Wed Feb 14, 2024 10:09 pm
I corrected the 10.9.0.128/32 yesterday ... didn't make any obvious difference to my problem, but it was incorrect, so /24.
The original config (version 6.x) did the routing using tags (mangle) and it worked ok, and I could understand what was happening.
When I migrated, that config was changed, and ended up being a mixture of tags (mangle) and routing based upon the tag matching a routing table.
I never really understood how it was supposed to work ... but then there is a lot of black magic (to me) in Mikrotik config.
It worked for its intended purpose of streaming TV, but had problems transferring large files ... (?).
Replacing the mangle with direct routing worked wonders. Looks like it is working correctly now.
Fallback to communicating on the main external interface is fine, BTW.
Thanks for the help!!
Modified config:
=======================
# 2024-02-14 11:58:37 by RouterOS 7.13.4
# software id = 3VQ9-S2GH
#
# model = RB4011iGS+
# serial number = F03A0EDA8E49
#
# Review notes: '#' lines are comments and are ignored on import. This looks like
# a standard export, so settings left at their defaults (e.g. whether a service
# is enabled) are presumably not listed here - confirm against the live config.
/interface bridge
add admin-mac=2C:C8:1B:7D:63:4E auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment="Extension Interface" name=\
sfp-S+RJ10
# wireguard2 is the router's own WireGuard interface (listen-port 13232). The
# dst-nat for UDP 51820 further down forwards to LAN host 10.0.0.21, i.e. a
# separate WireGuard endpoint, not this interface.
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=5h name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# VPN: the routing table holding the default route via wireguard2 (see
# /ip route); traffic is steered into it by the /routing rule for 10.0.0.23/32.
/routing table
add fib name=VPN
# ether1 ("Was WAN") is now a bridge port. Since bridge is the LAN list member,
# anything plugged into ether1 is treated as trusted LAN by the firewall below.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment="Was WAN" interface=ether1 internal-path-cost=10 \
path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Only bridge (LAN) and sfp-S+RJ10 (WAN) are list members. wireguard2 is in
# neither list, which matters for the input/forward rules that match on
# in-interface-list below.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp-S+RJ10 list=WAN
# NOTE(review): md5 is in the accepted auth list. Whether the OVPN server is
# enabled is not shown in this export - confirm, and remove md5 if it is in use.
/interface ovpn-server server
set auth=sha1,md5
# allowed-address=0.0.0.0/0: any source address is accepted from this peer over
# wireguard2, and any destination is routable out to it - this is what lets
# table VPN use wireguard2 as a full-tunnel default route.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=3.11.140.143 endpoint-port=\
51820 interface=wireguard2 persistent-keepalive=25s public-key=\
"mF7TFCjkSUrPVZ+/AteLLNvmLQzJAXXXXXXXXXXXXXX="
# 10.9.0.128/24 on wireguard2 - corrected from the earlier /32 (see post above).
/ip address
add address=10.0.0.1/24 comment="Internal network gateway" interface=bridge \
network=10.0.0.0
add address=10.9.0.128/24 interface=wireguard2 network=10.9.0.0
# The DHCP client script keeps the WAN-IP address-list entry in sync with the
# leased address: enabled and set to the lease address on bind, disabled
# otherwise. The dst-nat rules below match on dst-address-list=WAN-IP.
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add comment="Xfinity DHCP" interface=sfp-S+RJ10 script=":if (\$bound=1) do={\
\n/ip firewall address-list set [/ip firewall address-list find where comm\
ent=\"WAN-IP\"] address=\$\"lease-address\" disabled=no\
\n} else={\
\n/ip firewall address-list set [/ip firewall address-list find where comm\
ent=\"WAN-IP\"] disabled=yes\
\n}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.21,1.1.1.1,8.8.8.8 \
gateway=10.0.0.1 netmask=24
# allow-remote-requests=yes makes the router answer DNS for other hosts. The
# input-chain rule "drop all not coming from LAN" below is what keeps this
# resolver unreachable from WAN and from wireguard2.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=73.37.97.160 comment=WAN-IP list=WAN-IP
