respond new phase 1 (Identity Protection): WAN IP[500]<=>216.218.206.106[58955]
216.218.206.106 failed to get valid proposal
216.218.206.106 failed to pre-process ph1 packet (side: 1,status 1).
216.218.206.106 phase1 negotiation failed.
The IP belongs to The Shadowserver Foundation.
Do you suggest additional precautions here?
Below are the settings for the RB4011...
# aug/18/2021 10:26:57 by RouterOS 6.48.3
# software id = FW5U-5K9I
#
# model = RB4011iGS+
# serial number = D4455667773333
# Interfaces: one bridge carries the whole LAN; the upstream link is a PPPoE
# session over VLAN 911 on ether5. ether1 is disabled but is still listed as a
# WAN member in /interface list member further down.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
/interface vlan
# ether5 is also a plain bridge port (see /interface bridge port), so it
# carries both the tagged 911 uplink and untagged LAN traffic -- confirm that
# is intended rather than a leftover.
add interface=ether5 name=ether5-911 vlan-id=911
/interface pppoe-client
# PAP only. The PPPoE password is not present in this export (presumably
# hidden by export); the default route for the router comes from this session.
add add-default-route=yes allow=pap disabled=no interface=ether5-911 \
keepalive-timeout=60 name=pppoe-wan user=\
1234567890@broadband.com
/interface ethernet switch port
# All switch-chip ports left at default-vlan-id=0: no port-based VLAN
# assignment is done on the switch chip itself.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN / LAN lists are what the firewall filter rules below match on via
# in-interface-list; membership is assigned in /interface list member.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# DHCP option 6 (DNS server) override: leases tagged dhcp-option=AdBlock below
# are pointed at 192.168.50.50 instead of the network-wide DNS setting.
add code=6 name=AdBlock value="'192.168.50.50'"
/ip ipsec policy group
add name=vpn
/ip ipsec profile
# NOTE(review): the default profile still offers 3des. No entry in this export
# references the default profile by name, but the L2TP server further down
# (use-ipsec=required) presumably negotiates through it -- confirm, and drop
# 3des from the list if nothing depends on it.
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
# NOTE(review): dh-group=modp1024 is a 1024-bit MODP group, below current
# guidance for IKE key exchange; modp2048 (or an ECP group) is the usual
# minimum today and is supported by the same profile setting.
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
# Responder-only (passive=yes) IKEv2 peer with no address restriction, so it
# presumably answers any initiator; the log excerpt at the top of this post
# shows such an unsolicited attempt being rejected at phase 1, which is the
# expected outcome because authentication is by certificate
# (see /ip ipsec identity).
add exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal
# NOTE(review): pfs-group=none means child SA keys derive solely from the
# IKE SA keying material, i.e. no perfect forward secrecy for the ESP
# sessions. Setting a PFS group here is the fix.
add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip pool
# Three address ranges: LAN DHCP, L2TP clients, and IKEv2 mode-config clients.
add name=dhcp ranges=192.168.50.100-192.168.50.254
add name=pool1-L2TP_users ranges=10.0.50.2-10.0.50.20
add name=vpn ranges=10.22.22.10-10.22.22.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1h name=defconf
/ip ipsec mode-config
# Addresses handed to IKEv2 road-warrior clients (matched by the identities
# below); the same range is used by the VPN masquerade rule and the
# allowed_to_router address list.
add address-pool=vpn name=vpn
/ppp profile
# L2TP client profile: PPP-level encryption required on top of the IPsec
# transport that the L2TP server mandates.
add idle-timeout=1m local-address=10.0.50.1 name=profile1-L2TP_users \
remote-address=pool1-L2TP_users session-timeout=0s use-encryption=yes
/interface bridge port
# ether2-ether10 and the SFP+ port are all LAN bridge members. ether5 is
# additionally the parent of the ether5-911 VLAN that carries PPPoE.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery announcements are sent on no interface at all.
