leosedf

Site to Site VPN tunnel ok but router can't access subnets

Thu Jun 03, 2021 11:22 am

Hi, since I'm a noob I would like to ask you about 1-2 routers I have on my network that have no access to the remote subnets.
I have some other routers with the same config that seem to be able to access my home subnet.
The site-to-site traffic is working perfectly fine from my home subnet 192.168.0.0 to 10.181.64.0 and back, meaning all computers and equipment I have work fine between the subnets. The router on remote subnet 10.181.64.0 (RouterA), however, cannot access anything on home subnet 192.168.0.0 (RouterB), not even my home router, even though the other traffic passes fine. I have even compared configurations to other remote routers that work, but I am baffled. Can you guys spot anything that I didn't?

Remote router A is
# Remote router A (identity "RouterA", CCR1009-7G-1C-1S+), RouterOS 6.48.3 export
# as posted. Statement order is kept as exported because firewall filter, NAT and
# raw rules are evaluated top-down. Masked values (x.x, xxxxxx) are the author's
# redaction, not literal configuration.
# may/30/2021 12:48:11 by RouterOS 6.48.3
# software id = 
#
# model = CCR1009-7G-1C-1S+
# serial number = 
# Single LAN bridge; its member ports are declared later under
# /interface bridge port.
/interface bridge
add name="main bridge"
# Copper ports are forced to 100Mbps; the SFP+ port only advertises the three
# full-duplex speeds listed.
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-full,100M-full,1000M-full
# WAN/LAN interface lists referenced by the firewall (in-interface-list /
# out-interface-list); membership is assigned under /interface list member.
/interface list
add name=WAN
add name=LAN
# IKE (phase 1) profiles. The default profile is pinned to modp1024 with
# AES-256. The two named profiles that list DH groups also offer modp768, and
# the first of them 3DES; a peer only gets those if it negotiates them, but
# trimming modp768/3des from the lists is the safer default.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256
add dh-group=modp4096,modp2048,modp1024,modp768 enc-algorithm=\
    aes-256,aes-192,aes-128,3des name=xxxxxx
add enc-algorithm=aes-256,aes-192,aes-128 name="xxxxx"
add dh-group=modp8192,modp4096,modp2048,modp1024,modp768 enc-algorithm=\
    aes-256,aes-192,aes-128 name=xxxxxx
add enc-algorithm=aes-256,aes-192,aes-128 name=xxxxxxx
# Four site-to-site peers. The first sets no exchange-mode (RouterOS default
# applies) and no local-address; the other three are IKEv2 bound to the
# 79.173.x.x WAN address. The 185.214.x.x peer appears to be home router B
# (B's WAN is 185.214.xxx.xxx and B's "routerA" peer is 79.173.xxx.xxx).
/ip ipsec peer
add address=213.146.x.x/32 name=xxxxxxx profile=xxxxxxx
add address=185.214.x.x/32 exchange-mode=ike2 local-address=79.173.x.x \
    name="xxxxxx" profile="xxxxxx"
add address=87.81.x.x/32 exchange-mode=ike2 local-address=79.173.x.x \
    name=xxxxxxx profile=xxxxxxxx
add address=81.150.x.x/32 exchange-mode=ike2 local-address=79.173.x.x \
    name=xxxxxxx profile=xxxxxx
# Phase 2 proposals. All of them still accept sha1 for authentication and the
# named ones disable PFS (pfs-group=none); the "-nomodp" proposal also uses a
# 1h lifetime. The last proposal sets no enc-algorithms, so the RouterOS
# default applies to it.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms="ae\
    s-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-\
    128-cbc,aes-128-ctr,aes-128-gcm" lifetime=1d
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a\
    es-128-gcm" lifetime=1h name=xxxxxx-nomodp pfs-group=none
add auth-algorithms=sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-25\
    6-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-\
    gcm" lifetime=1d name="xxxxxx" pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a\
