martysm

Minor problems upgrading ROS from 6.49 to 7.10

Wed Aug 16, 2023 2:58 pm

I debated about this upgrade for a long time and the need for Wireguard to replace a PPTP vpn on a pair of simple home routers (two physical locations) won out. I believe in not fixing what ain't broke but Android and iOS are making it difficult to use pptp.

It (7.10) installed and it(wireguard) is awesome. I can access all the services I need to (rdp/smb/winbox) from remote android and windows.

I am left with a couple of nagging issues maybe someone can help with:

1. There is some pptp and l2tp detritus in the /interface section of the config file that I can't make go away. I've checked under interfaces in winbox and via print and there is nothing related actually there. Probably not important but it's annoying.

2. Although I could update from 6.49 to 7.10 through winbox system/packages/check for updates without issue now, under 7.10, when I checked to update to 7.11 I get "ERROR:Could not resolve DNS name".

3. I have done an external port scan and everything looks locked down but I am new to Mikrotik from a lifetime of consumer routers. If anyone knowledgeable can take a quick squint at my firewall section and tell me whether or not there is anything obvious I should do differently or better that would be very helpful.

Thanks much.

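# 2023-08-15 16:49:50 by RouterOS 7.10.2
# software id = 0VXP-18V6
#
# model = RB750Gr3
# serial number = xxxxxxxxxxxx
#
# review: lines starting with "# review:" are reviewer notes added to the export.
# review: every configuration line is the original export except the winbox
# review: address list under /ip service (see the note there).
/interface bridge
add admin-mac=DC:2C:6E:CD:9C:D1 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=10:BF:48:E6:A9:AD
# review: UDP 13231 here must stay in sync with the "allow WireGuard" input rule.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/disk
set sd1 type=hardware
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "31 042 043 392" type=partition
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.85.50-192.168.85.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
set 1 target=memory
add disk-file-count=100 disk-file-name=sd1/FW-log name=SD target=disk
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set internet-interface-list=dynamic
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# review: wireguard1 is a LAN member, so the "Accept all coming from LAN" input
# review: rule gives tunnel peers the same router access as wired hosts
# review: (winbox, SMB, DNS). That matches the stated goal; it is noted so that
# review: adding a peer is understood as adding a LAN-trusted device.
add interface=wireguard1 list=LAN
# review: no enabled=yes is exported for the OVPN server, so this looks like a
# review: leftover default. sha1/aes256-cbc are older choices worth revisiting
# review: if it is ever switched on.
/interface ovpn-server server
set auth=sha1 certificate=*5 cipher=aes256-cbc require-client-certificate=yes
# review: this line, the "/ppp secret ... service=pptp" entry and the two
# review: disabled input rules are the PPTP residue mentioned in the post. Only
# review: the authentication list is exported here (presumably because it
# review: differs from the default); no enabled=yes is shown. Removing the ppp
# review: secret and the two disabled rules, and resetting the authentication
# review: list, should make these lines disappear from the export.
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=chap,mschap1,mschap2
/interface wireguard peers
add allowed-address=192.168.100.2/32 comment="MotoG(2021)" interface=\
    wireguard1 public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=192.168.100.3/32 comment=T420 interface=wireguard1 \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.85.1/24 comment=defconf interface=bridge network=\
    192.168.85.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.85.252 client-id=1:74:da:88:60:7b:d4 mac-address=\
    74:DA:88:60:7B:D4 server=defconf
add address=192.168.85.251 client-id=1:74:da:88:60:7b:b8 mac-address=\
    74:DA:88:60:7B:B8 server=defconf
add address=192.168.85.241 client-id=1:1c:3b:f3:87:84:fc mac-address=\
    1C:3B:F3:87:84:FC server=defconf
add address=192.168.85.214 client-id=1:e4:5f:1:8:bd:bc mac-address=\
    E4:5F:01:08:BD:BC server=defconf
add address=192.168.85.246 block-access=yes lease-time=1h mac-address=\
    60:01:94:43:9B:75 server=defconf
add address=192.168.85.250 client-id=1:74:da:88:60:76:3c mac-address=\
    74:DA:88:60:76:3C server=defconf
add address=192.168.85.220 client-id=1:38:59:f9:e7:b0:5c mac-address=\
    38:59:F9:E7:B0:5C server=defconf
add address=192.168.85.227 client-id=1:0:21:cc:c6:68:41 mac-address=\
    00:21:CC:C6:68:41 server=defconf
add address=192.168.85.242 client-id=1:2:db:1b:28:84:bb comment=\
    "Moto G_pwr_2021" mac-address=02:DB:1B:28:84:BB server=defconf
add address=192.168.85.229 client-id=1:8c:70:5a:ab:ed:58 mac-address=\
    8C:70:5A:AB:ED:58 server=defconf
add address=192.168.85.62 client-id=1:e4:5f:1:8:bd:b9 mac-address=\
    E4:5F:01:08:BD:B9 server=defconf
add address=192.168.85.52 client-id=1:d8:3a:dd:31:b1:f2 mac-address=\
    D8:3A:DD:31:B1:F2 server=defconf
add address=192.168.85.56 client-id=1:4c:11:ae:15:f9:9f mac-address=\
    4C:11:AE:15:F9:9F server=defconf
/ip dhcp-server network
add address=192.168.85.0/24 comment=defconf gateway=192.168.85.1 netmask=24
# review: the router's own resolution ("check for updates") depends on these
# review: two static servers plus whatever the ether1 DHCP client hands out.
# review: If either set is unreachable, "Could not resolve DNS name" is the
# review: symptom; /ip dns print and a manual :resolve from the router would
# review: show which one is failing.
/ip dns
set servers=151.203.0.84,141.154.0.68
/ip dns static
add address=192.168.85.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 log=\
    yes log-prefix="Wireguard Conn" protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" log=yes \
    log-prefix=WGTRAFF src-address=192.168.100.0/24
# review: src-mac-address=00:00:00:00:00:00 narrows this accept to frames whose
# review: source MAC is all zeros. Unless that is an export artifact, replies to
# review: the router's own outbound traffic (DNS, NTP, update checks) do not
# review: match here and fall through to "drop all not coming from LAN" below,
# review: which is the second candidate for the DNS error. Entries with the LD
# review: prefix in the firewall log would confirm it; the defconf rule carries
# review: no src-mac-address match.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked src-mac-address=00:00:00:00:00:00
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix="DROP Invalid"
# review: this rule accepts TCP 42424 from the LAN while the next one drops
# review: 8291 from everywhere else; the actual winbox port is redacted under
# review: /ip service, so one of the two is presumably stale. The 8291 drop is
# review: redundant anyway: the catch-all "drop all not coming from LAN" rule
# review: already covers it.
add action=accept chain=input comment="defconf: accept WINBOX from LAN" \
    dst-port=42424 log=yes protocol=tcp src-address=192.168.85.0/24
add action=drop chain=input comment="defconf:Drop WINBOX from WAN" dst-port=\
    8291 log=yes log-prefix="DROP WINBOX TCP !...85.1/24" protocol=tcp \
    src-address=!192.168.85.0/24
# review: this drops every ICMP type from outside the LAN subnet, including
# review: fragmentation-needed; if path MTU problems show up on the tunnel,
# review: accepting ICMP with a rate limit is the usual alternative. WireGuard
# review: peers are unaffected because "allow WireGuard traffic" matches first.
add action=drop chain=input comment="defconf: Drop ICMP from WAN" log-prefix=\
    "PING Drop" protocol=icmp src-address=!192.168.85.0/24
add action=accept chain=input comment="defconf: accept ICMP from LAN" \
    protocol=icmp src-address=192.168.85.0/24
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# review: the next two rules are disabled PPTP leftovers (see the note at
# review: /interface pptp-server server); the first one also names port 13231
# review: over TCP, which WireGuard (UDP) never uses.
add action=accept chain=input comment=\
    "Allow tcp port 1723 for PPTP/13231 for wireguard" disabled=yes dst-port=\
    13231 log=yes log-prefix=PPTP protocol=tcp
add action=accept chain=input comment="Allow GRE protocol ID 47" disabled=yes \
    log=yes protocol=gre
# review: time=0s-1d,<every day> matches always and can be dropped from the
# review: rules that carry it without changing behaviour.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=LD time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=input comment="defconf: Accept all coming from LAN" \
    in-interface-list=LAN log-prefix="Accept Internal Comms" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix="DROP Invalid" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
# review: this is what lets the five camera dst-nat rules through from WAN;
# review: everything else new from WAN is dropped here.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "DROP Fwd !DSTNATed" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
# review: final catch-all for the input chain; the prefix reads as a NAT rule
# review: but it is simply the default drop. With log=yes and firewall logging
# review: sent to the SD card, every unsolicited packet from the internet is
# review: written to disk; expect the FW-log files to rotate quickly.
add action=drop chain=input log=yes log-prefix="DROP Inpt !DSTNATed"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=\
    "Hairpin NAT for in-lan access via external domain" dst-address=\
    192.168.85.0/24 src-address=192.168.85.0/24
# review: the five rules below expose the cameras' port 85 to the internet on
# review: TCP 50016-50020; dst-address-list="" is an empty match and does
# review: nothing. Now that the tunnel works, the cameras can be reached over
# review: WireGuard instead, and disabling these rules leaves UDP 13231 as the
# review: only service reachable from the WAN.
add action=dst-nat chain=dstnat comment="Garage IP Camera" dst-address-list=\
    "" dst-address-type=local dst-port=50016 log=yes protocol=tcp \
    to-addresses=192.168.85.16 to-ports=85
add action=dst-nat chain=dstnat comment="Front IP Camera" dst-address-list="" \
    dst-address-type=local dst-port=50017 log=yes protocol=tcp to-addresses=\
    192.168.85.17 to-ports=85
add action=dst-nat chain=dstnat comment="Marsh IP Camera" dst-address-list="" \
    dst-address-type=local dst-port=50018 log=yes protocol=tcp to-addresses=\
    192.168.85.18 to-ports=85
add action=dst-nat chain=dstnat comment="LivingRoom IP Camera" \
    dst-address-list="" dst-address-type=local dst-port=50019 log=yes \
    protocol=tcp to-addresses=192.168.85.19 to-ports=85
add action=dst-nat chain=dstnat comment="Basement IP Camera" \
    dst-address-list="" dst-address-type=local dst-port=50020 log=yes \
    protocol=tcp to-addresses=192.168.85.20 to-ports=85
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
# review: the original list ended in 0.0.0.0/0, which matches every source and
# review: made the four /32 entries meaningless. That entry is replaced by the
# review: WireGuard subnet so winbox from the remote devices keeps working over
# review: the tunnel (the "allow WireGuard traffic" input rule already admits
# review: that subnet); the firewall, not this list, remains the WAN barrier.
set winbox address="192.168.85.220/32,192.168.85.227/32,192.168.85.11/32,192.1\
    68.85.242/32,192.168.100.0/24" port=xxxx
set api-ssl disabled=yes
# review: SMB is reachable from the LAN and from WireGuard peers under the
# review: input rules above, and from nowhere else.
/ip smb
set allow-guests=no domain=workgroup enabled=yes
/ip smb shares
add directory=usb1-part1 name=share1
/ip smb users
add name=xxxxx read-only=no
add name=xxxxx read-only=no
add name=xxxxx read-only=no
# review: PPTP leftover (service=pptp); both addresses are 192.169.x, outside
# review: the 192.168.85.0/24 LAN, which looks like a typo from the old setup.
# review: Removing this secret is part of clearing the residue.
/ppp secret
add local-address=192.169.85.1 name=marty remote-address=192.169.85.4 \
    service=pptp
# review: BFD is enabled on all interfaces but nothing else in the export
# review: references it; presumably unintended on a home router.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=America/New_York
/system identity
set name=xxxxx
/system logging
set 0 topics=info,!dhcp,!firewall
add action=SD topics=firewall
/system note
set show-at-login=no
# review: "system reboot" needs only the reboot policy; password, sensitive,
# review: sniff and the rest are broader than the job requires.
/system scheduler
add interval=2w name="auto reboot" on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-04-22 start-time=02:00:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# review: harmless leftover from an earlier sniffer session.
/tool sniffer
set filter-port=ircu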
