i have 2 VPN, Zerotier and WireGuard for Site to Site backup and remote access.
i’m not the only one using it so i use Wireguard as backup in case someone messed up and locked me up from accessing the Site
i’m confuse onto why when i upload files from Site A to Site B using Zerotier (using IP), Wireguard Interface would be the one active (BW out in Wireguard Interface and CPU in Profile)
Mikrotik Site A
Local IP 192.168.10.0/24
Mikrotik Site B
Local IP 192.168.168.0/24
Zerotier IP Mikrotik Site A: 10.242.1.1
Zerotier IP Mikrotik Site B: 10.242.1.2
WireGuard IP Site A: 192.168.32.1
WireGuard IP Site B: 192.168.32.2
When i Upload using 10.242.1.2, the Wireguard Interface got the Tx which means i use Wireguard (profile get the same result WG cpu is up) instead of Zerotier.
This occur only when i am uploading from Site A to Site B not the Opposite
both Mikrotik is RB5009
# 2024-08-13 08:11:08 by RouterOS 7.15.3
# software id = CR4U-SDCT
#
# model = RB5009UG+S+
# serial number = ****
/interface bridge
add name=br-local port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-biznet
set [ find default-name=ether2 ] name=ether2-indibiz
/interface wireguard
add disabled=yes listen-port=50505 mtu=1420 name=WG-Griya
/interface list
add name=WAN1
add name=LAN
add name=WAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=192.168.10.50-192.168.10.125
add name="wireless pool" ranges=192.168.11.2-192.168.11.50
/ip dhcp-server
add address-pool=pool1 interface=br-local lease-time=2d name=dhcp1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=yes allow-managed=yes disabled=no instance=\
zt1 name=zerotier1 network=***
/interface bridge port
add bridge=br-local interface=ether3 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether4 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether5 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether6 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether7 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether8 internal-path-cost=10 path-cost=10
add bridge=br-local interface=sfp-sfpplus1
/interface list member
add interface=ether1-biznet list=WAN1
add interface=ether2-indibiz list=WAN2
add interface=br-local list=LAN
add interface=WG-Griya list=WAN1
/interface wireguard peers
add allowed-address=192.168.32.2/32,192.168.168.0/24,192.168.32.0/24 \
client-address=192.168.32.2/32 client-dns=9.9.9.9 client-endpoint=\
****.sn.mynetname.net comment="To Home" endpoint-address=\
****.sn.mynetname.net endpoint-port=50505 interface=WG-Griya name=\
peer2 public-key="***"
/ip address
add address=192.168.10.1/24 comment="To Local Lan" interface=br-local \
network=192.168.10.0
add address=192.168.32.1/24 interface=WG-Griya network=192.168.32.0
add address=192.168.2.2/24 comment=Indibiz interface=ether2-indibiz network=\
192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no interface=ether1-biznet use-peer-dns=no \
use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.10.99 comment=Server-LAN1 mac-address=D8:BB:C1:54:21:ED
add address=192.168.10.100 comment=Server-LAN2 mac-address=F0:A7:31:D6:C1:41
add address=192.168.10.124 client-id=1:4c:bd:8f:9a:13:63 comment=\
"Hikvision CCTV" mac-address=4C:BD:8F:9A:13:63 server=dhcp1
add address=192.168.10.101 comment=Eric mac-address=F0:BF:97:14:43:E5
add address=192.168.10.111 comment=ServerKasir mac-address=D8:5E:D3:31:81:D8
add address=192.168.10.84 client-id=1:0:e:53:2e:21:75 comment="CCTV AVTECH" \
mac-address=00:0E:53:2E:21:75 server=dhcp1
add address=192.168.10.83 client-id=1:0:e:53:2f:a5:f3 comment="CCTV AVTECH" \
mac-address=00:0E:53:2F:A5:F3 server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8 use-doh-server=\
https://dnssilo.top/dns-query
/ip dns static
add address=10.242.1.1 name=mikrotikkantor.dnssilo.top
add address=10.242.1.2 name=mikrotikrmh.dnssilo.top
/ip firewall filter
add action=accept chain=input comment="ZT PASS" in-interface=zerotier1 \
protocol=udp
