I select L2TP/IPsec with pre-shared key but where do I get that key ? I entered my password and when i tried to connect i get error message in windows saying: "The network connection between your computer and the VPN serrver could not be established because the remote server is not responding.
# jan/06/2022 06:55:02 by RouterOS 7.1.1
# software id = KL0T-VH4S
#
# model = RBD53iG-5HacD2HnD
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-7E5179 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-7E517A \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set enabled=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ppp profile
add local-address=192.168.89.1 name=vpn remote-address=vpn
/ppp secret
add name=<l2tpusername> password=<l2tppassword> profile=vpn service=l2tp
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes ipsec-secret=<ipsecsecret> use-ipsec=required
i've read that is not very secure
i would like to create VPN connection using Wiregurard.
is it better for me to add another router at home ?
This is an important point, the concept of server/peer is really only valid for the initial process of connecting. Once established one can move traffic back and forth only limited by your ability to configure the two ends of the tunnel (configs on MT routers). Very flexible!!WireGuard lets you treat either end as the "server" part. The choice of best configuration simply depends on which end is easier to point at. If one end has a stable public IP, that's the better end as compared to one behind NAT with a dynamic public IP.
Sort of yes, but the option to simply specify IPSec secret for L2TP server, and have system configure rest of IPSec automatically, makes the whole thing much easier. And it works, so it's good. Upside is that you don't have to install any extra software on client, it can sometimes help.Once you drill down past the one-click canned feature in MT's GUIs, you'll find that IPSec over L2TP is complicated.
# jan/06/2022 14:22:55 by RouterOS 7.1.1
# software id = KL0T-VH4S
#
# model = RBD53iG-5HacD2HnD
# serial number = xxxxxxxxxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-7E5179 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-7E517A \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=vpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn profile=default-encryption service=l2tp
add name=l2tp profile=vpn service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept
add chain=input protocol=ipsec-esp action=accept
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept
# jan/06/2022 16:03:04 by RouterOS 7.1.1
# software id = KL0T-VH4S
#
# model = RBD53iG-5HacD2HnD
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-7E5179 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-7E517A \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=vpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input dst-port=500,450 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec protocol=\
udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn profile=default-encryption service=l2tp
add name=l2tp profile=vpn service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# jan/06/2022 17:28:06 by RouterOS 7.1.1
# software id = KL0T-VH4S
#
# model = RBD53iG-5HacD2HnD
# serial number = xxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-7E5179 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-7E517A \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=vpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn profile=vpn service=l2tp
add name=l2tp profile=vpn service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
That is Mikrotik's own DDNS service.I thought that VPN address at Quickset page can be used instead of the dedicated DDNS service.
At my home test setup i use that address instead of DDNS and it was working.
# jan/12/2022 07:18:27 by RouterOS 7.1.1
# software id = J61H-4XD4
#
# model = RBwAPR-2nD
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface l2tp-client
add connect-to=xxxxxxxxxxxxxxxxxxxxxxx disabled=no name=l2tp-out1 use-ipsec=yes \
user="**************"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
MikroTik-7FCF0A wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.isp.provider ip-type=ipv4 name=ISPName
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.25.244-192.168.25.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.25.1/24 comment=defconf interface=bridge network=\
192.168.25.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.25.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system leds
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led2 modem-signal-threshold=-71 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led3 modem-signal-threshold=-51 type=modem-signal
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
R1 (Office router)
[code]# jan/12/2022 07:24:41 by RouterOS 7.1.1
# software id = CD7M-66CD
#
# model = RB952Ui-5ac2nD
# serial number = xxxxxxxxxxxxxxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
distance=indoors frequency=2472 installation=indoor mode=ap-bridge ssid=\
"Fidens 2.4G" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=croatia disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid="Fidens 5G" \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=VPN_Ured remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN_Ured enabled=yes use-ipsec=\
required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
/ip arp
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port 21 za FTP server" dst-address=\
