mattneedshelp
just joined
Topic Author
Posts: 2
Joined: Fri Apr 16, 2021 5:03 pm

Low throughput, low CPU usage

Fri Apr 16, 2021 5:37 pm

I am getting really low internet access speeds through my new HexS. ISP speed is 1GB/s up/down but devices behind my HexS manage less than 1 MB/s.
I recently got a HexS and am using it behind my ISP's device (specifically a Bell HomeHub 2000) as the router for my network.
Any tips on troubleshooting what is going on here?

The ISP device has the HexS in a DMZ.
Current network setup:
  • Static IP from ISP
  • ISP device LAN 192.168.2.0/24
  • HexS LAN 192.168.5.0/24
Watching the /tool profile my CPU usage is never more than 2%.
Pings to google.com from devices behind the router seem reasonable (< 10 ms).
Here's an example speed test run:
matt@ubuntu18:~$ curl -s https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py | python -
Retrieving speedtest.net configuration...
Testing from Bell Canada (XXX.XXX.XXX.XXX)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Bell Mobility (North York, ON) [X km]: 6.081 ms
Testing download speed................................................................................
Download: 0.15 Mbit/s
Testing upload speed................................................................................................
Upload: 3.06 Mbit/s
I did set up an OpenVPN and have been playing with an L2TP/IPsec server on the HexS, but these tests are coming from a device not connected through the VPN.
Sorry for cluttering the export output with the VPN junk.
[admin@matthexs] > export hide-sensitive
# apr/16/2021 10:30:49 by RouterOS 6.48
# software id = 5KD8-JNT4
#
# model = RB760iGS
# serial number = E1F20D30F823
/interface bridge
add admin-mac=08:55:31:FE:6A:6A auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add name=dhcp ranges=192.168.5.192-192.168.5.254
add name=vpn-pool ranges=10.100.100.2-10.100.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=10.100.100.1 local-address=10.100.100.1 name=vpn remote-address=vpn-pool use-encryption=required
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=vpn enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=matthexs-ovpn cipher=aes256 default-profile=vpn enabled=yes require-client-certificate=yes
/ip address
add address=192.168.5.1/24 comment=defconf interface=bridge network=192.168.5.0
add address=192.168.6.1/24 interface=bridge network=192.168.6.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.5.0/24 comment=defconf gateway=192.168.5.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.5.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment=IPSec port=1701,500,4500 protocol=udp
add action=accept chain=input comment=IPSec protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward dst-address=192.168.6.0/24 in-interface=bridge out-interface=bridge src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 in-interface=bridge out-interface=bridge src-address=192.168.6.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="VPN access to router" src-address=10.100.100.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ppp secret
<my users>
/system clock
set time-zone-name=America/Toronto
/system identity
set name=matthexs
/system logging
add topics=ovpn,debug,!packet
add topics=firewall,debug
add topics=ipsec,debug,!packet
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
set default-group=full use-radius=yes
 
mattneedshelp
just joined
Topic Author
Posts: 2
Joined: Fri Apr 16, 2021 5:03 pm

Re: Low throughput, low CPU usage

Fri Apr 16, 2021 11:42 pm

Is it possible that the double-NAT is causing an issue?