set discover-interface-list=none
/interface l2tp-server server
# NOTE(review): this is a second VPN entry point next to the
# certificate-authenticated IKEv2 peer, reachable on the same UDP 500/4500
# that the input chain opens. The IPsec secret it relies on is not shown in
# this export (presumably hidden), so its strength cannot be judged from here;
# if L2TP is no longer used, disabling it removes a PSK-based surface.
set enabled=yes use-ipsec=required
/interface list member
# The disabled ether1 and the live PPPoE session both count as WAN; only the
# bridge is LAN.
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-wan list=WAN
/ip address
add address=192.168.50.1/24 comment=defconf interface=bridge network=\
192.168.50.0
/ip cloud
# MikroTik cloud DDNS: the router publishes its current public address under
# a MikroTik-hosted name; update-time=no stops the cloud service from setting
# the clock (NTP below does that instead).
set ddns-enabled=yes ddns-update-interval=23h59m59s update-time=no
/ip dhcp-client
# A DHCP client also runs on the VLAN that carries the PPPoE session. Nothing
# in this export shows what it obtains or what uses it -- confirm it is
# still needed.
add comment=defconf interface=ether5-911 use-peer-dns=no
/ip dhcp-server lease
# Static leases. Entries carrying dhcp-option=AdBlock receive 192.168.50.50
# as their DNS server (option 6 override defined above); the rest get the
# dns-server value from /ip dhcp-server network below.
add address=192.168.50.3 client-id=1:84:d8:1b:59:0:92 mac-address=\
84:D8:1B:59:00:92 server=defconf
add address=192.168.50.12 client-id=1:78:24:af:82:df:b3 dhcp-option=\
AdBlock mac-address=78:24:AF:82:DF:B3 server=defconf
add address=192.168.50.11 client-id=1:78:24:af:82:df:b2 dhcp-option=\
AdBlock mac-address=78:24:AF:82:DF:B2 server=defconf
add address=192.168.50.58 dhcp-option=AdBlock mac-address=\
10:CE:A9:50:87:C0 server=defconf
add address=192.168.50.15 client-id=1:0:18:dd:25:f:d1 mac-address=\
00:18:DD:25:0F:D1 server=defconf
add address=192.168.50.16 client-id=1:0:18:dd:25:12:1e mac-address=\
00:18:DD:25:12:1E server=defconf
add address=192.168.50.2 client-id=1:8:55:31:26:f8:1d mac-address=\
08:55:31:26:F8:1D server=defconf
add address=192.168.50.56 dhcp-option=AdBlock mac-address=\
C8:3A:6B:F6:74:D4 server=defconf
add address=192.168.50.63 client-id=1:3c:5c:c4:43:a:14 dhcp-option=\
AdBlock mac-address=3C:5C:C4:43:0A:14 server=defconf
add address=192.168.50.44 client-id=1:b4:a3:82:f:6:1b mac-address=\
B4:A3:82:0F:06:1B server=defconf
add address=192.168.50.43 client-id=1:b4:a3:82:f:5:da mac-address=\
B4:A3:82:0F:05:DA server=defconf
add address=192.168.50.42 client-id=1:b4:a3:82:f:7:29 mac-address=\
B4:A3:82:0F:07:29 server=defconf
add address=192.168.50.18 client-id=1:74:da:88:32:c1:bf mac-address=\
74:DA:88:32:C1:BF server=defconf
add address=192.168.50.17 client-id=1:74:da:88:14:2d:b9 mac-address=\
74:DA:88:14:2D:B9 server=defconf
add address=192.168.50.5 client-id=1:60:32:b1:97:a4:86 mac-address=\
60:32:B1:97:A4:86 server=defconf
add address=192.168.50.4 client-id=1:60:32:b1:97:a4:70 mac-address=\
60:32:B1:97:A4:70 server=defconf
add address=192.168.50.6 client-id=1:60:32:b1:d1:63:40 mac-address=\
60:32:B1:D1:63:40 server=defconf
add address=192.168.50.51 client-id=1:ae:b6:6a:cd:4a:88 dhcp-option=\
AdBlock mac-address=AE:B6:6A:CD:4A:88 server=defconf
add address=192.168.50.52 client-id=1:8e:35:76:45:bd:c4 dhcp-option=\
AdBlock mac-address=8E:35:76:45:BD:C4 server=defconf
add address=192.168.50.54 client-id=1:8c:83:e1:b:f8:94 dhcp-option=\
AdBlock mac-address=8C:83:E1:0B:F8:94 server=defconf
add address=192.168.50.59 dhcp-option=AdBlock mac-address=\
40:06:A0:A7:CD:E0 server=defconf
add address=192.168.50.62 client-id=1:a0:d0:dc:d4:b0:b dhcp-option=\
AdBlock mac-address=A0:D0:DC:D4:B0:0B server=defconf
add address=192.168.50.61 client-id=1:38:f7:3d:a9:c4:dc dhcp-option=\
AdBlock mac-address=38:F7:3D:A9:C4:DC server=defconf
add address=192.168.50.64 client-id=1:0:4:4b:b1:da:f9 comment=shield_TV \
dhcp-option=AdBlock mac-address=00:04:4B:B1:DA:F9 server=defconf
add address=192.168.50.60 client-id=1:64:16:66:8f:d4:46 dhcp-option=\
AdBlock mac-address=64:16:66:8F:D4:46 server=defconf
add address=192.168.50.65 client-id=1:8c:83:e1:c4:e2:a8 dhcp-option=\
AdBlock mac-address=8C:83:E1:C4:E2:A8 server=defconf
add address=192.168.50.41 client-id=1:0:2a:2a:4b:8d:a8 mac-address=\
00:2A:2A:4B:8D:A8 server=defconf
add address=192.168.50.67 client-id=1:5c:a3:9d:2d:a8:ad comment=small_TV \
dhcp-option=AdBlock mac-address=5C:A3:9D:2D:A8:AD server=defconf
add address=192.168.50.57 client-id=1:d6:2d:76:4e:aa:21 dhcp-option=\
AdBlock mac-address=D6:2D:76:4E:AA:21 server=defconf
add address=192.168.50.53 client-id=1:68:3e:26:38:96:45 dhcp-option=\
AdBlock mac-address=68:3E:26:38:96:45 server=defconf
add address=192.168.50.50 client-id=1:0:15:17:dd:cf:ae dhcp-option=\
AdBlock mac-address=00:15:17:DD:CF:AE server=defconf
add address=192.168.50.55 client-id=1:c:c4:7a:42:45:e0 mac-address=\
0C:C4:7A:42:45:E0 server=defconf
add address=192.168.50.68 client-id=1:24:f5:a2:8c:51:10 dhcp-option=\
AdBlock mac-address=24:F5:A2:8C:51:10 server=defconf
/ip dhcp-server network
# Clients without the AdBlock option are handed 1.1.1.2/1.0.0.2 directly and
# bypass the router's own resolver, which uses a different upstream pair
# (1.1.1.3/1.0.0.3 below) -- confirm the split is intentional.
add address=192.168.50.0/24 comment=defconf dns-server=1.1.1.2,1.0.0.2 \
