I need to add the real IP to the address list to do IPsec with the center.
A script also checks the constantly changing public IP address and corrects it automatically.
It works as long as the public IP address is not changed by the ISP. But as soon as the ISP changes the public IP, the MikroTik cannot reach the internet. I have to manually disable and re-enable pubaddr in the address list, otherwise I can't go online.
Do you have a suggestion for a solution?
# Layer-2 / uplink definitions: two bridges (LAN and guest), an LTE uplink,
# a tagged VLAN for the guest network, and the WAN/LAN interface lists used
# by the firewall rules further down.
/interface bridge
add name=bridge
add name="bridge guest"
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" sms-protocol=auto \
sms-read=no
/interface vlan
# Guest VLAN 13 is carried on ether5 (ether5 is also an untagged member of the LAN bridge below).
add interface=ether5 name=vlan13 vlan-id=13
/interface list
add name=WAN
add name=LAN
/interface lte apn
# add-default-route=no on both APN entries: the default route is the static
# one under /ip route (gateway=lte1), not one learned from the carrier.
set [ find default=yes ] add-default-route=no use-network-apn=no \
use-peer-dns=no
add add-default-route=no apn=superbox use-peer-dns=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Both custom profiles are WPA2-PSK; the pre-shared keys are not shown in this export.
add authentication-types=wpa2-psk mode=dynamic-keys name="Sec Profile" \
supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=otu \
supplicant-identity=""
# IKEv2 phase-1 parameters. nat-traversal=no means IKE will not negotiate
# NAT-T; NOTE(review): if the LTE address is ever behind carrier NAT this
# profile cannot establish - confirm the lte1 address is a true public IP.
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
aes-256 hash-algorithm=sha256 lifetime=8h name=ike_crypto nat-traversal=\
no
/ip ipsec peer
# local-address is pinned to a specific public IP. The ReNewPubIP script
# (under /system script) rewrites this field with the /ip cloud value, so the
# value seen here is whatever the last successful run wrote; it differs from the
# pubaddr address in the /ip address listing, i.e. it is already stale.
# The peer is disabled=yes in this export.
add address=111.111.111.111/32 disabled=yes exchange-mode=ike2 local-address=\
176.238.169.228 name=peer profile=ike_crypto
/ip ipsec proposal
# Phase-2: AES-256-CBC with PFS (modp2048), 1h SA lifetime.
add enc-algorithms=aes-256-cbc lifetime=1h name=ipsec_crypto pfs-group=\
modp2048
# Addressing: LAN 10.10.5.0/24 on "bridge", guest 10.11.5.0/24 on "bridge guest".
/ip pool
add comment=10.5 name=pool_lan ranges=10.10.5.20-10.10.5.200
add comment=10.5 name=pool_misafir ranges=10.11.5.20-10.11.5.200
/ip dhcp-server
add address-pool=pool_lan interface=bridge name=dhcp
add address-pool=pool_misafir interface="bridge guest" name=dhcp_misafir
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
# Guest bridge: the VLAN 13 sub-interfaces of ether5 and both radios.
add bridge="bridge guest" interface=vlan13
add bridge="bridge guest" interface=wlan1-vlan13
add bridge="bridge guest" interface=wlan2-vlan13
/ip firewall connection tracking
set udp-timeout=10s
/interface detect-internet
set detect-interface-list=all
/interface list member
# Both ether1 and lte1 are treated as WAN by the filter/NAT/mangle rules.
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=lte1 list=WAN
/interface wireless access-list
# Single MAC entry with no interface or action given - relies on RouterOS
# defaults for this entry; NOTE(review): confirm this is the intended effect.
add mac-address=00:19:3B:21:F9:F3
/ip address
add address=10.10.5.1/24 interface=bridge network=10.10.5.0
add address=10.11.5.1/24 interface="bridge guest" network=10.11.5.0
/ip cloud
# The ReNewPubIP script reads [/ip cloud get public-address]. That value is
# learned through the router's own outbound DDNS check-in, so it can only be
# refreshed while the router already has working internet access - the very
# condition that is lost when the carrier changes the address (see the prose above).
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=10.10.5.0/24 comment=LAN dns-server=10.10.5.1 gateway=10.10.5.1
add address=10.11.5.0/24 comment=Misafir dns-server=10.11.5.1 gateway=\
10.11.5.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for its clients.
