# oct/21/2022 09:26:16 by RouterOS 7.6
# software id = W809-WKMN
#
# model = RB2011UiAS
# serial number =
# RouterOS 7.6 export (RB2011UiAS). EXTERNAL.VPN.IP.HERE, FIRST.EXTERNAL.VPN.IP and [REDACTED]
# appear to be placeholders substituted by the author before posting; the router's real public
# address lives on wg99 (see /ip address), while ether1 is the ISP uplink (dhcp-client, WAN list).
# Layer 2: one bridge carries every LAN port; ether1 is deliberately kept out of it.
/interface bridge
add admin-mac=64:D1:54:13:88:1C auto-mac=no comment=defconf fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# wg99 is the tunnel to the external server. Because its /ip address is a public IP, it is a
# WAN-facing interface from a security standpoint even though it is not in the WAN list below.
/interface wireguard
add comment=Wireguard listen-port=13235 mtu=1420 name=wg99
# Guest network: VLAN 3 on top of the bridge, its own /24 and DHCP server (see /ip address, /ip pool).
/interface vlan
add comment=GUEST interface=bridge name=GUEST vlan-id=3
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] name=GUEST
# LAN pool 172.16.1.1-172.16.1.200 sits inside the 172.16.0.0/22 LAN; note the disabled
# PIA-OpenVPN-Gateway address 172.16.1.1 under /ip address overlaps the first pool entry.
/ip pool
add comment=LAN name=dhcp ranges=172.16.1.1-172.16.1.200
add comment=GUEST name=DHCP-GUEST ranges=192.168.0.100-192.168.0.150
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge name=DHCP-LAN
add address-pool=DHCP-GUEST interface=GUEST name=DHCP-GUEST
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes name=OVPN-client only-one=yes use-encryption=required use-mpls=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# NOTE(review): SNMPv3 with SHA1/AES is set, but the community is reachable from any address
# (0.0.0.0/0,::/0) and has write-access=yes. The only thing limiting it is the firewall, and the
# input chain below has no terminal drop (see /ip firewall filter). Restricting addresses= to the
# monitoring host and dropping write-access unless it is actually used would shrink that exposure.
/snmp community
add addresses=0.0.0.0/0,::/0 authentication-protocol=SHA1 encryption-protocol=AES name=monitoring security=private write-access=yes
# NOTE(review): the homeassistant group carries write and policy in addition to read/api; if the
# integration only reads state, the smaller policy set is worth confirming.
/user group
add name=homeassistant policy=read,write,policy,test,api,!local,!telnet,!ssh,!ftp,!reboot,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-master
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6-master
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether7
add bridge=bridge ingress-filtering=no interface=ether8
add bridge=bridge ingress-filtering=no interface=ether9
add bridge=bridge ingress-filtering=no interface=ether10
# Neighbor discovery is off entirely, so the `discover` list members below are currently unused.
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# NOTE(review): only ether1 is a member of WAN; wg99 is not. The firewall rules further down match
# in-interface=ether1 directly rather than in-interface-list=WAN, so neither the list nor the rules
# cover traffic that enters from the internet through the tunnel. Adding `add interface=wg99 list=WAN`
# here and switching those rules to in-interface-list=WAN would close that gap.
/interface list member
add interface=sfp1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=ether1 list=WAN
# NOTE(review): md5 is still in the OVPN server auth list; the server does not appear enabled in this
# export, but sha1 alone (or better) is the safer setting if it is turned on later.
/interface ovpn-server server
set auth=sha1,md5
# allowed-address=0.0.0.0/0 lets any source come in through the tunnel; that is what makes the tunnel
# usable as a default path, and it is also why the tunnel needs the same firewall treatment as ether1.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=FIRST.EXTERNAL.VPN.IP endpoint-port=51820 interface=wg99 persistent-keepalive=25s public-key="[REDACTED]"
