to make it work. This is with OS 7.1beta3. My guess is that I'm missing something obvious, so I would
appreciate it if someone could have a look at my config below and tell me what I've done wrong...
Thanks in advance,
Rick
# dec/30/2020 23:26:07 by RouterOS 7.1beta3
# software id = G5ES-UNVF
#
# model = RB3011UiAS
# serial number = B8950C9801E6
# Layer-2 and tunnel interfaces. bridge1 runs with vlan-filtering=yes, so which
# VLANs pass on which port is governed by the /interface bridge vlan table below.
/interface bridge
add admin-mac=00:00:00:00:00:01 auto-mac=no name=bridge1 vlan-filtering=yes
# WireGuard tunnel; its single peer is declared under /interface wireguard peers.
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
# Routed VLAN interfaces on top of bridge1; both receive an /ip address below and
# VLAN166 additionally carries the DHCP server.
/interface vlan
add interface=bridge1 name=VLAN7 vlan-id=7
add interface=bridge1 name=VLAN166 vlan-id=166
# LACP bond (802.3ad) of ether5, ether9 and ether10. NOTE(review): the same three
# ports also appear as individual defconf entries under /interface bridge port;
# a port is not expected to be both a bonding slave and a bridge port, so one of
# the two declarations is presumably stale -- confirm with
# "/interface bridge port print".
/interface bonding
add mode=802.3ad name=bond1 slaves=ether5,ether9,ether10
# Interface lists used by the firewall: WAN (lte1) and LAN are matched by the
# filter and NAT rules below; VPN (wireguard1) is defined but not referenced by
# any rule in this export.
/interface list
add name=WAN
add name=LAN
add name=VPN
# LTE uplink: APN profile "windtre" bound to lte1, which is the only member of
# the WAN list.
/interface lte apn
set [ find default=yes ] apn=internet.it
add apn=internet.it ip-type=ipv4 name=windtre use-network-apn=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=windtre name=lte1
# Default wireless security profile; nothing beyond the supplicant identity is set.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP on VLAN166 hands out .1-.99. NOTE(review): the "vpn" address-list further
# down covers .100-.199, so only hosts with a static address in that range are
# ever policy-routed into the tunnel; DHCP clients stay on the LTE path --
# confirm that is intended.
/ip pool
add name=dhcp_pool1 ranges=192.168.166.1-192.168.166.99
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=VLAN166 lease-time=23h name=dhcp1
# Appears to be the built-in main VRF as exported by 7.1; nothing custom here.
/ip vrf
add list=all name=main
/port
set 1 name=usb2
# Extra routing table "vpn" with its own FIB; it holds the default route via
# wireguard1 (last stanza of the export) and is selected by the mark-routing
# rule in mangle.
/routing table
add fib name=vpn
# Bridge ports. NOTE(review): the eleven defconf entries carry no bridge= value,
# whereas the bond1 entry does; either they point at a bridge that no longer
# exists or the field was dropped on export -- check with
# "/interface bridge port print". ether1 is also given its own /ip address
# (192.168.1.5/24) below, which would not be usable if ether1 really is a
# bridge slave.
/interface bridge port
add comment=defconf interface=ether1
add comment=defconf interface=ether2
add comment=defconf interface=ether3
add comment=defconf interface=ether4
add comment=defconf interface=ether5
add comment=defconf interface=ether6
add comment=defconf interface=ether7
add comment=defconf interface=ether8
add comment=defconf interface=ether9
add comment=defconf interface=ether10
add comment=defconf interface=sfp1
add bridge=bridge1 interface=bond1
# VLAN table: bond1 is a trunk carrying every VLAN ID tagged, and bridge1 (the
# CPU port) is tagged for all of them as well, which is what lets VLAN7 and
# VLAN166 terminate on the router. No untagged/pvid entries are declared, so
# any access-port behaviour on the other ports relies on the default pvid.
/interface bridge vlan
add bridge=bridge1 tagged=bond1,bridge1 vlan-ids=1-4094
# Interface list membership. NOTE(review): two entries ("add list=VPN" and
# "add list=WAN") have no interface= and look like leftovers worth deleting.
# Security-relevant: VLAN166 is a LAN member, so the input-chain rule
# "drop all not coming from LAN" still lets VLAN166 hosts reach router services
# (WinBox, SSH, DNS, ...) even though forward traffic from VLAN166 to the other
# LAN interfaces is dropped. If VLAN166 is meant to be an isolated segment,
# keep it out of LAN and add explicit input accepts (DHCP, DNS) for it instead.
/interface list member
add interface=lte1 list=WAN
add comment=defconf interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add list=VPN