# Input chain: after the established/related, ICMP and loopback accepts,
# everything not arriving on a LAN-list interface is dropped (covers wireguard2,
# which is not in LAN).
# Forward chain: the only drop for new connections is "drop all from WAN not
# DSTNATed", which matches in-interface-list=WAN only.
# NOTE(review): wireguard2 is not in WAN, so new connections arriving from the
# WireGuard peer towards the LAN are not matched by any drop rule shown here
# and fall through to the chain default (accept). Confirm this is intended;
# otherwise add a forward drop for in-interface=wireguard2 connection-state=new
# (or add wireguard2 to the WAN list).
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# disabled=yes: the old mark-routing approach for 10.0.0.23, replaced by the
# /routing rule further down (see post). Kept here but inactive.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
";;; Tag packets for WireGuard link to UK" disabled=yes new-routing-mark=\
VPN passthrough=yes src-address=10.0.0.23
# Port forwards match dst-address-list=WAN-IP (kept current by the DHCP client
# script). HTTP, HTTPS, SMTP and SSH forwards are disabled=yes. "WG-UK VPN"
# masquerades whatever leaves via wireguard2 (the 10.0.0.23 host via table VPN).
# NOTE(review): the disabled SMTP rule forwards to 10.9.0.25, which is in the
# wireguard2 subnet rather than the LAN - confirm intended before re-enabling.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP disabled=yes dst-address-list=\
WAN-IP dst-port=80 protocol=tcp to-addresses=10.0.0.4 to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS disabled=yes dst-address-list=\
WAN-IP dst-port=443 protocol=tcp to-addresses=10.0.0.4
add action=dst-nat chain=dstnat comment=SMTP disabled=yes dst-port=25 \
protocol=tcp to-addresses=10.9.0.25 to-ports=25
add action=dst-nat chain=dstnat comment=IMAPS dst-address-list=WAN-IP \
dst-port=993 protocol=tcp to-addresses=10.0.0.4 to-ports=993
add action=dst-nat chain=dstnat comment="Wireguard UDP" dst-address-list=\
WAN-IP dst-port=51820 in-interface=sfp-S+RJ10 protocol=udp to-addresses=\
10.0.0.21 to-ports=51820
add action=masquerade chain=srcnat comment="WG-UK VPN" out-interface=\
wireguard2
add action=masquerade chain=srcnat comment=\
"Hairpin - Loopback for external address" dst-address=10.0.0.0/24 \
src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment="Camera 1" dst-address-list=WAN-IP \
dst-port=554 protocol=tcp to-addresses=10.0.0.30 to-ports=554
add action=dst-nat chain=dstnat comment="EchoLink - forward to laptop" \
dst-address-list=WAN-IP dst-port=5198,5199 protocol=udp to-addresses=\
10.0.0.143
add action=dst-nat chain=dstnat comment=SSH disabled=yes dst-address-list=\
WAN-IP dst-port=22 protocol=tcp to-addresses=10.0.0.4 to-ports=22
# Default route in table VPN via wireguard2; only traffic the /routing rule
# below sends to table VPN (src 10.0.0.23/32) uses it. No main-table default
# route is listed - presumably it comes from the DHCP client on sfp-S+RJ10,
# which is the "fallback" the post refers to; confirm on the live router.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard2 pref-src=\
"" routing-table=VPN scope=30 suppress-hw-offload=no target-scope=10
/routing bfd configuration
add disabled=no
# Replaces the disabled mangle rule: packets from 10.0.0.23 are looked up in
# table VPN (default route via wireguard2).
/routing rule
add action=lookup src-address=10.0.0.23/32 table=VPN
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.0.4
add address=132.163.97.3
/system resource irq rps
set sfp-S+RJ10 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Appears to be a leftover troubleshooting filter (ether3, udp/51820); it has
# no effect unless the sniffer is started.
/tool sniffer
set filter-interface=ether3 filter-ip-protocol=udp filter-port=51820