx"
dst-address=192.168.7.1 src-address=172.16.50.0/24
add action=accept chain=forward comment=
"Allow WG Mgmnt traffic onto local LAN" dst-address=192.168.6.0/24
src-address=172.16.50.0/24
add action=accept chain=forward comment=
"Allow WG cxxxxx traffic onto local LAN" dst-address=192.168.6.0/24
src-address=172.16.55.0/24
add action=accept chain=forward comment=
"Allow dot 7 connections from WG users." dst-address=192.168.7.0/24
src-address=172.16.60.0/24
add action=accept chain=input comment=
"Allow admin connections from Dot 7 addresses" dst-address=192.168.6.1
src-address=192.168.7.0/24
add action=accept chain=forward comment=
"Allow connections on the Dot 6 net from Dot 7 addresses" dst-address=
192.168.6.0/24 src-address=192.168.7.0/24
add action=accept chain=forward comment=
"Allow connections on the Dot 6 net from WG addresses" dst-address=
192.168.6.0/24 in-interface=wg-manage src-address=172.16.50.0/24
add action=accept chain=forward comment=
"Allow connections from Dot 7 addresses" dst-address=192.168.7.0/24
src-address=192.168.6.0/24
add action=accept chain=forward comment=
"Allow cxxxxx VPN users to access the Dot 6 LAN" disabled=yes dst-address=
192.168.90.0 out-interface=*E src-address=192.168.6.0/24
add action=accept chain=input comment=
"Allow Admin connections from PPTP clients" dst-address=192.168.6.1
src-address=192.168.89.0/24
add action=accept chain=forward comment=
"Allow dot 7 connections from PPTP VPN users." disabled=yes dst-address=
192.168.7.0/24 src-address=192.168.89.0/24
add action=accept chain=forward comment=
"Allow dot 7 connections from WG users." dst-address=192.168.7.0/24
src-address=172.16.50.0/24
add action=accept chain=forward comment=
"Allow dot 6 connections from PPTP VPN users." disabled=yes dst-address=
192.168.89.0 src-address=192.168.89.0/24
add action=accept chain=forward comment=
"Allow dot 6 connections from cxxxxx Dot 91 (IKEv2) VPN users." disabled=
yes dst-address=192.168.89.0 src-address=10.0.91.0/24
add action=accept chain=input comment="allow IPsec NAT" disabled=yes
dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500
protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701
protocol=udp
add action=accept chain=input comment="allow pptp from any network" dst-port=
1723 protocol=tcp
add action=accept chain=input comment=
"allow pptp data transfer from any network" protocol=gre
add action=accept chain=input comment="allow pptp from any network" protocol=
ipencap
add action=accept chain=input comment="allow pptp from ISPs LAN network"
dst-address=192.168.0.50 dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow pptp from Public IP"
dst-address=208.53.87.125 dst-port=1723 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN"
disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="reduce MSS for WG-Manage"
new-mss=1380 out-interface=wg-manage protocol=tcp tcp-flags=syn tcp-mss=
1381-65535
add action=change-mss chain=forward comment="reduce MSS for WG-cxxxxx"
new-mss=1380 out-interface=wg-east-west protocol=tcp tcp-flags=syn
tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
/ip firewall raw
add action=drop chain=prerouting dst-address=192.168.0.50 log=yes log-prefix=
"CO Hackr IP" src-address=23.139.224.114
add action=drop chain=prerouting comment="Raw Colorado Hacker Drop" log=yes
log-prefix="Raw - Colorado Hacker" src-address=23.0.0.0/8
add action=drop chain=prerouting comment="Raw - Polish Hacker 87.0.0.0 Drop "
log=yes log-prefix="Raw - Polish Hacker Drop" src-address=87.0.0.0/8
add action=drop chain=prerouting comment="Raw - Colo Hacker 107 Drop" log=yes
log-prefix="Raw Drop 107" src-address=107.0.0.0/8
add action=drop chain=prerouting comment="Raw Netherlands Hacker" log=yes
log-prefix="Raw - Netherlands" src-address=94.0.0.0/8
add action=drop chain=prerouting comment="Raw Santa Clara Hacker" log=yes
log-prefix="Raw - Santa Clara" src-address=216.218.0.0/16
add action=drop chain=prerouting comment="Some unknown Hacker" log=yes
log-prefix="Raw - Santa Clara" src-address=45.61.150.38
add action=drop chain=prerouting comment="Raw unknown Hacker" log=yes
log-prefix="Raw - Santa Clara" src-address=3.137.73.221
add action=drop chain=prerouting comment="Raw unknown Hacker" log=yes
log-prefix="Raw - Santa Clara" src-address=103.203.0.0/16
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set sctp disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=CA.sxxxxx comment=Admin
disabled=yes generate-policy=port-strict match-by=certificate
mode-config="modeconf maint.vpn.sxxxxx.cr" peer="peer 192.168.177.107"
policy-template-group="group vpn.maint" remote-certificate=newadmin
remote-id=ignore
add auth-method=digital-signature certificate=
rf001@vpn.crcxxxxx.selfip.com.p12 generate-policy=port-strict mode-config=
request-only my-id=user-fqdn:rf001@vpn.crcxxxxx.selfip.com peer=
"peer vpn.crcxxxxx.selfip.com" policy-template-group=
"group vpn.crcxxxxx.selfip.com" remote-id=fqdn:vpn.crcxxxxx.selfip.com
/ip ipsec policy
add dst-address=10.0.101.1/32 group="group vpn.maint" proposal=
"proposal maint.vpn.sxxxxx.cr" src-address=0.0.0.0/0 template=yes
add dst-address=XXX.XXX.XXX.XXX/32 group="group vpn.crcxxxxx.selfip.com"
proposal="proposal vpn.crcxxxxx.selfip.com" src-address=0.0.0.0/0
template=yes
add disabled=yes dst-address=XXX.XXX.XXX.XXX/32 peer=
"peer vpn.crcxxxxx.selfip.com" proposal="proposal vpn.crcxxxxx.selfip.com"
src-address=192.168.177.107/32 tunnel=yes
add comment="Policy Template vpn.crcxxxxx.selfip.com" dst-address=0.0.0.0/0
group="group vpn.crcxxxxx.selfip.com" proposal=
"proposal vpn.crcxxxxx.selfip.com" src-address=10.0.88.0/24 template=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1
add disabled=no dst-address=0.0.0.0/0 gateway=###.###.###.### routing-table=
main suppress-hw-offload=no
add check-gateway=ping comment=WG-West-End disabled=no distance=1
dst-address=192.168.7.0/24 gateway=172.16.60.2 routing-table=main scope=
30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www address=192.168.89.0/32,192.168.6.0/32,192.168.7.0/32 disabled=yes
set winbox address="172.16.50.0/24,192.168.6.0/24,192.168.7.0/24,172.16.55.0/2
4,192.168.89.0/24"
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ppp secret
add name=vpn
add name=sxxxxx profile=default-encryption remote-address=XXX.XXX.XXX.XXX
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing rip interface-template
add instance=rip-instance-4 interfaces=*E
/routing rule
add action=lookup disabled=yes dst-address=0.0.0.0/0 interface=bridge
src-address=192.168.6.0/24 table=main
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=cr.East-End
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/tool e-mail
set from="" port=587 server=XX@XXX.CCC tls=starttls user=
xxxxx@xxxx.xxx
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1 traffic=received
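As an added check (not code from the original post), the script below parses a RouterOS text export in the form pasted above and reports any WireGuard listen-port that has no enabled udp accept rule in the firewall input chain, and separately notes when the input chain has no enabled catch-all drop at all. The excerpt it runs on is constructed and only modelled on the exports above.

```python
"""Cross-check WireGuard listen-ports against the /ip firewall filter input chain
of a RouterOS export. Added example for this thread, not from the original post."""
import shlex

# Constructed excerpt in RouterOS export style (placeholder values, not taken from
# any real router); wrapped lines are unindented, as in the pasted exports.
SAMPLE_EXPORT = """\
/interface wireguard
add comment=WG-East-West listen-port=13400 mtu=1420 name=wg-east-west
add comment="WG=Management" listen-port=13231 mtu=1420 name=wg-manage
/ip firewall filter
add action=accept chain=input comment="Allow WG :Mgmnt" dst-port=13231
in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow WG-EW-Mgmnt" dst-port=13400
in-interface=ether1 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
"""


def parse_export(text):
    """Yield (menu, verb, properties) for every add/set statement in an export."""
    statements, menu = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or export header/comment
        if line.startswith("/"):
            menu = line                       # e.g. "/ip firewall filter"
        elif line.split(" ", 1)[0] in ("add", "set"):
            statements.append([menu, line])
        elif statements:
            statements[-1][1] += " " + line   # continuation of a wrapped statement
    for menu, stmt in statements:
        tokens = shlex.split(stmt)            # honours quoted values like comment="a b"
        props = {}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep:
                props[key] = val
        yield menu, tokens[0], props


def port_matches(spec, port):
    """True if a dst-port spec ("13231", "500,4500", "33434-33534") covers port."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def check_wireguard_input(text):
    """Return findings: WireGuard ports lacking a udp accept in chain=input, plus a
    note when the input chain has no enabled catch-all drop (then nothing is filtered)."""
    wg, rules = {}, []
    for menu, verb, p in parse_export(text):
        if menu == "/interface wireguard" and verb == "add" and "listen-port" in p:
            wg[p.get("name", "?")] = int(p["listen-port"])
        elif menu == "/ip firewall filter" and p.get("chain") == "input":
            rules.append(p)
    findings = []
    if not any(r.get("action") == "drop" and r.get("disabled") != "yes"
               and "in-interface-list" in r for r in rules):
        findings.append("input chain: no enabled catch-all drop; every listening "
                        "service is reachable from WAN")
    for name, port in wg.items():
        hits = [r for r in rules if r.get("action") == "accept" and "dst-port" in r
                and r.get("disabled") != "yes" and port_matches(r["dst-port"], port)]
        if any(r.get("protocol") == "udp" for r in hits):
            continue                          # handshake packets can reach the WG socket
        protos = sorted({r.get("protocol", "any") for r in hits})
        if protos:
            findings.append(f"{name}: udp/{port} has no udp input accept; the rule on "
                            f"that port matches protocol={','.join(protos)}")
        else:
            findings.append(f"{name}: udp/{port} has no input accept rule at all")
    return findings


if __name__ == "__main__":
    for finding in check_wireguard_input(SAMPLE_EXPORT):
        print(finding)
```

Run it against a full `/export` of each router; WireGuard is UDP only, so an accept rule on the right port but the wrong protocol is reported just like a missing rule.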