192.168.10.8 dst-port=21 in-interface=ether1 protocol=tcp to-addresses=\
192.168.1.39 to-ports=21
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment="Divar IP kockica" disabled=yes \
dst-address=192.168.10.8 dst-port=442 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.139 to-ports=442
add action=dst-nat chain=dstnat comment="VDC BL2/0 - VPN" disabled=yes \
dst-address=192.168.10.8 dst-port=500 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.6 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.10.8 \
dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.1.6 \
to-ports=4500
/ip firewall service-port
set udplite ports=500
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name="Kre\9Ao@VPN" profile=VPN_Ured service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system ntp client
set enabled=yes
/system ntp client servers
add address=161.53.128.17
add address=45.87.77.15
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment="Divar IP3000 \"Kockica\"" host=192.168.1.139
add comment="NAS server" host=192.168.1.39
add comment="Biostar 2 server" host=192.168.1.20
add comment="Dinioin IP4000" down-script="Ispad kamere" host=192.168.20.108 \
up-script="Kamera ukljucena"
Office1
/ip/firewall/filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=192.168.80.1
Office2
/ip/firewall/filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=192.168.90.1
# jan/12/2022 12:50:10 by RouterOS 7.1.1
# software id = CD7M-66CD
#
# model = RB952Ui-5ac2nD
# serial number = ******************
/interface bridge
add admin-mac=************** auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
distance=indoors frequency=2472 installation=indoor mode=ap-bridge ssid=\
"Fidens 2.4G" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=croatia disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid="Fidens 5G" \
wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=VPN_Ured remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN_Ured enabled=yes use-ipsec=\
required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.25.0/24 endpoint-address=\
+++++++++++++++.sn.mynetname.net endpoint-port=13231 interface=wireguard1 \
public-key="++++++++++++++++++++++++++++++++++++++++++++"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.255.255.1/30 interface=wireguard1 network=10.255.255.0
/ip arp
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
192.168.25.0/24
add action=accept chain=forward dst-address=192.168.25.0/24 src-address=\
192.168.1.0/24
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
10.3.191.181
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port 21 za FTP server" dst-address=\
192.168.10.8 dst-port=21 in-interface=ether1 protocol=tcp to-addresses=\
192.168.1.39 to-ports=21
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment="Divar IP kockica" disabled=yes \
dst-address=192.168.10.8 dst-port=442 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.139 to-ports=442
add action=dst-nat chain=dstnat comment="VDC BL2/0 - VPN" disabled=yes \
dst-address=192.168.10.8 dst-port=500 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.6 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.10.8 \
dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.1.6 \
to-ports=4500
/ip firewall service-port
set udplite ports=500
/ip route
add dst-address=192.168.25.0/24 gateway=wireguard1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name="+++++++++" profile=VPN_Ured service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system ntp client
set enabled=yes
/system ntp client servers
add address=161.53.128.17
add address=45.87.77.15
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
# jan/12/2022 12:56:13 by RouterOS 7.1.1
# software id = J61H-4XD4
#
# model = RBwAPR-2nD
# serial number = ++++++++++++
/interface bridge
add admin-mac=+++++++++++++ auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
MikroTik-7FCF0A wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.+++++++ ip-type=ipv4 name=++++++++++
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.25.244-192.168.25.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.1.0/24 endpoint-address=\
xxxxxxxxxxxxxxxx.sn.mynetname.net endpoint-port=13231 interface=wireguard1 \
public-key="++++++++++++++++++++++++++++++++++++++++++"
/ip address
add address=192.168.25.1/24 comment=defconf interface=bridge network=\
192.168.25.0
add address=10.255.255.2/30 interface=wireguard1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.25.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
++++++++++++++
add action=accept chain=forward dst-address=192.168.25.0/24 src-address=\
192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
192.168.25.0/24
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip route
add dst-address=192.168.1.0/24 gateway=wireguard1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system leds
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led2 modem-signal-threshold=-71 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led3 modem-signal-threshold=-51 type=modem-signal
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
You can try but I doubt Google will participateHow can I point router towards something with static IP, and towards what ? Only thing that i can think of that is constant is DNS server (google for example)
Hello,@gigabyte091
I don't think that you need to add a new interface for that.@gigabyte091
Do you have one interface and two peers in every MT right now?@gigabyte091
Last time I checked my binary math:Two usable addresses, last one is broadcast.