# The public VPN IP is bound to wg99 with no prefix length (presumably /32 — confirm).
/ip address
add address=172.16.0.1/22 comment=LAN interface=bridge network=172.16.0.0
add address=192.168.0.1/24 comment=GUEST interface=GUEST network=192.168.0.0
add address=172.16.1.1 comment=PIA-OpenVPN-Gateway disabled=yes interface=bridge network=172.16.1.1
add address=EXTERNAL.VPN.IP.HERE comment=Wireguard interface=wg99 network=EXTERNAL.VPN.IP.HERE
# The ISP-side default route comes from this dhcp-client on ether1 (no static /ip route in the export).
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=172.16.1.200 client-id=1:34:2:86:b3:26:c1 mac-address=34:02:86:B3:26:C1 server=DHCP-LAN
add address=172.16.1.105 client-id=1:60:6d:c7:1e:7c:f7 comment="Sony Bravia TV" mac-address=60:6D:C7:1E:7C:F7 server=DHCP-LAN
add address=172.16.0.30 comment="HP T620" mac-address=7C:D3:0A:10:9B:8B server=DHCP-LAN
add address=172.16.3.10 client-id=1:ec:71:db:6b:d0:99 mac-address=EC:71:DB:6B:D0:99 server=DHCP-LAN
add address=172.16.3.50 comment="Tuya WiFi Kotlownia" disabled=yes mac-address=84:E3:42:4E:34:34 server=DHCP-LAN
add address=172.16.3.100 client-id=1:50:eb:f6:5:98:89 comment="Wideodomofon - Client AP" mac-address=50:EB:F6:05:98:89 server=DHCP-LAN
add address=172.16.3.101 client-id=1:72:91:41:23:3d:56 comment="Wideodomofon - Tuya" mac-address=72:91:41:23:3D:56 server=DHCP-LAN
/ip dhcp-server network
add address=172.16.0.0/22 comment=LAN dns-server=172.16.0.2,172.16.0.3 domain=my-domain.ovh gateway=172.16.0.1 netmask=22
add address=192.168.0.0/24 comment=GUEST dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
# NOTE(review): allow-remote-requests=yes makes the router a resolver for anything that reaches the
# input chain. Guests are meant to use it (dns-server=192.168.0.1 above), but with no drop rule for
# wg99 the same resolver is reachable from the internet on the public VPN IP.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=120 max-concurrent-tcp-sessions=30 servers=172.16.0.2
/ip dns static
add address=172.16.0.1 name=mikrotik.lan
add address=172.16.1.200 name=uBox.lan
add address=172.16.0.30 disabled=yes regexp="^(.*\\.my-domain\\.ovh)\$"
add address=172.16.0.30 name=hp.srv
add address=172.16.0.2 name=raspberry.lan
add address=172.16.0.10 name=switch.lan
add address=172.16.0.20 name=ubiquiti1.lan
add address=172.16.0.20 name=ubiquiti2.lan
add address=172.16.0.99 name=printer.lan
add address=192.168.8.1 name=lte.lan
add address=172.16.0.40 name=pve.my-domain.ovh
# The LAN address list is defined but no rule in this export references it.
/ip firewall address-list
add address=172.16.0.0/12 list=LAN
add address=192.168.0.0/16 list=LAN
# NOTE(review): both "drop all from WAN" rules key on in-interface=ether1 only. Packets arriving from
# the internet via wg99 (the public VPN IP) match neither, so new connections are accepted into the
# router (default accept, no terminal drop in input) and forwarded to LAN hosts. The same default
# accept also means the GUEST VLAN is not isolated from the 172.16.0.0/22 LAN in the forward chain,
# and the dedicated SNMP accept rule is only meaningful once a terminal drop exists.
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=SNMP dst-port=161 in-interface=bridge protocol=udp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
# Both DMZ dst-nat rules are disabled; note they match on the public VPN IP, i.e. traffic that
# arrives via wg99, while the only masquerade rules are tied to ether1.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=dst-nat chain=dstnat comment="DMZ to Photon" disabled=yes dst-address=EXTERNAL.VPN.IP.HERE dst-port=80,443 protocol=tcp to-addresses=172.16.0.42
add action=dst-nat chain=dstnat disabled=yes dst-address=EXTERNAL.VPN.IP.HERE protocol=icmp to-addresses=172.16.0.42