# Exposure to the WAN side is prevented only by the input chain below
# (port 53 accepted from in-interface-list=LAN, then "drop all else"), so the
# order of those rules matters.
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=10.10.5.0/24 list=LAN
# AdminAccess grants full access to the router's input chain (see "Router
# Access" below). It contains the guest subnet 10.11.5.0/24 as well as the
# LAN, so guest clients can reach every router service (winbox, ssh, www, ...).
# Consider limiting the guest entry to DNS/DHCP only.
add address=10.10.5.0/24 list=AdminAccess
add address=10.11.5.0/24 list=AdminAccess
/ip firewall filter
# --- input chain: order is significant; the final rule drops everything else.
# "untracked" is also accepted here; no raw/notrack rules appear in this export,
# so in the current config that state should not normally occur.
add action=accept chain=input comment=Input connection-state=\
established,related,untracked
add action=drop chain=input comment="Input Drop Invalid" connection-state=\
invalid
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment="Router Access" src-address-list=\
AdminAccess
add action=accept chain=input comment="LAN DNS queries-TCP" connection-state=\
"" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="LAN DNS queries-UDP" connection-state=\
"" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Input Drop All Else"
# --- forward chain: only a fasttrack rule, no drop rules. Unless rules exist
# outside this export, the forward chain falls through to its default (accept):
# new connections from WAN towards LAN/guest are forwarded, and guest <-> LAN
# traffic is not isolated.
# Fasttracked connections bypass IPsec policy matching; this rule has no
# exclusion for the ipsec connection-mark set in the mangle rules below, so
# tunnel-bound LAN traffic may be fasttracked once the policy is enabled -
# NOTE(review): verify against the intended tunnel design.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
/ip firewall mangle
# Marks IPsec-encapsulated connections in both directions. Nothing in this
# export consumes connection-mark=ipsec afterwards.
add action=mark-connection chain=forward comment="Mark IPsec In" \
ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec Out" \
ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
# TTL rewriting on the WAN side: packets arriving from WAN with ttl=1 are
# bumped by 5, and everything leaving via WAN is sent with ttl=64.
add action=change-ttl chain=prerouting in-interface-list=WAN new-ttl=\
increment:5 passthrough=yes ttl=equal:1
add action=change-ttl chain=postrouting new-ttl=set:64 out-interface-list=WAN \
passthrough=yes
/ip firewall nat
# This accept rule exempts ALL traffic from 10.10.5.0/24, to any destination,
# from source NAT. While the IPsec tunnel policy (/ip ipsec policy) is
# disabled, LAN traffic therefore leaves lte1 with its private source address
# and cannot get replies; only the guest subnet reaches the masquerade rule.
# NOTE(review): if the intent is to exempt only tunnel traffic, match on
# ipsec-policy=out,ipsec instead of dst-address=0.0.0.0/0.
add action=accept chain=srcnat dst-address=0.0.0.0/0 \
src-address=10.10.5.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
# Authentication material is not shown in this export (export hides sensitive
# values by default), so the auth method cannot be reviewed here.
add peer=peer
/ip ipsec policy
# Bypass policy so LAN-to-LAN traffic is never pulled into the tunnel.
add action=none disabled=yes dst-address=10.10.5.0/24 src-address=\
10.10.5.0/24
# Full-tunnel policy (all LAN traffic to any destination); currently disabled.
add comment=ipsec disabled=yes dst-address=0.0.0.0/0 peer=peer proposal=\
ipsec_crypto src-address=10.10.5.0/24 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=lte1 routing-table=main \
suppress-hw-offload=no
# Host route towards a single public address via lte1. Its destination does
# not match the current pubaddr address or the peer local-address, and the
# ReNewPubIP script only updates /ip address and /ip ipsec peer, never this
# route, so it appears to be a leftover from an earlier carrier address.
# NOTE(review): either delete it or have the script update it too.
add comment=pubaddr disabled=no distance=2 dst-address=31.142.247.255 \
gateway=lte1 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/system scheduler
# The scheduler entry that should run ReNewPubIP every 5 minutes is
# disabled=yes in this export, so the script never runs on its own - which
# matches the symptom that the address is only corrected after manual action.
# The policy list (read,write,policy,test) is broader than the script needs;
# read,write is sufficient for what it does.
add disabled=yes interval=5m name=PubIP on-event=ReNewPubIP policy=\
read,write,policy,test start-date=1970-01-01 start-time=23:59:59
/system script
# ReNewPubIP: reads the public address that /ip cloud learned, rewrites the
# "pubaddr" entry under /ip address (address and network) with it, and sets
# the IPsec peer's local-address to the same value.
# Limitations visible from the source: (1) it trusts the cloud value without
# checking it is non-empty; an empty value would make the set commands fail;
# (2) the cloud value is only current while the router already has working
# internet, so after a carrier address change it may still return the old IP;
# (3) the "pubaddr" static route under /ip route is not updated.
# NOTE(review): the current address assigned by the carrier is available
# locally on lte1 (the dynamic /ip address entry); reading that instead of the
# cloud value would avoid the dependency on connectivity - confirm on the device.
add dont-require-permissions=no name=ReNewPubIP owner=admin policy=\
read,write,policy,test source=":local NewIP [/ip cloud get public-address]\
\r\
\n/ip address set [find where comment=\"pubaddr\"] address=\$NewIP network\
=\$NewIP\r\
\n/ip ipsec peer set peer local-address=\$NewIP"
/ip address
add address=10.10.5.1/24 interface=bridge network=10.10.5.0
add address=10.11.5.1/24 interface="bridge guest" network=10.11.5.0
# Static copy of the carrier-assigned public address on lte1 (no prefix length
# given, so RouterOS treats it as a /32). The network value here does not match
# the address, although the ReNewPubIP script sets network equal to the address
# - either this paste is truncated or the entry was not written by the script.
# A static copy goes stale whenever the carrier reassigns the address; the
# dynamic entry RouterOS creates on lte1 does not, which is why disabling this
# entry restores connectivity (see the prose above).
add address=176.89.208.201 comment=pubaddr interface=lte1 network=176.89.208.20