I've just got my hEX S setup at home, but I have no internet on the router it self, so when i check for update for example the connection times out and when I ping from the router the connection timesout.
All devices on LAN the internet works fine on.
Config below:
Code: Select all
# jun/02/2023 21:54:09 by RouterOS 7.9.1
# software id = L3VM-GUCZ
#
# model = RB760iGS
# serial number =
/disk
set sd1 type=hardware
add parent=sd1 partition-number=1 partition-offset=512 partition-size=\
"30 908 349 952" type=partition
/interface bridge
add admin-mac=18:FD:74:F8:2D:77 auto-mac=no comment=defconf name=bridge-LAN
/interface ovpn-client
add certificate="OpenVPN Cert" cipher=aes256-cbc connect-to=1.2.3.4 \
disabled=yes mac-address=02:B2:C7:54:E6:34 name="KS DC" user=user
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mtu=1500 name=\
WAN service-name=INTERNET user=username
/interface list
add comment=defconf name=External
add comment=defconf name=Trusted
add name=Guest
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms="ae\
s-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-\
128-ctr,aes-128-gcm" pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=172.16.12.100-172.16.12.254
add name=dhcp_pool2 ranges=172.16.12.100-172.16.12.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge-LAN lease-time=\
10m name=defconf
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name=\
"TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name=\
"TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name=\
"TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" \
up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" \
up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" \
up-port=1700
/port
set 0 name=serial0
/snmp community
set [ find default=yes ] addresses=172.16.10.8/32
/interface bridge port
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge-LAN list=Trusted
add comment=defconf interface=ether1 list=External
add interface=WAN list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=172.16.10.1/24 comment=defconf interface=bridge-LAN network=\
172.16.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-relay
add dhcp-server=172.16.10.8 disabled=no interface=*8 name=relay1
/ip dns
set servers=172.16.10.8
/ip dns static
add address=172.16.10.1 comment=defconf name=router
/ip firewall address-list
add list=BlackList
add address=172.16.10.0/24 list=LANIP
add address=172.16.12.0/24 list=GuestVlan
add address=45.90.28.40 list="Trusted DNS 1"
add address=45.90.30.40 list="Trusted DNS 2"
add address=45.90.28.76 list="Guest DNS1"
add address=45.90.30.76 list="Guest DNS2"
add address=172.16.10.22 list="Google Home"
add address=172.16.10.12 list="Google Home"
/ip firewall filter
add action=add-src-to-address-list address-list=BlackList \
address-list-timeout=10h chain=input comment="\"Block TCP port scanning\":\
\_add a device scanning an unused port to BlackList." connection-state=\
new dst-port=\
20-25,80,110,161,443,445,3128,3306,3333,3389,7547,8291,8080-8082 \
in-interface=BT-WAN protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!Trusted
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="Inbound - Trust access to mgt" \
connection-state=established,related,untracked dst-port=80,22,8291 \
protocol=tcp src-address-list=LANIP
add action=accept chain=input comment="Inbound - Ping" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Inbound - IPSEC" ipsec-policy=\
in,ipsec
add action=accept chain=forward comment="Outbound - IPSEC" ipsec-policy=\
out,ipsec
add action=accept chain=forward comment="Outbound - Work VPN" dst-address=\
1.2.3.4
add action=accept chain=forward comment="Outbound - Work 3CX" dst-address=\
1.2.3.4
add action=accept chain=forward comment="Outbound - Google Home TCP" \
dst-port=8008,8009,80,443,5228 protocol=tcp src-address-list=\
"Google Home"
add action=accept chain=forward comment="Outbound - Google Home UDP" \
dst-port=53,123 protocol=udp src-address-list="Google Home"
add action=accept chain=forward comment="Outbound - Trusted DNS" \
connection-state="" dst-port=53 protocol=udp src-address=172.16.10.8 \
src-address-list=""
add action=drop chain=forward comment="Block DNS Traffic" dst-port=53 \
protocol=udp src-address=!172.16.10.8
add action=accept chain=forward comment="Outbound - SIP" src-address=\
172.16.10.4
add action=accept chain=forward comment="Outbound - Time" connection-state="" \
dst-port=123 protocol=udp
add action=accept chain=forward comment="Outbound - Web Traffic" \
connection-state="" dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Outbound - MC" connection-state="" \
dst-port=25565,30052,30051,30050 protocol=tcp
add action=accept chain=forward comment="Outbound - Ptero Ports" \
connection-state="" dst-port=8080,2022 protocol=tcp
add action=accept chain=forward comment="Outbound - Steam (TCP)" dst-port=\
27015-27050 protocol=tcp
add action=accept chain=forward comment="Outbound - Steam (UDP)" dst-port=\
27015-27050 protocol=udp
add action=accept chain=forward comment="Outbound - SMTP STARTLS (TCP)" \
dst-port=587 protocol=tcp
add action=accept chain=forward comment="Outbound - QNAP VPN Client TCP" \
dst-port=1443 protocol=tcp src-address=172.16.10.5
add action=accept chain=forward comment="Outbound - Teamviewer TCP" dst-port=\
5938 protocol=tcp
add action=accept chain=forward comment="Outbound - Teamviewer UDP" dst-port=\
5938 protocol=udp
add action=accept chain=forward comment="Outbound - Roblox" dst-port=\
49152-65535 protocol=udp src-address=172.16.10.26
add action=accept chain=forward comment="Outbound - Whatsapp TCP" dst-port=\
5222,5223 protocol=tcp
add action=accept chain=forward comment="Outbound - Whatsapp UDP" dst-port=\
3478 protocol=udp
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=External
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="drop everything else"
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting comment=Teamviewer dst-port=5938 \
new-connection-mark=conn-TeamViewer passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=5938 \
new-connection-mark=conn-TeamViewer protocol=udp
add action=mark-packet chain=prerouting connection-mark=conn-TeamViewer \
new-packet-mark=TeamViewer_pkt-up passthrough=no src-address=\
172.16.10.0/24
add action=mark-packet chain=prerouting connection-mark=conn-TeamViewer \
dst-address=172.16.10.0/24 new-packet-mark=TeamViewer_pkt-down \
passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=WAN
/ip firewall raw
add action=drop chain=prerouting comment=\
"Blacklist: reject the connection with a device from the blacklist." \
src-address-list=BlackList
/ip firewall service-port
set irc disabled=no
set sip disabled=yes
set rtsp disabled=no
/ip service
set telnet disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes location=Flat
/system clock
set time-zone-name=Europe/London
/system identity
set name=router
/system logging
add prefix=ipsec topics=ipsec
/system note
set show-at-login=no
/tool graphing interface
add allow-address=172.16.10.0/24
/tool mac-server
set allowed-interface-list=Trusted
/tool mac-server mac-winbox
set allowed-interface-list=Trusted