    es-128-gcm" lifetime=1d name=xxxxxxx pfs-group=none
add auth-algorithms=sha512,sha256,sha1 lifetime=1d name=xxxxxxx \
    pfs-group=none
# DHCP for the LAN (10.181.64.10-50).
/ip pool
add name=dhcp ranges=10.181.64.10-10.181.64.50
/ip dhcp-server
add address-pool=dhcp disabled=no interface="main bridge" name=dhcp1
# dhcp2 is bound to ether2, which is a member port of "main bridge" (see
# /interface bridge port). The export's own warning on the next line says it
# cannot run there, so dhcp2 is dead configuration and can be removed.
# DHCP server can not run on slave interface!
add address-pool=dhcp disabled=no interface=ether2 name=dhcp2
# Local disk logging plus a remote syslog target at 192.168.0.70 inside the
# home subnet, sourced from this router's LAN address 10.181.64.1. That is
# router-originated traffic through the tunnel, i.e. exactly the path the post
# says is broken; whether syslog lines arrive at 192.168.0.70 is a cheap check.
/system logging action
set 0 disk-file-name=/disk1/syslog target=disk
set 1 disk-file-name=/disk1/syslog
add name=OTAPSERVER remote=192.168.0.70 src-address=10.181.64.1 target=remote
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
# Login groups. "read" explicitly denies telnet/ssh/ftp/reboot/write/policy/
# test/sniff/romon/dude; "full" has every policy including password and policy.
/user group
set read policy="local,read,winbox,password,web,sensitive,api,tikapp,!telnet,!\
    ssh,!ftp,!reboot,!write,!policy,!test,!sniff,!romon,!dude"
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
# LAN ports ether2-5; ether1 is the WAN, ether6/7 and the SFP+ are not bridged.
/interface bridge port
add bridge="main bridge" interface=ether2
add bridge="main bridge" interface=ether3
add bridge="main bridge" interface=ether4
add bridge="main bridge" interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface="main bridge" list=LAN
# LAN address on the bridge; WAN is a /29 on ether1.
/ip address
add address=10.181.64.1/24 comment=defconf interface="main bridge" network=\
    10.181.64.0
add address=79.173.xx.xx/29 interface=ether1 network=79.173.xxx.xx
/ip dhcp-server network
add address=10.181.64.0/24 gateway=10.181.64.1 netmask=24
# Upstream resolvers: Google plus two (masked) provider servers.
/ip dns
set servers=8.8.8.8,83.143.xxx.xx,83.xxx.xxx.x
# Address lists for the port-knock sequence below; both start empty and are
# filled dynamically with timeouts.
/ip firewall address-list
add list=Temporary
add list=Valid
# Input/forward filter, evaluated top-down. Input ends with "drop all not
# coming from LAN", so only what is accepted above that line is reachable
# from the WAN.
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
# ESP from any source; IKE/NAT-T (udp 500/4500) are admitted further down.
add action=accept chain=input protocol=ipsec-esp
# Forwarded traffic that matched an IPsec policy (decrypted in, to-be-
# encrypted out) is accepted without any source restriction.
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Two-step port knock: tcp/5555 puts the source in Temporary for 20s, then
# tcp/6699 from a Temporary source puts it in Valid for 3h. Valid is what
# gates Winbox (tcp/8291) below.
add action=add-src-to-address-list address-list=Temporary \
    address-list-timeout=20s chain=input dst-port=5555 protocol=tcp
add action=add-src-to-address-list address-list=Valid address-list-timeout=3h \
    chain=input dst-port=6699 protocol=tcp src-address-list=Temporary
# udp 500/4500 (IKE, NAT-T) and 1701 (L2TP) from any source. No L2TP server
# appears in this export, so 1701 can be dropped from the list unless it is
# configured somewhere not shown.
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=forward protocol=icmp
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    Valid
# ICMP to the router is accepted from anywhere.
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
# Single masquerade rule with no ipsec-policy=out,none exception. LAN-to-
# tunnel traffic escapes it only because the raw notrack rules below keep it
# out of connection tracking. Router-originated traffic never passes raw/
# prerouting, so it is tracked; it stays clear of this rule only while its
# route (see /ip route) points at "main bridge" rather than the WAN. When
# comparing with the routers that do work, this rule and those routes are the
# first things to diff.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Bidirectional notrack pairs for each tunnelled subnet (prerouting only).