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=10.3.191.181
# jan/17/2022 09:44:17 by RouterOS 7.1.1
# software id = CD7M-66CD
#
# model = RB952Ui-5ac2nD
# serial number = **********
/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
distance=indoors frequency=2472 installation=indoor mode=ap-bridge ssid=\
"Fidens 2.4G" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=croatia disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid="Fidens 5G" \
wireless-protocol=802.11
/interface wireguard
add listen-port=***** mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=VPN_Ured remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN_Ured enabled=yes use-ipsec=\
required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.25.0/24,10.255.255.0/24 endpoint-address=\
**********.sn.mynetname.net endpoint-port=***** interface=wg1 \
public-key="********************************************"
add allowed-address=192.168.20.0/24,10.255.255.0/24 endpoint-address=\
**********.sn.mynetname.net endpoint-port=***** interface=wg1 \
public-key="********************************************"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.255.255.1/29 interface=wg1 network=10.255.255.0
/ip arp
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=forward comment=\
"Wireguard FWD GRAWE_VDC_HEINZELOVA -> URED" dst-address=192.168.1.0/24 \
src-address=192.168.25.0/24
add action=accept chain=forward comment=\
"Wireguard FWD URED -> GRAWE_VDC_HEINZELOVA" dst-address=192.168.25.0/24 \
src-address=192.168.1.0/24
add action=accept chain=forward comment="Wireguard FWD FIDENS_LTE - > URED" \
dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard FWD URED -> FIDENS_LTE" \
dst-address=192.168.20.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port 21 za FTP server" dst-address=\
192.168.10.8 dst-port=21 in-interface=ether1 protocol=tcp to-addresses=\
192.168.1.39 to-ports=21
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment="Divar IP kockica" disabled=yes \
dst-address=192.168.10.8 dst-port=442 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.139 to-ports=442
add action=dst-nat chain=dstnat comment="VDC BL2/0 - VPN" disabled=yes \
dst-address=192.168.10.8 dst-port=500 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.6 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.10.8 \
dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.1.6 \
to-ports=4500
/ip firewall service-port
set udplite ports=500
/ip route
add dst-address=192.168.25.0/24 gateway=wg1
add dst-address=192.168.20.0/24 gateway=wg1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name="********" profile=VPN_Ured service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system ntp client
set enabled=yes
/system ntp client servers
add address=161.53.128.17
add address=45.87.77.15
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment="Divar IP3000 \"Kockica\"" host=192.168.1.139
add comment="NAS server" host=192.168.1.39
add comment="Biostar 2 server" host=192.168.1.20
add comment="Dinioin IP4000" down-script="Ispad kamere" host=192.168.20.108 \
up-script="Kamera ukljucena"
# jan/17/2022 09:55:08 by RouterOS 7.1.1
# software id = J61H-4XD4
#
# model = RBwAPR-2nD
# serial number = **********
/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
MikroTik-7FCF0A wireless-protocol=802.11
/interface wireguard
add listen-port=***** mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=********************* ip-type=ipv4 name=Telemach
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.25.244-192.168.25.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.1.0/24,10.255.255.0/24 endpoint-address=\
**********.sn.mynetname.net endpoint-port=30700 interface=wg1 \
public-key="********************************************"
/ip address
add address=192.168.25.1/24 comment=defconf interface=bridge network=\
192.168.25.0
add address=10.255.255.2/30 interface=wg1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.25.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=forward comment="fwd wireguard" dst-address=\
192.168.25.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="fwd wireguard" dst-address=\
192.168.1.0/24 src-address=192.168.25.0/24
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
src-address=192.168.1.20
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow ipsec-esp" disabled=yes \
protocol=ipsec-esp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip route
add dst-address=192.168.1.0/24 gateway=wg1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=GRAWE_VDC_HEINZELOVA
/system leds
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led2 modem-signal-threshold=-71 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led3 modem-signal-threshold=-51 type=modem-signal
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
And about "this is the one that don't want to connect if there is nothing connected to it", WG is by default silent, it only connects when there are some data to be sent. If you want it to be more active, setting keepalive for peer should do the trick.
I think I get it, so interface address is the same for example as address that laptop, and other devices gets from the router and they have their subnet, (in our case we assign that address manually) but allowed address says router where to send our data, and it must be only one address, that's why we are using /32 subnet so that data from 10.255.255.1/32 end up at 10.255.255.2/32 like is supposed to, but if i leave that at /24 then data can end up where is not suppose to.There are two things, peer's allowed-address and routes (that can be also created dynamically from IP address). They are related, but not the same.
IP addresses and routes are same as with regular interfaces. You can have R1 with .1/29, R2 with .2/29, R3 with .3/29, etc. It just says that other addresses from that subnet are reachable on that interface where this IP address is. It's definitely true for R1, which can reach both R2 and R3 on same WG interface. It may be also true for R2 and R3, only without direct link, communication between them will have to go via R1.
But then you have allowed-address, and it's slightly different, it belongs to peer and says what can come from peer and what can be sent to peer. So for R1, definition for R2 must be only .2/32 (plus its LAN subnet), because you don't want R2 sending traffic from e.g. R3's .3. Same for R3, peer's definition on R1 should be only .3/32 (plus LAN). In your config you have 0/24 for both, that wouldn't work, because router wouldn't know if it should send e.g. .2 to R2 or R3. On R2 and R3 it can be different, they can have full subnet for R1 as peer, because that allows also routing between them via R1.