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input comment="Accept WireGuard Traffic" dst-port=\
50505 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input comment="drop all else" connection-nat-state=\
!dstnat connection-state=new in-interface-list=!LAN
add action=drop chain=output comment="Test Failover" disabled=yes \
dst-address=1.1.1.1 protocol=icmp
/ip firewall nat
add action=accept chain=input comment="ZT ACCEPT 9993" protocol=udp src-port=\
9993
add action=masquerade chain=srcnat out-interface=zerotier1 src-address=\
10.242.1.0/24
add action=masquerade chain=srcnat comment="WG NAT" out-interface=WG-Griya \
src-address=192.168.32.0/24
add action=masquerade chain=srcnat comment="To internet"
add action=dst-nat chain=dstnat comment="ZT To VNC" dst-port=6201 \
in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.100 to-ports=\
6201
add action=dst-nat chain=dstnat comment="CCTV Hikvison" dst-port=5053 \
in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.124 to-ports=\
5053
add action=dst-nat chain=dstnat comment="CCTV AVTECH" dst-port=5051 \
in-interface=zerotier1 protocol=tcp to-addresses=192.168.10.83 to-ports=\
5051
add action=dst-nat chain=dstnat dst-port=5052 in-interface=zerotier1 \
protocol=tcp to-addresses=192.168.10.84 to-ports=5052
add action=dst-nat chain=dstnat comment="WG To VNC" dst-port=6201 \
in-interface=WG-Griya protocol=tcp to-addresses=192.168.10.100 to-ports=\
6201
add action=dst-nat chain=dstnat comment="WG to CCTV Hikvison" dst-port=5053 \
in-interface=WG-Griya protocol=tcp to-addresses=192.168.10.124 to-ports=\
5053
add action=dst-nat chain=dstnat comment="WG to CCTV AVTECH" dst-port=5051 \
in-interface=WG-Griya protocol=tcp to-addresses=192.168.10.83 to-ports=\
5051
add action=dst-nat chain=dstnat dst-port=5052 in-interface=WG-Griya protocol=\
tcp to-addresses=192.168.10.84 to-ports=5052
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add comment="Connection to MK2" disabled=no distance=1 dst-address=\
192.168.4.0/24 gateway=192.168.10.78 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment=Indibiz disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.2.1 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add comment=Biznet disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
192.168.1.1 routing-table=main scope=31 suppress-hw-offload=no \
target-scope=11
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall nat
add action=accept chain=input protocol=udp src-port=9993
add action=masquerade chain=srcnat out-interface=zerotier1
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=MandiriTik
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.10.1 enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=2m name=ScheduleWGToggle on-event=\
"/system script run ToggleWGPeer" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2024-07-29 start-time=15:50:00
add interval=1m name="Update DDNS" on-event=\
"/system script run test\r\
\n/system script run ForceUpdateddns" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2024-07-31 start-time=21:26:44
/system script
add dont-require-permissions=no name=ToggleWGPeer owner=TommyKing policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local wgcheckip 192.168.32.1\r\
\n:local endpointip ****.sn.mynetname.net\r\
\n#:log info \"wg check-ip \$wgcheckip \"\r\
\n:if ([/ping \$wgcheckip interval=1 count=5] =0) do={\r\
\n :log info \"WG down \$wgcheckip\"\r\
\n /interface/wireguard/peers/disable [find endpoint-address=\$endpointip\
];\r\
\n :delay 60\r\
\n /interface/wireguard/peers/enable [find endpoint-address=\$endpointip]\
;\r\
\n :log info \"WG up again \$wgcheckip\"\r\
\n}"
add dont-require-permissions=no name=ForceUpdateddns owner=TommyKing policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/ip cloud force-update"
add dont-require-permissions=no name=test owner=TommyKing policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
get current external IP\r\
\n:global currentIP [:resolve ****.sn.mynetname.net server=208.67.\
