Yikes, I use no wizards, just do it manually LOL, and normally for keys one just puts "++++++" or something, never the real keys.
Okay that gives me a bit of a sense of what you are doing.
Interesting, in a 4-router scenario it's rare to have each one have a public IP.
Normally it's one, so what is done is:
ONE server Router at handshake
THREE client Routers at handshake
Now if two of the four have public IPs, what I recommend is a backup separate wireguard network.
In this case, assuming the primary router goes down, then make the second one with a public IP the primary:
ALTERNATE server Router at handshake
Two client Routers at handshake.
It would appear you have all four on the same network, with the same listening port in settings; all are listening on the same port in the input chain as well.
On the peer settings, each router has three peers.
I think I understand what you want to throw into the mix: you as admin, via a remote laptop for example, have connected to one of the routers and want the added ability to reach any subnet LAN or any other router for config purposes.
Not sure why you want to reach one through the other, as you can simply DIRECTLY connect to the router you desire.
For example, on the wireguard app on my iPhone I would simply make four wireguard configs, one for each router... but it's possible, so why not think about it.
Now if one wants to wireguard and connect to ONE router and then reach the other three, I know how to do that in the ONE server scenario, but this is different and I will have to think about it.
By the way, this is apparently called FULL MESH (or "full mess") TOPOLOGY.
As long as there is no requirement for any local subnet users to use the internet of a different router, this should work just fine. The admin on the laptop coming into any router, depending on firewall rules, can access the internet if desired.
LOGIC:
1. One connects to R1 via wireguard and is now at the LAN side of R1 (used the iOS wireguard app).
2. I want to reach R4, which has a specific wireguard IP (via winbox likely), or I use the gateway of a subnet on R4 to attempt to reach the config of R4 (via browser likely).
Routes
- R1 knows the wireguard address of R4, so nothing needs to be made.
- R1 knows nothing about the remote subnet on R4, so one needs a route made to that subnet.
FW Rules
One has to allow traffic that left the tunnel to go back into the tunnel, which is what I call a relay rule.
CONCLUSION/SOLUTION.
On each router add all the possible routes to other subnets.
ex. R1
add dst-address=lansubnetR2 gateway=wireguard1
add dst-address=lansubnetR3 gateway=wireguard1
add dst-address=lansubnetR4 gateway=wireguard1
On each router add a relay rule that allows traffic to exit the tunnel and then re-enter the tunnel.
add action=accept chain=forward comment="relay wg" in-interface=wireguard1 out-interface=wireguard1
Do this on all your routers and thus you as remote admin should be able to wireguard into any of the four specific routers and reach any other subnet or router to config.
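The recipe above written out end to end, as an added example (not the poster's configuration). Assumed names: the mesh interface is wireguard1, tunnel addresses are 10.0.17.0/24 with R1 at 10.0.17.1 (LAN 172.17.1.0/24) and R2/R3/R4 at 10.0.17.12/.13/.14 (LANs 172.17.12-14.0/24), the admin laptop is 10.0.17.99, the far-end peer entry for R1 is named peer-to-R1, and the routers run the RouterOS default firewall (the "defconf:" comments). It adds the piece the routes and relay rule alone do not give you: the far-end routers must list the laptop's tunnel address on their peer entry for R1, or WireGuard's cryptokey routing drops the relayed packets on arrival.

```routeros
# Added example: admin laptop connects to R1 and reaches R2/R3/R4 through it.
# Assumed names: wireguard1, tunnel net 10.0.17.0/24, R1=10.0.17.1,
# R2=.12, R3=.13, R4=.14, LANs 172.17.1.0/24 and 172.17.12-14.0/24,
# laptop=10.0.17.99, far-end peer for R1 named peer-to-R1.

# ---- R1: the router the laptop connects to ----
/interface wireguard peers
add interface=wireguard1 name=admin-laptop allowed-address=10.0.17.99/32 \
    public-key="<laptop public key>" comment="only the laptop's own /32"

# Routes to the other sites' LANs. The next hop is that site's tunnel
# address; cryptokey routing resolves it to the right peer.
/ip route
add dst-address=172.17.12.0/24 gateway=10.0.17.12 comment="LAN R2"
add dst-address=172.17.13.0/24 gateway=10.0.17.13 comment="LAN R3"
add dst-address=172.17.14.0/24 gateway=10.0.17.14 comment="LAN R4"

# Relay rule: tunnel in, tunnel out. Matching on the interface instead of
# on src-address=10.0.17.0/24 means a forged 10.0.17.x source arriving on
# WAN can never match it. place-before keeps it ahead of the default drop.
/ip firewall filter
add action=accept chain=forward in-interface=wireguard1 \
    out-interface=wireguard1 comment="relay wg" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# ---- R2, R3, R4: the far ends ----
# WireGuard checks the SOURCE of each decrypted packet against the sending
# peer's allowed-address and silently drops it on mismatch; it also chooses
# the peer for a reply by longest match on the DESTINATION. Both require
# the laptop's tunnel address on the peer entry that represents R1:
/interface wireguard peers
set [ find name=peer-to-R1 ] \
    allowed-address=10.0.17.1/32,172.17.1.0/24,10.0.17.99/32

# No extra route is needed for the reply: 10.0.17.0/24 is connected on
# wireguard1 and the /32 above steers 10.0.17.99 back through R1.

# ---- checks ----
# on R4: only peer-to-R1 may list 10.0.17.99
/interface wireguard peers print detail where interface=wireguard1
# on R1: counters on the relay rule should climb while the laptop talks
# to a host in 172.17.14.0/24
/ip firewall filter print stats where comment="relay wg"
# on R1: the LAN routes must be active (A) and resolve over wireguard1
/ip route print where dst-address~"^172.17.1[234]"
```

If each site later gets its own mobile peer for the same laptop, give that peer a different tunnel address (or a per-site range): a /32 for a direct peer on R4 would win the longest match and capture return traffic that should go back via R1 whenever the laptop is actually connected through R1.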
Why is it rare for 4 routers to have public IPs?
I guess it is a mesh topology. I didn't plan it that way; it just happened because when I added the third site to the original server-client setup I couldn't get routing to work on the server side between clients, so I added a peer between clients bypassing the server. When it worked I did the same with site 4.
Mesh tunneling between sites works perfectly for this client, because all of his locations are independent businesses and don't share data between locations or have a centralized database. The main purpose of the tunnels is VoIP traffic between their PBXs. I can share unused SIP trunks at any of the sites for outbound calls and send calls between locations via internal trunks, bypassing the telco provider and increasing outbound capacity.
I think I already have all possible routes to each site, but not the relay rule (I will research it).
I'm thinking of adding a travel router to the mesh topology as site 0, and also, as you suggested, a mobile peer at each site for the laptop in case the travel router fails.
Here is the current configuration from 2 sites:
[admin@somerouter] > export
# 2024-11-09 20:51:10 by RouterOS 7.16.1
# software id = xxxxxxxxx
#
# model = RB5009UG+S+
# serial number = xxxxxxxxxxxxx
/interface bridge
add admin-mac=48:xxxxxxxxxx:EA auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether6 ] advertise=\
10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full
set [ find default-name=ether8 ] comment="WiFi CapAC"
/caps-man interface
add disabled=yes mac-address=00:00:00:00:00:00 master-interface=none name=cap1 \
radio-mac=00:00:00:00:00:00 radio-name=""
/interface wireguard
add comment="main site" listen-port=13231 mtu=1420 name=someWG
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.17.1.100-172.17.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/snmp community
set [ find default=yes ] security=private
/system logging action
set 3 bsd-syslog=yes remote=172.17.1.115 remote-port=1514
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/interface wireguard peers
add allowed-address=10.0.17.16/32,172.17.16.0/24 comment="Munster peer" \
endpoint-address=xxxxxxxxxxxxx.xxxxx.com endpoint-port=13231 \
interface=someWG name=peer-to-munster persistent-keepalive=25s \
public-key="fwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXc="
add allowed-address=10.0.17.13/32,172.17.13.0/24,172.17.13.1/32 comment=\
"Hickory tunnel" endpoint-address=xxxxxxxxxxxxx.sn.mynetname.net \
endpoint-port=13231 interface=someWG name=peer-to-hickory \
persistent-keepalive=25s public-key=\
"CbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTg="
add allowed-address=10.0.17.99/32,10.0.17.0/24 interface=someWG name=\
peer-for-Dell-Laptop public-key=\
"e/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxFE="
add allowed-address=10.0.17.15/32,172.17.15.0/24 disabled=yes \
endpoint-address=xxxxxxxxxxxxx.sn.mynetname.net endpoint-port=13231 \
interface=someWG name=peer-to-47th persistent-keepalive=25s public-key=\
"htxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxCA="
add allowed-address=10.0.17.14/32,172.17.14.0/24 endpoint-address=\
xxxxxxxxxxxxx.sn.mynetname.net endpoint-port=13231 interface=someWG \
name=peer-to-naperville persistent-keepalive=25s public-key=\
"9axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxS4="
/ip address
add address=172.17.1.1/24 comment=defconf interface=bridge network=172.17.1.0
add address=10.0.17.1/24 comment="someHq wireguard interface" interface=\
someWG network=10.0.17.0
add address=xxx.xxx.xxx.xxx/22 interface=ether1 network=xxx.xxx.xxx.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=172.17.1.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=\
172.17.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=172.17.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="winbox remote" dst-port=xxxx protocol=\
tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input src-address=10.0.17.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward src-address=10.0.17.0/24
add action=accept chain=forward src-address=10.0.17.1
add action=accept chain=forward dst-address=172.17.1.0/24 src-address=\
172.17.16.0/24
add action=accept chain=forward dst-address=172.17.1.0/24 src-address=\
172.17.15.0/24
add action=accept chain=forward dst-address=172.17.1.0/24 src-address=\
172.17.14.0/24
add action=accept chain=forward dst-address=172.17.1.0/24 src-address=\
172.17.13.0/24
add action=accept chain=forward dst-address=172.17.1.0/24 src-address=\
172.17.12.0/24
add action=accept chain=forward dst-address=172.17.1.0/24 src-address=\
172.17.11.0/24
add action=accept chain=forward dst-address=172.17.11.0/24 src-address=\
172.17.1.0/24
add action=accept chain=forward dst-address=172.17.12.0/24 src-address=\
172.17.1.0/24
add action=accept chain=forward dst-address=172.17.13.0/24 src-address=\
172.17.1.0/24
add action=accept chain=forward dst-address=172.17.14.0/24 src-address=\
172.17.1.0/24
add action=accept chain=forward dst-address=172.17.15.0/24 src-address=\
172.17.1.0/24
add action=accept chain=forward dst-address=172.17.16.0/24 src-address=\
172.17.1.0/24
add action=accept chain=forward disabled=yes dst-address=172.17.1.0/24 \
src-address=192.168.177.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.177.0/24 \
src-address=172.17.1.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment="route to munster" disabled=yes distance=1 dst-address=0.0.0.0/0 \
gateway=xxx.xxx.xxx.xxx pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="route to munster" disabled=no distance=1 dst-address=\
172.17.16.0/24 gateway=10.0.17.16 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="route to hickory" disabled=no distance=1 dst-address=\
172.17.13.0/24 gateway=10.0.17.13 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="route to 47th" disabled=no distance=1 dst-address=172.17.15.0/24 \
gateway=10.0.17.15 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=172.17.12.0/24 gateway=10.0.17.12 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.17.14.0/24 gateway=10.0.17.14 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="route to oakbrook" disabled=no distance=1 dst-address=\
172.17.11.0/24 gateway=10.0.17.11 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/snmp
set location=home trap-version=3
/system clock
set time-zone-name=America/Chicago
/system identity
set name=SomeRouter
/system logging
add action=remote prefix=INFO topics=info
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool sniffer
set streaming-server=172.17.1.115:9000
Site 2:
# 2024-11-09 21:18:06 by RouterOS 7.16.1
# software id = xxxxxxx
#
# model = RB5009UG+S+
# serial number = xxxxxxxxxxx
/interface bridge
add admin-mac=78:9A:18:CB:13:B2 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment="WAN comcast"
set [ find default-name=ether4 ] comment="LTE Management"
set [ find default-name=ether6 ] comment=LinksysPAP2
set [ find default-name=ether7 ] comment="WAN2 LTE-Modem"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=CRS326
/interface wireguard
add listen-port=13231 mtu=1420 name=HickoryWG
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.17.13.100-172.17.13.249
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/system logging action
set 3 bsd-syslog=yes remote=172.17.1.115 remote-port=1513
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether7 list=WAN
/interface wireguard peers
add allowed-address=10.0.17.16/32,172.17.16.0/24,172.17.16.1/32 endpoint-address=xxxxxxxxxxx.sn.mynetname.net endpoint-port=13231 interface=HickoryWG \
name=peer-to-munster persistent-keepalive=25s public-key="fwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXc="
add allowed-address=10.0.17.1/32,172.17.1.0/24 endpoint-address=xxxxxxxxxxx.sn.mynetname.net endpoint-port=13231 interface=HickoryWG name=\
peer-to-highlandpark persistent-keepalive=25s public-key="Oyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxno="
add allowed-address=10.0.17.15/32,172.17.15.0/24 disabled=yes endpoint-address=xxxxxxxxxxx.sn.mynetname.net endpoint-port=13231 interface=HickoryWG \
name=peer-to-47th persistent-keepalive=25s public-key="htxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxCA="
add allowed-address=10.0.17.14/32,172.17.14.0/24 endpoint-address=xxxxxxxxxxx.sn.mynetname.net endpoint-port=13231 interface=HickoryWG name=\
peer-to-naperville persistent-keepalive=25s public-key="9axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxS4="
/ip address
add address=172.17.13.1/24 comment=defconf interface=bridge network=172.17.13.0
add address=10.0.17.13/24 interface=HickoryWG network=10.0.17.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m update-time=no
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no use-peer-ntp=no
add default-route-distance=5 interface=ether7 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=172.17.13.0/24 comment=defconf dns-server=172.17.13.1 gateway=172.17.13.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=172.17.13.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input dst-port=xxxx protocol=tcp
add action=accept chain=input comment="allow wg" src-address=10.0.17.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment=www.star4live.com content=www.star4live.com
add action=accept chain=forward src-address=10.0.17.0/24
add action=accept chain=forward dst-address=172.17.1.0/24 src-address=172.17.13.0/24
add action=accept chain=forward dst-address=172.17.11.0/24 src-address=172.17.13.0/24
add action=accept chain=forward dst-address=172.17.12.0/24 src-address=172.17.13.0/24
add action=accept chain=forward dst-address=172.17.14.0/24 src-address=172.17.13.0/24
add action=accept chain=forward dst-address=172.17.15.0/24 src-address=172.17.13.0/24
add action=accept chain=forward dst-address=172.17.16.0/24 src-address=172.17.13.0/24
add action=accept chain=forward dst-address=172.17.13.0/24 src-address=172.17.1.0/24
add action=accept chain=forward dst-address=172.17.13.0/24 src-address=172.17.11.0/24
add action=accept chain=forward dst-address=172.17.13.0/24 src-address=172.17.12.0/24
add action=accept chain=forward dst-address=172.17.13.0/24 src-address=172.17.14.0/24
add action=accept chain=forward dst-address=172.17.13.0/24 src-address=172.17.15.0/24
add action=accept chain=forward dst-address=172.17.13.0/24 src-address=172.17.16.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=output comment=www.star4live.com content=www.star4live.com
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=NVR dst-port=84 in-interface-list=WAN protocol=tcp to-addresses=172.17.13.2 to-ports=80
add action=dst-nat chain=dstnat comment=NEC dst-port=88 in-interface-list=WAN protocol=tcp to-addresses=172.17.13.80 to-ports=88
add action=dst-nat chain=dstnat comment="NEC PC PRO" dst-port=8888 in-interface-list=WAN protocol=tcp to-addresses=172.17.13.80 to-ports=8888
add action=dst-nat chain=dstnat comment=NVR dst-port=8554 in-interface-list=WAN protocol=tcp to-addresses=172.17.13.2 to-ports=8554
add action=dst-nat chain=dstnat comment=NVR dst-port=8554 in-interface-list=WAN protocol=udp to-addresses=172.17.13.2 to-ports=8554
add action=dst-nat chain=dstnat comment=NVR dst-port=84 in-interface-list=WAN protocol=udp to-addresses=172.17.13.2 to-ports=80
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=172.17.1.0/24 gateway=10.0.17.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=172.17.16.0/24 gateway=10.0.17.16 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.17.11.0/24 gateway=10.0.17.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.17.12.0/24 gateway=10.0.17.12 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.17.14.0/24 gateway=10.0.17.14 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.17.15.0/24 gateway=10.0.17.15 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=HickoryRouter
/system logging
add action=remote prefix=INFO topics=system,info
add action=remote topics=interface
add action=remote topics=firewall
add action=remote topics=critical
add action=remote topics=error
add
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
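Three things stand out in the two exports above, and the added example below (mine, not the poster's configuration) shows the corrected form beside the posted one. Names from the exports are used as posted (someWG, HickoryWG, peer-for-Dell-Laptop, peer-to-highlandpark, the "defconf:" comments); the address-list name wg-mesh is an assumption. First, `accept chain=input src-address=10.0.17.0/24` and `accept chain=forward src-address=10.0.17.0/24` match on source address only and sit above the "drop all not coming from LAN" / "drop all from WAN not DSTNATed" rules, so a packet on ether1 with a forged 10.0.17.x source is accepted and forwarded into the mesh (blind, since replies go to the forged address, but still unauthenticated traffic entering the tunnel). Second, peer-for-Dell-Laptop carries `allowed-address=10.0.17.99/32,10.0.17.0/24`, which makes the laptop the catch-all for every tunnel address no other peer claims, including 10.0.17.11 and 10.0.17.12, which have routes but no peer in the HQ export. Third, for the laptop to reach the other sites through HQ, each far end's peer entry for HQ (e.g. Hickory's peer-to-highlandpark, which lists only 10.0.17.1/32 and 172.17.1.0/24) must also allow the laptop's tunnel address, otherwise WireGuard drops the relayed packets before the firewall ever sees them. The existing forward accept for 10.0.17.0/24 already acts as the relay rule for the laptop, so no separate one is needed on HQ.

```routeros
# Added example against the posted HQ export (someWG, 10.0.17.0/24) and
# Hickory export (HickoryWG). Address-list name wg-mesh is an assumption.

# ===== HQ =====
# As posted (weak): source address is the only selector, and these rules
# sit above the defconf drops, so a forged 10.0.17.x source on ether1
# is accepted into input and forwarded into the tunnel.
#   add action=accept chain=input src-address=10.0.17.0/24
#   add action=accept chain=forward src-address=10.0.17.0/24

# Hardened: same intent, bound to the tunnel interface. Anything that
# arrives on someWG has already passed WireGuard authentication; nothing
# on ether1 ever will.
/ip firewall address-list
add list=wg-mesh address=10.0.17.0/24 comment="tunnel addresses"
/ip firewall filter
add action=accept chain=input comment="mgmt over wg" in-interface=someWG \
    src-address-list=wg-mesh \
    place-before=[find chain=input src-address=10.0.17.0/24]
add action=accept chain=forward comment="forward/relay over wg" \
    in-interface=someWG src-address-list=wg-mesh \
    place-before=[find chain=forward src-address=10.0.17.0/24]
# explicit anti-spoof drop, placed ahead of the accepts so it is visible
# in the counters rather than relying on the catch-all at the bottom
add action=drop chain=forward comment="tunnel source arriving on WAN" \
    in-interface-list=WAN src-address-list=wg-mesh \
    place-before=[find comment="forward/relay over wg"]
add action=drop chain=input comment="tunnel source arriving on WAN" \
    in-interface-list=WAN src-address-list=wg-mesh \
    place-before=[find comment="mgmt over wg"]
# retire the source-only rules once the interface-bound ones are in place
remove [find chain=input src-address=10.0.17.0/24 comment=""]
remove [find chain=forward src-address=10.0.17.0/24 comment=""]

# Laptop peer: keep only its own /32. With the /24 present, any tunnel
# address no other peer claims is encrypted to the laptop.
/interface wireguard peers
set [ find name=peer-for-Dell-Laptop ] allowed-address=10.0.17.99/32

# ===== Hickory (same pattern on HickoryWG) =====
/ip firewall address-list
add list=wg-mesh address=10.0.17.0/24 comment="tunnel addresses"
/ip firewall filter
add action=accept chain=input comment="mgmt over wg" in-interface=HickoryWG \
    src-address-list=wg-mesh \
    place-before=[find chain=input src-address=10.0.17.0/24]
add action=accept chain=forward comment="forward/relay over wg" \
    in-interface=HickoryWG src-address-list=wg-mesh \
    place-before=[find chain=forward src-address=10.0.17.0/24]
remove [find chain=input src-address=10.0.17.0/24 comment="allow wg"]
remove [find chain=forward src-address=10.0.17.0/24 comment=""]
# Let the laptop's tunnel address arrive via HQ and be answered via HQ.
/interface wireguard peers
set [ find name=peer-to-highlandpark ] \
    allowed-address=10.0.17.1/32,172.17.1.0/24,10.0.17.99/32

# ===== checks (either router) =====
# counters on the new accepts should move; the anti-spoof drops should
# normally stay at zero
/ip firewall filter print stats where src-address-list=wg-mesh
# exactly one peer may list each tunnel address
/interface wireguard peers print detail
```

The "winbox remote" input accept on a TCP port from any source is unchanged by this; once management works over the tunnel, the usual follow-up is to restrict that rule to a src-address-list of known admin addresses or drop it entirely. The disabled peer-to-47th entries and the routes to 172.17.11.0/24 and 172.17.12.0/24 without a matching peer are harmless as posted (WireGuard drops traffic for a destination no peer claims), but they are the first place to look when a site is added and "routing does not work".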