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
    10.181.64.0/24
add action=notrack chain=prerouting dst-address=10.181.64.0/24 src-address=\
    192.168.0.0/24
add action=notrack chain=prerouting dst-address=10.171.0.0/16 src-address=\
    10.181.64.0/24
add action=notrack chain=prerouting dst-address=10.181.64.0/24 src-address=\
    10.171.0.0/16
add action=notrack chain=prerouting dst-address=10.180.120.0/23 src-address=\
    10.181.64.0/24
add action=notrack chain=prerouting dst-address=10.181.64.0/24 src-address=\
    10.180.120.0/23
add action=notrack chain=prerouting dst-address=172.19.120.0/24 src-address=\
    10.181.64.0/24
add action=notrack chain=prerouting dst-address=10.181.64.0/24 src-address=\
    172.19.120.0/24
add action=notrack chain=prerouting dst-address=10.173.128.0/22 src-address=\
    10.181.64.0/24
add action=notrack chain=prerouting dst-address=10.181.64.0/24 src-address=\
    10.173.128.0/22
add action=notrack chain=prerouting dst-address=10.181.64.0/24 src-address=\
    10.175.128.0/24
add action=notrack chain=prerouting dst-address=10.171.48.0/24 src-address=\
    10.181.64.0/24
# 19.181.64.0/24 looks like a typo for 10.181.64.0/24 (the preceding rule is
# its mirror, 10.181.64.0/24 -> 10.171.48.0/24); as written this rule never
# matches the return traffic it is meant to cover.
add action=notrack chain=prerouting dst-address=19.181.64.0/24 src-address=\
    10.171.48.0/24
add action=notrack chain=prerouting dst-address=10.175.128.0/24 src-address=\
    10.181.64.0/24
add action=notrack chain=prerouting dst-address=10.181.64.0/24 src-address=\
    192.168.5.0/24
add action=notrack chain=prerouting dst-address=192.168.5.0/24 src-address=\
    10.181.64.0/24
add action=notrack chain=prerouting dst-address=10.181.64.0/24 src-address=\
    10.181.65.0/24
add action=notrack chain=prerouting dst-address=10.181.65.0/24 src-address=\
    10.181.64.0/24
# Note: the 10.172.0.0/16 policy under /ip ipsec policy has no notrack pair
# here, unlike every other tunnelled subnet.
# Connection-tracking helpers (ALGs) all disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Peer authentication, pre-shared keys (redacted). The first identity sets
# notrack-chain=prerouting, which makes RouterOS add dynamic notrack rules for
# that peer's policies; the second uses generate-policy=port-strict, so its
# policies are created from what the remote proposes rather than listed below.
/ip ipsec identity
add notrack-chain=prerouting peer=xxxxx secret=xxxxxxxxxxx
add generate-policy=port-strict peer="xxxxx" secret=\
    "xxxxxxxxxxxxxx"
add peer=xxxxxxxxx secret=xxxxxxxxxxxxxxxxx
add peer=xxxxxx secret="xxxxxxxxxxxxxxxxxxxxxxxxx"
# Static tunnel policies, all with src 10.181.64.0/24; the default policy is
# disabled. The 192.168.5.0/24 policy names no proposal, so the default
# proposal applies to it. The 10.172.0.0/16 policy has neither a raw notrack
# pair nor an /ip route entry, unlike the other subnets.
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.171.0.0/16 peer=xxxxxxx proposal=xxxxxxx-nomodp src-address=\