222.222];\r\
\n:global resolvedIP;\r\
\n\r\
\n# Determine if DNS update is needed\r\
\n:if (\$currentIP != \$resolvedIP) do={\r\
\n:log info (\"Mynetname update needed: Current-IP: \$currentIP Resolved-I\
P: \$resolvedIP\")\r\
\n/ip cloud force-update\r\
\n:global resolvedIP [:resolve ****.sn.mynetname.net server=208.67\
.222.222];\r\
\n} else={\r\
\n:log info (\"Mynetname: No update needed (\$currentIP=\$resolvedIP)\")\r\
\n}"
/system watchdog
set watchdog-timer=no
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script=\
"/ip route disable [find comment=\"Indibiz\"]\r\
\n" host=1.1.1.1 http-codes="" interval=5s name=test1 test-script="" \
type=icmp up-script="/ip route enable [find comment=\"Indibiz\"]"
SITE B Mikrotik
# 2024-08-13 10:24:59 by RouterOS 7.15.3
# software id = L65L-QJ0Z
#
# model = RB5009UG+S+
# serial number = ****
/interface bridge
add name=br-local port-cost-mode=short
/interface wireguard
add listen-port=50505 mtu=1420 name=WG-Home
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.168.2-192.168.168.50
/ip dhcp-server
add address-pool=dhcp_pool0 interface=br-local lease-time=1d name=dhcp1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
zt1 name=zerotier1 network=***
/interface bridge port
add bridge=br-local interface=ether1 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether3 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether4 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether5 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether6 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether7 internal-path-cost=10 path-cost=10
add bridge=br-local interface=ether8 internal-path-cost=10 path-cost=10
add bridge=br-local interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/interface list member
add interface=br-local list=LAN
add interface=ether2 list=WAN
add interface=WG-Home list=LAN
add interface=zerotier1 list=LAN
/interface wireguard peers
add allowed-address=192.168.32.1/32,192.168.10.0/24,192.168.32.0/24 \
client-address=192.168.32.1/32 client-dns=9.9.9.9 client-endpoint=\
.sn.mynetname.net endpoint-address=\
.sn.mynetname.net endpoint-port=50505 interface=WG-Home name=\
"WG to Griya" persistent-keepalive=10s public-key=\
"***"
/ip address
add address=192.168.168.1/24 interface=br-local network=192.168.168.0
add address=192.168.32.2/24 interface=WG-Home network=192.168.32.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.168.10 client-id=1:54:af:97:22:b1:7d mac-address=\
54:AF:97:22:B1:7D server=dhcp1
add address=192.168.168.3 client-id=1:2c:f0:5d:d6:11:c3 mac-address=\
2C:F0:5D:D6:11:C3 server=dhcp1
add address=192.168.168.2 client-id=1:90:9:d0:2a:7b:53 mac-address=\
90:09:D0:2A:7B:53 server=dhcp1
add address=192.168.168.4 client-id=1:90:9:d0:2a:7b:54 mac-address=\
90:09:D0:2A:7B:54 server=dhcp1
add address=192.168.168.18 client-id=1:32:b8:ac:c7:46:6c mac-address=\
32:B8:AC:C7:46:6C server=dhcp1
add address=192.168.168.17 client-id=1:98:f1:12:68:b8:eb mac-address=\
98:F1:12:68:B8:EB server=dhcp1
add address=192.168.168.6 client-id=1:6c:f1:7e:ec:b7:46 mac-address=\
6C:F1:7E:EC:B7:46 server=dhcp1
add address=192.168.168.11 client-id=1:6c:f1:7e:ec:b7:f7 mac-address=\
6C:F1:7E:EC:B7:F7 server=dhcp1
add address=192.168.168.13 client-id=1:6c:f1:7e:88:4f:f4 mac-address=\
6C:F1:7E:88:4F:F4 server=dhcp1
add address=192.168.168.14 client-id=1:6c:f1:7e:88:4f:f5 mac-address=\
6C:F1:7E:88:4F:F5 server=dhcp1
add address=192.168.168.15 client-id=1:6c:f1:7e:88:4f:80 mac-address=\
6C:F1:7E:88:4F:80 server=dhcp1
add address=192.168.168.50 client-id=1:a0:36:bc:ad:dd:69 mac-address=\
A0:36:BC:AD:DD:69 server=dhcp1
/ip dhcp-server network
add address=192.168.168.0/24 dns-server=192.168.168.1 gateway=192.168.168.1 \
ntp-server=192.168.168.1,119.110.74.102
/ip dns
set allow-remote-requests=yes servers=8.8.8.8 use-doh-server=\
https://dns.google/dns-query
/ip dns static
add address=10.242.1.1 name=mikrotikkantor.dnssilo.top
