When I connect to the office over L2TP/IPSEC I can ping the Mikrotik but nothing else.Do I need to set up a different type of connection? EOIP? I tried enabling proxy-arp to no avail. I don't see how to add the Connection to the Bridge or tag it to a Vlan. Thanks in advance for the help.
Learning as fast as I can :)
Office
Code: Select all
# may/12/2021 10:20:55 by RouterOS 6.45.9
# software id =
#
# model = RB4011iGS+5HacQ2HnD
# serial number =
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] frequency=auto mode=ap-bridge ssid=Office
/interface ethernet
set [ find default-name=ether1 ] mac-address=bb:73:6a:ec:33:a0
/interface l2tp-server
add name=Frank_L2TP user=John
add name=Gary_L2TP user=Sally
add name=Walter_L2TP user=Stephan
/interface vlan
add interface=BR1 name=Guest_VLAN vlan-id=45
add arp=proxy-arp interface=BR1 name=Office_VLAN vlan-id=44
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan2 ] mode=ap-bridge security-profile=guest ssid=\
Office_Guest
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc
add enc-algorithms=aes-256-cbc name=Home1
add enc-algorithms=aes-256-cbc name=Home
add enc-algorithms=aes-256-cbc name=Office
add enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=L2TP/IpSec
/ip pool
add name=Office_POOL ranges=192.168.44.1-192.168.44.100
add name=Guest_POOL ranges=10.0.20.2-10.0.20.254
add name=L2TP-Pool ranges=192.168.44.180-192.168.44.189
add name=SSTP_Server_Pool ranges=10.0.0.1-10.0.0.5
add name="SSTP Remote Pool" ranges=10.0.0.10-10.0.0.15
add name=DMZ-Pool ranges=172.16.15.2-172.16.15.6
/ip dhcp-server
add address-pool=Office_POOL interface=Office_VLAN name=Office_DHCP
add address-pool=Guest_POOL disabled=no interface=Guest_VLAN name=Guest_DHCP
/ppp profile
add change-tcp-mss=yes dns-server=192.168.44.252,192.168.44.254 \
local-address=192.168.44.254 name=L2TP remote-address=L2TP-Pool \
use-encryption=yes
add change-tcp-mss=yes dns-server=192.168.44.252,192.168.44.254 \
local-address=192.168.44.254 name=SSTP-Profile remote-address=L2TP-Pool \
use-encryption=yes
add local-address=SSTP_Server_Pool name=SSTP-VPN remote-address=\
"SSTP Remote Pool" use-encryption=yes
add change-tcp-mss=yes local-address=10.0.0.1 name=SSTP-Video remote-address=\
10.0.0.2 use-encryption=yes
add bridge=BR1 change-tcp-mss=yes local-address=10.0.0.1 name=profile1 \
remote-address=10.0.0.4 use-encryption=yes
/system logging action
add disk-file-name=Attack disk-lines-per-file=50000 name=AttackLog target=\
disk
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=44
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=44
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan1 pvid=44
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=45
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=wlan2 pvid=45
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=44
add bridge=BR1 tagged=BR1 untagged=ether4,wlan2 vlan-ids=45
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP enabled=yes use-ipsec=\
required
/interface list member
add interface=ether1 list=WAN
add interface=Office_VLAN list=VLAN
add interface=Guest_VLAN list=VLAN
/interface sstp-server server
set authentication=mschap2 default-profile=SSTP-Video enabled=yes port=4443
/ip address
add address=192.168.44.254/24 interface=Office_VLAN network=192.168.44.0
add address=10.0.20.1/24 interface=Guest_VLAN network=10.0.20.0
add address=12.34.167.189/30 interface=ether1 network=12.34.167.188/30
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=192.168.44.254 gateway=10.0.20.1
add address=192.168.44.0/24 dns-server=192.168.44.254 gateway=192.168.44.254
/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip firewall address-list
add address=119.60.5.37 list="Port Scanner"
add address=45.129.136.15 list="Port Scanner"
add address=89.248.165.6 list="Port Scanner"
/ip firewall filter
add action=log chain=forward log=yes log-prefix=Attack src-address=\
89.187.171.246
add action=drop chain=forward src-address=89.187.171.246
add action=drop chain=forward disabled=yes src-address=75.143.105.46
add action=drop chain=input src-address=89.187.171.246
add action=drop chain=input in-interface-list=WAN src-address-list=\
"Port Scanner"
add action=add-src-to-address-list address-list="Port Scanner" \
address-list-timeout=none-static chain=input comment=\
"Port scanners to block List" in-interface-list=WAN protocol=tcp psd=\
20,3s,3,1 tcp-flags=""
add action=add-src-to-address-list address-list="Port Scanner" \
address-list-timeout=none-static chain=input comment=\
"NMAP FIN Stealth scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 \
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
address-list-timeout=none-static chain=input comment="SYN/FIN scan" \
in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanner" \
address-list-timeout=none-static chain=input comment="SYN/RST scan" \
in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanner" \
address-list-timeout=none-static chain=input comment=\
"FIN/PSH/URG scan - Block TCP Null scan" in-interface-list=WAN protocol=\
tcp psd=20,3s,3,1 tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanner" \
address-list-timeout=none-static chain=input comment="ALL/ALL scan" \
in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanner" \
address-list-timeout=none-static chain=input comment=\
"Block TCP Xmas scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
address-list-timeout=none-static chain=input comment="NMAP NULL scan" \
in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
address-list-timeout=none-static chain=input comment="Drop TCP RST" \
in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=rst
add action=drop chain=input comment="dropping port scanners" \
in-interface-list=WAN src-address-list="Port Scanner"
add action=drop chain=input comment="Drop pings" connection-mark=ping \
in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"only admin should be able to fully access the router" protocol=icmp
add action=accept chain=input comment="(only provide access to lan users for s\
pecific services, most common -DNS SERVICES, NTP services" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="(only provide access to lan users for s\
pecific services, most common -DNS SERVICES, NTP services" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="(only provide access to lan users for s\
pecific services, most common -DNS SERVICES, NTP services" dst-port=8291 \
in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="\"drop all else\""
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow port forwarding - optional rule\
\_can be disabled if no port forwarding is used" connection-nat-state=\
dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
connection-state=new disabled=yes in-interface-list=VLAN src-address=\
192.168.254.100
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward disabled=yes out-interface-list=WAN protocol=\
tcp src-address=192.168.9.2
add action=drop chain=forward comment=\
"Drop all traffic that goes to multicast or broadcast addresses" \
dst-address-type=broadcast,multicast
add action=drop chain=forward comment=Drop
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 proposal=L2TP/IpSec
/ip route
add distance=1 gateway=12.34.167.188
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=Walter profile=L2TP service=l2tp
add name=Frank profile=L2TP service=l2tp
add name=SSTP profile=SSTP-Profile service=sstp
add name=User1 profile=profile1 service=sstp
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=Office
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
add action=AttackLog prefix=Attack topics=firewall