    10.181.64.0/24 tunnel=yes
add dst-address=10.180.120.0/23 peer=xxxxx proposal=xxxxxxx-nomodp \
    src-address=10.181.64.0/24 tunnel=yes
add dst-address=172.19.120.0/24 peer=xxxxxxxxx proposal=xxxxxx-nomodp \
    src-address=10.181.64.0/24 tunnel=yes
add dst-address=10.172.0.0/16 peer=xxxxxxx proposal=xxxxxx-nomodp src-address=\
    10.181.64.0/24 tunnel=yes
add dst-address=10.175.128.0/24 peer=xxxxxx proposal=xxxxxx-nomodp \
    src-address=10.181.64.0/24 tunnel=yes
# Policy toward home router B's LAN.
add dst-address=192.168.0.0/24 peer="xxxxxx" proposal="xxxxxx" \
    src-address=10.181.64.0/24 tunnel=yes
add dst-address=192.168.5.0/24 peer=xxxxxx src-address=10.181.64.0/24 \
    tunnel=yes
add dst-address=10.173.128.0/22 peer=xxxxx proposal=xxxxxx-nomodp \
    src-address=10.181.64.0/24 tunnel=yes
add dst-address=10.181.65.0/24 peer=xxxxxx proposal=xxxxxxx src-address=\
    10.181.64.0/24 tunnel=yes
# Default route via the ISP gateway, then routes for the tunnelled subnets
# that point at the LAN bridge instead of the WAN. That keeps router-
# originated packets for those subnets sourced from 10.181.64.1 and off the
# WAN masquerade rule. Four of them are disabled and 10.172.0.0/16 and
# 10.175.128.0/24 have none; which routes are enabled is worth comparing with
# the remote routers that can reach the home subnet.
/ip route
add distance=1 gateway=79.173.xxx.xx
add disabled=yes distance=1 dst-address=10.171.0.0/16 gateway="main bridge"
add disabled=yes distance=1 dst-address=10.173.128.0/22 gateway="main bridge"
add disabled=yes distance=1 dst-address=10.180.120.0/23 gateway="main bridge"
add distance=1 dst-address=10.181.65.0/24 gateway="main bridge"
add disabled=yes distance=1 dst-address=172.19.120.0/24 gateway="main bridge"
add distance=1 dst-address=192.168.0.0/24 gateway="main bridge"
add distance=1 dst-address=192.168.5.0/24 gateway="main bridge"
# Management plane: telnet/ftp/www/ssh/api/api-ssl disabled, leaving Winbox
# (port-knock gated in the filter) as the management path shown here.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# UPnP lets LAN hosts open inbound NAT pinholes on the WAN; disable it unless
# something on the LAN actually needs it.
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name="RouterA"
# Disk logging plus three remote feeds to OTAPSERVER (192.168.0.70). The
# "!debug" feed already covers every topic except debug, so the separate
# ipsec and info feeds are likely duplicates.
/system logging
set 0 action=disk disabled=yes
set 1 action=disk
set 2 action=disk
add action=OTAPSERVER prefix=MikroTik topics=!debug
add action=OTAPSERVER prefix=MikroTik topics=ipsec
add action=OTAPSERVER prefix=MikroTik topics=info
/system ntp client
set enabled=yes primary-ntp=79.135.97.79 secondary-ntp=143.210.16.201
# RouterBOOT firmware auto-upgrade.
/system routerboard settings
set auto-upgrade=yes
# Disabled scheduler entry for a Splunk/syslog export script; it is granted a
# wide policy set (write, policy, password, sensitive, ...), more than a
# log-forwarding script should normally need.
/system scheduler
add disabled=yes interval=5m name="Data to Splunk" on-event=\
    Data_to_Splunk_using_Syslog policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/28/2021 start-time=23:46:15
# Script section is empty in this export (the scheduler above references
# Data_to_Splunk_using_Syslog, which is not shown).
/system script

/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1 store-on-disk=no
add interface=ether3 store-on-disk=no
/tool graphing resource
add store-on-disk=no
/tool user-manager database
set db-path=user-manager