add address=10.242.1.2 name=mikrotikrmh.dnssilo.top
/ip firewall filter
add action=accept chain=forward comment="ZT accept Traffic" in-interface=\
zerotier1
add action=accept chain=input in-interface=zerotier1 protocol=udp
add action=accept chain=input comment="Wireguard HandShake" dst-port=50505 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
/ip firewall nat
add action=accept chain=input comment="ZT to Internet" protocol=udp src-port=\
9993
add action=masquerade chain=srcnat out-interface=zerotier1
add action=masquerade chain=srcnat comment="MASQ Local to Internet"
add action=dst-nat chain=dstnat comment="ZT to Synology" dst-port=20050 \
in-interface=zerotier1 protocol=tcp to-addresses=192.168.168.2 to-ports=\
20050
add action=dst-nat chain=dstnat comment="ZT to PLEX" dst-port=32666 \
in-interface=zerotier1 protocol=tcp to-addresses=192.168.168.2 to-ports=\
32400
add action=dst-nat chain=dstnat comment="ZT to kavita" dst-port=8685 \
in-interface=zerotier1 protocol=tcp to-addresses=192.168.168.2 to-ports=\
8685
add action=dst-nat chain=dstnat comment="ZT to FTP" dst-port=24522 \
in-interface=zerotier1 protocol=tcp to-addresses=192.168.168.2 to-ports=\
24522
add action=dst-nat chain=dstnat comment="WG to FTP" dst-port=24522 \
in-interface=WG-Home protocol=tcp to-addresses=192.168.168.2 to-ports=\
24522
add action=dst-nat chain=dstnat comment="WG to Synology" dst-port=20050 \
in-interface=WG-Home protocol=tcp to-addresses=192.168.168.2 to-ports=\
20050
add action=dst-nat chain=dstnat comment="WG to PLEX" dst-port=32666 \
in-interface=WG-Home protocol=tcp to-addresses=192.168.168.2 to-ports=\
32400
add action=dst-nat chain=dstnat comment="WG to kavita" dst-port=8685 \
in-interface=WG-Home protocol=tcp to-addresses=192.168.168.2 to-ports=\
8685
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=zerotier1 type=external
/ip route
add disabled=no dst-address=192.168.10.0/24 gateway=10.242.1.1 routing-table=\
main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=zerotier1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input in-interface=zerotier1
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 firewall nat
add action=accept chain=input protocol=udp src-port=9993
add action=masquerade chain=srcnat out-interface=zerotier1
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.168.1 enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1m name=ddns on-event=\
"/system script run test\r\
\n/system script run cloudupdate" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2023-01-21 start-time=14:09:01
add disabled=yes interval=1m name=ToggleWGPeer on-event=\
"/system script run checkWG" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2024-07-29 start-time=16:38:11
add name=schedule1 on-event="/system script run ZTPeers" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/system script
add dont-require-permissions=no name=checkWG owner=TommyKing policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local wgcheckip 192.168.50.1\r\
\n:local endpointip .sn.mynetname.net\r\
\n#:log info \"wg check-ip \$wgcheckip \"\r\
\n:if ([/ping \$wgcheckip interval=1 count=5] =0) do={\r\
\n :log info \"WG down \$wgcheckip\"\r\
\n /interface/wireguard/peers/disable [find endpoint-address=\$endpointip\
];\r\
\n :delay 60\r\
\n /interface/wireguard/peers/enable [find endpoint-address=\$endpointip]\
;\r\
\n :log info \"WG up again \$wgcheckip\"\r\
\n}"
add dont-require-permissions=no name=cloudupdate owner=TommyKing policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/ip cloud force-update"
add dont-require-permissions=no name=test owner=TommyKing policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
get current external IP\r\
\n:global currentIP [:resolve ****.sn.mynetname.net server=208.67.2\
22.222];\r\
\n:global resolvedIP;\r\
\n\r\
\n# Determine if DNS update is needed\r\
\n:if (\$currentIP != \$resolvedIP) do={\r\
\n:log info (\"Mynetname update needed: Current-IP: \$currentIP Resolved-I\
P: \$resolvedIP\")\r\