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.0.0/24
# Management services are limited to the LAN /22 by address. telnet and ftp are still enabled
# (cleartext); disabling them unless they are needed is the usual hardening step.
/ip service
set telnet address=172.16.0.0/22
set ftp address=172.16.0.0/22
set www address=172.16.0.0/22
set ssh address=172.16.0.0/22
set www-ssl address=172.16.0.0/22 disabled=no
set api address=172.16.0.0/22 disabled=yes
set winbox address=172.16.0.0/22
set api-ssl address=172.16.0.0/22 certificate="Self-signed API certificate"
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/lcd
set time-interval=weekly
# NOTE(review): no rule here keys on src-address=EXTERNAL.VPN.IP.HERE and no route via wg99 exists in
# this export, so replies sourced from the public VPN IP presumably follow the main table's default
# route out of ether1 — which matches the reported "in on wg99, out on ether1". The usual remedy is a
# separate routing table (/routing table add fib name=<vpn-table>) holding a 0.0.0.0/0 route with
# gateway=wg99, selected by `add action=lookup-only-in-table src-address=EXTERNAL.VPN.IP.HERE/32
# table=<vpn-table>` — confirm against RouterOS 7.6.
/routing rule
add action=lookup-only-in-table disabled=no dst-address=172.16.0.0/22 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.8.0/30 table=main
/snmp
set contact=Upgreydd enabled=yes location=Rack trap-version=3
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
# Left over from debugging the tunnel: the sniffer is pre-filtered on the public VPN IP.
/tool sniffer
set filter-ip-address=EXTERNAL.VPN.IP.HERE/32
SERVER SIDE Wireguard Config:
# Server-side wg-quick configuration for the tunnel whose other end is wg99 on the MikroTik.
# Assumes IPv4 forwarding is enabled on the server — not shown here, confirm.
[Interface]
# Tunnel-internal address; no prefix length is given, so presumably installed as /32 — confirm.
Address = 10.200.200.1
# Must match endpoint-port=51820 in the router's wireguard peer entry.
ListenPort = 51820
PrivateKey = [REDACTED]
# Three actions: the nat PREROUTING ACCEPT only stops further nat-table processing for the
# handshake port; the two FORWARD rules then accept everything between the tunnel and enp4s0 in
# both directions with no state or address match. Nothing here filters what reaches the router's
# public VPN IP, so the MikroTik firewall is the only filter for traffic entering via the tunnel.
PostUp = iptables -t nat -A PREROUTING -p udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i mikrotik -o enp4s0 -j ACCEPT; iptables -A FORWARD -i enp4s0 -o mikrotik -j ACCEPT
# Reverses PostUp rule for rule; the -D commands must stay identical to the -A lines above.
PostDown = iptables -t nat -D PREROUTING -p udp --dport 51820 -j ACCEPT; iptables -D FORWARD -i mikrotik -o enp4s0 -j ACCEPT; iptables -D FORWARD -i enp4s0 -o mikrotik -j ACCEPT
# Mikrotik router
[Peer]
PublicKey = [REDACTED]
# Only the router's public VPN IP is sent into the tunnel (wg-quick presumably installs the matching
# route — confirm). No Endpoint is given, so the router has to initiate; its persistent-keepalive
# on the MikroTik side covers that.
AllowedIPs = EXTERNAL.VPN.IP.HERE/32
# seconds
PersistentKeepalive = 25
I have a server with two external IPs: the first IP is used for services, and the second one is detached from eth, and I want to use it as the external IP for my MikroTik (I can't get an external IP from my ISP). So when I tcpdump the 'mikrotik' interface (my name for the WireGuard interface on the server) on the server and ping it from another server, I see incoming packets. I see ICMP packets in IP>Firewall>Connections, but when I did packet sniffing I saw that the router receives on wg99 and responds on ether1 (WAN). How can I fix that? Thank you in advance