And home router B is
# Home router B (RB1100Dx4), RouterOS 6.48.3 export as posted. Statement
# order preserved for the same reason as router A (top-down rule evaluation).
# may/30/2021 13:03:28 by RouterOS 6.48.3
# software id = 
# model = RB1100Dx4
# serial number = 
# Three bridges: main LAN, a phone segment and a test segment.
/interface bridge
add name=main-bridge
add name=phone-bridge
add name=test-bridge
# Switch-chip ports with default-vlan-id cleared on all 16 ports.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
# DHCP option 43 for UniFi adoption: TLV type 01, length 04, then the
# controller address bytes C0A8030A (192.168.3.10).
/ip dhcp-server option
add code=43 name=unifi value=0x0104C0A8030A
# One peer declared before the profiles; no exchange-mode is set, so the
# RouterOS default applies.
/ip ipsec peer
add address=81.97.x.xx/32 local-address=185.214.xxx.xxx name=xxxx
# Policy group for road-warrior (L2TP/IPsec) clients; see the RW template
# policy and /ip ipsec mode-config further down.
/ip ipsec policy group
add name=RW
# IKE profiles. The default profile accepts every DH group RouterOS offers,
# including modp768 and the ec2n groups, plus 3DES; two named profiles also
# keep 3DES. Narrowing these lists to what the peers actually negotiate is
# low-risk hardening.
/ip ipsec profile
set [ find default=yes ] dh-group="ecp256,ecp384,ecp521,ec2n185,ec2n155,modp81\
    92,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768" \
    enc-algorithm=aes-256,aes-192,aes-128,3des
add enc-algorithm=aes-256,aes-192,aes-128 name=xxxxxx
add enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=xxx
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des name=xxxx
add dh-group=modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768 \
    enc-algorithm=aes-256,aes-192,aes-128 name=lt2p
add dh-group=modp8192,modp4096,modp2048,modp1024 enc-algorithm=\
    aes-256,aes-192,aes-128 name=xxxxx
add enc-algorithm=aes-256,aes-192,aes-128 name="xxxxxxxx"
add enc-algorithm=aes-256,aes-192,aes-128,3des name=xxxxxxx
# Site-to-site peers, mostly IKEv2. "routerA" (79.173.xxx.xxx) is passive
# (responder only) and sets no local-address, unlike the peers that bind
# 185.214.xxx.xxx explicitly. The last peer has no address at all, so it
# answers any initiator matching its profile/identity. One peer is disabled.
/ip ipsec peer
add address=188.172.xxx.xx/32 exchange-mode=ike2 local-address=\
    185.214.181.xxx name=xxxxxxx profile=xxxxx
add address=87.81.xxx.xxx/32 exchange-mode=ike2 local-address=185.214.xxx.xxx \
    name=xxxxxxx profile=xxxxx
add address=86.14.xx.xxx/32 exchange-mode=ike2 local-address=185.214.xxx.xxx \
    name=xxxx profile=xxxxx
add address=81.187.xxx.xxx/32 exchange-mode=ike2 local-address=185.214.xxx.xxx \
    name=xxxxxxxx profile=xxxxx
add address=81.150.xx.xx/32 exchange-mode=ike2 local-address=185.214.xxx.xxx \
    name=xxxxxx passive=yes profile=xxxxx
add address=81.142.xxx.xxx/32 exchange-mode=ike2 local-address=185.214.xxx.xxx \
    name=xxxxxx profile=xxxxxx
add address=81.133.xxx.xxx/32 local-address=185.214.xxx.xxx name=\
    "xxxxxxxxx" passive=yes profile=xxxxxx
# Peer entry for remote router A.
add address=79.173.xxx.xxx/32 exchange-mode=ike2 name="routerA" passive=yes \
    profile="xxxxxx"
add address=51.155.xxxx.xxx/32 exchange-mode=ike2 local-address=185.214.xxx.xxx \
    name=xxxx profile=xxxxxx
add address=31.129.xxx.xxx/32 comment=\
    "xxxxxxxxxxx, deactivate if not used" disabled=yes exchange-mode=\
    ike2 local-address=185.214.xxx.xxx name="xxxxxxxxx" profile=\
    phase2
add address=31.125.xxx.xxx/32 exchange-mode=ike2 local-address=185.214.xxx.xxx \
    name=xxxxxx profile=xxxxxx
add exchange-mode=ike2 name=xxxxxxxxx passive=yes profile=xxxxxx
# Phase 2 proposals. The default proposal is limited to AES-128; the named
# ones accept sha1 and most set pfs-group=none.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,aes-128-ctr,aes-128-gcm \
    lifetime=1d
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a\
    es-128-gcm" lifetime=1d name=phase1 pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a\