\n/ip cloud force-update\r\
\n:global resolvedIP [:resolve ****.sn.mynetname.net server=208.67.\
222.222];\r\
\n} else={\r\
\n:log info (\"Mynetname: No update needed (\$currentIP=\$resolvedIP)\")\r\
\n}"
add dont-require-permissions=no name=ZTPeers owner=TommyKing policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global ZTPEERS\r\
\n:set ZTPEERS do={\r\
\n # params\r\
\n :local warnlatency 100ms\r\
\n :local warnpeerdelay 10s\r\
\n :local pingspeedlen 5s\r\
\n :local pingspeedint 250ms\r\
\n\r\
\n # find \"active\" peers from /zeroteir/peer\r\
\n :local activePeerIds [/zerotier/peer/find path~\"active\"]\r\
\n\r\
\n # get data for each peer into an array\r\
\n :local activePeers [:toarray \"\"]\r\
\n :for i from=0 to=([:len \$activePeerIds]-1) do={\r\
\n :set (\$activePeers->\$i) [/zerotier/peer get (\$activePeerIds->\
\$i)]\r\
\n } \r\
\n\r\
\n # loop though each peer to do some checks\r\
\n :foreach ztpeer in=\$activePeers do={\r\
\n # parse the \"path\" to find ip/port\r\
\n :local addrport (\$ztpeer->\"path\"->2)\r\
\n :local addr [:pick \$addrport 0 [:find \$addrport \"/\"]]\r\
\n :local port [:pick \$addrport ([:find \$addrport \"/\"]+1) [:len\
\_\$addrport] ]\r\
\n :set (\$ztpeer->\"ipaddr\") \"\$addr:\$port\"\r\
\n\r\
\n # humanize latency \"time\"\r\
\n :local platency [:tostr (\$ztpeer->\"latency\")]\r\
\n :local platency (\"\" . [:pick \$platency 6 8] . \"s \" . [:pick\
\_\$platency 9 13] . \"ms\") \r\
\n\r\
\n # output headers \r\
\n # note: colorize output is from /terminal/styles...\r\
\n /terminal/style syntax-old\r\
\n :put \"\$(\$ztpeer->\"role\")\\t\$platency\\t\$addrport\" \r\
\n # warn on high latency by colorizing it\r\
\n :if ((\$ztpeer->\"latency\") > \$warnlatency) do={\r\
\n # reprint latency in RED\r\
\n /terminal/cuu\r\
\n /terminal/style error\r\
\n :put \"\\t\$platency\"\r\
\n }\r\
\n \r\
\n # run a ping-speed \r\
\n /terminal/style \"syntax-noterm\" \r\
\n :put \"\\t PING-SPEED test \$addr \$([:pick \$pingspeedlen 6 8\
])s@\$([:pick \$pingspeedint 9 13])ms\"\r\
\n :local pingresults [/tool/ping-speed address=\$addr duration=\$p\
ingspeedlen interval=\$pingspeedint as-value]\r\
\n :local avgpingkb ((\$pingresults->\"average\")/1024) \r\
\n /terminal/cuu\r\
\n :if (avgpingkb < 1000) do={ \r\
\n /terminal/style error\r\
\n :put \"\\t\\t\\t got <1Mb/s, average: \$avgpingkb Kb/s \
\"\r\
\n } else={\r\
\n /terminal/style \"syntax-noterm\" \r\
\n :put \"\\t\\t\\t average: \$avgpingkb Kb/s \
\_ \"\r\
\n }\r\
\n\r\
\n # output last tx/rx time from peer\r\
\n # TODO: colorize long times in last peer packet times \r\
\n :local rxtime [:totime [:pick (\$ztpeer->\"path\"->3) 6 32 ]]\r\
\n :local txtime [:totime [:pick (\$ztpeer->\"path\"->4) 5 32 ]]\r\
\n {\r\
\n /terminal/style ambiguous\r\
\n :put \"\\t\\t\$(\$ztpeer->\"path\"->3)\"\r\
\n /terminal/cuu\r\
\n :put \"\\t\\t\\t\\t\\t\$(\$ztpeer->\"path\"->4)\"\r\
\n }\r\
\n :if (\$rxtime>\$warnpeerdelay) do={\r\
\n { /terminal/cuu; /terminal/style error; :put \"\\t\\t\$(\$zt\
peer->\"path\"->3)\" }\r\
\n }\r\
\n :if (\$txtime>\$warnpeerdelay) do={\r\
\n { /terminal/cuu; /terminal/style error; :put \"\\t\\t\\t\\t\
\\t\$(\$ztpeer->\"path\"->4)\" }\r\
\n }\r\
\n /terminal/style none\r\
\n\r\
\n\r\
\n # output connections associated with ZT\r\
\n :local ztconns [/ip/firewall/connection/find dst-address=\$addrp\
ort]\r\
\n :if ([:len ztconns] > 0) do={\r\
\n :set (\$ztpeer-\"conntrack\") [/ip/firewall/connection/print\
\_as-value where dst-address=\$addrport]\r\
\n } else={\r\
\n {/terminal/style error; :put \"\\tno associated connections \
found in firewall\"}\r\
\n }\r\
\n /ip/firewall/connection/print where dst-address=(\$ztpeer->\"ipa\
ddr\")\r\
\n :put \"\"\r\
\n }\r\
\n}\r\
\n\r\
\n[code]"
/tool netwatch
add disabled=yes down-script=":log info \"!!!Warning VPN Down!!!\"" host=\
192.168.32.1 http-codes="" interval=1m packet-count=5 test-script="" \
thr-loss-count=5 type=icmp up-script=":log info \"VPN to Home Up\""