Because if I use /32 then 10.255.255.1 would be separate network ? Then it wouldn't be reachable from /29, for eg. 10.255.255.2/29If R1 has 10.255.255.1/29, it knows that 10.255.255.2 and 10.255.255.3 are reachable using WG interface. With 10.255.255.1/32 it wouldn't know that.
So that i can understand better, you were trying to access the R1 that is behind the ISPs Router from your home using the ISPs Public IP ?Here it is, it's not much but i tried to give as much details as possible.
Drawing1.jpg
Office R1 is in DMZ because due to or office connection (DSL/LTE hybrid) we can't put router into the bridge mode.
/ip firewall mangle
add chain=output dst-address=10.255.255.1 action=log
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=input comment="allow LAN access" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward \
connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
Nothing wrong with UPnP .... I and many of my clients use it ... and have been doing that for many Years .... many many years ... The only people afraid of UPnP are those that do ot know how to exploit it and more importantly implement it properly with effective firewall controls .....Got it your stuck with UPNP due to 'being forced' to use less than stellar devices stuck in the middle ages.
Thanks Mozerd, for the refresher. What special considerations for security should be taken, that are not already dealt with in standard firewall rules etc..Nothing wrong with UPnP .... I and many of my clients use it ... and have been doing that for many Years .... many many years ... The only people afraid of UPnP are those that do ot know how to exploit it and more importantly implement it properly with effective firewall controls .....Got it your stuck with UPNP due to 'being forced' to use less than stellar devices stuck in the middle ages.
The only people stuck in the middle ages are those that are tied to Lamas and elephants
Many moons ago @Sob provided me with some important info related to MikroTik and UPnP …. Following is the threadThanks Mozerd, for the refresher. What special considerations for security should be taken, that are not already dealt with in standard firewall rules etc..
add action=accept chain=forward comment=\
"Wireguard FWD GRAWE_VDC_HEINZELOVA -> URED" dst-address=192.168.1.0/24 \
src-address=192.168.25.0/24
add action=accept chain=forward comment=\
"Wireguard FWD URED -> GRAWE_VDC_HEINZELOVA" dst-address=192.168.25.0/24 \
src-address=192.168.1.0/24
add action=accept chain=forward comment="Wireguard FWD FIDENS_LTE - > URED" \
dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard FWD URED -> FIDENS_LTE" \
dst-address=192.168.20.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"Wireguard FWD DECATHLON_VDC_ZADAR -> URED" dst-address=192.168.1.0/24 \
src-address=192.168.25.0/24
add action=accept chain=forward comment=\
"Wireguard FWD URED -> DECATHLON_VDC_ZADAR" dst-address=192.168.25.0/24 \
src-address=192.168.1.0/24
add action=accept chain=forward comment="Wireguard FWD LTE -> Ured" \
dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard Ured -> LTE" dst-address=\
192.168.20.0/24 src-address=192.168.1.0/24
# jan/26/2022 06:36:59 by RouterOS 7.1.1
# software id = CD7M-66CD
#
# model = RB952Ui-5ac2nD
# serial number = **********
/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
distance=indoors frequency=2472 installation=indoor mode=ap-bridge ssid=\
"Fidens 2.4G" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=croatia disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid="Fidens 5G" \
wireless-protocol=802.11
/interface wireguard
add listen-port=30700 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=VPN_Ured remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN_Ured enabled=yes use-ipsec=\
required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.25.0/24,10.255.255.2/29 comment=\
GRAWE_VDC_HEINZELOVA endpoint-address=**********.sn.mynetname.net \
endpoint-port=30700 interface=wg1 persistent-keepalive=30s public-key=\
"********************************************"
add allowed-address=192.168.20.0/24,10.255.255.3/29 comment=FIDENS_LTE \
endpoint-address=**********.sn.mynetname.net endpoint-port=30700 \
interface=wg1 persistent-keepalive=30s public-key=\
"********************************************"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.255.255.1/29 comment=VPN interface=wg1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=forward comment=\
"Wireguard FWD GRAWE_VDC_HEINZELOVA -> URED" dst-address=192.168.1.0/24 \
src-address=192.168.25.0/24
add action=accept chain=forward comment=\
"Wireguard FWD URED -> GRAWE_VDC_HEINZELOVA" dst-address=192.168.25.0/24 \
src-address=192.168.1.0/24
add action=accept chain=forward comment="Wireguard FWD FIDENS_LTE - > URED" \
dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard FWD URED -> FIDENS_LTE" \
dst-address=192.168.20.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port 21 za FTP server" dst-address=\
192.168.10.8 dst-port=21 in-interface=ether1 protocol=tcp to-addresses=\
192.168.1.39 to-ports=21