    es-128-gcm" lifetime=1d name=xxxx
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a\
    es-128-gcm" lifetime=1d name=xxxxx pfs-group=none
add auth-algorithms=sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-25\
    6-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-\
    gcm" lifetime=1d name="xxxxxxxx" pfs-group=none
add auth-algorithms=sha512,sha256,sha1 lifetime=1d name=xxxxxxx pfs-group=\
    none
# DHCP pools: main LAN, road-warrior (RW) VPN addresses, a masked pool on
# 192.168.6.x and the test segment.
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.59
add name=RW ranges=192.168.99.2-192.168.99.100
add name=xxxxx ranges=192.168.6.120-192.168.6.180
add name=test-dhcp ranges=192.168.66.20-192.168.66.150
/ip dhcp-server
add address-pool=dhcp disabled=no interface=main-bridge lease-time=30m name=\
    dhcp1
add address-pool=test-dhcp disabled=no interface=test-bridge lease-time=30m \
    name=test-dhcp
# Mode-config handed to RW clients: pool RW, split tunnel limited to
# 192.168.0.0/24, Google DNS.
/ip ipsec mode-config
add address-pool=RW name=RW split-include=192.168.0.0/24 static-dns=8.8.8.8 \
    system-dns=no
# ether2-9 main LAN, ether11-13 phone segment, ether10 test segment;
# ether1 is the WAN.
/interface bridge port
add bridge=main-bridge interface=ether2
add bridge=main-bridge interface=ether3
add bridge=main-bridge interface=ether4
add bridge=main-bridge interface=ether5
add bridge=main-bridge interface=ether6
add bridge=main-bridge interface=ether7
add bridge=main-bridge interface=ether8
add bridge=main-bridge interface=ether9
add bridge=phone-bridge interface=ether11
add bridge=phone-bridge interface=ether12
add bridge=phone-bridge interface=ether13
add bridge=test-bridge interface=ether10
# accept-source-route=yes makes the router honour IP source-route options,
# letting a sender dictate the forwarding path. It is off by default in
# RouterOS and nothing in this export depends on it, so it should be
# reviewed and, if unneeded, set back to no.
/ip settings
set accept-source-route=yes
# L2TP server with IPsec required (PSK redacted).
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=xxxxxxxxxx use-ipsec=\
    required
/interface list member
add interface=ether1 list=WAN
add interface=main-bridge list=LAN
add interface=phone-bridge list=LAN
add interface=test-bridge list=LAN
# WAN /24 on ether1; LAN on main-bridge; 192.168.6.2/24 sits on a masked
# interface name; test segment on test-bridge.
/ip address
add address=185.214.xxx.xxx/24 comment=defconf interface=ether1 network=\
    185.214.xxx.0
add address=192.168.0.1/24 interface=main-bridge network=192.168.0.0
add address=192.168.6.2/24 interface=xxxxxxxx network=192.168.6.0
add address=192.168.66.1/24 interface=test-bridge network=192.168.66.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1 \
    netmask=24
add address=192.168.6.0/24 dns-server=8.8.8.8 gateway=192.168.6.1
add address=192.168.66.0/24 dns-server=8.8.8.8 gateway=192.168.66.1
# The router answers DNS for remote requesters; the input chain's "drop all
# not coming from LAN" rule is what keeps that resolver off the WAN.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.222 name=xxxxxx.xxxxxx.xxx
# Filter rules derived from defconf; evaluated top-down.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Winbox accepted from any source, ahead of "drop all not coming from LAN",
# so tcp/8291 is reachable from the WAN. Router A gates the same port behind a
# port-knock address list; adding a src-address-list or src-address here is
# the first hardening step on this box.
add action=accept chain=input comment="Winbox remote management " dst-port=\
    8291 protocol=tcp
add action=accept chain=forward comment="PPP traffic " in-interface=all-ppp
# udp 1701/500/4500 (L2TP, IKE, NAT-T) from any source, needed for the
# L2TP/IPsec server and the site-to-site peers.
add action=accept chain=input comment="L2TP UDP VPN traffic" dst-port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Logged drop of all other input not from a LAN-list interface.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=FI_D_port-test
# Fasttrack is disabled. Fasttracked packets bypass IPsec processing, so keep
# it off while tunnels terminate on this router.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NAT: two accept rules exempt 192.168.6.0/24 <-> 192.168.88.0/24 from NAT,
# then the main masquerade. As on router A, the masquerade has no
# ipsec-policy=out,none exception: LAN traffic to the tunnels stays un-NATed
# via the raw notrack rules, router-originated traffic only via the bridge-
# pointing routes under /ip route. The last rule NATs 192.168.0.0/24 when it
# talks to 192.168.6.0/24.
/ip firewall nat
add action=accept chain=srcnat comment=\
    "xxxxxxxxxxxxxxxx" dst-address=\
    192.168.88.0/24 src-address=192.168.6.0/24
add action=accept chain=srcnat comment=\
    " notrack rule" dst-address=192.168.6.0/24 \
    src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="Main NAT function for xxxxx" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment=\