add interface=VLAN166 list=LAN
add interface=VLAN7 list=LAN
add interface=wireguard1 list=VPN
add list=WAN
# Single WireGuard peer. allowed-address=0.0.0.0/0 makes this a full tunnel:
# any destination routed into wireguard1 is sent to this peer and any source
# address received from it is accepted. Because endpoint-address is set, this
# router is the initiating side (1.2.3.4 is evidently a placeholder);
# persistent-keepalive keeps the UDP mapping open through the LTE carrier NAT.
# The public key was redacted by the poster.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=1.2.3.4 endpoint-port=51820 interface=wireguard1 persistent-keepalive=25s public-key=\
"redacted"
# IP addressing. ether1 keeps 192.168.1.5/24 (see the bridge-port note: usable
# only if ether1 is not a bridge slave). wireguard1 is 192.168.69.253/24; the
# remote peer presumably holds another address in 192.168.69.0/24.
/ip address
add address=192.168.1.5/24 interface=ether1 network=192.168.1.0
add address=192.168.7.254/24 interface=VLAN7 network=192.168.7.0
add address=192.168.166.254/24 interface=VLAN166 network=192.168.166.0
add address=192.168.69.253/24 interface=wireguard1 network=192.168.69.0
# DHCP client with no interface shown in the export (defconf normally places it
# on ether1) -- verify which interface it is bound to.
/ip dhcp-client
add comment=defconf disabled=no
# DHCP options for VLAN166 clients. NOTE(review): 8.8.8.4 is not the second
# Google Public DNS resolver (that is 8.8.4.4); likely a typo, and clients will
# quietly fall back to 8.8.8.8. Handing public resolvers directly to clients
# also means their DNS follows the same path as their other traffic: LTE for
# DHCP clients, the tunnel for the statically addressed .100-.199 hosts.
/ip dhcp-server network
add address=192.168.166.0/24 dns-server=8.8.8.8,8.8.8.4 gateway=192.168.166.254
# Router's own resolver.
/ip dns
set servers=8.8.8.8
# Hosts in this range (and only these) receive the "vpn" routing mark in mangle.
# The samba rule's source 192.168.166.243 lies in this range; the DHCP pool
# (.1-.99) does not overlap it.
/ip firewall address-list
add address=192.168.166.100-192.168.166.199 list=vpn
# Filter rules, evaluated top to bottom per chain; the implicit policy at the
# end of each chain is accept, so every "drop" here is load-bearing.
/ip firewall filter
# --- input (traffic to the router itself) ---
# Replies to the WireGuard handshakes this router initiates come back as
# established/related and are admitted here.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): VLAN7 is already a LAN member and the only input drop below is
# for !LAN, so this rule admits nothing that would not be accepted anyway; it
# can be removed, or narrowed to specific dst-ports if the intent was to limit
# VLAN7 to certain router services.
add action=accept chain=input comment="traffic from VLAN7" in-interface=VLAN7 protocol=tcp
# --- forward ---
# Single-host SMB exception from VLAN166 into VLAN7; placed before the VLAN166
# drop so it takes precedence.
add action=accept chain=forward comment="samba access" dst-address=192.168.7.13 dst-port=139,445 protocol=tcp src-address=192.168.166.243
# Isolates VLAN166 from every LAN-list interface (VLAN166 -> WAN and -> VPN are
# still allowed). NOTE(review): this sits BEFORE the established/related
# accepts, so reply packets from VLAN166 hosts to connections opened from VLAN7
# (or any other LAN interface) are dropped too -- isolation is effectively
# bidirectional. If VLAN7 -> VLAN166 access should work, add
# connection-state=new to this rule or move it below the established/related
# accept. log=yes on a drop rule can flood the log on a busy segment.
add action=drop chain=forward comment="drop from VLAN166" in-interface=VLAN166 log=yes out-interface-list=LAN
# Input drop for everything outside the LAN list: this covers lte1 (WAN) and
# wireguard1 (VPN), so the remote WireGuard peer cannot reach router services.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# NOTE(review): fasttracked connections bypass the mangle table, and the
# mark-routing rule below marks per packet. If policy routing for the "vpn"
# hosts behaves inconsistently, exclude their connections from fasttrack
# (e.g. add src-address-list=!vpn and dst-address-list=!vpn to this rule, or
# use mark-connection + connection-mark) -- confirm on 7.1beta3.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Blocks unsolicited inbound from WAN; note there is no equivalent rule for
# the VPN list, so anything the remote peer sends (allowed-address=0.0.0.0/0)
# is forwarded into the LAN subject only to the rules above.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Policy routing: packets from the "vpn" address-list get routing-mark vpn in
# prerouting (per packet, passthrough=no) and are then looked up in table vpn.
# The router's own traffic (including the WireGuard endpoint packets) goes
# through output, not prerouting, so it keeps using the main table -- no
# routing loop through the tunnel.
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=no src-address-list=vpn
# NOTE(review): masquerade is applied only when leaving via the WAN list.
# Traffic from 192.168.166.100-199 that leaves via wireguard1 keeps its LAN
# source address, so the remote peer must have a route back to
# 192.168.166.0/24 and must include that prefix in its allowed-address for this
# router; otherwise replies never return. If the peer side cannot be changed,
# add a second srcnat masquerade rule with out-interface=wireguard1. This is
# the most likely reason a setup like this "does not work".
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Default route that exists only in table vpn. NOTE(review): when wireguard1 is
# down this route becomes inactive and, unless a /routing rule with
# action=lookup-only-in-table pins the lookup, marked traffic is expected to
# fall back to the main table and leave via LTE unencrypted. To fail closed,
# add a forward drop for src-address-list=vpn out-interface-list=WAN.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=vpn