Turbovix

Using a wireguard VPN, access servers that are in a vlan.

Fri Mar 15, 2024 2:19 am

Hello everyone. First, I would like to make it clear that I am new to MikroTik; I don't speak English and use Google Translate, so I apologize for any translation errors. I have a smart home system with several IoT devices, cameras, servers, home WiFi, guest WiFi and 2 internet links, 1 with a public IP and the other behind CGNAT.
I decided to invest in something better, safe and reliable for my network, and opted for: 1 hAP ax3, 2 cAP ac, 1 managed TP-Link switch.
So after some time learning MikroTik, I started putting things to work (everything working perfectly, with WireGuard and recursive routing), and then it was time for the second step. I want to segment my network into 4 VLANs, for example: vlan-10 (home WiFi), vlan-20 (guest WiFi), vlan-30 (IoT devices), vlan-40 (servers).
At the moment I have the following problem: using my cell phone connected via WireGuard, I cannot access my services/servers that are in a VLAN. I've struggled with several firewall rules, but I still haven't been able to understand which one blocks the access.

The scenario is this:

Observation: despite having 1 public IP, I use a CHR running in the cloud to allow the recursive route of the second link (LTE 5G).

(smartphones outside the network, connected via WireGuard) --------> (CHR v7.14 running on Oracle - WireGuard server) <-------- (hAP ax3 at my house - connected to the WireGuard server on Oracle)

If anyone understands this and can help me, I would be very grateful.

# 2024-03-08 10:04:35 by RouterOS 7.14
# software id = **ELIDED**
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="LINK 1" name=ether1-LINK-1-VIA
set [ find default-name=ether2 ] comment="LINK 2" name=ether2-LINK-2-TIM-4G
set [ find default-name=ether5 ] name=ether5-SWITCH-TPLINK
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard2
/interface vlan
add interface=bridge name=vlan1-starlink-10 vlan-id=10
add interface=bridge name=vlan2-cft-20 vlan-id=20
add interface=bridge name=vlan3-iot-30 vlan-id=30
add interface=bridge name=vlan4-gerencia-50 vlan-id=50
add interface=bridge name=vlan5-servers-80 vlan-id=80
add interface=bridge name=vlan6-wifi-visitantes-100 vlan-id=100
/interface pppoe-client
add allow=chap,mschap1,mschap2 dial-on-demand=yes disabled=no interface=\
    ether1-LINK-1-VIA name=pppoe-VIA user=**ELIDED**
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="LINKS INTERNET" name=WAN-LINKS
add name=Interfaces-Seguras
add name=VLAN-30
/interface wifi channel
add band=5ghz-ax disabled=no name=ch-5-ax skip-dfs-channels=all width=\
    20/40/80mhz
add band=5ghz-ac disabled=no name=ch-5-ac skip-dfs-channels=all width=\
    20/40mhz
add band=2ghz-n disabled=no name=ch-2-n width=20mhz
add band=2ghz-ax disabled=no name=ch-2-ax width=20mhz
/interface wifi datapath
add bridge=bridge disabled=no name=data-starlink
add client-isolation=yes disabled=no name=data-visitantes vlan-id=100
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=starlink
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=starlink-visitantes
/interface wifi configuration
add channel=ch-2-ax comment=CONF-STARLINK country=Brazil datapath=\
    data-starlink disabled=no mode=ap name=cfg-2-starlink-ax security=\
    starlink ssid=STARLINK
add channel=ch-2-ax comment=CONF-VISITANTES country=Brazil datapath=\
    data-visitantes disabled=no mode=ap name=cfg-2-visitantes-ax security=\
    starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-5-ax comment=CONF-STARLINK country=Brazil datapath=\
    data-starlink disabled=no mode=ap name=cfg-5-starlink-ax security=\
    starlink ssid=STARLINK
add channel=ch-5-ax comment=CONF-VISITANTES country=Brazil datapath=\
    data-visitantes disabled=no mode=ap name=cfg-5-visitantes-ax security=\
    starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-5-ac comment=CONF-VISITANTES country=Brazil datapath=\
    data-visitantes disabled=no mode=ap name=cfg-5-visitantes-ac security=\
    starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-5-ac comment=CONF-STARLINK country=Brazil datapath=\
    data-starlink disabled=no mode=ap name=cfg-5-starlink-ac security=\
    starlink ssid=STARLINK
add channel=ch-2-n comment=CONF-VISITANTES country=Brazil datapath=\
    data-visitantes disabled=no mode=ap name=cfg-2-visitantes-n security=\
    starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-2-n comment=CONF-STARLINK country=Brazil datapath=\
    data-starlink disabled=no mode=ap name=cfg-2-starlink-n security=starlink \
    ssid=STARLINK
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration=cfg-5-starlink-ax configuration.manager=local .mode=ap \
    disabled=no
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration=cfg-2-starlink-ax configuration.manager=local .mode=ap \
    disabled=no
/ip firewall layer7-protocol
add name=YouTube regexp="^.+(youtube.com).*\$"
add comment=Facebook name=Facebook regexp="^.+(facebook.com).*\$"
/ip kid-control
add disabled=yes fri=0s-1d mon=5h-22h name=Pedro rate-limit=100M sat=0s-1d \
    sun=5h-22h thu=5h-22h tue=5h-22h wed=5h-22h
add disabled=yes fri=7h-12h5m name=Marcio rate-limit=100M thu=7h-9h27m
add disabled=yes fri=0s-1d mon=5h-22h name="TV - Pedro" rate-limit=100M sat=\
    0s-1d sun=5h-22h thu=5h-22h tue=5h-22h wed=5h-22h
add disabled=yes fri=0s-1d mon=4h-22h name=DELL rate-limit=100m sat=0s-1d \
    sun=4h-22h thu=4h-22h tue=4h-22h wed=4h-22h
add disabled=yes fri=0s-1d mon=5h-22h name="Notebook - Pedro" rate-limit=100M \
    sat=0s-1d sun=5h-22h thu=5h-22h tue=5h-22h wed=5h-22h
/ip pool
add name=dhcp-bridge-local ranges=192.168.88.2-192.168.88.254
add name=WireGuard-VPN ranges=10.50.0.0/24
add name=dhcp_pool-vlan-gerencia ranges=50.50.50.2-50.50.50.6
add name=dhcp_pool13 ranges=20.20.20.2-20.20.20.14
add name=dhcp_pool14 ranges=30.30.30.2-30.30.30.14
add name=dhcp_pool15 ranges=80.80.80.2-80.80.80.14
add name=dhcp_pool16 ranges=100.100.100.2-100.100.100.14
add name=dhcp_pool17 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp-bridge-local interface=bridge lease-time=\
    10m name=defconf
add address-pool=dhcp_pool-vlan-gerencia interface=vlan4-gerencia-50 name=\
    dhcp-vlan-gerencia-50
add address-pool=dhcp_pool13 interface=vlan2-cft-20 name=dhcp1
add address-pool=dhcp_pool14 interface=vlan3-iot-30 name=dhcp2
add address-pool=dhcp_pool15 interface=vlan5-servers-80 name=dhcp3
add address-pool=dhcp_pool16 interface=vlan6-wifi-visitantes-100 name=dhcp4
add address-pool=dhcp_pool17 interface=vlan1-starlink-10 name=dhcp5
/queue simple
add max-limit=20M/20M name=Controle-Banda-Wifi-Visitante target=10.10.10.0/26
add disabled=yes max-limit=1M/1M name=Controle-Banda-VPN target=""
add dst=ether2-LINK-2-TIM-4G max-limit=1k/1k name=\
    "Limita o  tr\E1fego do YOUTUBE" packet-marks=mc_youtube target=""
add comment="CONTROLE DE BANDA" disabled=yes max-limit=100M/200M name=\
    Controle-Banda-VIA-100M queue=pcq-upload-default/pcq-download-default \
    target=""
/interface bridge port
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5-SWITCH-TPLINK \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge disabled=yes interface=*10 pvid=100
add bridge=bridge disabled=yes interface=*11 pvid=100
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!WAN-LINKS
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="-------------- VLAN WIFI HOME --------------" \
    tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=10
add bridge=bridge comment="-------------- VLAN GERENCIA -------------" \
    tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=50
add bridge=bridge comment="-------------- VLAN VISITANTES -------------" \
    tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=100
add bridge=bridge comment="-------------- VLAN IOT -------------" tagged=\
    bridge,ether5-SWITCH-TPLINK vlan-ids=30
add bridge=bridge comment="-------------- VLAN SERVERS -------------" tagged=\
    bridge,ether5-SWITCH-TPLINK vlan-ids=80
add bridge=bridge comment="-------------- VLAN CFTV -------------" tagged=\
    bridge,ether5-SWITCH-TPLINK vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-LINK-1-VIA list=WAN
add comment=defconf interface=ether1-LINK-1-VIA list=WAN-LINKS
add interface=pppoe-VIA list=WAN-LINKS
add interface=ether2-LINK-2-TIM-4G list=WAN-LINKS
add interface=pppoe-VIA list=WAN
add interface=bridge list=Interfaces-Seguras
add interface=*A list=LAN
add interface=wireguard2 list=LAN
add interface=*10 list=VLAN-30
add interface=*11 list=VLAN-30
add interface=vlan3-iot-30 list=VLAN-30
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=\
    cfg-5-visitantes-ac slave-configurations=cfg-2-starlink-n \
    supported-bands=5ghz-ac
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Mikrotik-CHR-V7-Oracle -" \
    endpoint-address=XX.XX.XX.XX endpoint-port=13232 interface=wireguard2 \
    persistent-keepalive=20s public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.100.2/24 interface=wireguard2 network=192.168.100.0
add address=100.100.100.1/28 interface=vlan6-wifi-visitantes-100 network=\
    100.100.100.0
add address=192.168.0.2 interface=ether2-LINK-2-TIM-4G network=192.168.0.1
add address=50.50.50.1/29 interface=vlan4-gerencia-50 network=50.50.50.0
add address=10.10.10.1/24 interface=vlan1-starlink-10 network=10.10.10.0
add address=30.30.30.1/28 interface=vlan3-iot-30 network=30.30.30.0
add address=20.20.20.1/28 interface=vlan2-cft-20 network=20.20.20.0
add address=80.80.80.1/28 interface=vlan5-servers-80 network=80.80.80.0
/ip arp
add address=192.168.88.6 comment="//// Poco - Marcio ////" interface=bridge \
    mac-address=88:52:EB:77:5D:C8
add address=192.168.88.12 comment="//// Poco - Pedro ////" interface=bridge \
    mac-address=A4:55:90:DA:1F:26
add address=192.168.88.66 interface=bridge mac-address=5A:00:XX:BC:FE:C7
add address=192.168.88.11 comment="//// Notebook - Pedro ////" interface=\
    bridge mac-address=0A:D1:6F:9B:DD:62
add address=192.168.88.91 comment="//// OPI-02(HA - Node-red) ////" \
    interface=bridge mac-address=6E:6E:F6:D3:58:0B
add address=192.168.88.90 comment="//// OPI-01- (Esp-Home - Frigate ) ////" \
    interface=bridge mac-address=2E:2B:1A:EC:47:AF
add address=192.168.88.92 comment="//// OPI-03 - (Traccar) ////" interface=\
    bridge mac-address=86:2C:1A:E7:F8:63
add address=192.168.88.51 comment="//// TV - Casal ////" disabled=yes \
    interface=bridge mac-address=E8:F2:E2:3B:B6:3E
add address=192.168.88.47 comment=XBOX interface=bridge mac-address=\
    28:18:78:82:F6:99
add address=192.168.88.15 comment="//// Redmi - Christiane ////" interface=\
    bridge mac-address=1C:CC:D6:0A:13:3A
add address=192.168.88.93 interface=bridge mac-address=02:03:92:53:F7:8F
add address=192.168.88.68 comment=ESP-Garagem interface=bridge mac-address=\
    C4:5B:BE:65:6E:37
add address=192.168.88.13 comment=Amazon interface=bridge mac-address=\
    44:D5:CC:ED:9B:49
add address=192.168.88.33 comment="//// Alexa Quarto do Pedro ////" \
    interface=bridge mac-address=2C:71:FF:F9:1B:C9
add address=192.168.88.249 comment="//// Camera Xiaov ////" interface=bridge \
    mac-address=B4:FB:E3:28:77:CA
add address=192.168.88.247 comment="//// Camera Xiaov ////" interface=bridge \
    mac-address=B4:FB:E3:28:65:B4
add address=192.168.88.3 comment=ESP32-C3-Bat interface=bridge mac-address=\
    7C:DF:A1:B6:4B:E0
add address=192.168.88.199 comment=T-Relay interface=bridge mac-address=\
    44:17:93:4B:27:74
add address=192.168.88.67 comment=KC868-A4-Garagem interface=bridge \
    mac-address=C4:DD:57:C7:78:F4
add address=192.168.88.188 interface=bridge mac-address=2E:2B:1A:EC:47:AF
add address=192.168.88.88 comment=OpenSuse-HA interface=bridge mac-address=\
    64:1C:67:A0:43:8B
add address=192.168.88.50 comment="//// Fire Stik ////" interface=bridge \
    mac-address=90:39:5F:A3:A3:E7
add address=192.168.88.45 comment="//// Hub Tuya ////" interface=bridge \
    mac-address=50:8A:06:3C:12:DF
add address=192.168.88.186 comment="//// Adaptador Wifi Epson ////" \
    interface=bridge mac-address=2A:1F:E4:2C:25:EF
add address=192.168.88.161 comment=\
    "//// notebook - starlink 2.4 - epson ////" interface=bridge mac-address=\
    58:00:E3:BC:71:C7
add address=192.168.88.164 comment="//// Dell - Ethernet ////" interface=\
    bridge mac-address=84:7B:EB:FD:CF:CD
add address=192.168.88.177 comment="//// EspHome - Mini - APC220 ////" \
    interface=bridge mac-address=98:CD:AC:30:47:04
add address=192.168.88.179 comment=ESP32-C3 interface=bridge mac-address=\
    D2:BF:75:94:3A:8B
add address=192.168.88.34 comment="//// Alexa 4 - Sala ////" interface=bridge \
    mac-address=90:39:5F:EF:91:D3
add address=192.168.88.78 interface=bridge mac-address=00:80:92:D0:F2:24
add address=192.168.88.180 comment=ESP32-Lora-Lilygo interface=bridge \
    mac-address=E8:6B:EA:25:20:88
add address=192.168.88.7 comment="//// E1 Pro - Garagem -  WIFI - 5Ghz ////" \
    interface=bridge mac-address=38:C8:04:46:AD:E0
add address=192.168.88.74 comment="//// Reolink -Lado Direito ////" \
    interface=bridge mac-address=EC:71:DB:A3:51:74
add address=192.168.88.89 comment=RPI3-01 interface=bridge mac-address=\
    B8:27:EB:DB:37:B1
add address=192.168.88.233 interface=bridge mac-address=28:C2:DD:3B:DD:85
add address=192.168.88.100 comment="//// Router INTELBRAS ////" interface=\
    bridge mac-address=80:8F:E8:9E:44:E2
add address=192.168.88.75 comment="//// Reolink - Lado Esquerdo ////" \
    interface=bridge mac-address=EC:71:DB:8E:AC:86
add address=192.168.88.8 interface=bridge mac-address=EC:71:DB:95:FF:5A
add address=50.50.50.3 interface=vlan4-gerencia-50 mac-address=\
    48:8F:5A:0A:74:60
/ip dhcp-client
add comment=defconf interface=ether1-LINK-1-VIA
/ip dhcp-server lease
add address=192.168.88.67 comment="//// kc868-a4 - EPS32 ////" mac-address=\
    58:00:E3:BC:71:C7 server=defconf use-src-mac=yes
add address=192.168.88.247 client-id=1:b4:fb:e3:28:65:b4 mac-address=\
    B4:FB:E3:28:65:B4 server=defconf
add address=192.168.88.249 client-id=1:b4:fb:e3:28:77:ca mac-address=\
    B4:FB:E3:28:77:CA server=defconf
add address=192.168.88.51 client-id=1:e8:f2:e2:3b:b6:3e comment=\
    "//// TV - Casal ////" mac-address=E8:F2:E2:3B:B6:3E server=defconf \
    use-src-mac=yes
add address=192.168.88.52 client-id=1:40:2f:86:31:30:e0 comment=\
    "//// TV LG - Pedro ////" mac-address=40:2F:86:31:30:E0 server=defconf \
    use-src-mac=yes
add address=192.168.88.47 client-id=1:28:18:78:82:f6:99 comment=XBOX \
    mac-address=28:18:78:82:F6:99 server=defconf
add address=192.168.88.10 client-id=1:b8:27:eb:97:aa:21 mac-address=\
    B8:27:EB:97:AA:21 server=defconf
add address=192.168.88.69 client-id=1:14:de:39:81:b9:9e comment=\
    "//// Huawei - Router ////" mac-address=14:DE:39:81:B9:9E server=defconf
add address=192.168.88.12 client-id=1:56:d3:de:79:f4:63 comment=\
    "//// Poco PHST ////" mac-address=56:D3:DE:79:F4:63 server=defconf \
    use-src-mac=yes
add address=192.168.88.15 client-id=1:1c:cc:d6:a:13:3a comment=\
    "//// Redmi - Christiane ////" mac-address=1C:CC:D6:0A:13:3A server=\
    defconf
add address=192.168.88.65 comment="//// Tuya Smart Inc. ////" mac-address=\
    50:8A:06:3C:12:DF server=defconf
add address=192.168.88.222 comment="//// Alexa - Sala ////" mac-address=\
    90:A8:22:0D:76:EE server=defconf
add address=192.168.88.30 comment="//// Tuya Smart Inc. ////" mac-address=\
    84:E3:42:B8:13:4C server=defconf
add address=192.168.88.31 comment="//// Tuya Smart Inc. ////" mac-address=\
    84:E3:42:B8:B9:72 server=defconf
add address=192.168.88.28 comment=" ////Tuya Smart Inc. ////" mac-address=\
    84:E3:42:BE:17:D7 server=defconf
add address=192.168.88.5 comment="////Alexa - Casal ////" mac-address=\
    34:AF:B3:16:53:97 server=defconf
add address=192.168.88.3 client-id=1:7c:df:a1:b6:4b:e0 comment=ESP32-C3-Bat \
    mac-address=7C:DF:A1:B6:4B:E0 server=defconf
add address=192.168.88.13 comment="//// Alexa Cozinha ////" mac-address=\
    44:D5:CC:ED:9B:49 server=defconf
add address=192.168.88.78 client-id=1:0:80:92:d0:f2:24 comment=\
    "//// Silex Technology, Inc. ////" mac-address=00:80:92:D0:F2:24 server=\
    defconf
add address=192.168.88.6 comment="//// Poco - Marcio ////" mac-address=\
    88:52:EB:77:5D:C8 server=defconf use-src-mac=yes
add address=192.168.88.11 comment="//// Notebook - Pedro ////" mac-address=\
    00:D7:6D:9B:F7:62 server=defconf use-src-mac=yes
add address=192.168.88.90 comment=OPI-01 mac-address=2E:2B:1A:EC:47:AF \
    server=defconf use-src-mac=yes
add address=192.168.88.92 mac-address=86:2C:1A:E7:F8:63 server=defconf \
    use-src-mac=yes
add address=192.168.88.93 comment=TANIX-TX6 mac-address=02:03:92:53:F7:8F \
    server=defconf use-src-mac=yes
add address=192.168.88.68 comment=ESP-Garagem mac-address=C4:5B:BE:65:6E:37 \
    server=defconf use-src-mac=yes
add address=192.168.88.188 mac-address=2E:2B:1A:EC:47:AF server=defconf
add address=192.168.88.91 comment="//// OPI-02 (HA - Node-red) ////" \
    mac-address=6E:6E:F6:D3:58:0B server=defconf
add address=192.168.88.88 comment=TKC-01 mac-address=64:1C:67:A0:43:8B \
    server=defconf
add address=192.168.88.50 comment="//// Fire Stick ////" mac-address=\
    90:39:5F:A3:A3:E7 server=defconf
add address=192.168.88.168 comment="//// Adaptador wifi Epson ////" \
    mac-address=2A:1F:E4:2C:25:EF server=defconf
add address=192.168.88.161 comment="//// Notebook- starlink 2.4 - epson ////" \
    mac-address=58:00:E3:BC:71:C7 server=defconf
add address=192.168.88.164 comment="//// Dell - Ehernet ////" mac-address=\
    84:7B:EB:FD:CF:CD server=defconf
add address=192.168.88.177 comment="//// EspHome - Mini - APC220 ////" \
    mac-address=98:CD:AC:30:47:04 server=defconf
add address=192.168.88.179 comment=ESP32-C3 mac-address=D2:BF:75:94:3A:8B \
    server=defconf
add address=192.168.88.34 comment="//// Alexa 4 - Sala ////" mac-address=\
    90:39:5F:EF:91:D3 server=defconf
add address=192.168.88.180 comment=ESP32-Lora-Lilygo mac-address=\
    E8:6B:EA:25:20:88 server=defconf
add address=192.168.88.74 client-id=1:ec:71:db:a3:51:74 comment=\
    "//// Reolink - Lado Direito ////" mac-address=EC:71:DB:A3:51:74 server=\
    defconf
add address=192.168.88.89 comment=RPI3-01 mac-address=B8:27:EB:DB:37:B1 \
    server=defconf
add address=192.168.88.233 mac-address=28:C2:DD:3B:DD:85 server=defconf
add address=192.168.88.100 comment="//// Router INTELBRAS ////" mac-address=\
    80:8F:E8:9E:44:E2 server=defconf use-src-mac=yes
add address=192.168.88.75 comment="//// Reolink - Lado Esquerdo ////" \
    mac-address=EC:71:DB:8E:AC:86 server=defconf
add address=192.168.88.33 comment="//// Alexa Quarto Pedro ////" mac-address=\
    2C:71:FF:F9:1B:C9 server=defconf
add address=192.168.88.8 client-id=1:ec:71:db:95:ff:5a mac-address=\
    EC:71:DB:95:FF:5A server=defconf
add address=192.168.88.16 client-id=1:50:91:e3:d9:48:6c mac-address=\
    50:91:E3:D9:48:6C server=defconf
add address=192.168.88.14 client-id=1:38:c8:4:29:f2:a9 mac-address=\
    38:C8:04:29:F2:A9 server=defconf
add address=192.168.88.7 client-id=1:38:c8:4:46:ad:e0 comment=\
    "E1-PRO - GARAGEM" mac-address=38:C8:04:46:AD:E0 server=defconf
add address=50.50.50.3 client-id=1:48:8f:5a:a:74:60 comment=\
    "-----------------------------  CAP-ac-01 -----------------------------" \
    mac-address=48:8F:5A:0A:74:60 server=dhcp-vlan-gerencia-50
/ip dhcp-server network
add address=10.1.0.0/29 gateway=10.1.0.0
add address=10.10.10.0/26 gateway=10.10.10.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.20.20.0/28 gateway=10.20.20.0
add address=10.30.30.0/26 gateway=10.30.30.0
add address=10.50.50.0/28 gateway=10.50.50.0
add address=10.90.90.0/29 dns-server=8.8.4.4 gateway=10.90.90.0
add address=10.90.90.0/28 dns-server=192.168.88.91 gateway=10.90.90.1
add address=20.20.20.0/28 dns-server=20.20.20.1 gateway=20.20.20.1
add address=30.30.30.0/28 dns-server=30.30.30.1 gateway=30.30.30.1
add address=50.50.50.0/29 dns-server=50.50.50.1 gateway=50.50.50.1
add address=80.80.80.0/28 dns-server=80.80.80.1 gateway=80.80.80.1
add address=100.100.100.0/28 dns-server=100.100.100.1 gateway=100.100.100.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.90.0/28 dns-server=192.168.88.91 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.88.91,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.91 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.161 list=" (SUPORTE-WINBOX)"
add address=50.50.50.4 list=" (SUPORTE-WINBOX)"
add list=PORTSCAN
add address=50.50.50.3 list=" (SUPORTE-WINBOX)"
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=add-dst-to-address-list address-list=SITES-BLOQUEADOS-LINK2-TIM \
    address-list-timeout=5m chain=forward comment=\
    "Adiciona ips do facebook no link 2 em uma blacklist " disabled=yes log=\
    yes protocol=tcp tls-host=*facebook*
add action=drop chain=forward comment="Drop no youtube pelo link 2 (TIM)" \
    dst-address-list=SITES-BLOQUEADOS-LINK2-TIM
add action=drop chain=forward comment="DROP YOUTUBE LINK-2" disabled=yes \
    layer7-protocol=YouTube log=yes log-prefix="TOUTUBE BLOQUEADO NO LINK 2"
add action=accept chain=forward comment="LIBERA YOUTUBE LINK-1" \
    layer7-protocol=YouTube out-interface=pppoe-VIA
add action=fasttrack-connection chain=forward comment="***********************\
    ***** HABILITA O FASTTRACKER ****************************" disabled=yes \
    hw-offload=yes in-interface=pppoe-VIA out-interface=bridge
add action=add-src-to-address-list address-list=PORTSCAN \
    address-list-timeout=1w chain=input comment="PEGA MALANDRO - PORTSCAN" \
    dst-port=23,25,80,110,1723,53,44,1883 in-interface-list=WAN-LINKS \
    protocol=tcp
add action=add-src-to-address-list address-list=PORTSCAN \
    address-list-timeout=1w chain=input comment="DETECTA - PORTSCAN" \
    in-interface-list=WAN-LINKS protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="-------------------------- CONEXOES INVAL\
    IDAS - DROP --------------------------" connection-state=invalid \
    log-prefix="Conexoes Invalidas"
add action=accept chain=input comment=\
    "ACEITA CONEXOES: estabelecidas,relacionadas" connection-state=\
    established,related
add action=jump chain=input comment="ICMP - Passe pelo Controle - Chain ICMP" \
    in-interface-list=WAN-LINKS jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="ACEITA: ICMP - Echo Reply " \
    icmp-options=0:0-255 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Destination Unreachable" \
    icmp-options=3:0-255 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Time Exceeded" icmp-options=\
    11:0-255 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="ACEITA: ICMP - Echo Request" \
    icmp-options=8:0-255 limit=10,5:packet protocol=icmp
add action=drop chain=ICMP comment="ICMP - ALL - DROP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=tarpit chain=input in-interface-list=WAN-LINKS log=yes protocol=\
    tcp psd=21,3s,3,1
add action=accept chain=input comment="(LIBERA ACESSO AO WINBOX)" log=yes \
    src-address-list=" (SUPORTE-WINBOX)"
add action=accept chain=input comment=\
    "(LIBERA ACESSO AO WINBOX - IPS LIBERADOS)" dst-port=25476 \
    in-interface-list=WAN-LINKS protocol=tcp src-address-list=IPs-liberados
add action=accept chain=input comment="-----------------------LIBERA PORTA DO \
    WIREGUARD-------------------------" dst-port=13231 protocol=udp
add action=accept chain=input comment="-----------------------LIBERA PORTA DO \
    WIREGUARD2-------------------------" dst-port=13232 protocol=udp
add action=accept chain=input comment=\
    "-------------- LIBERA COM. WIREGUARD ----------------" dst-address=\
    192.168.88.0/24 src-address=192.168.100.0/24
add action=accept chain=input comment=\
    "-------------- LIBERA COM. WIREGUARD ----------------" dst-address=\
    192.168.100.0/24 src-address=192.168.88.0/24
add action=add-src-to-address-list address-list=PORTA-1 address-list-timeout=\
    5s chain=input comment="PORTKNOCKING - PORTA-1" dst-port=35621 \
    in-interface-list=WAN-LINKS log=yes protocol=tcp
add action=add-src-to-address-list address-list=PORTA-2 address-list-timeout=\
    5s chain=input comment="PORTKNOCKING - PORTA-2" dst-port=24987 \
    in-interface-list=WAN-LINKS log=yes protocol=tcp src-address-list=PORTA-1
add action=add-src-to-address-list address-list=IPs-liberados \
    address-list-timeout=10m chain=input comment="PORTKNOCKING - IP-LIBERADO" \
    dst-port=41687 in-interface-list=WAN-LINKS log=yes protocol=tcp \
    src-address-list=PORTA-2
add action=add-src-to-address-list address-list=\
    "######## TENTATIVA LOGIN - 1 ########" address-list-timeout=1m chain=\
    input comment="TENTATIVA LOGIN -1" connection-state=new dst-port=\
    1701,8728 in-interface-list=WAN-LINKS log=yes protocol=udp
add action=add-src-to-address-list address-list=\
    "######## TENTATIVA LOGIN - 1 ########" address-list-timeout=1m chain=\
    input comment="TENTATIVA LOGIN - 1 - TCP" connection-state=new dst-port=\
    25476 in-interface-list=WAN-LINKS log=yes protocol=tcp
add action=add-src-to-address-list address-list=\
    "######## TENTATIVA LOGIN - 2 ########" address-list-timeout=1m chain=\
    input comment="TEMTATIVA LOGIN - 2" connection-state=new dst-port=\
    1701,8728 in-interface-list=WAN-LINKS log=yes protocol=udp \
    src-address-list="TENTATIVA LOGIN - 1"
add action=add-src-to-address-list address-list=\
    "######## TENTATIVA LOGIN - 2 ########" address-list-timeout=1m chain=\
    input comment="TEMTATIVA LOGIN - 2 - TCP" connection-state=new dst-port=\
    25476 in-interface-list=WAN-LINKS log=yes protocol=tcp src-address-list=\
    "TENTATIVA LOGIN - 1"
add action=add-src-to-address-list address-list=\
    "######## TENTATIVA LOGIN - BLOQUEADO ########" address-list-timeout=1h \
    chain=input comment="TENTATIVA LOGIN - BLOQUEADA" connection-state=new \
    dst-port=1701,8728 in-interface-list=WAN-LINKS log=yes log-prefix=\
    "TENTATIVA DE LOGIN - BLOQUEADA" protocol=udp src-address-list=\
    "TENTATIVA LOGIN - 2"
add action=add-src-to-address-list address-list=\
    "######## TENTATIVA LOGIN - BLOQUEADO ########" address-list-timeout=1h \
    chain=input comment="TENTATIVA LOGIN - BLOQUEADA - TCP" connection-state=\
    new dst-port=25476 in-interface-list=WAN-LINKS log=yes log-prefix=\
    "TENTATIVA DE LOGIN - BLOQUEADA - TCP" protocol=tcp src-address-list=\
    "TENTATIVA LOGIN - 2"
add action=drop chain=input comment=\
    "######## TENTATIVA DE LOGIN - DROP ########" log=yes log-prefix=\
    "DROP - TENTATIVA DE LOGIN" src-address-list=\
    "TENTATIVA LOGIN - BLOQUEADO"
add action=drop chain=input comment=\
    "######## TUDO QUE N\C3O VENHA DA LAN: DROP ########" in-interface-list=\
    !LAN log-prefix="Nao vem da LAN"
add action=drop chain=forward comment=\
    "######## ISOLA REDE VIVISITANTE/LAN ########" connection-state="" \
    disabled=yes dst-address=192.168.88.0/24 log=yes log-prefix=\
    "Isola rede visitantes" out-interface-list=!LAN src-address=10.10.10.0/26
add action=fasttrack-connection chain=forward comment=\
    "######## defconf: fasttrack ########" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "######## defconf: accept established,related, untracked ########" \
    connection-state=established,related
add action=reject chain=forward comment="TESTE LAN" disabled=yes dst-address=\
    100.100.100.12 reject-with=icmp-network-unreachable src-address=\
    30.30.30.2
add action=drop chain=forward comment=\
    "######## defconf: drop all from WAN not DSTNATed ########" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN-LINKS
add action=drop chain=input comment=\
    "######## DROP - GERAL - LIKS 1, 2 ########" in-interface-list=WAN-LINKS \
    log=yes log-prefix="drop geral links 1, 2"
/ip firewall mangle
add action=mark-packet chain=forward comment=\
    "########Marcar paquetes de YouTube ########" connection-mark=mc_youtube \
    new-packet-mark=mc_youtube passthrough=no
add action=mark-connection chain=forward comment=\
    "######## Marcar conexiones de YouTube ########" connection-mark=no-mark \
    layer7-protocol=YouTube new-connection-mark=mc_youtube passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=\
    "########  MASQ. - TRAFEGO - LINKS - WAN ########" ipsec-policy=out,none \
    out-interface-list=WAN-LINKS
add action=masquerade chain=srcnat comment=\
    "########  MASQ. - TRAFEGO WIREGUARD  ########" ipsec-policy=out,none \
    out-interface=wireguard2
add action=dst-nat chain=dstnat comment="########  PORT KNOCKING ########" \
    dst-port=59272 in-interface-list=WAN-LINKS protocol=tcp src-address-list=\
    IPs-liberados to-addresses=192.168.88.1 to-ports=25476
add action=dst-nat chain=dstnat comment=\
    "########  Porta - 1883 - MQTT ########" dst-port=1883 in-interface-list=\
    WAN-LINKS protocol=tcp src-address=204.216.162.246 to-addresses=\
    192.168.88.88 to-ports=1883
add action=dst-nat chain=dstnat comment=\
    "########  Porta - 5055 - SATVIX ########" disabled=yes dst-port=5055 \
    in-interface-list=WAN-LINKS log=yes log-prefix="NAT - Porta 5055" \
    protocol=tcp to-addresses=192.168.88.92
add action=dst-nat chain=dstnat comment=\
    "########  Porta - 5013 - SATVIX ########" disabled=yes dst-port=5013 \
    in-interface-list=WAN-LINKS log=yes log-prefix="NAT - Porta 5013 - Xing" \
    protocol=tcp to-addresses=192.168.88.92
add action=dst-nat chain=dstnat comment=\
    "########  Porta - 5027 - SATVIX - Teltonika ########" disabled=yes \
    dst-port=5027 in-interface-list=WAN-LINKS log=yes log-prefix=\
    "NAT - Porta 5027 - Teltonika" protocol=tcp to-addresses=192.168.88.92
add action=dst-nat chain=dstnat comment=\
    "########  Direciona para o OPI-01 ########" disabled=yes dst-port=80 \
    in-interface=pppoe-VIA log=yes log-prefix="NAT - Direciona para o OPI-01" \
    protocol=tcp to-addresses=192.168.88.90
add action=dst-nat chain=dstnat comment=\
    "########  Direciona para o Winbox ########" disabled=yes dst-port=9272 \
    in-interface=pppoe-VIA log=yes log-prefix="NAT - Porta Winbox2" protocol=\
    tcp src-address-list=IPs-liberados to-addresses=192.168.88.1 to-ports=\
    25476
add action=masquerade chain=srcnat comment=\
    "########  Masquerade LTE ########" disabled=yes out-interface=wireguard2
add action=masquerade chain=srcnat disabled=yes out-interface-list=VLAN-30
/ip kid-control device
add mac-address=58:00:E3:BC:71:C7 name=DELL user=DELL
add mac-address=40:2F:86:31:30:E0 name="LG - PHST" user=Pedro
add mac-address=88:52:EB:77:5D:C8 name="MAC - real - Poco Marcio " user=\
    Marcio
add mac-address=A4:55:90:DA:1F:26 name="MAC - real - Poco PHST" user=Pedro
/ip route
add comment="monitora 8.8.8.8 via link 1 - VIA" disabled=no distance=1 \
    dst-address=8.8.8.8/32 gateway=pppoe-VIA pref-src="" routing-table=main \
    scope=10 suppress-hw-offload=no
add comment="monitora 1.1.1.1 via link 2 - TIM" disabled=no distance=1 \
    dst-address=1.1.1.1/32 gateway=192.168.0.1 pref-src="" routing-table=main \
    scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Rota principal - VIA" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Rota Secund\E1ria" disabled=no distance=2 \
    dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=11
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api port=25576
set winbox port=25476
set api-ssl disabled=yes
/ipv6 address
add address=::cafe from-pool=pda-ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-VIA pool-name=pda-ipv6 request=\
    prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=add-dst-to-address-list address-list=\
    SITES-BLOQUEADOS-LINK2-TIM-IPV6 address-list-timeout=4w2d chain=forward \
    comment="Bloqueia o youtube no link 2 TIM" disabled=yes protocol=tcp \
    tls-host=*youtube*
add action=drop chain=forward comment="Drop no youtube pelo link 2 (TIM)" \
    disabled=yes dst-address-list="SITES-BLOQUEADOS-LINK-2-TIM-(IPV6)"
add action=accept chain=input comment="Libera porta Wireguard" disabled=yes \
    dst-port=13231 protocol=udp
add action=drop chain=forward connection-state=new in-interface-list=\
    WAN-LINKS log=yes log-prefix=IPV6-Drop
add action=drop chain=input connection-state=new in-interface-list=WAN-LINKS \
    log=yes log-prefix=drop-ipv6-input
/ipv6 firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN-LINKS
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=America/Sao_Paulo
/system identity
set name=hAP-AX3
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=a.ntp.br
add address=b.ntp.br
/system script
add dont-require-permissions=no name=backup-email owner=Turbovix-Mk policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global nome [/system identity get name]\r\
    \n:global data [/system clock get date]\r\
    \n:global hora [/system clock get time]\r\
    \n/system backup save name=HapX3;\r\
    \n/tool e-mail send to=\"mkmt.es@gmail.com\" subject=\"Backup Mikrotik - H\
    apX3\" file=HapX3.backup body=\"Segue em anexo o arquivo de backup da \$no\
    me realizado em \$data as \$hora\";\r\
    \n:log info \"Backup e-mail sent.\";"
add dont-require-permissions=no name=envia-backup-gmail owner=Turbovix-Mk \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source=":global nome [/system identity get name]\r\
    \n:global data [/system clock get date]\r\
    \n:global hora [/system clock get time]\r\
    \n/export file=HapX3.rsc;\r\
    \n/tool e-mail send to=\"mkmt.es@gmail.com\" subject=\"Backup HapX3\" file\
    =HapX3.rsc body=\"Segue anexo o backup da \$nome realizado em \$data as \$\
    hora\";\r\
    \n:log info \"Backup e-mail sent.\";"
/tool e-mail
set from="<**** MIKROTIK-HapX3 ****>" port=587 server=smtp.gmail.com tls=\
    starttls user=mkmt.es@gmail.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch **ELIDED**
/tool romon
set id=XXXXXXXXXXXXXXXX
/tool romon port
set [ find default=yes ] forbid=yes
add disabled=no interface=ether5-SWITCH-TPLINK
 
Last edited by tangent on Fri Mar 15, 2024 7:22 am, edited 1 time in total.
Reason: elided PII, API keys, PSKs…
 
Turbovix
just joined
Topic Author
Posts: 4
Joined: Thu Mar 14, 2024 11:19 pm

Re: Using a wireguard VPN, access servers that are in a vlan.

Fri Mar 15, 2024 4:56 am

Hi everyone, I won't need help for now, as I found this excellent material that deals with the subject of VLANs. Therefore, I will delve deeper into reading and exercising for a few days; as soon as I finish, if I need help, I will let you know.

For now, thank you.

viewtopic.php?t=143620&sid=164c05b0db5d ... dba8444939
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using a wireguard VPN, access servers that are in a vlan.

Fri Mar 15, 2024 4:51 pm

What is preventing the CGNAT LTE (second link) from being used recursively on your home router?
All devices can connect to your home router through the public IP; there is no need for the CHR again.
 
Turbovix
just joined
Topic Author
Posts: 4
Joined: Thu Mar 14, 2024 11:19 pm

Re: Using a wireguard VPN, access servers that are in a vlan.

Sat Mar 16, 2024 7:54 am

No, no... I don't have any problems with my recursive routes. My problem was accessing a VLAN via WireGuard.
However, after reading the material in the link, I have a better understanding of how to work with VLANs.
 
TheCat12
Member Candidate
Posts: 179
Joined: Fri Dec 31, 2021 9:13 pm

Re: Using a wireguard VPN, access servers that are in a vlan.

Sat Mar 16, 2024 1:18 pm

I have a suggestion, after which I will leave you alone to delve into VLANs.

Presuming that you've set the WireGuard VPN pool on the hAP ax³ as allowed addresses on the CHR, I would add a firewall rule that allows traffic between it and the servers VLAN:
/ip firewall filter
add action=accept chain=forward src-address=10.50.0.0/24 out-interface=vlan5-servers-80
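
A fuller version of the same idea, added here as an example and not taken from TheCat12's post or from the thread's own export: it scopes the accept to the tunnel interface, logs whatever else arrives from the tunnel so the blocking rule can be seen, and places both rules ahead of the default catch-all drop. Only wireguard2 appears in the export above; 10.50.0.0/24, vlan5-servers-80 and the defconf comment used for place-before are assumptions that must be adapted to the real configuration.

```routeros
# Added example, not from the thread. Assumed names (only wireguard2 is in the export above):
#   wireguard2        - the tunnel interface on the hAP ax3 that reaches the CHR
#   10.50.0.0/24      - the pool the CHR hands to the phones (TheCat12's example value)
#   vlan5-servers-80  - the servers VLAN interface (TheCat12's example name)

# Group the tunnel and the remote clients so the rules stay readable when more peers are added.
/interface list
add name=WG comment="WireGuard tunnel interfaces"
/interface list member
add interface=wireguard2 list=WG
/ip firewall address-list
add address=10.50.0.0/24 list=WG-CLIENTS comment="phones connected through the CHR"

/ip firewall filter
# Both rules must sit after the defconf "accept established,related" rule and before
# the defconf drop at the end of the forward chain. "add" appends, so place-before is
# used with the comment of the rule they should precede (assumed to be the defconf one).
add chain=forward action=accept comment="WG clients -> servers VLAN" \
    connection-state=new in-interface-list=WG src-address-list=WG-CLIENTS \
    out-interface=vlan5-servers-80 \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=drop comment="WG clients -> everything else" \
    in-interface-list=WG log=yes log-prefix=WG-DROP \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# While testing from the phone, watch which packets the tunnel rules are dropping:
/log print follow-only where message~"WG-DROP"
```

Two things sit in front of these rules and silently discard traffic before any filter counter moves: on the hAP ax³, the peer entry pointing at the CHR must list 10.50.0.0/24 in its allowed-address, and on the CHR the peer entry for the hAP must include the servers VLAN subnet, since WireGuard drops packets whose source does not match the peer's allowed-address. If the counters on the accept rule stay at zero and nothing appears under WG-DROP, the packets are not reaching the forward chain at all, and those two peer settings (plus the CHR's route to the VLAN subnet) are where to look.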