    "NAT between xxxxxxxxxxxxxxxxx" dst-address=192.168.6.0/24 \
    src-address=192.168.0.0/24
# Bidirectional notrack pairs per tunnelled subnet (prerouting only).
# 10.181.64.0/24 (router A's LAN) and 10.181.65.0/24 are both covered.
/ip firewall raw
add action=notrack chain=prerouting comment="xxxxxxxxxx" dst-address=\
    192.168.41.0/24 src-address=192.168.0.0/24
add action=notrack chain=prerouting comment="xxxxxxxxx" dst-address=\
    192.168.0.0/24 src-address=192.168.41.0/24
add action=notrack chain=prerouting dst-address=192.168.88.0/24 src-address=\
    192.168.0.0/24
add action=notrack chain=prerouting comment="xxxxxxxx" dst-address=\
    192.168.0.0/24 src-address=192.168.88.0/24
add action=notrack chain=prerouting comment="xxxxxxxxxx" dst-address=\
    192.168.26.0/24 src-address=192.168.0.0/24
add action=notrack chain=prerouting comment="xxxxxxxxxx" dst-address=\
    192.168.0.0/24 src-address=192.168.26.0/24
add action=notrack chain=prerouting comment="xxxxxxxxxx" dst-address=\
    10.181.64.0/24 src-address=192.168.0.0/24
add action=notrack chain=prerouting comment="xxxxxxxxxx" dst-address=\
    192.168.0.0/24 src-address=10.181.64.0/24
add action=notrack chain=prerouting comment="xxxxxxxxxxx" dst-address=\
    192.168.10.0/24 src-address=192.168.0.0/24
add action=notrack chain=prerouting comment="xxxxxxxxxx" dst-address=\
    192.168.0.0/24 src-address=192.168.10.0/24
add action=notrack chain=prerouting comment="xxxxxxxxx" dst-address=\
    192.168.89.0/24 src-address=192.168.0.0/24
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
    192.168.89.0/24
# Duplicate of the 192.168.10.0/24 -> 192.168.0.0/24 rule above; harmless.
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
    192.168.10.0/24
add action=notrack chain=prerouting dst-address=192.168.10.0/24 src-address=\
    192.168.6.0/24
add action=notrack chain=prerouting dst-address=192.168.6.0/24 src-address=\
    192.168.10.0/24
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
    192.168.4.0/24
add action=notrack chain=prerouting dst-address=192.168.4.0/24 src-address=\
    192.168.0.0/24
add action=notrack chain=prerouting comment="xxxxxxxxxxxxxxxx" \
    dst-address=192.168.0.0/24 src-address=10.181.66.0/24
add action=notrack chain=prerouting comment="xxxxxxxxxxxxxx" \
    dst-address=10.181.66.0/24 src-address=192.168.0.0/24
# This disabled rule uses dst-address-list / src-address-list with subnets as
# values; those parameters take address-list names, so enabling it as-is would
# not match 192.168.6.0/24 <-> 192.168.88.0/24 (dst-address / src-address
# would).
add action=notrack chain=prerouting disabled=yes dst-address-list=\
    192.168.6.0/24 src-address-list=192.168.88.0/24
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
    192.168.70.0/24
add action=notrack chain=prerouting dst-address=192.168.70.0/24 src-address=\
    192.168.0.0/24
add action=notrack chain=prerouting dst-address=192.168.5.0/24 src-address=\
    192.168.0.0/24
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
    192.168.5.0/24
add action=notrack chain=prerouting dst-address=10.181.65.0/24 src-address=\
    192.168.0.0/24
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
    10.181.65.0/24
# Connection-tracking helpers (ALGs) all disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes sip-timeout=7h
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

# Tunnel policies, all from 192.168.0.0/24 except the two 192.168.6.0/24
# entries; the default policy is disabled. Policies without a proposal
# parameter (192.168.34.0/24 and the two toward "siobhan") use the default
# proposal, which on this router is AES-128-only. The RW template policy
# serves the L2TP/IPsec clients.
/ip ipsec policy
set 0 disabled=yes
add comment="xxxxxxxxxxx" dst-address=192.168.88.0/24 peer=xxxxxx \
    proposal=xxxxxxxx src-address=192.168.0.0/24 tunnel=yes
add comment="xxxxxxxxxxx" dst-address=192.168.41.0/24 peer=xxxx \
    proposal=xxxxxxxx src-address=192.168.0.0/24 tunnel=yes
add comment="xxxxxxxxx" dst-address=192.168.10.0/24 peer=xxx proposal=\
    phase1 src-address=192.168.0.0/24 tunnel=yes
add comment="xxxxxxxxxxxxx" dst-address=192.168.5.0/24 peer=\
    xxxxxxxxxx proposal=xxxxxxxxxxx src-address=192.168.0.0/24 tunnel=yes
# 10.181.66.0/24 has raw notrack rules but, unlike 10.181.64.0/24 and
# 10.181.65.0/24, no /ip route entry pointing at main-bridge.
add comment="xxxxxxxxxxxxxx" dst-address=10.181.66.0/24 peer=\
    xxxxxxxxxxx proposal=xxxxxxx src-address=192.168.0.0/24 tunnel=yes
# Policy toward remote router A's LAN.
add comment="xxxxxxxxxxxxxxxxx" dst-address=\
    10.181.64.0/24 peer="xxxxxxx" proposal="xxxxxxxx" src-address=\
    192.168.0.0/24 tunnel=yes
add comment="xxxxxxxx" dst-address=192.168.34.0/24 \
    peer=xxxxxxx src-address=192.168.0.0/24 tunnel=yes
add comment="xxxxxxxxxxxx" dst-address=192.168.89.0/24 peer=\
    xxxxxx proposal=xxxxxxx src-address=192.168.0.0/24 tunnel=yes
# Disabled test policy with level=unique (one SA per policy).
add comment=TEST disabled=yes dst-address=192.168.88.0/24 level=unique peer=\
    xxxxx proposal=xxxxxxxxx src-address=192.168.6.0/24 tunnel=yes
add comment="xxxxxxxxxxxxx" dst-address=192.168.26.0/24 peer=\
    siobhan src-address=192.168.6.0/24 tunnel=yes
add comment="xxxxxxxxxxxxxxx" dst-address=192.168.26.0/24 peer=\
    siobhan src-address=192.168.0.0/24 tunnel=yes
add comment="xxxxxxxxxxx" dst-address=\
    192.168.4.0/24 peer="xxxxxxxxx" proposal=xxxxxxx src-address=\
    192.168.0.0/24 tunnel=yes
add comment="xxxxxxxxxxxxxx" disabled=yes \
    dst-address=192.168.70.0/24 peer="xxxxxxxxxxx" proposal=xxxxxx \
    src-address=192.168.0.0/24 tunnel=yes
add group=RW proposal=l2tp template=yes
add dst-address=10.181.65.0/24 peer=xxxxxxx proposal=xxxxxxx src-address=\
    192.168.0.0/24 tunnel=yes
# Default route plus bridge-pointing routes for the tunnelled subnets (same
# pattern as router A): router-originated traffic to these prefixes is
# sourced from 192.168.0.1 and does not hit the WAN masquerade rule.
# 10.181.66.0/24, which has a policy and raw rules above, has no entry here.
/ip route
add distance=1 gateway=185.214.181.130
add distance=1 dst-address=10.181.64.0/24 gateway=main-bridge
add distance=1 dst-address=10.181.65.0/24 gateway=main-bridge
add distance=1 dst-address=192.168.4.0/24 gateway=main-bridge
add distance=1 dst-address=192.168.5.0/24 gateway=main-bridge
add distance=1 dst-address=192.168.10.0/24 gateway=main-bridge
add distance=1 dst-address=192.168.26.0/24 gateway=main-bridge
add distance=1 dst-address=192.168.34.0/24 gateway=main-bridge
add distance=1 dst-address=192.168.41.0/24 gateway=main-bridge
add distance=1 dst-address=192.168.70.0/24 gateway=main-bridge
add distance=1 dst-address=192.168.88.0/24 gateway=main-bridge
add distance=1 dst-address=192.168.89.0/24 gateway=main-bridge
# Management plane: telnet/ftp/www/ssh/api/api-ssl disabled. Winbox remains,
# and the filter above accepts it from any source.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# UPnP enabled (LAN hosts can open inbound NAT pinholes); disable if unused.
/ip upnp
set enabled=yes show-dummy-rule=no
/system clock
set time-zone-name=Europe/London
/system identity
set name="xxxxxxxx"

Thank you