gateway=192.168.50.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anything that
# reaches its input chain. It is not an open resolver only because the input
# chain's last rule drops everything not arriving from the LAN list -- keep
# that dependency in mind when editing the firewall.
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3
/ip dns static
add address=192.168.50.1 comment=defconf name=router.lan
/ip firewall address-list
# NOTE(review): this list is defined but no filter or nat rule in this export
# references it. Since the input chain drops everything whose in-interface is
# not in LAN, IKEv2 clients (10.22.22.x, arriving decrypted on the WAN
# interface) presumably cannot reach router services such as DNS. If that is
# wanted, the missing piece is an input accept rule matching
# src-address-list=allowed_to_router placed before the final input drop.
add address=10.22.22.10-10.22.22.20 comment=VPN list=allowed_to_router
/ip firewall filter
# Input chain, in order: established/related/untracked, IKE/NAT-T from
# anywhere, drop invalid, ICMP, then drop all non-LAN. Rule order is what
# protects DNS, NTP and winbox-style services from the internet.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Accepts UDP 500/4500 from any source and logs every matching packet with
# prefix IPSEC/IKE2. Internet scanners will keep producing such entries (the
# excerpt at the top of this post is one); the IKE daemon rejecting at phase 1
# ("failed to get valid proposal") is the expected result for an initiator
# that cannot authenticate. Expect log noise rather than a breach from this.
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" \
dst-port=500,4500 log=yes log-prefix=IPSEC/IKE2 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain: traffic matching an IPsec policy is accepted in both
# directions before the generic WAN drop, which is what lets VPN clients
# reach the LAN.
add action=accept chain=forward comment="Accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Only connections that were dst-nat'ed (the two port forwards below) may
# enter from WAN.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# ipsec-policy=out,none excludes traffic that is about to be IPsec-encrypted
# from masquerading, so the policies still match the original addresses.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Logs every new connection originated by a VPN client.
add action=masquerade chain=srcnat comment=\
"Masquerade VPN traffic so devices see connections made from router IP" \
log=yes src-address=10.22.22.10-10.22.22.20
# NOTE(review): TCP 8096 and 8089 are published from the internet to
# 192.168.50.11. Together with IKE these are the only directly exposed
# services, and their exposure is bounded only by those two applications --
# keep them patched, and if the set of legitimate clients is known, a
# src-address-list on these two rules narrows the reachable population.
add action=dst-nat chain=dstnat comment="emby forwarding" dst-port=8096 \
in-interface=pppoe-wan log=yes log-prefix=emby_CONNECT protocol=tcp \
to-addresses=192.168.50.11 to-ports=8096
add action=dst-nat chain=dstnat comment="channels forwarding" dst-port=8089 \
in-interface=pppoe-wan log=yes log-prefix=channels protocol=tcp \
to-addresses=192.168.50.11 to-ports=8089
/ip ipsec identity
# Certificate-based IKEv2 identities: each remote must present exactly the
# named certificate (match-by=certificate); a port-strict policy is
# generated from the template below and addresses come from mode-config vpn.
add auth-method=digital-signature certificate="Home server" comment=\
"Home client1" generate-policy=port-strict match-by=certificate \
mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate=\
"VPN1"
add auth-method=digital-signature certificate="Home server" comment=\
"Home client2" generate-policy=port-strict match-by=certificate \
mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate=\
"VPN2"
/ip ipsec policy
# Template only (template=yes): any-to-any, group vpn, proposal vpn; the
# concrete policies are generated per identity above.
add dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=0.0.0.0/0 \
template=yes
/ip service
# telnet, ftp, api and api-ssl are off; www is limited to one LAN host; ssh
# is off (its port is moved to 2369 but the service itself is disabled).
# Services not listed here are presumably at their defaults, which an export
# does not print -- check /ip service directly for winbox and the rest.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.50.55/32
set ssh disabled=yes port=2369
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# Single L2TP user; the password is not included in this export.
add name=VPN_NAME profile=profile1-L2TP_users service=l2tp
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes primary-ntp=51.89.151.183 secondary-ntp=178.62.250.107
/system ntp server
# NTP server answers unicast and multicast; like DNS it is shielded from the
# internet only by the input chain's final non-LAN drop.
set enabled=yes manycast=no multicast=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-level telnet and winbox access restricted to LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN