howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Unresolving pages via IPsec VPN

Sat Aug 08, 2020 11:21 am

I thought I had the answer to my VPN issue with my question viewtopic.php?f=2&t=164604 about the L7 Hack a few days ago, but I was wrong. That deals with when you want to intercept DNS requests.

My issue is that, when I connect my IPsec VPN from the remote office and direct all traffic through that VPN, some sites are either really slow or never load.

I thought this was a DNS issue but I'm not sure. I know the remote office router manages to resolve the DNS - I can see them in the cache.

I don't know why some sites load and some don't but could it be because the DNS is resolved by the remote router, but the actual pages need to go via head office?

I tried catching the DNS entries in the remote office using NAT (and putting them to the Head Office router), but DNS seems to happen before NAT, so that didn't work.

Has anyone got ideas on how to solve this?
 
pe1chl
Forum Guru
Posts: 10238
Joined: Mon Jun 08, 2015 12:09 pm

Re: Unresolving pages via IPsec VPN

Sat Aug 08, 2020 11:33 am

It is more likely that it is a MTU issue, either because of errors in your own firewall or because of the common errors in firewalls on servers on internet.
 
howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Re: Unresolving pages via IPsec VPN

Sat Aug 08, 2020 11:38 am

Any pointers as to what I can do?

Charles
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Unresolving pages via IPsec VPN

Sat Aug 08, 2020 3:59 pm

I don't remember the current state of the affairs in your network, but if you've ended up with a bare IPsec VPN (using /ip ipsec policy rows to choose the traffic to be sent via the VPN), you need to make sure that the ICMP "fragmentation needed" messages sent by the 'Tik itself to the client PC don't get grabbed by the policy and sent down the tunnel. See the third paragraph of this post for details.
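
Worked example (added here for reference; it is not part of sindy's or pe1chl's posts and not MikroTik code). The two replies above point at the same failure mode: a 1500-byte packet from an internet server does not fit inside an ESP tunnel-mode packet that itself has to cross a 1500-byte link, so the router must either fragment or send ICMP "fragmentation needed" back, and if that ICMP is dropped by the server's firewall (pe1chl) or swallowed by the IPsec policy (sindy), large responses never arrive while small pages still load. The script below computes the ESP overhead for the cipher suite in the posted configs (aes-256-cbc with sha512) and the resulting inner MTU and TCP MSS. Assumptions, none of which come from the thread: ESP framing per RFC 4303, 16-byte IV for AES-CBC, 8-byte IV for 3DES, ICV lengths of 12 bytes for HMAC-SHA1-96 and 32 bytes for HMAC-SHA-512-256 (RFC 4868), and NAT-T UDP encapsulation on the France side because that router is stated to sit behind another router. The `mangle_rule()` helper renders a RouterOS MSS-clamp rule in the syntax I believe is correct for RouterOS 6.x; treat it as something to check against your version rather than as the thread's own fix.

```python
"""ESP tunnel-mode overhead and MSS clamp calculator (constructed example).

Assumptions (not from the thread): ESP per RFC 4303, CBC IV sizes per
RFC 3602 (AES) / RFC 2451 (3DES), ICV lengths per RFC 2404 (SHA-1-96)
and RFC 4868 (SHA-256-128, SHA-512-256). The thread's cipher suite is
aes-256-cbc with sha512; NAT-T (UDP/4500) is assumed on the NATed side.
"""

IPV4_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8           # NAT-T encapsulation header (UDP/4500)
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)

# CBC ciphers: (IV length, block size) in bytes
CIPHERS = {
    "aes-128-cbc": (16, 16),
    "aes-192-cbc": (16, 16),
    "aes-256-cbc": (16, 16),
    "3des": (8, 8),
}

# Integrity algorithms: ICV length in bytes as transmitted on the wire
ICV_LEN = {
    "md5": 12,      # HMAC-MD5-96
    "sha1": 12,     # HMAC-SHA1-96
    "sha256": 16,   # HMAC-SHA-256-128
    "sha512": 32,   # HMAC-SHA-512-256
}


def esp_tunnel_packet_len(inner_len, cipher="aes-256-cbc", auth="sha512", nat_t=True):
    """Outer IPv4 packet length for an inner IPv4 packet of inner_len bytes."""
    iv_len, block = CIPHERS[cipher]
    # inner packet + trailer is padded up to a multiple of the cipher block size
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    outer = IPV4_HEADER + ESP_HEADER + iv_len + padded + ICV_LEN[auth]
    if nat_t:
        outer += UDP_HEADER
    return outer


def max_inner_len(path_mtu=1500, cipher="aes-256-cbc", auth="sha512", nat_t=True):
    """Largest inner IPv4 packet that still fits path_mtu after ESP encapsulation."""
    iv_len, block = CIPHERS[cipher]
    fixed = IPV4_HEADER + ESP_HEADER + iv_len + ICV_LEN[auth] + (UDP_HEADER if nat_t else 0)
    room = ((path_mtu - fixed) // block) * block   # padded payload is a block multiple
    return room - ESP_TRAILER


def fits(inner_len, path_mtu=1500, **kw):
    """True if an inner packet of inner_len bytes can cross the tunnel unfragmented."""
    return esp_tunnel_packet_len(inner_len, **kw) <= path_mtu


def clamp_mss(path_mtu=1500, **kw):
    """TCP MSS that guarantees a full-size segment fits the tunnel."""
    return max_inner_len(path_mtu, **kw) - IPV4_HEADER - TCP_HEADER


def mangle_rule(path_mtu=1500, **kw):
    """Render a RouterOS mangle rule that clamps MSS on SYNs the IPsec policy will
    encapsulate (ipsec-policy=out,ipsec). Assumed syntax; verify on your version."""
    mss = clamp_mss(path_mtu, **kw)
    inner = max_inner_len(path_mtu, **kw)
    return (
        "/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn "
        f"ipsec-policy=out,ipsec action=change-mss new-mss={mss} passthrough=yes "
        f'comment="clamp MSS for IPsec tunnel (inner MTU {inner})"'
    )


if __name__ == "__main__":
    for nat in (True, False):
        print(f"NAT-T={nat}: 1500-byte inner packet -> "
              f"{esp_tunnel_packet_len(1500, nat_t=nat)} bytes on the wire, "
              f"fits={fits(1500, nat_t=nat)}; max inner={max_inner_len(nat_t=nat)}, "
              f"MSS={clamp_mss(nat_t=nat)}")
    print(mangle_rule())
```

With aes-256-cbc/sha512 and NAT-T, a 1500-byte inner packet becomes 1588 bytes on the wire, so the largest inner packet that fits a 1500-byte path is 1406 bytes (1422 without NAT-T), giving a TCP MSS of 1366. Clamping MSS only helps TCP; UDP and ICMP still depend on path MTU discovery, which is exactly why the router's own "fragmentation needed" messages to the client must not be matched by the tunnel policy. Checking `/ip ipsec policy print` for an entry that would catch router-to-client ICMP is the quick way to confirm sindy's point on either end.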
 
howdey57
Member Candidate
Topic Author
Posts: 127
Joined: Wed Dec 31, 2014 2:36 pm

Re: Unresolving pages via IPsec VPN

Sun Aug 09, 2020 12:53 pm

Sindy,

Good to see you have replied!

I first tried putting that rule in the France router (i.e. the sub-office), but it killed the VPN, so I presumed I had put the rule on the wrong end. I then put the rule on the London end (i.e. the main office), but that killed the VPN too.

As you will see, I only send the range 192.168.65.192/28 through the VPN (when the NAT Rule is enabled).

I tried the rule with a broader range, 192.168.0.0/16, but the rule was "invalid".

pe1chl mentioned it may be an MTU issue (mine generally is 1500) and I also get a lot of "disconnected, received deauth: sending station leaving (3)" and "disconnected, received disassoc: sending station leaving (8)" messages in France. I'm wondering whether all these are related?

Note: the 192.168.1.38 address in France is because the MK Router is behind another one.

I've put the full config for both here just in case you can spot an issue.

Thanks, Charles

London
# aug/09/2020 10:00:21 by RouterOS 6.47.1
# software id = YCNI-BQ6N
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name="2GHz Channel 11"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5180 name="5Ghz - Channel 36"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5260 name="5Ghz - Channel 52"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5500 name="5Ghz - Channel 100"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5580 name="5Ghz - Channel 116"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5660 name="5Ghz - Channel 132"
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5765 name="5Ghz - Channel 153"
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name="2GHz Channel 1"
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name="2GHz Channel 6"
/interface bridge
add admin-mac=C4:AD:34:60:79:47 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
add name=guest-bridge
/interface wireless
# managed by CAPsMAN
# channel: 5500/20-Ceee/ac/DP(24dBm)+5210/80/P(17dBm), SSID: athome, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge secondary-channel=auto ssid=MikroTik-607951 \
    station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2437/20/gn(17dBm), SSID: athome, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-C64D6C station-roaming=enabled wireless-protocol=802.11
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface l2tp-server
add name=l2tp-in-CharlieW10 user=CharlieW10

/caps-man interface
add disabled=yes mac-address=CC:2D:E0:E8:07:49 master-interface=none name=\
    cap5 radio-mac=CC:2D:E0:E8:07:49 radio-name=CC2DE0E80749
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    main-datapath
add bridge=guest-bridge client-to-client-forwarding=no local-forwarding=yes \
    name=guest-datapath
/caps-man security
add authentication-types=wpa2-psk name=default_security
add authentication-types=wpa2-psk name=guest-security
/caps-man configuration
add channel="5Ghz - Channel 36" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 36" security=default_security ssid=athome
add channel="5Ghz - Channel 153" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 153" security=default_security ssid=athome
add channel="5Ghz - Channel 52" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 52" security=default_security ssid=athome
add channel="5Ghz - Channel 100" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 100" security=default_security ssid=athome
add channel="5Ghz - Channel 116" country="united kingdom" datapath=\
    main-datapath hide-ssid=no installation=indoor mode=ap name=\
    "Master-5GHz - Channel 116" security=default_security ssid=athome
add channel="5Ghz - Channel 132" country="united kingdom" datapath=\
    main-datapath distance=indoors hide-ssid=no installation=indoor mode=ap \
    name="Master-5GHz - Channel 132" security=default_security ssid=athome
add channel="2GHz Channel 1" country="united kingdom" datapath=main-datapath \
    hide-ssid=no installation=indoor mode=ap name="Master-2GHz - Channel 1" \
    security=default_security ssid=athome
add channel="2GHz Channel 6" country="united kingdom" datapath=main-datapath \
    hide-ssid=no installation=indoor mode=ap name="Master-2GHz - Channel 6" \
    security=default_security ssid=athome
add channel="2GHz Channel 11" country="united kingdom" datapath=main-datapath \
    hide-ssid=no installation=indoor mode=ap name="Master-2GHz - Channel 11" \
    security=default_security ssid=athome
add datapath=main-datapath name=Down5 security=default_security ssid=\
    athome-down5
add datapath=main-datapath name=Up5 security=default_security ssid=athome-up5
add datapath=main-datapath name=Up2 security=default_security ssid=athome-up2
add datapath=main-datapath name=Down2 security=default_security ssid=\
    athome-down2
add datapath=main-datapath name=UpUp2 security=default_security ssid=\
    athome-upup2
add datapath=main-datapath name=UpUp5 security=default_security ssid=\
    athome-upup5
add datapath=main-datapath name=SittingRoom security=default_security ssid=\
    athome
add datapath=guest-datapath name=guest security=guest-security ssid=\
    athome-guest
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
    sha512 name=profile_1
/ip ipsec peer
add address=France comment=FranceLondon exchange-mode=ike2 \
    name=peerFrance profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=default-dhcp ranges=192.168.64.2-192.168.64.100
add name=vpn-pool ranges=192.168.64.101-192.168.64.150
add name=dhcp-pool-guest ranges=192.168.66.10-192.168.66.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp-pool-guest disabled=no interface=guest-bridge name=\
    guest-dhcp
/ppp profile
set *0 local-address=192.168.64.1 remote-address=vpn-pool
set *FFFFFFFE local-address=192.168.64.1 remote-address=vpn-pool
/queue simple
add disabled=yes dst=ether1 max-limit=16M/200M name="All Bandwidth" target=""
add disabled=yes max-limit=10M/10M name="Charlie L13" parent="All Bandwidth" \
    target=192.168.64.5/32
add disabled=yes max-limit=1M/1M name=Pixel4 parent="All Bandwidth" target=\
    192.168.64.68/32
/system logging action
set 3 bsd-syslog=yes remote=192.168.64.6
add email-start-tls=yes email-to=MyEmail name=email target=\
    email
/caps-man access-list
add action=reject allow-signal-out-of-range=10s comment="Charlie Pixel 4" \
    disabled=no mac-address=F0:5C:77:DF:63:DA signal-range=-120..-70 \
    ssid-regexp=""

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled comment=Down2G master-configuration=\
    "Master-2GHz - Channel 6" name-format=prefix-identity name-prefix=Down2G \
    radio-mac=74:4D:28:C6:4D:6C slave-configurations=guest,Down2
add action=create-dynamic-enabled comment=Down5G master-configuration=\
    "Master-5GHz - Channel 100" name-format=prefix-identity name-prefix=\
    Down5G radio-mac=C4:AD:34:60:79:51 slave-configurations=guest,Down5
add action=create-dynamic-enabled comment=UpUp2G master-configuration=\
    "Master-2GHz - Channel 11" name-format=prefix-identity name-prefix=UpUp2G \
    radio-mac=CC:2D:E0:EB:1D:7E slave-configurations=guest,UpUp2
add action=create-dynamic-enabled comment=UpUp5G master-configuration=\
    "Master-5GHz - Channel 132" name-format=prefix-identity name-prefix=\
    UpUp5G radio-mac=CC:2D:E0:EB:1D:7F slave-configurations=guest,UpUp5
add action=create-dynamic-enabled comment=Up5G master-configuration=\
    "Master-5GHz - Channel 36" name-format=prefix-identity name-prefix=Up5G \
    radio-mac=64:D1:54:04:7E:1A slave-configurations=guest,Up5
add action=create-dynamic-enabled comment=Up2G master-configuration=\
    "Master-2GHz - Channel 1" name-format=prefix-identity name-prefix=Up2G \
    radio-mac=64:D1:54:04:7E:1B slave-configurations=guest,Up2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=l2tp-in-CharlieW10 list=LAN
add interface=guest-bridge list=LAN
add interface=l2tp-in-Nexus list=LAN
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge \
    enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.64.1/24 comment=defconf interface=bridge network=\
    192.168.64.0
add address=192.168.66.1/24 interface=guest-bridge network=192.168.66.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease

add address=192.168.64.80 client-id=1:f0:5c:77:df:63:da comment=Pixel4 \
    mac-address=F0:5C:77:DF:63:DA server=defconf

/ip dhcp-server network
add address=192.168.64.0/24 comment=defconf gateway=192.168.64.1
add address=192.168.66.0/24 comment="Guest Network" gateway=192.168.66.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.64.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.64.1-192.168.64.254 list=AllowedAccessToBlackSynology
add address=192.168.65.1-192.168.65.254 list=AllowedAccessToBlackSynology
add address=192.168.66.10-192.168.66.254 list=GuestNetwork
add address=192.168.64.0/24 list=MainNetwork
add address=192.168.64.13 list=Camera
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=1.10.16.0/20 comment="Added from chgblacklist.rsc" list=blacklist

/ip firewall filter
add action=log chain=forward disabled=yes log=yes log-prefix="From France" \
    src-address=192.168.65.203
add action=log chain=forward disabled=yes dst-address=192.168.65.192/28 log=\
    yes log-prefix="To France"
add action=accept chain=forward disabled=yes dst-address=192.168.64.6 \
    dst-port=23 log=yes log-prefix="Allow Telnet  to Synology" protocol=tcp
add action=drop chain=forward comment="Drop Facebook" disabled=yes dst-port=\
    443 log=yes log-prefix="Drop Facebook" protocol=tcp tls-host=\
    *facebook.com
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related dst-address=!192.168.65.192/28 \
    src-address=!192.168.65.192/28
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="CH_Track invalid"
add action=drop chain=forward comment="Camera Out" log-prefix=\
    "Block Camera out:" out-interface-list=WAN src-address-list=Camera
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN ipsec-policy=in,none

add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN ipsec-policy=in,none log=yes log-prefix="CH_Track !public" \
    src-address-list=not_in_internet
add action=drop chain=input comment="Drop input from blacklist" log-prefix=\
    "CH_Track Drop input from blacklist" src-address-list=blacklist
add action=drop chain=forward comment="Drop from Blacklist sites" log=yes \
    log-prefix="CH_Track forward from Blacklist In:" src-address-list=\
    blacklist
add action=drop chain=forward comment="Drop to Blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track forward to Blacklist"
add action=drop chain=output comment="Drop from Router to blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track blacklist out from router"
add action=drop chain=forward comment="TCP flags and Port 0 attacks" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward comment=\
    "Block from Guest Network to Main Network" dst-address-list=MainNetwork \
    src-address-list=GuestNetwork
add action=drop chain=input comment="Block from Guest Network to Main Router" \
    dst-address=192.168.64.1 src-address-list=GuestNetwork
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" protocol=\
    ipsec-esp
add action=accept chain=input comment="ICMP Ping" protocol=icmp
add action=accept chain=input comment=\
    "accept input established,related,untracked" connection-state=\
    established,related,untracked log-prefix=\
    "accept input established,related,untracked"
add action=drop chain=input comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    log-prefix="Last rule: Input"
add action=drop chain=forward comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    ipsec-policy=in,none log=yes log-prefix=\
    "CH_Track Last Rule: Forward: Drop"
/ip firewall nat

add action=accept chain=srcnat comment=FranceLondon dst-address=\
    192.168.65.0/24 src-address=192.168.64.0/24
add action=accept chain=dstnat comment=FranceLondon dst-address=\
    192.168.64.0/24 src-address=192.168.65.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=\
    192.168.65.0/24
add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=\
    192.168.64.0/24
/ip ipsec identity
add peer=peerFrance
/ip ipsec policy
add action=none disabled=yes dst-address=192.168.65.0/24 src-address=\
    0.0.0.0/0
add comment=FranceLondon-Laptop dst-address=192.168.65.192/28 peer=peerFrance \
    sa-dst-address=176.153.109.218 sa-src-address=0.0.0.0 src-address=\
    0.0.0.0/0 tunnel=yes
add comment=FranceLondon dst-address=192.168.65.0/24 peer=peerFrance \
    sa-dst-address=FrancePublicIP sa-src-address=LondonPublicIP src-address=\
    192.168.64.0/24 tunnel=yes
/ip route
add comment=FranceLondon distance=1 dst-address=192.168.65.0/24 gateway=ether1 \
    pref-src=192.168.64.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=CharlieW10 service=l2tp

/system clock
set time-zone-name=Europe/London
/system identity
set name=MainLondon
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
set 0 topics=info,!caps,!interface,!dhcp,!system
set 3 action=memory
add disabled=yes topics=ipsec,!packet
add disabled=yes topics=ppp,!debug
add action=remote disabled=yes topics=dhcp,info
add topics=account
add disabled=yes topics=info
add action=disk topics=error,script
/system scheduler
add disabled=yes interval=1h name="Update Time" on-event=\
    "/ip cloud set update-time=yes" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    aug/22/2017 start-time=23:38:00

/system script
/tool e-mail
set address=66.102.1.108 from="Mt_msg <MyEmail>" port=587 \
    start-tls=yes user=MyEmail
/tool graphing interface
add interface=ether1
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=ipsec-peer-update-FranceLondon disabled=yes down-script="/system sc\
    heduler enable ipsec-peer-update-FranceLondon\
    \n/system scheduler enable ip-cloud-forceupdate" host=192.168.65.1 \
    up-script="/system scheduler disable ip-cloud-forceupdate\
    \n/system scheduler disable ipsec-peer-update-FranceLondon"
add down-script=":local target 8.8.8.8\
    \n:log error \"Connection lost to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] Co\
    nnection lost to \$target\" body=\"Problem\"" host=8.8.8.8
add down-script=":local target 192.168.65.1\
    \n:log error \"Connection lost to \$target\";\
    \n#/tool e-mail send to=\"MyEmail\" subject=\"[London] C\
    onnection lost to \$target\" body=\"Problem\"" host=192.168.65.1 \
    interval=10s up-script=":local target 192.168.65.1\
    \n:log error \"Connection back to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] Co\
    nnection back to \$target\" body=\"Problem\""
add down-script=":local target 192.168.64.2\
    \n:log error \"Connection lost to \$target\";\
    \n#/tool e-mail send to=\"MyEmail\" subject=\"[London] C\
    onnection lost to \$target\" body=\"Problem\"" host=192.168.64.2 \
    interval=10s up-script=":local target 192.168.64.2\
    \n:log error \"Connection back to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] Co\
    nnection back to \$target\" body=\"Problem\""
add down-script=":local target 192.168.64.3\
    \n:log error \"Connection lost to \$target\";\
    \n#/tool e-mail send to=\"MyEmail\" subject=\"[London] C\
    onnection lost to \$target\" body=\"Problem\"" host=192.168.64.3 \
    interval=10s up-script=":local target 192.168.64.3\
    \n:log error \"Connection back to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] Co\
    nnection back to \$target\" body=\"Problem\""
add down-script=":local target 80.6.232.1\
    \n:log error \"Connection lost to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] Co\
    nnection lost to \$target\" body=\"Problem\"" host=80.6.232.1
add down-script=":local target 192.168.64.4\
    \n:log error \"Connection lost to \$target\";\
    \n#/tool e-mail send to=\"MyEmail\" subject=\"[London] C\
    onnection lost to \$target\" body=\"Problem\"" host=192.168.64.4 \
    interval=10s up-script=":local target 192.168.64.4\
    \n:log error \"Connection back to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] Co\
    nnection back to \$target\" body=\"Problem\""
/tool sniffer
set filter-ip-address=192.168.64.11/32
/tool traffic-monitor
add disabled=yes interface=ether1 name=100M on-event=":local myMessage \"eth1 \
    above 100M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=100000000 traffic=\
    received
add interface=ether1 name=150M on-event=":local myMessage \"eth1 above 150M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=150000000 traffic=\
    received
add disabled=yes interface=ether1 name=50M on-event=":local myMessage \"eth1 a\
    bove 50M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=50000000 traffic=\
    received
add disabled=yes interface=ether1 name=1k on-event=":local myMessage \"eth1 be\
    low1k\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=1000 traffic=received \
    trigger=below
add disabled=yes interface=ether1 name=120M on-event=":local myMessage \"eth1 \
    above 120M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=120000000 traffic=\
    received
add disabled=yes interface=ether1 name=160M on-event=":local myMessage \"eth1 \
    above 160M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=160000000 traffic=\
    received
add disabled=yes interface=ether1 name=140M on-event=":local myMessage \"eth1 \
    above 140M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=140000000 traffic=\
    received
add disabled=yes interface=ether1 name=70M on-event=":local myMessage \"eth1 a\
    bove 70M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=70000000 traffic=\
    received
add interface=ether1 name=170M on-event=":local myMessage \"eth1 above 170M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=170000000 traffic=\
    received
add disabled=yes interface=ether1 name=30M on-event=":local myMessage \"eth1 a\
    bove 30M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=30000000 traffic=\
    received
add disabled=yes interface=ether1 name=20M on-event=":local myMessage \"eth1 a\
    bove 20M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=20000000 traffic=\
    received
add interface=ether1 name=200M on-event=":local myMessage \"eth1 above 200M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=200000000 traffic=\
    received
add interface=ether1 name=220M on-event=":local myMessage \"eth1 above 220M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=220000000 traffic=\
    received
add interface=ether1 name=240M on-event=":local myMessage \"eth1 above 240M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[London] \$\
    myMessage\" body=\"Threshold Reached\"" threshold=240000000 traffic=\
    received

France
# aug/09/2020 08:59:48 by RouterOS 6.47.1
# software id = 65FW-3KRA
#
# model = 2011UiAS-2HnD
# serial number = 
/interface l2tp-server
add disabled=yes name=l2tp-in-CharlieW10 user=CharlieW10
/interface bridge
add admin-mac=4C:5E:0C:B8:9D:92 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
add name="guest bridge"
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="united kingdom" \
    disabled=no distance=indoors frequency=2462 installation=indoor l2mtu=\
    1598 mode=ap-bridge name=wlan1-2G-athome ssid=athome station-roaming=\
    enabled wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name="guest security" supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=4E:5E:0C:B8:9D:9B master-interface=\
    wlan1-2G-athome name=wlan1-virtual-athome-guest security-profile=\
    "guest security" ssid=athome-guest station-roaming=enabled wps-mode=\
    disabled
/ip ipsec profile
add dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
    sha512 name=profile_1
/ip ipsec peer
add address=London comment=FranceLondon exchange-mode=ike2 \
    name=peer2 profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.65.2-192.168.65.100
add name=vpn-pool ranges=192.168.65.101-192.168.65.150
add name="guest pool" ranges=192.168.67.2-192.168.67.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1h name=\
    "Default DHCP Server"
add address-pool="guest pool" disabled=no interface="guest bridge" \
    lease-time=1h name="guest bridge"
/ppp profile
set *0 local-address=192.168.65.1 remote-address=vpn-pool
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1-2G-athome
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge="guest bridge" interface=wlan1-virtual-athome-guest
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add disabled=yes interface=l2tp-in-CharlieW10 list=LAN
add disabled=yes interface=wlan1-2G-athome list=discover
add disabled=yes interface=sfp1 list=discover
add disabled=yes interface=ether2 list=discover
add disabled=yes interface=ether3 list=discover
add disabled=yes interface=ether4 list=discover
add disabled=yes interface=ether5 list=discover
add disabled=yes interface=ether6 list=discover
add disabled=yes interface=ether7 list=discover
add disabled=yes interface=ether8 list=discover
add disabled=yes interface=ether9 list=discover
add disabled=yes interface=ether10 list=discover
add disabled=yes interface=bridge list=discover
add disabled=yes interface=bridge list=mactel
add disabled=yes interface=bridge list=mac-winbox
add interface="guest bridge" list=LAN
/interface wireless access-list
add comment=CameraPi mac-address=00:0F:55:A8:B2:E6

/ip dhcp-server network
add address=192.168.65.0/24 comment=defconf gateway=192.168.65.1 netmask=24
add address=192.168.67.0/24 comment="guest pool" gateway=192.168.67.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.65.1 name=router.lan type=A
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet

add address=192.168.67.0/24 list=GuestNetwork
add address=192.168.65.0/24 list=MainNetwork
add address=192.168.64.0/24 list=MainNetwork
add address=192.168.66.0/24 list=MainNetwork
add address=192.168.65.192/28 list=SpecificVPNsources
/ip firewall filter
add action=passthrough chain=forward disabled=yes log=yes log-prefix=\
    "To London" src-address=192.168.65.202
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related dst-address=!192.168.65.192/28 \
    src-address=!192.168.65.192/28
add action=drop chain=forward comment="Drop Camera WAN Traffic" log-prefix=\
    "CH_Track camera wan traffic" out-interface-list=WAN src-address-list=\
    Camera
add action=drop chain=forward comment="Drops everything from OutsideCamera goi\
    ng to OutsideNotAllowed List. Prefix is OutsideDroptoBad" \
    dst-address-list=OutsideNotAllowed log-prefix=OutsideDroptoBad \
    src-address=192.168.65.88
add action=add-dst-to-address-list address-list=OutsideDestination \
    address-list-timeout=none-static chain=forward comment=\
    "Puts address from .88 onto OutsideDestination address list" \
    dst-address-list=!CameraAllowed src-address=192.168.65.88
add action=add-dst-to-address-list address-list=InsideDestination \
    address-list-timeout=none-static chain=forward dst-address-list=\
    !CameraAllowed src-address=192.168.65.93
add action=drop chain=forward comment=DropInsideCamera dst-address-list=\
    !CameraAllowed log-prefix=DropInside src-address=192.168.65.93
add action=drop chain=forward comment="Drops activity from OutsideCamera going\
    \_to anywhere apart from CameraAllowed list. Has DropOutsideCamera prefix" \
    dst-address-list=!CameraAllowed log-prefix=DropOutsideCamera src-address=\
    192.168.65.88
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked log-prefix=Previous
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="CH_Track invalid"
add action=drop chain=input comment=\
    "Drop incoming to router from my Blacklist" in-interface-list=WAN \
    log-prefix="CH_Track Block Blacklist Input" src-address-list=blacklist
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=passthrough chain=input comment="Track Dodgy SSH" dst-port=22 log=\
    yes log-prefix="CH_Track Dodgy SSH" protocol=tcp src-address=\
    !192.168.64.6
add action=accept chain=input comment="Accept SSH" dst-port=22 log-prefix=\
    "CH_Track: Allow in SSH" protocol=tcp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface-list=\
    WAN log=yes log-prefix="CH_Track !public" src-address-list=\
    not_in_internet
add action=drop chain=forward comment="Drop incoming from Blacklist site" \
    in-interface-list=WAN log=yes log-prefix="CH_Track Blacklist fwd from:" \
    src-address-list=blacklist
add action=drop chain=forward comment=\
    "To stop things getting out to Blacklist sites" dst-address-list=\
    blacklist log=yes log-prefix="CH_Track Blacklist fwd to:" \
    out-interface-list=WAN
add action=drop chain=output comment="Drop from Router to Blacklist sites" \
    dst-address-list=blacklist log=yes log-prefix=\
    "CH_Track Blacklist output to:" out-interface-list=WAN
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "defconf:  drop all from WAN not DSTNATed"
add action=drop chain=forward comment="TCP flags and Port 0 attacks" log=yes \
    log-prefix="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!ack
add action=drop chain=forward comment="TCP Flag1" log=yes log-prefix=\
    "TCP Flag1" protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward comment="TCP Flag2" log=yes log-prefix=\
    "TCP Flag1" protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward comment="TCP Flag3" log=yes log-prefix=\
    "TCP Flag3" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward comment="TCP Flag4" log=yes log-prefix=\
    "TCP Flag4" protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward log=yes log-prefix="TCP Flag5" protocol=tcp \
    tcp-flags=syn,rst
add action=drop chain=forward log=yes log-prefix="TCP Flag 6:" protocol=tcp \
    tcp-flags=rst,urg
add action=drop chain=forward log=yes log-prefix="TCP Flag 7:" protocol=tcp \
    src-port=0
add action=accept chain=input comment=VPN log-prefix="CH_Track VPN" port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment=VPN protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=Ping: \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked log-prefix=Flag8:
add action=drop chain=input comment="Stop Guest accessing Router" \
    dst-address=192.168.65.1 log=yes log-prefix=\
    "CH_Track Guest trying to access Router" src-address-list=GuestNetwork
add action=drop chain=forward comment="Stop guest getting to our stuff" \
    dst-address-list=MainNetwork log=yes log-prefix=\
    "CH_Track Guest messing around" src-address-list=GuestNetwork
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix="Flag 8:"
add action=drop chain=input comment=\
    "Drop everything else that has got through" in-interface-list=WAN \
    log-prefix="Last rule"
add action=drop chain=forward in-interface-list=WAN ipsec-policy=in,none log=\
    yes log-prefix="Final Fwd Drop:"
add action=passthrough chain=forward comment=\
    "Last rule. Tracks traffic OUT FROM the network" disabled=yes log=yes \
    log-prefix="Last Rule: Accept"
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes log=yes protocol=tcp \
    src-address=192.168.65.192/28 src-port=53 to-addresses=192.168.64.1 \
    to-ports=53
add action=dst-nat chain=dstnat disabled=yes protocol=udp src-address=\
    192.168.65.192/28 src-port=53 to-addresses=192.168.64.1 to-ports=53
add action=src-nat chain=srcnat comment=NTP disabled=yes dst-port=25 log=yes \
    log-prefix="scrnat SMTP" protocol=tcp src-address=192.168.65.88 to-ports=\
    465
add action=accept chain=srcnat comment=\
    "Send this range 192.168.65.192/28 through London (IP 193 to 206)" \
    disabled=yes log-prefix=NAT src-address-list=SpecificVPNsources
add action=accept chain=srcnat comment=FranceLondon dst-address=\
    192.168.64.0/24 src-address=192.168.65.0/24
add action=accept chain=dstnat comment=FranceLondon dst-address=\
    192.168.65.0/24 src-address=192.168.64.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=\
    "defconf: masquerade - traffic not going through VPN" out-interface-list=\
    WAN src-address-list=!SpecificVPNsources
add action=masquerade chain=srcnat comment=\
    "defconf: masquerade - traffic going through VPN" log-prefix=Nat: \
    out-interface-list=WAN src-address-list=SpecificVPNsources
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=\
    192.168.64.0/24
add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=\
    192.168.65.0/24
/ip ipsec identity
add peer=peer2
/ip ipsec policy
add comment="for machines that go via London" dst-address=0.0.0.0/0 peer=\
    peer2 sa-dst-address=LondonPublicIP sa-src-address=192.168.1.38 \
    src-address=192.168.65.192/28 tunnel=yes
add comment=FranceLondon dst-address=192.168.64.0/24 peer=peer2 \
    sa-dst-address=LondonPublicIP sa-src-address=192.168.1.38 src-address=\
    192.168.65.0/24 tunnel=yes
/ip route
add comment=FranceLondon distance=1 dst-address=192.168.64.0/24 gateway=ether1 \
    pref-src=192.168.65.1
add distance=1 dst-address=192.168.64.1/32 gateway=192.168.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes always-allow-password-login=yes forwarding-enabled=\
    remote
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=192.168.65.98 version=5
/lcd
set time-interval=hour
/ppp secret
add name=CharlieW10

/system clock
set time-zone-autodetect=no time-zone-name=GMT
/system identity
set name="Red MikroTik"
/system logging
add topics=firewall
add disabled=yes topics=e-mail
add topics=account
add disabled=yes topics=dhcp,info
add topics=script
add topics=ipsec,info
add topics=l2tp,info
add topics=ppp,info
add topics=ssh,info
add topics=interface
add topics=system,info
add disabled=yes topics=ipsec,!packet
/system ntp client
set enabled=yes primary-ntp=80.86.38.193 secondary-ntp=108.61.73.243
/system ntp server
set enabled=yes

/tool graphing interface
add interface=ether1
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool netwatch
add comment=ipsec-peer-update-FranceLondon disabled=yes down-script="/system sc\
    heduler enable ipsec-peer-update-FranceLondon\
    \n/system scheduler enable ip-cloud-forceupdate" host=192.168.64.1 \
    up-script="/system scheduler disable ip-cloud-forceupdate\
    \n/system scheduler disable ipsec-peer-update-FranceLondon"
add down-script=":local target 8.8.8.8\
    \n:log error \"[France] Connection lost to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"Connection \
    back \$target\" body=\"Problem\"" host=8.8.8.8 up-script=":local target 8.\
    8.8.8\
    \n:log error \"[France] Connection back to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"Connection \
    down \$target\" body=\"Problem\""
add down-script=":local target 192.168.1.38\
    \n:log error \"[France] Connection lost to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"Connection \
    down \$target\" body=\"Problem\"" host=192.168.1.38 interval=10s \
    up-script=":local target 192.168.1.38\
    \n:log error \"[France] Connection back to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"Connection \
    down \$target\" body=\"Problem\""
add down-script=":local target 192.168.65.2\
    \n:log error \"[France] Connection lost to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"Connection \
    down \$target\" body=\"Problem\"" host=192.168.65.2 interval=10s \
    up-script=":local target 192.168.65.2\
    \n:log error \"[France] Connection back to \$target\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"Connection \
    back \$target\" body=\"Problem\""
/tool traffic-monitor
add disabled=yes interface=ether1 name=20M on-event=":local myMessage \"eth1 a\
    bove 20M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[France] \$m\
    yMessage\" body=\"Threshold Reached\"" threshold=20000000 traffic=\
    received
add disabled=yes interface=ether1 name=30M on-event=":local myMessage \"eth1 a\
    bove 30M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[France] \$m\
    yMessage\" body=\"Threshold Reached\"" threshold=30000000 traffic=\
    received
add interface=ether1 name=40M on-event=":local myMessage \"eth1 above 40M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[France] \$m\
    yMessage\" body=\"Threshold Reached\"" threshold=40000000 traffic=\
    received
add interface=ether1 name=50M on-event=":local myMessage \"eth1 above 50M\"\
    \n:log error \"\$myMessage\";\
    \n/tool e-mail send to=\"MyEmail\" subject=\"[France] \$m\
    yMessage\" body=\"Threshold Reached\"" threshold=50000000 traffic=\
    received

 
sindy
Forum Guru
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Unresolving pages via IPsec VPN

Sun Aug 09, 2020 3:28 pm

pe1chl mentioned it may be an MTU issue (mine generally is 1500)

I agree with pe1chl that it is likely an MTU issue. The thing is that when you use any kind of VPN, part of the available packet size (MTU) is occupied by the tunneling and encryption headers, so the part of the MTU which can be used for the payload is smaller.

As this is only one of the possible reasons why the MTU of some hop on the path between client and server may be smaller than the one reported by the interface of the client or server, and as packet fragmentation decreases efficiency of bandwidth usage, TCP includes a "path MTU discovery" mechanism which is based on adjusting the TCP packet size to the lowest MTU on the whole path. The mechanism sends packets with a "don't fragment" flag set, and if the MTU of the outbound interface of some intermediate router is insufficient, that router sends back information about the actual MTU to the sender by means of ICMP, and the sender sends a smaller portion of the output buffer. The goal is to slice the data stream already at the source into the largest possible pieces which make it to the destination without fragmentation.

In our case, it is the continental Mikrotik itself. The policy's traffic selector says "whatever is sent from 192.168.65.0/24 anywhere", so the ICMP packet sent by the Mikrotik itself (192.168.65.1) to a client in the 192.168.65.192/28 range also matches it.

So you need to place a policy action=none src-address=0.0.0.0/0 dst-address=192.168.65.0/24 as the first one at the continental 'Tik. In London, this is not necessary, because no traffic selector matches packets being sent anywhere else than to the continental 'Tik. In fact, a policy action=none src-address=192.168.65.1 dst-address=192.168.65.192/28 would be sufficient for the purpose, I just suggested the simplest variant in the post I referred to.

I also get a lot of "disconnected, received deauth: sending station leaving (3)" and "disconnected, received disassoc: sending station leaving (8)" messages in France. I'm wondering whether all these are related?

These are messages related to the wireless interface. Nothing to do with VPN. Maybe some wireless device is far away from the AP and the strength of the signal it receives falls below the acceptable limit every now and then.
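The path MTU discovery argument above (the router's own ICMP "fragmentation needed" being swallowed by the tunnel policy, and the action=none policy placed first as the fix), as an added toy model that is not code from the thread or from RouterOS. The policy list mirrors sindy's description ("whatever is sent from 192.168.65.0/24 anywhere"); the tunnel MTU and the client address 192.168.65.200 are constructed values.

```python
# Added illustration (not code from the thread): a toy model of TCP path-MTU
# discovery across an IPsec tunnel, showing why the router's own ICMP
# "fragmentation needed" message must not be caught by the tunnel policy.
import ipaddress
from dataclasses import dataclass

LAN_MTU = 1500
TUNNEL_MTU = 1400              # constructed: LAN MTU minus IPsec/ESP overhead
ROUTER_IP = "192.168.65.1"
CLIENT_IP = "192.168.65.200"   # constructed address inside 192.168.65.192/28


@dataclass
class Policy:
    src: str      # traffic selector, CIDR
    dst: str
    action: str   # "encrypt" (send via tunnel) or "none" (bypass tunnel)

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def first_match(policies, src_ip, dst_ip):
    """IPsec policies are evaluated top-down; the first matching one wins."""
    return next((p for p in policies if p.matches(src_ip, dst_ip)), None)


def icmp_reaches_client(policies):
    """The router's ICMP (src = router, dst = client) is delivered on the LAN
    only if no policy grabs it, or the first matching policy has action=none."""
    p = first_match(policies, ROUTER_IP, CLIENT_IP)
    return p is None or p.action == "none"


def send_request(policies, size, retries=3):
    """Client sends `size` bytes with DF set towards the tunnel.
    Returns (delivered, path MTU the client ends up believing in)."""
    pmtu = LAN_MTU
    for _ in range(retries):
        segment = min(size, pmtu)
        if segment <= TUNNEL_MTU:
            return True, pmtu             # fits: router encrypts and forwards
        # Too big for the tunnel and DF is set: router must tell the client.
        if icmp_reaches_client(policies):
            pmtu = TUNNEL_MTU             # client shrinks segments and retries
        # else: the ICMP went down the tunnel; client retransmits the same size
    return False, pmtu                    # black hole: large transfers stall


# Policy as described in the thread: everything from 192.168.65.0/24 to anywhere.
BROKEN = [Policy("192.168.65.0/24", "0.0.0.0/0", "encrypt")]
# Fix from the thread: an action=none policy for traffic into the LAN, placed first.
FIXED = [Policy("0.0.0.0/0", "192.168.65.0/24", "none")] + BROKEN

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "small request:", send_request(pol, 400))
        print(name, "large request:", send_request(pol, 1500))
```

Small requests succeed in both cases while large ones stall only with the broken policy, which is the "some sites load and some don't" symptom; the action=none policy still leaves client-to-internet traffic matched by the encrypt policy.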
