Not at laptop at the moment, will have deeper look into config tomorrow morning.
Off the bat, I will change the 172.0.0.0/x IPs: these are outside the private IP range scope, so use 172.16.x.x – 172.31.x.x instead.
I have adjusted the ranges as you suggested (I believe). I have also updated the adjusted configuration export. Thanks for your help on this.
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 6.44.5 (c) 1999-2019 http://www.mikrotik.com/
[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments
[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options
/ Move up to base level
.. Move up one level
/command Use command at the base level
ReichNet - Authorized administrators only. Access to this device is monitored.
[38636@ReichHub] > export hide-sensitive
# aug/02/2019 17:22:36 by RouterOS 6.44.5
# software id = 1SBQ-KUIK
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A24B654
#
# Review notes (defender's reading of this export). "export hide-sensitive"
# was used, so passwords, PSKs and the RADIUS secret are not shown and are
# not commented on here. The main points, each repeated next to its line:
# - 172.0.0.0/24 under /ip dhcp-server network is the remaining non-private
#   entry flagged in the thread; everything else uses 172.16.0.0/24. The
#   20.0.0.0/24, 30.0.0.0/24 and 40.0.0.0/24 pools are outside the private
#   (RFC 1918) ranges too.
# - Winbox (tcp/8291) is accepted on input with no interface restriction and
#   before the WAN/VPN drop rules, so it is reachable from the WAN.
# - The default SNMP community allows 0.0.0.0/0 and SNMP is enabled.
# - A DHCP server ("l2tpexternal") is bound to the WAN interface.
# - Legacy ciphers (3des, blowfish128) and mschap1 are still offered.
/interface l2tp-server
# Static L2TP bindings. 3978 and 8794 are the site routers (see /ppp secret);
# the site-to-site routes in /ip route point at these interfaces.
add name=l2tp-jreich user=jreich
add name=reichnet-3978 user=3978
add name=reichnet-8794 user=8794
/interface bridge
# Main LAN bridge and a separate guest bridge, both with proxy-arp.
# No vlan-filtering= is shown on "bridge" even though /interface bridge vlan
# lists vlan-ids=50 below — confirm that VLAN 50 tagging is expected to work
# without it (may relate to the 30.0.0.0/24 reachability question).
add admin-mac=74:4D:28:2F:4E:2D arp=proxy-arp auto-mac=no name=bridge \
protocol-mode=none
add arp=proxy-arp name=guestbridge protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=OutToHouse speed=100Mbps
set [ find default-name=ether1 ] name=OutToWAN speed=100Mbps
set [ find default-name=ether3 ] name=ReichNet-GUEST speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
auto-negotiation=no name=SFP-RackSwitch speed=10Gbps
# ether4-ether10 are disabled here but are still listed as bridge ports below.
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] disabled=yes speed=100Mbps
set [ find default-name=ether7 ] disabled=yes speed=100Mbps
set [ find default-name=ether8 ] disabled=yes speed=100Mbps
set [ find default-name=ether9 ] disabled=yes speed=100Mbps
set [ find default-name=ether10 ] disabled=yes speed=100Mbps
/interface vlan
# VLAN 50 on the main bridge; carries 30.0.0.0/24 (see /ip address).
add interface=bridge name=srv-vlan vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=PPP
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=ReichNet
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
# Passive peer for the L2TP/IPsec clients; the PSK is hidden by hide-sensitive.
add name=peer1 passive=yes
/ip ipsec profile
# NOTE(review): 3des is still offered in the profile and in the proposal
# below, and the proposal has pfs-group=none. 3des is a legacy cipher; keep
# it only if a specific client cannot negotiate AES.
set [ find default=yes ] dh-group=modp2048 dpd-maximum-failures=2 \
enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
# NOTE(review): 20.0.0.0/24, 30.0.0.0/24 and 40.0.0.0/24 are public address
# space (not RFC 1918), the same concern the thread raised for 172.0.0.0/24;
# local hosts on these ranges will shadow the real networks for those
# prefixes. The VPN-L2TP pool also contains 172.16.0.240 and .242, which are
# assigned statically in /ppp secret — keeping static assignments outside the
# dynamic pool avoids a collision.
add name=dhcp ranges=10.0.0.101-10.0.0.254
add name=VPN-L2TP ranges=172.16.0.10-172.16.0.254
add name=dhcp-guest ranges=20.0.0.10-20.0.0.75
add name=dhcp-server ranges=30.0.0.10-30.0.0.75
add name=dhcp-l2tp-remote ranges=40.0.0.51-40.0.0.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=rst
add address-pool=dhcp-guest disabled=no interface=guestbridge name=guest
add address-pool=dhcp-server disabled=no interface=srv-vlan name=srv
# NOTE(review): "l2tpexternal" binds a DHCP server to OutToWAN, the
# ISP-facing interface that also runs a dhcp-client (see /ip dhcp-client).
# A DHCP server answering on the WAN port is almost certainly unintended, and
# this export has no /ip address or /ip dhcp-server network for 40.0.0.0/24,
# so it cannot hand out a usable gateway anyway. Consider removing it.
add address-pool=dhcp-l2tp-remote disabled=no interface=OutToWAN name=\
l2tpexternal
/ppp profile
# Profile for L2TP users: AD DNS at 10.0.0.3, router side 172.16.0.1, client
# addresses from the VPN-L2TP pool, encryption required.
add change-tcp-mss=yes dns-server=10.0.0.3 local-address=172.16.0.1 name=\
VPN-L2TP remote-address=VPN-L2TP use-encryption=yes
/queue interface
set OutToWAN queue=ethernet-default
/snmp community
# NOTE(review): the default community is usable from any source address and
# /snmp is enabled below. The input chain drops WAN and all-ppp traffic but
# nothing from the LAN or guest bridge, so guest hosts can query it. Restrict
# addresses= to the monitoring host(s).
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=OutToHouse
add bridge=guestbridge comment=defconf interface=ReichNet-GUEST
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=SFP-RackSwitch
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) disabled on every interface.
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge vlan-ids=50
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# L2TP enabled, mschap2 only. IPsec for the tunnels is presumably peer1 plus
# the identity in /ip ipsec identity; use-ipsec= is not shown — confirm.
set authentication=mschap2 default-profile=VPN-L2TP enabled=yes \
keepalive-timeout=disabled max-mtu=1500
/interface list member
add interface=bridge list=LAN
add comment=defconf interface=OutToWAN list=WAN
add interface=guestbridge list=LAN
# This member has no interface= and does nothing; likely a leftover.
add list=LAN
/interface ovpn-server server
# NOTE(review): blowfish128 is still in the cipher list; AES is available so
# it can be dropped unless an old client needs it. Whether this server is
# enabled is not visible in the export.
set certificate=reichnetwork_net.ca-bundle_2 cipher=\
blowfish128,aes128,aes192,aes256
/interface pptp-server server
set default-profile=default
/interface sstp-server server
# NOTE(review): mschap1 is offered alongside mschap2; mschap1 is the weaker
# of the two and should be removed unless a client requires it.
set authentication=mschap1,mschap2 certificate=reichnetwork_net.crt_0
/ip address
# NOTE(review): 10.0.0.1/24 sits on OutToHouse, which is itself a port of
# "bridge" (see /interface bridge port), while the rst DHCP server and
# srv-vlan are on "bridge". Addresses are normally placed on the bridge, not
# on a member port — confirm this is intended.
add address=10.0.0.1/24 comment=defconf interface=OutToHouse network=10.0.0.0
add address=**REMOVED FOR UPLOAD** interface=OutToWAN network=**REMOVED FOR UPLOADED**
add address=20.0.0.1/24 interface=guestbridge network=20.0.0.0
add address=30.0.0.1/24 interface=srv-vlan network=30.0.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=OutToWAN
/ip dhcp-server lease
# Static leases keyed by MAC / client-id. 10.0.0.101 and .103 also appear in
# the hardwire-block address list below.
add address=10.0.0.16 client-id=1:ec:71:db:f2:d8:7c comment=CAMBACKYARD-N \
mac-address=EC:71:DB:F2:D8:7C server=rst
add address=10.0.0.14 client-id=1:ec:71:db:15:5e:4 comment=CAMBACKYARD-S \
mac-address=EC:71:DB:15:5E:04 server=rst
add address=10.0.0.15 client-id=1:ec:71:db:c7:73:6a comment=CAMFRONTYARD-E \
mac-address=EC:71:DB:C7:73:6A server=rst
add address=10.0.0.3 comment=P000EPRIMARY mac-address=00:0E:B6:30:89:88 server=\
rst
add address=10.0.0.2 comment=P000EPRIMARY mac-address=00:0E:B6:30:89:89 server=\
rst
add address=10.0.0.74 client-id=1:a4:2b:b0:20:74:df comment=\
WIRELESS-ADAPTER-PRIVATE mac-address=A4:2B:B0:20:74:DF server=rst
add address=10.0.0.28 always-broadcast=yes client-id=1:d8:cb:8a:5f:15:cb \
comment=PD8CBCAMERA mac-address=D8:CB:8A:5F:15:CB server=rst
add address=10.0.0.11 client-id=1:0:15:5d:0:6:0 comment=V782BDOWNLOAD \
mac-address=00:15:5D:00:06:00 server=rst
add address=10.0.0.31 client-id=1:0:15:5d:0:6:3 comment=V782BMEDIA mac-address=\
00:15:5D:00:06:03 server=rst
add address=10.0.0.30 comment=V782BDROPBOX mac-address=00:15:5D:00:06:04 \
server=rst
add address=10.0.0.45 client-id=1:0:26:b9:62:27:e2 comment=P0026VIRTUAL \
mac-address=00:26:B9:62:27:E2 server=rst
add address=10.0.0.46 client-id=1:0:26:b9:62:27:e4 comment=P0026VIRTUAL \
mac-address=00:26:B9:62:27:E4 server=rst
add address=10.0.0.47 client-id=1:0:26:b9:62:27:e0 comment=P0026VIRTUAL \
mac-address=00:26:B9:62:27:E0 server=rst
add address=10.0.0.48 client-id=1:0:26:b9:62:27:de comment=P0026VIRTUAL \
mac-address=00:26:B9:62:27:DE server=rst
add address=10.0.0.51 client-id=1:34:97:f6:b7:2:43 comment=JORDAN-DESKTOP \
mac-address=34:97:F6:B7:02:43 server=rst
add address=10.0.0.34 comment=V0026CARLYWEBSRV mac-address=00:15:5D:00:2E:02 \
server=rst
add address=10.0.0.39 client-id=1:0:15:5d:0:2e:4 comment=V0026WEBHUB \
mac-address=00:15:5D:00:2E:04 server=rst
add address=10.0.0.4 comment=V0026PXEBOOT mac-address=00:15:5D:00:2E:0A server=\
rst
add address=10.0.0.49 client-id=1:98:5f:d3:5b:e5:6c comment=JORDAN-WORKPC \
mac-address=98:5F:D3:5B:E5:6C server=rst
add address=10.0.0.38 client-id=1:0:15:5d:0:2e:12 comment=V0026EXCHANGE \
mac-address=00:15:5D:00:2E:12 server=rst
add address=10.0.0.37 comment=V0026IRC mac-address=00:15:5D:00:2E:13 server=rst
add address=10.0.0.20 client-id=1:0:15:5d:0:2e:14 comment=V0026EXCHANGE \
mac-address=00:15:5D:00:2E:14 server=rst
add address=10.0.0.13 client-id=1:0:15:5d:0:2e:15 comment=V0026EMAIL \
mac-address=00:15:5D:00:2E:15 server=rst
add address=10.0.0.71 client-id=\
ff:76:3b:fc:74:0:2:0:0:ab:11:17:95:92:7b:86:4e:27:e4 comment=V0026CARLYTEST \
mac-address=00:15:5D:00:2E:16 server=rst
add address=10.0.0.52 client-id=1:d8:c4:97:a0:44:84 comment=CARLY-LAPTOP \
mac-address=D8:C4:97:A0:44:84 server=rst
add address=10.0.0.32 client-id=1:0:15:5d:0:2e:18 comment=V0026POLICYTEST \
mac-address=00:15:5D:00:2E:18 server=rst
add address=10.0.0.12 client-id=1:0:15:5d:0:2e:1a comment=V0026MONITOR \
mac-address=00:15:5D:00:2E:1A server=rst
add address=10.0.0.36 client-id=1:0:15:5d:0:2e:1b comment=V0026JCWIN2016 \
mac-address=00:15:5D:00:2E:1B server=rst
add address=10.0.0.50 client-id=1:1c:1b:d:ec:a7:b3 comment=CDELABARRE-PC \
mac-address=1C:1B:0D:EC:A7:B3 server=rst
add address=10.0.0.35 client-id=1:0:15:5d:0:2e:24 comment=V0026HOMEASSIST \
mac-address=00:15:5D:00:2E:24 server=rst
add address=10.0.0.53 client-id=1:0:15:5d:0:2e:25 comment=V0026WORKVPN \
mac-address=00:15:5D:00:2E:25 server=rst
# 10.0.0.33 is labelled V0026LIBCATALOG here but "ELK-Stack" in the firewall
# and is the netflow target below — one of the two labels is stale.
add address=10.0.0.33 comment=V0026LIBCATALOG mac-address=00:15:5D:00:2E:27 \
server=rst
add address=10.0.0.10 client-id=\
ff:80:40:df:4e:0:2:0:0:ab:11:c:b8:8a:f8:1d:7e:9a:19 comment=V0026JITSI \
mac-address=00:15:5D:00:2E:28 server=rst
add address=10.0.0.101 client-id=1:0:4:4b:48:9b:27 comment=SHIELD-GSTNET \
mac-address=00:04:4B:48:9B:27 server=rst
add address=10.0.0.103 comment=TV-LVRM-GSTNET mac-address=C4:1C:FF:5B:6D:5B \
server=rst
add address=10.0.0.100 client-id=1:74:4d:28:18:a2:94 comment="SFP SWITCH CONN" \
mac-address=74:4D:28:18:A2:94 server=rst
add address=20.0.0.10 client-id=1:14:91:82:c7:7e:16 comment=REICHNET-GUEST \
mac-address=14:91:82:C7:7E:16 server=guest
add address=10.0.0.40 client-id=1:0:19:b9:d8:38:31 comment=P0019DEREK \
mac-address=00:19:B9:D8:38:31 server=rst
add address=10.0.0.5 comment=V0026RADIUS mac-address=00:15:5D:00:2E:2C server=\
rst
add address=10.0.0.29 client-id=ff:5d:0:28:4:0:1:0:1:24:b7:72:a7:0:15:5d:0:28:4 \
comment="V0019DEREK - NEXTCLOUD" mac-address=00:15:5D:00:28:04 server=rst
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24
add address=20.0.0.0/24 gateway=20.0.0.1 netmask=24
add address=30.0.0.0/24 gateway=30.0.0.1 netmask=24
# NOTE(review): this is the remaining 172.0.0.0/24 entry flagged in the
# thread; the VPN uses 172.16.0.0/24 everywhere else (pool, ppp profile,
# route). No DHCP server, pool or address uses this network, and L2TP
# clients get addresses via PPP rather than DHCP, so it can probably be
# removed rather than renumbered.
add address=172.0.0.0/24 gateway=172.0.0.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for every interface
# the input chain permits; WAN and all-ppp are dropped there, LAN and guest
# are not.
set allow-remote-requests=yes servers=10.0.0.3
/ip dns static
add address=10.0.0.1 name=router.lan
add address=10.0.0.1 name=router
/ip firewall address-list
add address=216.92.61.7 list=blacklist
add address=10.0.0.101 list=hardwire-block
add address=10.0.0.103 list=hardwire-block
add address=69.20.59.81 list=blacklist
add address=69.20.59.80 list=blacklist
/ip firewall filter
# Rule order matters: accepts come before the catch-all drops at the end.
add action=fasttrack-connection chain=forward comment=\
"38636: defconf fasttrack" connection-state=established,related
add action=accept chain=input comment=\
"38636: defconf accept established,related" connection-state=\
established,related
add action=accept chain=forward comment=\
"38636: defconf accept established,related" connection-state=\
established,related
# NOTE(review): accepts Winbox from any source. This rule precedes both
# "drop all INPUT (WAN)" and "drop all INPUT from VPN", so tcp/8291 is
# reachable from the internet and from every VPN client. Add
# in-interface-list=LAN (or a src-address-list of management hosts) so it is
# only reachable from inside.
add action=accept chain=input comment="38636: Winbox" dst-port=8291 protocol=\
tcp
# Ports allowed in from the WAN; the list matches the enabled dst-nat rules
# below (the MOONLIGHT forwards are disabled and not listed here).
add action=accept chain=forward comment="38636: NAT Traffic Permit" dst-port=\
443,1000,32400,8096,26555,81,80,8081,3000 in-interface=OutToWAN protocol=\
tcp
# L2TP/IPsec service ports open to any source — required for the road-warrior
# VPN and the two site routers; the IPsec PSK and RADIUS do the gating.
add action=accept chain=input comment="38636: L2TP 1701" dst-port=1701 \
protocol=udp
add action=accept chain=input comment="38636: L2TP 500" dst-port=500 protocol=\
udp
add action=accept chain=input comment="38636: L2TP 4500" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="38636: L2TP PRTL 50" protocol=ipsec-esp
add action=accept chain=forward comment="PPP: RouterOS netflow to ELK-Stack" \
dst-address=10.0.0.33 dst-port=2055 in-interface=all-ppp protocol=udp
add action=accept chain=forward comment="PPP: accept machine PINGS" \
in-interface=all-ppp protocol=icmp
# NOTE(review): dst-port="" means any destination, so this matches on the
# client's source port alone. Most client-initiated TCP uses a port in
# 49152-65535, so this effectively lets VPN clients reach any TCP service
# the router routes to (10.0.0.0/24, the site subnets, the internet) and makes
# the later "drop all FORWARD from VPN" much narrower than its comment says.
# The source port is chosen by the client and is not a trust boundary; if the
# intent is a per-host allow-list, match on dst-address/dst-port instead.
add action=accept chain=forward comment="PPP: Allow dynamic port ranges" \
dst-port="" in-interface=all-ppp protocol=tcp src-port=49152-65535
# Same pattern for UDP: any destination, matched only on src-port 4011.
add action=accept chain=forward comment="PPP: Allow PXE server access" \
dst-port="" in-interface=all-ppp protocol=udp src-port=4011
add action=accept chain=forward comment="PPP: TCP allow for AD" dst-address=\
10.0.0.3 dst-port=53,88,135,139,389,445,464,636,3268,3269,5722,9389 \
in-interface=all-ppp protocol=tcp
# dst-port lists 123 twice; harmless.
add action=accept chain=forward comment="PPP: UDP allow for AD" dst-address=\
10.0.0.3 dst-port=53,67,88,123,137,138,389,123,445,2535 in-interface=\
all-ppp port="" protocol=udp
add action=accept chain=forward comment="PPP: Storage access 10.0.0.9 TCP" \
dst-address=10.0.0.9 dst-port=135-139,445 in-interface=all-ppp protocol=tcp
add action=accept chain=forward comment="PPP: Storage access 10.0.0.9 UDP" \
dst-address=10.0.0.9 dst-port=135-139,445 in-interface=all-ppp protocol=udp
# Catch-all for VPN traffic not accepted above. Note this also covers the two
# site routers (they are all-ppp too), so site-to-site traffic that is not
# TCP-from-an-ephemeral-port, ICMP, or one of the explicit allows is dropped
# here — worth checking against the Windows-client reachability problem.
add action=drop chain=forward comment="PPP: drop all FORWARD from VPN" \
in-interface=all-ppp log-prefix=VPNdrop
add action=drop chain=input comment="PPP: drop all INPUT from VPN" \
in-interface=all-ppp log-prefix=VPNdrop
# NOTE(review): blocks guest -> 10.0.0.0/24 only. Guest -> 30.0.0.0/24 and
# guest -> the router's own services (input chain) are not restricted by
# anything in this export.
add action=drop chain=forward comment="GUEST: Deny all to primary network" \
dst-address=10.0.0.0/24 in-interface=guestbridge src-address=20.0.0.0/24
add action=drop chain=forward comment=\
"38636: drop all GST hardwire traffic to RST" dst-address=10.0.0.0/24 \
out-interface=bridge src-address-list=hardwire-block
# Blacklist is enforced for TCP only; UDP/ICMP to these addresses still pass.
add action=drop chain=forward comment="38636: TCP Address Blacklist" \
dst-address-list=blacklist protocol=tcp
add action=drop chain=forward comment="38636: defconf drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"38636: defconf drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface=OutToWAN
# Final WAN drops (logged). Everything accepted on input from the WAN is the
# Winbox and L2TP/IPsec set above.
add action=drop chain=input comment="38636: drop all INPUT (WAN)" in-interface=\
OutToWAN log=yes log-prefix=Drop_Input_WAN
add action=drop chain=forward comment="38636: drop all FORWARD (WAN)" \
in-interface=OutToWAN log=yes log-prefix=Drop_Forward_WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface=OutToWAN
# NOTE(review): this rule is duplicated verbatim further down (second
# "HTTPS PASSWORD 1000"); one copy can go. It also uses in-interface=
# all-ethernet rather than OutToWAN, so port 1000 on any router address is
# redirected for LAN/guest ports too — confirm that hairpin is intended.
add action=dst-nat chain=dstnat comment="HTTPS PASSWORD 1000" dst-port=1000 \
in-interface=all-ethernet protocol=tcp to-addresses=10.0.0.2 to-ports=1000
# WAN port forwards. Each exposed service is an internet-facing attack
# surface; keep the backends (10.0.0.31, .40, .29, .39, .2, .28, .34) patched.
add action=dst-nat chain=dstnat comment="PLEX PORT 32400 TCP" dst-port=32400 \
in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.31 to-ports=32400
add action=dst-nat chain=dstnat comment="EMBY PORT 8096 TCP" dst-port=8096 \
in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.31 to-ports=8096
add action=dst-nat chain=dstnat comment=P0019DEREK-PLEX dst-port=26555 \
in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.40 to-ports=32400
add action=dst-nat chain=dstnat comment=P0019DEREK-NEXTCLOUD dst-port=81 \
in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.29 to-ports=81
add action=dst-nat chain=dstnat comment="HTTP WEBHUB TRAFFIC 80" dst-port=80 \
in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.39 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS WEBHUB TRAFFIC 443" dst-port=443 \
in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.2 to-ports=443
# Duplicate of the first "HTTPS PASSWORD 1000" rule above.
add action=dst-nat chain=dstnat comment="HTTPS PASSWORD 1000" dst-port=1000 \
in-interface=all-ethernet protocol=tcp to-addresses=10.0.0.2 to-ports=1000
add action=dst-nat chain=dstnat comment="SECURITY CAMERA SYSTEM 8081" dst-port=\
8081 in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.28 to-ports=\
8081
add action=dst-nat chain=dstnat comment="HTTPS MAILTRAIN 3000" dst-port=3000 \
in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.34 to-ports=3000
# MOONLIGHT forwards are all disabled; their ports are also absent from the
# "NAT Traffic Permit" forward rule, so re-enabling one needs both changes.
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
dst-port=47984 in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.51 \
to-ports=47984
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
dst-port=47989 in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.51 \
to-ports=47989
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
dst-port=48010 in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.51 \
to-ports=48010
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
dst-port=47998 in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 \
to-ports=47998
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
dst-port=47999 in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 \
to-ports=47999
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
dst-port=48000 in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 \
to-ports=48000
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
dst-port=48002 in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 \
to-ports=48002
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
dst-port=48010 in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 \
to-ports=48010
/ip firewall service-port
# FTP connection-tracking helper on 212, while the router's own FTP service
# is disabled (see /ip service) and nothing in this export forwards 212.
# It can be disabled unless an internal FTP server on 212 is in use.
set ftp ports=212
/ip ipsec identity
# remote-id=ignore with a passive peer: any initiator that knows the PSK is
# accepted, which is the usual road-warrior setup.
add generate-policy=port-override peer=peer1 remote-id=ignore
/ip route
add distance=1 gateway=**REMOVED FOR UPLOAD**
# Site subnets reached over the site routers' L2TP interfaces.
add distance=1 dst-address=10.0.1.0/24 gateway=reichnet-8794
add distance=1 dst-address=10.0.2.0/24 gateway=reichnet-3978
# NOTE(review): VPN addresses are assigned on the PPP interfaces (local
# 172.16.0.1 in the ppp profile/secrets), so a static /24 route for the VPN
# range pointing at "bridge" looks off — it would send traffic for unassigned
# 172.16.0.x hosts onto the LAN instead of dropping it. Confirm whether it is
# still needed.
add distance=1 dst-address=172.16.0.0/24 gateway=bridge
/ip service
# telnet/ftp/ssh/api/api-ssl disabled. www and winbox are not listed, so
# their state (and any address= restriction) is not visible in this export.
set telnet disabled=yes
set ftp disabled=yes port=212
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set cache-entries=128k enabled=yes
/ip traffic-flow target
# Netflow export to 10.0.0.33 (the "ELK-Stack" host in the firewall comment).
add dst-address=10.0.0.33
/ip upnp
# NOTE(review): UPnP lets LAN hosts open WAN port forwards on their own. No
# /ip upnp interfaces entries appear in this export, so which interfaces it
# acts on is not visible here; if it is not needed, set enabled=no.
set enabled=yes
/ppp aaa
# PPP (VPN) users are authenticated against RADIUS, i.e. AD via 10.0.0.5.
set use-radius=yes
/ppp secret
# Local accounts for the two site routers with fixed tunnel addresses
# (inside the VPN-L2TP pool range — see /ip pool note). Passwords hidden.
add local-address=172.16.0.1 name=8794 profile=VPN-L2TP remote-address=\
172.16.0.240 service=l2tp
add local-address=172.16.0.1 name=3978 profile=VPN-L2TP remote-address=\
172.16.0.242 service=l2tp
/radius
# RADIUS at 10.0.0.5 (lease V0026RADIUS) for ppp, login and ipsec; the shared
# secret is hidden by hide-sensitive.
add address=10.0.0.5 realm=reichnetwork service=ppp,login,ipsec src-address=\
10.0.0.1
/snmp
# See the /snmp community note: enabled with a community open to 0.0.0.0/0.
set enabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=ReichHub
/system logging
# ipsec logging is disabled; re-enable it when debugging VPN negotiation.
add disabled=yes topics=ipsec
add topics=sstp
/system note
set note="ReichNet - Authorized administrators only. Access to this device is mo\
nitored."
/system package update
set channel=long-term
/tool mac-server
# MAC-telnet and MAC-winbox limited to the LAN list (bridge + guestbridge).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
# Router logins also go through RADIUS.
set use-radius=yes
[38636@ReichHub] >
General Information:
- I have three site locations, including my own, each with its own private ISP and a MikroTik router at each location. (172.16.0.0/24)
- I also allow people to VPN into the house through the same connection using radius through AD (172.16.0.0/24)
- The primary hub location runs off a subnet (10.0.0.0/24)
- One of the site locations has a subnet (10.0.1.0/24)
- The other site location has a subnet (10.0.2.0/24)
- I have a guest network at the primary location (20.0.0.0/24)
- I have a VLAN setup between the hub and SwOS (30.0.0.0/24)
- I can communicate between all of the 10.x addresses in both directions from the house locations. The VPN from a Windows client appears unable to communicate with those locations. This might be because I have the routes built on both sides when two routers are involved.
- From the primary location, I also appear unable to communicate with the 20 and 30 subnet ranges, although I can assign computers to them and they appear to get internet connectivity.