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.10.8 \
dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.1.6 \
to-ports=4500
/ip firewall service-port
set udplite ports=500
/ip route
add dst-address=192.168.25.0/24 gateway=wg1
add dst-address=192.168.20.0/24 gateway=wg1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name="**********" profile=VPN_Ured service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system ntp client
set enabled=yes
/system ntp client servers
add address=161.53.128.17
add address=45.87.77.15
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool netwatch
add comment=DECATHLON_VDC_ZADAR host=192.168.20.1 interval=5m
add comment=GRAWE_VDC_HENZELOVA host=192.168.25.1 interval=5m
# jan/26/2022 06:39:09 by RouterOS 7.1.1
# software id = J61H-4XD4
#
# model = RBwAPR-2nD
# serial number = **********
/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
MikroTik-7FCF0A wireless-protocol=802.11
/interface wireguard
add listen-port=30700 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=******************** ip-type=ipv4 name=Telemach
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.25.244-192.168.25.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.1.0/24,10.255.255.1/29 endpoint-address=\
************.sn.mynetname.net endpoint-port=30700 interface=wg1 \
persistent-keepalive=30s public-key=\
"********************************************"
/ip address
add address=192.168.25.1/24 comment=defconf interface=bridge network=\
192.168.25.0
add address=10.255.255.2/29 comment=VPN interface=wg1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.25.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=forward comment=\
"Wireguard FWD DECATHLON_VDC_ZADAR -> URED" dst-address=192.168.1.0/24 \
src-address=192.168.25.0/24
add action=accept chain=forward comment=\
"Wireguard FWD URED -> DECATHLON_VDC_ZADAR" dst-address=192.168.25.0/24 \
src-address=192.168.1.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=WinBox dst-port=8291 in-interface=wg1 \
protocol=tcp src-address=192.168.1.20
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip route
add dst-address=192.168.1.0/24 gateway=wg1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=GRAWE_VDC_HEINZELOVA
/system leds
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led2 modem-signal-threshold=-71 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led3 modem-signal-threshold=-51 type=modem-signal
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=RUTER_URED host=192.168.1.1
# jan/26/2022 06:38:20 by RouterOS 7.1.1
# software id = P3N3-9GCJ
#
# model = RBwAPR-2nD
# serial number = **********
/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface wireguard
add listen-port=30700 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=***************** name=Telemach \
use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
tkip,aes-ccm mode=dynamic-keys name=WPA/WPA2 supplicant-identity="" \
unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
distance=indoors frequency=auto mode=ap-bridge security-profile=WPA/WPA2 \
ssid=Fidens_Hotspot wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.20.248-192.168.20.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface wireguard peers
add allowed-address=192.168.1.0/24,10.255.255.1/32 endpoint-address=\
**********.sn.mynetname.net endpoint-port=30700 interface=wg1 \
persistent-keepalive=30s public-key=\
"********************************************"
/ip address
add address=192.168.20.1/24 comment=defconf interface=bridge network=\
192.168.20.0
add address=10.255.255.3/29 comment=VPN interface=wg1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.20.0/24 comment=defconf dns-server=192.168.20.1 gateway=\
192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.20.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=forward comment="Wireguard FWD LTE -> Ured" \
dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard Ured -> LTE" dst-address=\
192.168.20.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="Winbox " dst-port=8291 protocol=tcp \
src-address=192.168.1.20
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=192.168.1.0/24 gateway=wg1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=DECATHLON_VDC_ZADAR
/system leds
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led2 modem-signal-threshold=-71 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led3 modem-signal-threshold=-51 type=modem-signal
xBox = multiplayer gaming and chat over the internetMy question is, did you use UPNP so that devices could talk to what where?? (use cases being solved)
NAS?
Apple Time Capsule?
Xbox?
Yea I can confirm that, almost, if not all of vendors have UPnP enabled devices, especially if they provide cloud based storage and mobile apps. And some vendors although they have UPnP (Bosch for example), that UPnP is not working as it should (Bosch for example) so you have to manually open about 3 or 4 ports on the router for cloud services to work.Also the majority of IoT devices are UPnP enabled like my security cameras etc. etc etc.