resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Wireguard no longer works

Thu May 08, 2025 3:33 pm

I installed WireGuard on my RB2011UiAS-2HnD more than one year ago. I accessed it from 3 Android phones and 2 Linux systems connected to a 5G network. My router is on an FTTH line with a dynamic public IP, addressed via xxxxxx.sn.mynetname.net. I used it really a lot and I never had any problems, but I do not use it every day, only in the periods I am away. Currently I noticed I could no longer connect from any device, so I can discard the remote configuration and focus on the router. I checked almost everything: correctness of keys and addresses, firewall, etc., and all looks fine. A few days ago I updated RouterOS to v7.18.2 and I added an adlist, so I removed the adlist and downgraded RouterOS to 7.16.2 with no luck. So I returned to 7.18.2.
I have a firewall rule to accept UDP on port 13231, my WireGuard port. I added the log option and I see that the port is reached any time I attempt a connection. Good.
With /tool sniffer quick port=13231 I also see incoming packets (INPUT) from wlan1 and bridge, but there are absolutely NO output packets.
Finally, I made the usual desperation steps: remove the WireGuard interface and peer, reinstall. No change.
I am really out of ideas! What can I do to understand what is going on?
Here http://www.rescas.eu/listing/download/public/mtkcfg.zip you can find the full configuration with no password and keys. The zip password is verysecret :D
Any help is very welcome - Thanks!
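An added diagnostic for the key check mentioned in the post above (example code written for this edit, not from the thread or from MikroTik): WireGuard never answers a handshake it cannot authenticate, so a key mismatch looks exactly like "packets in, nothing out". The script derives the X25519 public key from a base64 private key and verifies a peer entry of the shape used in the export posted later in the thread (private-key stored beside public-key); the key values are the RFC 7748 section 6.1 test vectors standing in for real WireGuard keys, and the peer dicts are constructed.

```python
# Added example (not from the thread): verify that a RouterOS WireGuard peer
# entry's public-key really is the X25519 public key of the private-key stored
# beside it, as in "/interface wireguard peers add ... private-key=... public-key=...".
# Pure-Python X25519 following the RFC 7748 ladder; key values below are the
# RFC 7748 section 6.1 test vectors, used as stand-ins for real WireGuard keys.
import base64

P = 2**255 - 19
A24 = 121665
BASEPOINT_U = 9


def _clamp(k: bytes) -> int:
    """Clamp a 32-byte X25519 private key and return it as an integer."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def _x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: u-coordinate of k*u."""
    x1 = u
    x2, z2, x3, z3 = 1, 0, u, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # diagnostic tool, so a branchy swap is acceptable here
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def decode_key(b64: str) -> bytes:
    """Decode a WireGuard key as RouterOS prints it (base64 of 32 bytes)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"key is {len(raw)} bytes, expected 32")
    return raw


def wg_public_key(private_b64: str) -> str:
    """Derive the base64 WireGuard public key belonging to a private key."""
    k = _clamp(decode_key(private_b64))
    u = _x25519(k, BASEPOINT_U)
    return base64.b64encode(u.to_bytes(32, "little")).decode()


def peer_keys_match(peer: dict) -> bool:
    """True when the peer's public-key is the one derived from its private-key."""
    return wg_public_key(peer["private-key"]) == peer["public-key"]


def _b64(hexstr: str) -> str:
    return base64.b64encode(bytes.fromhex(hexstr)).decode()


# RFC 7748 section 6.1 vectors, re-encoded the way RouterOS displays keys.
ALICE_PRIV = _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = _b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PUB = _b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")

# Constructed peer entries in the shape of the export's "peer5" line.
GOOD_PEER = {"name": "peer5", "allowed-address": "10.3.53.0/24",
             "private-key": ALICE_PRIV, "public-key": ALICE_PUB}
BAD_PEER = dict(GOOD_PEER, **{"public-key": BOB_PUB})  # public key of someone else

if __name__ == "__main__":
    for peer in (GOOD_PEER, BAD_PEER):
        status = "OK" if peer_keys_match(peer) else "MISMATCH"
        print(f"{peer['name']}: public-key {status} "
              f"(derived {wg_public_key(peer['private-key'])})")
```

The same derivation applies to the router side: the public key handed to the phones must be the one derived from the private key on the wireguard1 interface, otherwise the router drops their handshakes without replying.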
 
anav
Forum Guru
Posts: 23722
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard no longer works

Thu May 08, 2025 4:32 pm

Sorry, copy and paste the config here directly via a text editor, aka Notepad++.
Then post it here and use the code quotes around the text (above: the black square with white square brackets, on the same line as Bold and Italics etc.).

We appreciate the effort to provide the config, but it's against good security practices to ask folks to click on unknown links!!

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )
 
resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Re: Wireguard no longer works

Thu May 08, 2025 7:11 pm

Ok, I thought it was not possible to send hundreds of lines here!
I did not delete the sensitive data, but I modified the strings so they are wrong but still respect the equality.
# 2025-05-08 14:23:16 by RouterOS 7.18.2
# software id = LQJ4-4CGL
#
# model = RB2011UiAS-2HnD
# serial number = xxxx
/interface bridge
add admin-mac=6C:3B:6B:72:AB:4B ageing-time=5m arp=enabled arp-timeout=auto \
    auto-mac=no comment=defconf dhcp-snooping=no disabled=no fast-forward=yes \
    forward-delay=15s igmp-snooping=no max-learned-entries=auto \
    max-message-age=20s mtu=auto mvrp=no name=bridge port-cost-mode=short \
    priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=\
    no
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:4A mtu=1500 \
    name=ether1 orig-mac-address=6C:3B:6B:72:AB:4A rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether2 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:4B mtu=1500 \
    name=ether2 orig-mac-address=6C:3B:6B:72:AB:4B rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether3 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:4C mtu=1500 \
    name=ether3 orig-mac-address=6C:3B:6B:72:AB:4C rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether4 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:4D mtu=1500 \
    name=ether4 orig-mac-address=6C:3B:6B:72:AB:4D rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether5 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:4E mtu=1500 \
    name=ether5 orig-mac-address=6C:3B:6B:72:AB:4E rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether6 ] advertise=\
    10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:4F mtu=1500 \
    name=ether6 orig-mac-address=6C:3B:6B:72:AB:4F rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether7 ] advertise=\
    10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:50 mtu=1500 \
    name=ether7 orig-mac-address=6C:3B:6B:72:AB:50 rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether8 ] advertise=\
    10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:51 mtu=1500 \
    name=ether8 orig-mac-address=6C:3B:6B:72:AB:51 rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether9 ] advertise=\
    10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:52 mtu=1500 \
    name=ether9 orig-mac-address=6C:3B:6B:72:AB:52 rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether10 ] advertise=\
    10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:53 mtu=1500 \
    name=ether10 orig-mac-address=6C:3B:6B:72:AB:53 poe-out=off poe-priority=\
    10 power-cycle-interval=none !power-cycle-ping-address \
    power-cycle-ping-enabled=no !power-cycle-ping-timeout rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=sfp1 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
    aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1598 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=6C:3B:6B:72:AB:49 mtu=1500 \
    name=sfp1 orig-mac-address=6C:3B:6B:72:AB:49 rx-flow-control=off \
    sfp-ignore-rx-los=no sfp-rate-select=high sfp-shutdown-temperature=95C \
    tx-flow-control=off
/interface wireguard
add disabled=no listen-port=13231 mtu=1420 name=wireguard1
/queue interface
set bridge queue=no-queue
set wireguard1 queue=no-queue
/interface vlan
add arp=enabled arp-timeout=auto disabled=no interface=ether1 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=\
    1500 mvrp=no name=vlan-TIM use-service-tag=no vlan-id=835
/queue interface
set vlan-TIM queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch1
set 1 cpu-flow-control=yes mirror-source=none mirror-target=none name=switch2
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 3 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 4 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 5 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 6 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 7 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 8 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 9 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 10 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
set 11 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 12 default-vlan-id=0 vlan-header=leave-as-is vlan-mode=disabled
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
set 3 !forwarding-override
set 4 !forwarding-override
set 5 !forwarding-override
set 6 !forwarding-override
set 7 !forwarding-override
set 8 !forwarding-override
set 9 !forwarding-override
set 10 !forwarding-override
set 11 !forwarding-override
set 12 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
add comment=defconf exclude="" include="" name=WAN
add comment=defconf exclude="" include="" name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=\
    none default-route-distance=2 ip-type=ipv4 name=default use-network-apn=\
    no use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk disable-pmkid=\
    no eap-methods="" group-ciphers=aes-ccm group-key-update=1d \
    interim-update=0s management-protection=disabled mode=dynamic-keys \
    mschapv2-username="" name=default radius-called-format=mac:ssid \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-sta-private-algo=none static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=\
    no-certificates unicast-ciphers=aes-ccm
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=none allow-sharedkey=\
    no ampdu-priorities=0 amsdu-limit=8192 amsdu-threshold=8192 antenna-gain=\
    4 area="" arp=enabled arp-timeout=auto band=2ghz-b/g/n basic-rates-a/g=\
    6Mbps basic-rates-b=1Mbps bridge-mode=enabled channel-width=20/40mhz-XX \
    compression=no country=etsi default-ap-tx-limit=0 default-authentication=\
    yes default-client-tx-limit=0 default-forwarding=yes \
    disable-running-check=no disabled=no disconnect-timeout=3s distance=\
    indoors frame-lifetime=0 frequency=auto frequency-mode=regulatory-domain \
    frequency-offset=0 guard-interval=any hide-ssid=no ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-supported-mcs="mcs-0,mc\
    s-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,m\
    cs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-2\
    3" hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 installation=indoor \
    interworking-profile=disabled keepalive-frames=enabled l2mtu=1600 \
    mac-address=6C:3B:6B:72:AB:54 max-station-count=2007 mode=ap-bridge mtu=\
    1500 multicast-buffering=enabled multicast-helper=default name=wlan1 \
    noise-floor-threshold=default nv2-cell-radius=30 nv2-downlink-ratio=50 \
    nv2-mode=dynamic-downlink nv2-noise-floor-offset=default nv2-qos=default \
    nv2-queue-count=2 nv2-security=disabled nv2-sync-secret="" \
    on-fail-retry-time=100ms preamble-mode=both radio-name=6C3B6B72AB54 \
    rate-selection=advanced rate-set=default rx-chains=0,1 scan-list=default \
    secondary-frequency="" security-profile=default skip-dfs-channels=\
    disabled ssid=MikroTik station-bridge-clone-mac=00:00:00:00:00:00 \
    station-roaming=disabled supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-chains=0,1 \
    tx-power-mode=default update-stats-interval=disabled vlan-id=1 vlan-mode=\
    no-tag wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 \
    wds-ignore-ssid=no wds-mode=disabled wireless-protocol=802.11 \
    wmm-support=disabled wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
    3200 framer-policy=none
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 install-hotspot-queue=yes login-by=cookie,http-chap name=\
    default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=\
    exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
add name=group-12345678.sn.mynetname.net
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
add dh-group=modp2048,modp1536,modp1024 dpd-interval=2m dpd-maximum-failures=\
    5 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 lifetime=1d \
    name=profile-12345678.sn.mynetname.net nat-traversal=yes \
    proposal-check=obey
/ip ipsec peer
add disabled=no exchange-mode=ike2 local-address=80.181.227.212 name=\
    peer-80.181.227.212 passive=yes profile=\
    profile-12345678.sn.mynetname.net send-initial-contact=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
    modp1024
add auth-algorithms=sha512,sha256,sha1 disabled=no enc-algorithms="aes-256-cbc\
    ,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a\
    es-128-gcm" lifetime=8h name=proposal-12345678.sn.mynetname.net \
    pfs-group=none
/ip pool
add name=dhcp ranges=10.3.50.91-10.3.50.99
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool-12345678.sn.mynetname.net ranges=10.0.88.2-10.0.88.254
/ip dhcp-server
add address-lists="" address-pool=dhcp disabled=no interface=bridge \
    lease-script="" lease-time=10m name=defconf use-radius=no
/ip ipsec mode-config
add address-pool=pool-12345678.sn.mynetname.net address-prefix-length=32 \
    name=modeconf-12345678.sn.mynetname.net split-dns="" split-include=\
    0.0.0.0/0 static-dns=10.0.88.1 system-dns=no
/ip smb users
set [ find default=yes ] disabled=yes name=guest read-only=yes
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
    stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority !bridge-port-trusted \
    !bridge-port-vid change-tcp-mss=yes !dns-server !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list !local-address \
    name=default on-down="" on-up="" only-one=default !outgoing-filter \
    !parent-queue !queue-type !rate-limit !remote-address !session-timeout \
    use-compression=default use-encryption=default use-ipv6=yes use-mpls=\
    default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default \
    !bridge-path-cost !bridge-port-priority !bridge-port-trusted \
    !bridge-port-vid change-tcp-mss=yes dns-server=10.3.50.11 !idle-timeout \
    !incoming-filter !insert-queue-before !interface-list local-address=\
    192.168.89.1 name=default-encryption on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit remote-address=vpn \
    !session-timeout use-compression=default use-encryption=yes use-ipv6=yes \
    use-mpls=default use-upnp=default !wins-server
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
    default-route-distance=1 dial-on-demand=no disabled=no interface=vlan-TIM \
    keepalive-timeout=10 max-mru=auto max-mtu=auto mrru=disabled name=\
    pppoe-out1 profile=default service-name="" use-peer-dns=yes user=\
    0521939281
/queue interface
set pppoe-out1 queue=no-queue
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
    pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
    pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set ether6 queue=only-hardware-queue
set ether7 queue=only-hardware-queue
set ether8 queue=only-hardware-queue
set ether9 queue=only-hardware-queue
set ether10 queue=only-hardware-queue
set sfp1 queue=only-hardware-queue
set wlan1 queue=wireless-default
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2 router-id=main version=2 vrf=main
/routing ospf area
add area-id=0.0.0.0 disabled=yes instance=default-v2 name=backbone-v2 type=\
    default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=\
    no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 name=remote remote=0.0.0.0 remote-log-format=default remote-port=514 \
    remote-protocol=udp src-address=0.0.0.0 syslog-facility=daemon \
    syslog-severity=auto syslog-time-format=bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api,romon,rest-api" skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled \
    mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" \
    require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set log-script-errors=yes sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no \
    auto-smb-user=guest default-mount-point-template="[slot]"
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=no interface=ether2 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=no interface=ether3 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=no interface=ether4 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=no interface=ether5 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=no interface=ether6 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=no interface=ether7 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=no interface=ether8 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=no interface=ether9 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=no interface=ether10 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none ingress-filtering=no interface=wlan1 internal-path-cost=10 \
    learn=auto multicast-router=temporary-query mvrp-applicant-state=\
    normal-participant mvrp-registrar-state=normal path-cost=10 \
    point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=\
    1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN discover-interval=30s lldp-mac-phy-config=no \
    lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled lldp-poe-power=\
    yes lldp-vlan-info=no mode=tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
    arp-timeout=30s icmp-errors-use-inbound-interface-address=no \
    icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    ipv4-multipath-hash-policy=l3 max-neighbor-entries=8192 rp-filter=no \
    secure-redirects=yes send-redirects=yes tcp-syncookies=no tcp-timestamps=\
    random-offset
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=\
    yes-if-forwarding-disabled allow-fast-path=yes disable-ipv6=yes \
    disable-link-local-address=no forward=yes max-neighbor-entries=8192 \
    min-neighbor-entries=512 multipath-hash-policy=l3 \
    soft-max-neighbor-entries=1024 stale-neighbor-detect-interval=30 \
    stale-neighbor-timeout=60
/interface detect-internet
set detect-interface-list=none internet-interface-list=none \
    lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no \
    authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=yes keepalive-timeout=30 \
    l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=\
    unlimited mrru=disabled one-session-per-host=no use-ipsec=yes
/interface list member
add comment=defconf disabled=no interface=bridge list=LAN
add comment=defconf disabled=no interface=ether1 list=WAN
add disabled=no interface=pppoe-out1 list=WAN
add disabled=yes interface=*10 list=WAN
/interface lte settings
set esim-channel=auto firmware-path=firmware mode=auto
/interface ovpn-server server
add auth=sha1,md5 certificate=*0 cipher=blowfish128,aes128-cbc \
    default-profile=default disabled=yes enable-tun-ipv6=no ipv6-prefix-len=\
    64 keepalive-timeout=60 mac-address=FE:FD:41:00:B7:34 max-mtu=1500 mode=\
    ip name=ovpn-server1 netmask=24 port=1194 protocol=tcp push-routes="" \
    redirect-gateway=disabled reneg-sec=3600 require-client-certificate=no \
    tls-version=any tun-server-ipv6=:: user-auth-method=pap vrf=main
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=\
    aes256-sha,aes256-gcm-sha384 default-profile=default-encryption enabled=\
    yes keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no \
    port=443 tls-version=any verify-client-certificate=no
/interface wifi cap
set enabled=no
/interface wifi capsman
set enabled=no
/interface wireguard peers
add allowed-address=10.3.53.0/24 client-endpoint="" disabled=no \
    endpoint-address="" endpoint-port=0 interface=wireguard1 name=peer5 \
    preshared-key="" private-key=\
    "PIPPaufJHa1fBNv+x5heP9Jtyk18+VADKp4tV2Z8S3E=" public-key=\
    "PlUtXH1qSGF8tgP7k3sxW6sKoQO1+IcGxbs30vd2QkA="
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
    caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
    interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip address
add address=10.3.50.11/24 comment=defconf disabled=no interface=bridge \
    network=10.3.50.0
add address=10.3.53.1/24 disabled=no interface=wireguard1 network=10.3.53.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 \
    default-route-tables=default dhcp-options=hostname,clientid disabled=no \
    interface=ether1 use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=\
    5m
/ip dhcp-server lease
add address=10.3.50.52 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=B0:EC:71:27:8A:0E \
    !parent-queue !queue-type
add address=10.3.50.53 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=C8:AA:21:78:D8:F8 \
    !parent-queue !queue-type
add address=10.3.50.54 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=00:16:EA:65:2B:72 \
    !parent-queue !queue-type
add address=10.3.50.55 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=90:4C:E5:5D:A3:EB \
    !parent-queue !queue-type
add address=10.3.50.4 address-lists="" !allow-dual-stack-queue dhcp-option="" \
    disabled=no !insert-queue-before mac-address=00:19:DB:A6:2D:63 \
    !parent-queue !queue-type
add address=10.3.50.56 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=60:01:94:01:6C:5A \
    !parent-queue !queue-type
add address=10.3.50.61 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=A4:50:46:06:7F:73 \
    !parent-queue !queue-type
add address=10.3.50.111 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=80:7D:3A:3E:59:87 \
    !parent-queue !queue-type
add address=10.3.50.100 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=30:AE:A4:F0:0D:1C \
    !parent-queue !queue-type
add address=10.3.50.154 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=00:1D:72:3E:EA:04 \
    !parent-queue !queue-type
add address=10.3.50.201 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=3C:71:BF:48:10:80 \
    !parent-queue !queue-type
add address=10.3.50.115 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=84:0D:8E:B1:19:85 \
    !parent-queue !queue-type
add address=10.3.50.112 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=CC:50:E3:3C:02:75 \
    !parent-queue !queue-type
add address=10.3.50.210 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=E8:DB:84:C5:39:5C \
    !parent-queue !queue-type
add address=10.3.50.110 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=18:FE:34:9E:F3:0A \
    !parent-queue !queue-type
add address=10.3.50.20 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=00:19:AF:83:50:51 \
    !parent-queue !queue-type server=*1
add address=10.3.50.117 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=84:F3:EB:07:09:EA \
    !parent-queue !queue-type server=defconf
add address=10.3.50.116 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=A8:48:FA:DC:80:52 \
    !parent-queue !queue-type server=defconf
add address=10.3.50.118 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=4C:75:25:35:DA:B9 \
    !parent-queue !queue-type server=defconf
add address=10.3.50.119 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=E8:9F:6D:92:C1:73 \
    !parent-queue !queue-type server=defconf
add address=10.3.50.122 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=B8:D6:1A:68:E8:FC \
    !parent-queue !queue-type
add address=10.3.50.104 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=40:F5:20:48:89:A8 \
    !parent-queue !queue-type server=defconf
add address=10.3.50.101 address-lists="" !allow-dual-stack-queue client-id=\
    1:40:f5:20:48:87:ec dhcp-option="" disabled=no !insert-queue-before \
    mac-address=40:F5:20:48:87:EC !parent-queue !queue-type server=defconf
add address=10.3.50.103 address-lists="" !allow-dual-stack-queue client-id=\
    1:c0:49:ef:dd:2:80 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=C0:49:EF:DD:02:80 !parent-queue !queue-type server=defconf
add address=10.3.50.106 address-lists="" !allow-dual-stack-queue client-id=\
    1:c0:49:ef:dd:2:b4 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=C0:49:EF:DD:02:B4 !parent-queue !queue-type server=defconf
add address=10.3.50.105 address-lists="" !allow-dual-stack-queue client-id=\
    1:c0:49:ef:dd:2:e0 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=C0:49:EF:DD:02:E0 !parent-queue !queue-type server=defconf
add address=10.3.50.62 address-lists="" !allow-dual-stack-queue client-id=\
    1:78:d8:40:83:91:be dhcp-option="" disabled=no !insert-queue-before \
    mac-address=78:D8:40:83:91:BE !parent-queue !queue-type server=defconf
add address=10.3.50.63 address-lists="" !allow-dual-stack-queue client-id=\
    1:24:f0:d3:97:1:25 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=24:F0:D3:97:01:25 !parent-queue !queue-type server=defconf
add address=10.3.50.120 address-lists="" !allow-dual-stack-queue client-id=\
    1:e0:51:d8:eb:1f:b6 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=E0:51:D8:EB:1F:B6 !parent-queue !queue-type server=defconf
add address=10.3.50.121 address-lists="" !allow-dual-stack-queue client-id=\
    1:70:4:1d:56:30:2c dhcp-option="" disabled=no !insert-queue-before \
    mac-address=70:04:1D:56:30:2C !parent-queue !queue-type server=defconf
add address=10.3.50.15 address-lists="" !allow-dual-stack-queue client-id=\
    1:24:5e:be:24:ba:b7 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=24:5E:BE:24:BA:B7 !parent-queue !queue-type server=defconf
add address=10.3.50.16 address-lists="" !allow-dual-stack-queue client-id=\
    1:24:5e:be:24:ba:b8 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=24:5E:BE:24:BA:B8 !parent-queue !queue-type server=defconf
add address=10.3.50.81 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=A8:41:F4:B2:B5:C9 \
    !parent-queue !queue-type server=defconf
add address=10.3.50.131 address-lists="" !allow-dual-stack-queue client-id=\
    1:60:1:94:7a:49:91 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=60:01:94:7A:49:91 !parent-queue !queue-type server=defconf
add address=10.3.50.133 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=80:7D:3A:3E:5A:1D \
    !parent-queue !queue-type server=defconf
add address=10.3.50.123 address-lists="" !allow-dual-stack-queue client-id=\
    1:94:54:c5:aa:2b:38 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=94:54:C5:AA:2B:38 !parent-queue !queue-type server=defconf
add address=10.3.50.124 address-lists="" !allow-dual-stack-queue client-id=\
    1:c8:c9:a3:64:b8:dc dhcp-option="" disabled=no !insert-queue-before \
    mac-address=C8:C9:A3:64:B8:DC !parent-queue !queue-type server=defconf
add address=10.3.50.3 address-lists="" !allow-dual-stack-queue client-id=\
    1:e0:cb:4e:f7:d:29 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=E0:CB:4E:F7:0D:29 !parent-queue !queue-type server=defconf
add address=10.3.50.71 address-lists="" !allow-dual-stack-queue client-id=\
    1:f4:ce:46:10:c7:35 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=F4:CE:46:10:C7:35 !parent-queue !queue-type server=defconf
add address=10.3.50.72 address-lists="" !allow-dual-stack-queue client-id=\
    1:b6:86:8d:77:31:46 dhcp-option="" disabled=no !insert-queue-before \
    mac-address=B6:86:8D:77:31:46 !parent-queue !queue-type server=defconf
add address=10.3.50.132 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=60:01:94:7A:49:8F \
    !parent-queue !queue-type server=defconf
add address=10.3.50.82 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=A8:41:F4:18:34:CF \
    !parent-queue !queue-type server=defconf
add address=10.3.50.83 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=20:0B:74:56:0C:73 \
    !parent-queue !queue-type server=defconf
add address=10.3.50.17 address-lists="" !allow-dual-stack-queue dhcp-option=\
    "" disabled=no !insert-queue-before mac-address=00:13:97:B5:0E:FD \
    !parent-queue !queue-type server=defconf
/ip dhcp-server network
add address=10.3.50.0/24 caps-manager="" comment=defconf dhcp-option="" \
    dns-server=10.3.50.11 gateway=10.3.50.11 netmask=24 !next-server \
    ntp-server="" wins-server=""
/ip dns
set address-list-extra-time=0s allow-remote-requests=yes cache-max-ttl=1w \
    cache-size=20480KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 \
    max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
    mdns-repeat-ifaces="" query-server-timeout=2s query-total-timeout=10s \
    servers=8.8.8.8 use-doh-server="" verify-doh-cert=no vrf=main
/ip dns adlist
add disabled=no ssl-verify=no url=https://adaway.org/hosts.txt
add disabled=no ssl-verify=no url=\
    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns static
add address=10.3.50.11 disabled=no name=router.lan ttl=1d type=A
add address=10.3.50.4 disabled=no name=Acer.lan ttl=1d type=A
add address=10.3.50.5 disabled=no name=Asus.lan ttl=1d type=A
add address=10.3.50.52 disabled=no name=Junior.lan ttl=1d type=A
add address=10.3.50.53 disabled=no name=Motorola.lan ttl=1d type=A
add address=10.3.50.54 disabled=no name=Aacer-wan.lan ttl=1d type=A
add address=10.3.50.55 disabled=no name=pbell.lan ttl=1d type=A
add address=10.3.50.56 disabled=no name=newphone.lan ttl=1d type=A
add address=10.3.50.71 disabled=no name=small-eth.lan ttl=1d type=A
add address=10.3.50.61 disabled=no name=xiaomi.lan ttl=1d type=A
add address=10.3.50.101 disabled=no name=tappa1.lan ttl=1d type=A
add address=10.3.50.103 disabled=no name=tappa3.lan ttl=1d type=A
add address=10.3.50.104 disabled=no name=tappa4.lan ttl=1d type=A
add address=10.3.50.105 disabled=no name=tappa5.lan ttl=1d type=A
add address=10.3.50.106 disabled=no name=tappa6.lan ttl=1d type=A
add address=10.3.50.110 disabled=no name=thermo.lan ttl=1d type=A
add address=10.3.50.111 disabled=no name=baker.lan ttl=1d type=A
add address=10.3.50.12 disabled=no name=tplink.lan ttl=1d type=A
add address=10.3.50.112 disabled=no name=clock.lan ttl=1d type=A
add address=10.3.50.2 disabled=no name=asus2.lan ttl=1d type=A
add address=10.3.50.113 disabled=no name=captest.lan ttl=1d type=A
add address=10.3.50.73 disabled=no name=gtmedia.lan ttl=1d type=A
add address=10.3.50.6 disabled=no name=DOS-VM.lan ttl=1d type=A
add address=10.3.50.100 disabled=no name=master.lan ttl=1d type=A
add address=10.3.50.13 disabled=no name=Dlink.lan ttl=1d type=A
add address=10.3.50.102 disabled=no name=tappa2.lan ttl=1d type=A
add address=10.3.50.154 disabled=no name=Aacer-lan.lan ttl=1d type=A
add address=10.3.50.114 disabled=no name=lab32.lan ttl=1d type=A
add address=10.3.50.115 disabled=no name=GPSClock.lan ttl=1d type=A
add address=10.3.50.15 disabled=no name=qnap1.lan ttl=1d type=A
add address=10.3.50.16 disabled=no name=qnap2.lan ttl=1d type=A
add address=10.3.50.14 disabled=no name=tik2.lan ttl=1d type=A
add address=10.3.50.116 disabled=no name=powermeter.lan ttl=1d type=A
add address=10.3.50.117 disabled=no name=presa1.lan ttl=1d type=A
add address=10.3.50.210 disabled=no name=lab12.lan ttl=1d type=A
add address=10.3.50.7 disabled=no name=rigol.lan ttl=1d type=A
add address=10.3.50.207 disabled=no name=rigolEspEth.lan ttl=1d type=A
add address=10.3.50.118 disabled=no name=rigolEspWiFi.lan ttl=1d type=A
add address=10.3.50.119 disabled=no name=KitchenTimer.lan ttl=1d type=A
add address=10.3.50.120 disabled=no name=webcam1.lan ttl=1d type=A
add address=10.3.50.121 disabled=no name=camehelper.lan ttl=1d type=A
add address=10.3.50.122 disabled=no name=webcam2.lan ttl=1d type=A
add address=10.3.50.62 disabled=no name=redmi.lan ttl=1d type=A
add address=10.3.50.63 disabled=no name=tab.lan ttl=1d type=A
add address=10.3.50.81 disabled=no name=fuji1.lan ttl=1d type=A
add address=10.3.50.83 disabled=no name=fuji3.lan ttl=1d type=A
add address=10.3.50.82 disabled=no name=fuji2.lan ttl=1d type=A
add address=10.3.50.123 disabled=no name=3D_Cam.lan ttl=1d type=A
add address=10.3.50.124 disabled=no name=frigofan.lan ttl=1d type=A
add address=10.3.50.3 disabled=no name=bill.lan ttl=1d type=A
add address=10.3.50.72 disabled=no name=small-wifi.lan ttl=1d type=A
add address=10.3.50.131 disabled=no name=fuji1c.lan ttl=1d type=A
add address=10.3.50.132 disabled=no name=fuji2c.lan ttl=1d type=A
add address=10.3.50.133 disabled=no name=fuji3c.lan ttl=1d type=A
add address=10.3.50.17 disabled=no name=sat.lan ttl=1d type=A
/ip firewall address-list
add address=139.59.181.152 disabled=no dynamic=no list=Invaders2
add address=71.6.199.23 disabled=no dynamic=no list=Invaders2
add address=152.32.149.118 disabled=no dynamic=no list=Invaders2
add address=167.94.138.138 disabled=no dynamic=no list=Invaders2
add address=167.94.138.125 disabled=no dynamic=no list=Invaders2
add address=154.209.125.190 disabled=no dynamic=no list=Invaders2
add address=183.136.225.29 disabled=no dynamic=no list=Invaders2
add address=146.88.241.120 disabled=no dynamic=no list=Invaders2
add address=167.94.138.129 disabled=no dynamic=no list=Invaders2
add address=167.94.138.52 disabled=no dynamic=no list=Invaders2
/ip firewall filter
add action=drop chain=input comment="Invaders2 list" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="rsc: INVADERS2" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !src-address \
    src-address-list=Invaders2 !src-address-type !src-mac-address !src-port \
    !tcp-flags !tcp-mss !time !tls-host !ttl
add action=drop chain=input comment="**** BLOCK PPTP ****" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=1723 \
    !fragment !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix=\
    "rsc **** PPTP **** dropped" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=tcp !psd !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=drop chain=input comment="**** BLOCK L2TP ***" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=1701 \
    !fragment !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix=\
    "rsc **** L2TP ****" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=udp !psd !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=drop chain=forward comment="**** BABA SPY ****" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    dst-address=47.90.2.43 !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="*** BABA SPY***" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Open for DNS From outside the LAN" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="rsc DNS request" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier port=53 !priority protocol=udp \
    !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input comment="allow IPsec NAT" disabled=no dst-port=\
    4500 protocol=udp
add action=accept chain=input comment="allow l2tp" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=yes !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=1701 \
    !fragment !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=udp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input comment="allow sstp" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=yes !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=443 \
    !fragment !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=drop chain=input comment="*B* defconf: drop invalid" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=invalid \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="rsc DROP *B*" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !realm !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    dst-address=127.0.0.1 !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=input comment="*** WireGuard ***" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=\
    13231 !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=yes log-prefix=\
    "rsc WIREGUARD VPN UDP" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=udp !psd !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input comment="*** WireGuard  ***" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=\
    13231 !fragment !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix=\
    "rsc WIREGUARD VPN TCP" !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=tcp !psd !random \
    !routing-mark !src-address !src-address-list !src-address-type \
    !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=drop chain=input comment=\
    "*C* defconf: drop all not coming from LAN-Blocca tutto il Reverse NAT" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=!LAN \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="rsc DROP *C*" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd \
    !random !realm !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="*D* defconf: drop invalid" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=invalid \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
    !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
    !layer7-protocol !limit log=no log-prefix="rsc DROP *D*" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !realm !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
add action=drop chain=forward comment=\
    "*E* defconf: drop all from WAN not DSTNATed" !connection-bytes \
    !connection-limit !connection-mark connection-nat-state=!dstnat \
    !connection-rate connection-state=new !connection-type !content disabled=\
    no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="rsc DROP *E*" \
    !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier \
    !port !priority !protocol !psd !random !realm !routing-mark !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN !to-addresses !to-ports
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=no \
    src-address=192.168.89.0/24 !to-addresses !to-ports
add action=dst-nat chain=dstnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content disabled=yes \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    dst-port=1988 !fragment !hotspot !icmp-options !in-bridge-port \
    !in-bridge-port-list in-interface=pppoe-out1 !in-interface-list \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=yes log-prefix="NAT TCP:1988" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=tcp !psd \
    !random !realm !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
    10.3.50.2 !to-ports !ttl
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
    disabled=no name=default-trial
/ip ipsec identity
add auth-method=digital-signature certificate=12345678.sn.mynetname.net \
    disabled=no generate-policy=port-strict match-by=certificate mode-config=\
    modeconf-12345678.sn.mynetname.net peer=peer-80.181.227.212 \
    policy-template-group=group-12345678.sn.mynetname.net \
    remote-certificate=VPN-CASA@12345678.sn.mynetname.net remote-id=\
    user-fqdn:VPN-CASA@12345678.sn.mynetname.net
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
    all src-address=::/0 template=yes
add disabled=no dst-address=10.0.88.0/24 group=\
    group-12345678.sn.mynetname.net proposal=\
    proposal-12345678.sn.mynetname.net protocol=all src-address=0.0.0.0/0 \
    template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip service
set telnet address="" disabled=no max-sessions=20 port=23 vrf=main
set ftp address="" disabled=yes max-sessions=20 port=21 vrf=main
set www address="" disabled=no max-sessions=20 port=80 vrf=main
set ssh address="" disabled=yes max-sessions=20 port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes max-sessions=20 port=443 \
    tls-version=any vrf=main
set api address="" disabled=no max-sessions=20 port=8728 vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api-ssl address="" certificate=none disabled=yes max-sessions=20 port=\
    8729 tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=yes \
    invalid-users="" name=pub read-only=no require-encryption=no valid-users=\
    ""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=\
    200 port=1080 version=4 vrf=main
/ip ssh
set always-allow-password-login=no ciphers=auto forwarding-enabled=no \
    host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=32k enabled=no \
    inactive-flow-timeout=15s interfaces=all packet-sampling=no \
    sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
    yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes \
    out-interface=yes packets=yes protocol=yes src-address=yes \
    src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes \
    tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes \
    ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes \
    disabled=no hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no \
    ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m ra-preference=medium \
    reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/lcd
set backlight-timeout=30m color-scheme=light default-screen=log enabled=yes \
    flip-screen=no read-only-mode=yes time-interval=min touch-screen=enabled
/lcd pin
set hide-pin-number=no pin-number=1234
/lcd interface
set sfp1 disabled=no max-speed=auto timeout=10s
set ether1 disabled=no max-speed=auto timeout=10s
set ether2 disabled=no max-speed=auto timeout=10s
set ether3 disabled=no max-speed=auto timeout=10s
set ether4 disabled=no max-speed=auto timeout=10s
set ether5 disabled=no max-speed=auto timeout=10s
set ether6 disabled=no max-speed=auto timeout=10s
set ether7 disabled=no max-speed=auto timeout=10s
set ether8 disabled=no max-speed=auto timeout=10s
set ether9 disabled=no max-speed=auto timeout=10s
set ether10 disabled=no max-speed=auto timeout=10s
set wlan1 disabled=no max-speed=auto timeout=10s
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10,wlan1"
/lcd screen
set 0 disabled=no timeout=10s
set 1 disabled=no timeout=10s
set 2 disabled=no timeout=10s
set 3 disabled=no timeout=10s
set 4 disabled=no timeout=10s
set 5 disabled=no timeout=10s
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s \
    use-circuit-id-in-nas-port-id=no use-radius=no
/ppp secret
add caller-id="" disabled=no ipv6-routes="" limit-bytes-in=0 limit-bytes-out=\
    0 !local-address name=Mazzieri3Parma profile=default !remote-address \
    !remote-ipv6-prefix routes="" service=any
/radius incoming
set accept=no port=3799 vrf=main
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: \
    trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Rome
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start=\
    "1970-01-01 00:00:00" time-zone=+00:00
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
/system identity
set name=MikroTik
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" regex="" topics=info
set 1 action=memory disabled=no prefix="" regex="" topics=error
set 2 action=memory disabled=no prefix="" regex="" topics=warning
set 3 action=echo disabled=no prefix="" regex="" topics=critical
add action=memory disabled=no prefix="" regex="" topics=wireguard
add action=memory disabled=no prefix="" regex="" topics=wireguard
add action=memory disabled=no prefix="" regex="" topics=wireguard,debug
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no \
    local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=\
    main
/system package local-update mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
/system resource usb settings
set authorization=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=no baud-rate=115200 boot-delay=2s boot-device=\
    nand-if-fail-then-ethernet boot-protocol=bootp enable-jumper-reset=yes \
    enter-setup-on=any-key force-backup-booter=no protected-routerboot=\
    disabled reformat-hold-button=20s reformat-hold-button-max=10m \
    silent-boot=no
/system routerboard usb
set usb-mode=automatic
/system script
add dont-require-permissions=no name=ClearLog owner=Rapisarda81 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system logging action set memory memory-lines=1\r\
    \n:delay 1s\r\
    \n/system logging action set memory memory-lines=1000\r\
    \n"
add dont-require-permissions=no name=log-on.rsc owner=Rapisarda81 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    put \"Replacing log=no with log=yes in all the firewall filters with a mess\
    age to log\"\r\
    \n:local ruleList [/ip firewall filter find log=no]\r\
    \n:foreach ruleId in=\$ruleList do={\r\
    \n  /ip firewall filter set \$ruleId log=yes\r\
    \n}\r\
    \n:put \"**** Firewall rules updated.log=yes ****\"\r\
    \n\r\
    \n\r\
    \n\r\
    \n"
add dont-require-permissions=no name=log-off.rsc owner=Rapisarda81 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    put \"Replacing log=yes with log=no in all the firewall filters with a mes\
    sage to log\"\r\
    \n:local ruleList [/ip firewall filter find log=yes]\r\
    \n:foreach ruleId in=\$ruleList do={\r\
    \n  /ip firewall filter set \$ruleId log=no\r\
    \n}\r\
    \n:put \"**** Firewall rules updated.log=no ****\"\r\
    \n\r\
    \n\r\
    \n\r\
    \n"
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m \
    ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 allowed-addresses4="" allowed-addresses6="" \
    authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" channel=0 polling=no port=none receive-enabled=no \
    sms-storage=sim
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
    filter-dst-ip-address="" filter-dst-ipv6-address="" \
    filter-dst-mac-address="" filter-dst-port="" filter-interface=wlan1 \
    filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \
    filter-mac-address=E0:51:D8:EB:1F:B6/FF:FF:FF:FF:FF:FF \
    filter-mac-protocol="" filter-operator-between-entries=or filter-port="" \
    filter-size="" filter-src-ip-address="" filter-src-ipv6-address="" \
    filter-src-mac-address="" filter-src-port="" filter-stream=no \
    filter-vlan="" memory-limit=100KiB memory-scroll=yes only-headers=no \
    quick-rows=20 quick-show-frame=no streaming-enabled=no streaming-server=\
    0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=yes \
    stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0
 
anav
Forum Guru
Posts: 23722
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard no longer works

Thu May 08, 2025 9:32 pm

Not sure what command you used LOL but it wasn't what I gave you, which doesn't bode well for future advice not being followed ;-PP

I suspect you used something like
/export verbose file=expoanythingyouwish

Please post without the verbose........
 
resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Re: Wireguard no longer works

Thu May 08, 2025 10:13 pm

Sorry, as you can see I am posting in Beginner Basics!
I hope this is exactly what you requested!
# 2025-05-08 21:02:06 by RouterOS 7.18.2
# software id = LQJ4-4CGL
#
# model = RB2011UiAS-2HnD
# serial number = ZZZZZZZZZZZZ
/interface bridge
add admin-mac=6C:3B:6B:72:AB:4B auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp1 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
    aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan-TIM vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-TIM name=pppoe-out1 \
    use-peer-dns=yes user=0521939281
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1d mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec policy group
add name=group-121212121212.sn.mynetname.net
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048,modp1536,modp1024 dpd-interval=2m dpd-maximum-failures=\
    5 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=\
    profile-121212121212.sn.mynetname.net
/ip ipsec peer
add exchange-mode=ike2 local-address=80.181.227.212 name=peer-80.181.227.212 \
    passive=yes profile=profile-121212121212.sn.mynetname.net
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    lifetime=8h name=proposal-121212121212.sn.mynetname.net pfs-group=none
/ip pool
add name=dhcp ranges=10.3.50.91-10.3.50.99
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool-121212121212.sn.mynetname.net ranges=10.0.88.2-10.0.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip ipsec mode-config
add address-pool=pool-121212121212.sn.mynetname.net address-prefix-length=32 \
    name=modeconf-121212121212.sn.mynetname.net split-include=0.0.0.0/0 \
    static-dns=10.0.88.1 system-dns=no
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=10.3.50.11 local-address=192.168.89.1 \
    remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add disabled=yes interface=*10 list=WAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:FD:41:00:B7:34 name=ovpn-server1
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=10.3.53.0/24 interface=wireguard1 name=peer5 private-key=\
    "12345678+x5heP9Jtyk18+VADKp4tV2Z8S3E=" public-key=\
    "987654321+IcGxbs30vd2QkA="
/ip address
add address=10.3.50.11/24 comment=defconf interface=bridge network=10.3.50.0
add address=10.3.53.1/24 interface=wireguard1 network=10.3.53.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.3.50.52 mac-address=B0:EC:71:27:8A:0E
add address=10.3.50.53 mac-address=C8:AA:21:78:D8:F8
add address=10.3.50.54 mac-address=00:16:EA:65:2B:72
add address=10.3.50.55 mac-address=90:4C:E5:5D:A3:EB
add address=10.3.50.4 mac-address=00:19:DB:A6:2D:63
add address=10.3.50.56 mac-address=60:01:94:01:6C:5A
add address=10.3.50.61 mac-address=A4:50:46:06:7F:73
add address=10.3.50.111 mac-address=80:7D:3A:3E:59:87
add address=10.3.50.100 mac-address=30:AE:A4:F0:0D:1C
add address=10.3.50.154 mac-address=00:1D:72:3E:EA:04
add address=10.3.50.201 mac-address=3C:71:BF:48:10:80
add address=10.3.50.115 mac-address=84:0D:8E:B1:19:85
add address=10.3.50.112 mac-address=CC:50:E3:3C:02:75
add address=10.3.50.210 mac-address=E8:DB:84:C5:39:5C
add address=10.3.50.110 mac-address=18:FE:34:9E:F3:0A
add address=10.3.50.20 mac-address=00:19:AF:83:50:51 server=*1
add address=10.3.50.117 mac-address=84:F3:EB:07:09:EA server=defconf
add address=10.3.50.116 mac-address=A8:48:FA:DC:80:52 server=defconf
add address=10.3.50.118 mac-address=4C:75:25:35:DA:B9 server=defconf
add address=10.3.50.119 mac-address=E8:9F:6D:92:C1:73 server=defconf
add address=10.3.50.122 mac-address=B8:D6:1A:68:E8:FC
add address=10.3.50.104 mac-address=40:F5:20:48:89:A8 server=defconf
add address=10.3.50.101 client-id=1:40:f5:20:48:87:ec mac-address=\
    40:F5:20:48:87:EC server=defconf
add address=10.3.50.103 client-id=1:c0:49:ef:dd:2:80 mac-address=\
    C0:49:EF:DD:02:80 server=defconf
add address=10.3.50.106 client-id=1:c0:49:ef:dd:2:b4 mac-address=\
    C0:49:EF:DD:02:B4 server=defconf
add address=10.3.50.105 client-id=1:c0:49:ef:dd:2:e0 mac-address=\
    C0:49:EF:DD:02:E0 server=defconf
add address=10.3.50.62 client-id=1:78:d8:40:83:91:be mac-address=\
    78:D8:40:83:91:BE server=defconf
add address=10.3.50.63 client-id=1:24:f0:d3:97:1:25 mac-address=\
    24:F0:D3:97:01:25 server=defconf
add address=10.3.50.120 client-id=1:e0:51:d8:eb:1f:b6 mac-address=\
    E0:51:D8:EB:1F:B6 server=defconf
add address=10.3.50.121 client-id=1:70:4:1d:56:30:2c mac-address=\
    70:04:1D:56:30:2C server=defconf
add address=10.3.50.15 client-id=1:24:5e:be:24:ba:b7 mac-address=\
    24:5E:BE:24:BA:B7 server=defconf
add address=10.3.50.16 client-id=1:24:5e:be:24:ba:b8 mac-address=\
    24:5E:BE:24:BA:B8 server=defconf
add address=10.3.50.81 mac-address=A8:41:F4:B2:B5:C9 server=defconf
add address=10.3.50.131 client-id=1:60:1:94:7a:49:91 mac-address=\
    60:01:94:7A:49:91 server=defconf
add address=10.3.50.133 mac-address=80:7D:3A:3E:5A:1D server=defconf
add address=10.3.50.123 client-id=1:94:54:c5:aa:2b:38 mac-address=\
    94:54:C5:AA:2B:38 server=defconf
add address=10.3.50.124 client-id=1:c8:c9:a3:64:b8:dc mac-address=\
    C8:C9:A3:64:B8:DC server=defconf
add address=10.3.50.3 client-id=1:e0:cb:4e:f7:d:29 mac-address=\
    E0:CB:4E:F7:0D:29 server=defconf
add address=10.3.50.71 client-id=1:f4:ce:46:10:c7:35 mac-address=\
    F4:CE:46:10:C7:35 server=defconf
add address=10.3.50.72 client-id=1:b6:86:8d:77:31:46 mac-address=\
    B6:86:8D:77:31:46 server=defconf
add address=10.3.50.132 mac-address=60:01:94:7A:49:8F server=defconf
add address=10.3.50.82 mac-address=A8:41:F4:18:34:CF server=defconf
add address=10.3.50.83 mac-address=20:0B:74:56:0C:73 server=defconf
add address=10.3.50.17 mac-address=00:13:97:B5:0E:FD server=defconf
/ip dhcp-server network
add address=10.3.50.0/24 comment=defconf dns-server=10.3.50.11 gateway=\
    10.3.50.11 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=20480KiB servers=8.8.8.8
/ip dns adlist
add ssl-verify=no url=https://adaway.org/hosts.txt
add ssl-verify=no url=\
    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns static
add address=10.3.50.11 name=router.lan type=A
add address=10.3.50.4 name=Acer.lan type=A
add address=10.3.50.5 name=Asus.lan type=A
add address=10.3.50.52 name=Junior.lan type=A
add address=10.3.50.53 name=Motorola.lan type=A
add address=10.3.50.54 name=Aacer-wan.lan type=A
add address=10.3.50.55 name=pbell.lan type=A
add address=10.3.50.56 name=newphone.lan type=A
add address=10.3.50.71 name=small-eth.lan type=A
add address=10.3.50.61 name=xiaomi.lan type=A
add address=10.3.50.101 name=tappa1.lan type=A
add address=10.3.50.103 name=tappa3.lan type=A
add address=10.3.50.104 name=tappa4.lan type=A
add address=10.3.50.105 name=tappa5.lan type=A
add address=10.3.50.106 name=tappa6.lan type=A
add address=10.3.50.110 name=thermo.lan type=A
add address=10.3.50.111 name=baker.lan type=A
add address=10.3.50.12 name=tplink.lan type=A
add address=10.3.50.112 name=clock.lan type=A
add address=10.3.50.2 name=asus2.lan type=A
add address=10.3.50.113 name=captest.lan type=A
add address=10.3.50.73 name=gtmedia.lan type=A
add address=10.3.50.6 name=DOS-VM.lan type=A
add address=10.3.50.100 name=master.lan type=A
add address=10.3.50.13 name=Dlink.lan type=A
add address=10.3.50.102 name=tappa2.lan type=A
add address=10.3.50.154 name=Aacer-lan.lan type=A
add address=10.3.50.114 name=lab32.lan type=A
add address=10.3.50.115 name=GPSClock.lan type=A
add address=10.3.50.15 name=qnap1.lan type=A
add address=10.3.50.16 name=qnap2.lan type=A
add address=10.3.50.14 name=tik2.lan type=A
add address=10.3.50.116 name=powermeter.lan type=A
add address=10.3.50.117 name=presa1.lan type=A
add address=10.3.50.210 name=lab12.lan type=A
add address=10.3.50.7 name=rigol.lan type=A
add address=10.3.50.207 name=rigolEspEth.lan type=A
add address=10.3.50.118 name=rigolEspWiFi.lan type=A
add address=10.3.50.119 name=KitchenTimer.lan type=A
add address=10.3.50.120 name=webcam1.lan type=A
add address=10.3.50.121 name=camehelper.lan type=A
add address=10.3.50.122 name=webcam2.lan type=A
add address=10.3.50.62 name=redmi.lan type=A
add address=10.3.50.63 name=tab.lan type=A
add address=10.3.50.81 name=fuji1.lan type=A
add address=10.3.50.83 name=fuji3.lan type=A
add address=10.3.50.82 name=fuji2.lan type=A
add address=10.3.50.123 name=3D_Cam.lan type=A
add address=10.3.50.124 name=frigofan.lan type=A
add address=10.3.50.3 name=bill.lan type=A
add address=10.3.50.72 name=small-wifi.lan type=A
add address=10.3.50.131 name=fuji1c.lan type=A
add address=10.3.50.132 name=fuji2c.lan type=A
add address=10.3.50.133 name=fuji3c.lan type=A
add address=10.3.50.17 name=sat.lan type=A
/ip firewall address-list
add address=139.59.181.152 list=Invaders2
add address=71.6.199.23 list=Invaders2
add address=152.32.149.118 list=Invaders2
add address=167.94.138.138 list=Invaders2
add address=167.94.138.125 list=Invaders2
add address=154.209.125.190 list=Invaders2
add address=183.136.225.29 list=Invaders2
add address=146.88.241.120 list=Invaders2
add address=167.94.138.129 list=Invaders2
add address=167.94.138.52 list=Invaders2
/ip firewall filter
add action=drop chain=input comment="Invaders2 list" log-prefix=\
    "rsc: INVADERS2" src-address-list=Invaders2
add action=drop chain=input comment="**** BLOCK PPTP ****" dst-port=1723 \
    log-prefix="rsc **** PPTP **** dropped" protocol=tcp
add action=drop chain=input comment="**** BLOCK L2TP ***" dst-port=1701 \
    log-prefix="rsc **** L2TP ****" protocol=udp
add action=drop chain=forward comment="**** BABA SPY ****" dst-address=\
    47.90.2.43 log-prefix="*** BABA SPY***"
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Open for DNS From outside the LAN" \
    log-prefix="rsc DNS request" port=53 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="*B* defconf: drop invalid" \
    connection-state=invalid log-prefix="rsc DROP *B*"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="*** WireGuard ***" dst-port=13231 log=\
    yes log-prefix="rsc WIREGUARD VPN UDP" protocol=udp
add action=accept chain=input comment="*** WireGuard  ***" dst-port=13231 \
    log-prefix="rsc WIREGUARD VPN TCP" protocol=tcp
add action=drop chain=input comment=\
    "*C* defconf: drop all not coming from LAN-Blocca tutto il Reverse NAT" \
    in-interface-list=!LAN log-prefix="rsc DROP *C*"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="*D* defconf: drop invalid" \
    connection-state=invalid log-prefix="rsc DROP *D*"
add action=drop chain=forward comment=\
    "*E* defconf: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN log-prefix=\
    "rsc DROP *E*"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=1988 in-interface=\
    pppoe-out1 log=yes log-prefix="NAT TCP:1988" protocol=tcp to-addresses=\
    10.3.50.2
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec identity
add auth-method=digital-signature certificate=121212121212.sn.mynetname.net \
    generate-policy=port-strict match-by=certificate mode-config=\
    modeconf-121212121212.sn.mynetname.net peer=peer-80.181.227.212 \
    policy-template-group=group-121212121212.sn.mynetname.net \
    remote-certificate=VPN-CASA@121212121212.sn.mynetname.net remote-id=\
    user-fqdn:VPN-CASA@121212121212.sn.mynetname.net
/ip ipsec policy
add dst-address=10.0.88.0/24 group=group-121212121212.sn.mynetname.net \
    proposal=proposal-121212121212.sn.mynetname.net src-address=0.0.0.0/0 \
    template=yes
/ip service
set ftp disabled=yes
set ssh disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/lcd
set color-scheme=light default-screen=log read-only-mode=yes
/ppp secret
add name=Mazzieri3Parma
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system logging
add topics=wireguard
add topics=wireguard
add topics=wireguard,debug
/system note
set show-at-login=no
/system script
add dont-require-permissions=no name=ClearLog owner=Rapisarda81 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system logging action set memory memory-lines=1\r\
    \n:delay 1s\r\
    \n/system logging action set memory memory-lines=1000\r\
    \n"
add dont-require-permissions=no name=log-on.rsc owner=Rapisarda81 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    put \"Replacing log=no with log=yes in all the firewall filters with a mess\
    age to log\"\r\
    \n:local ruleList [/ip firewall filter find log=no]\r\
    \n:foreach ruleId in=\$ruleList do={\r\
    \n  /ip firewall filter set \$ruleId log=yes\r\
    \n}\r\
    \n:put \"**** Firewall rules updated.log=yes ****\"\r\
    \n\r\
    \n\r\
    \n\r\
    \n"
add dont-require-permissions=no name=log-off.rsc owner=Rapisarda81 policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    put \"Replacing log=yes with log=no in all the firewall filters with a mes\
    sage to log\"\r\
    \n:local ruleList [/ip firewall filter find log=yes]\r\
    \n:foreach ruleId in=\$ruleList do={\r\
    \n  /ip firewall filter set \$ruleId log=no\r\
    \n}\r\
    \n:put \"**** Firewall rules updated.log=no ****\"\r\
    \n\r\
    \n\r\
    \n\r\
    \n"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=wlan1 filter-mac-address=\
    E0:51:D8:EB:1F:B6/FF:FF:FF:FF:FF:FF
And this is the output of /tool sniffer quick port=13231 (IP altered):
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE  TIME    NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS       DST-ADDRESS         PROTOCOL  SIZE  CPU
wlan1      19.372    1  <-   78:D8:40:83:91:BE  6C:3B:6B:72:AB:4B  10.3.50.62:13231  79.34.567.88:13231  ip:udp     190    0
bridge     19.372    2  <-   78:D8:40:83:91:BE  6C:3B:6B:72:AB:4B  10.3.50.62:13231  79.34.567.88:13231  ip:udp     190    0
wlan1      24.481    3  <-   78:D8:40:83:91:BE  6C:3B:6B:72:AB:4B  10.3.50.62:13231  79.34.567.88:13231  ip:udp     190    0
bridge     24.481    4  <-   78:D8:40:83:91:BE  6C:3B:6B:72:AB:4B  10.3.50.62:13231  79.34.567.88:13231  ip:udp     190    0
wlan1      29.677    5  <-   78:D8:40:83:91:BE  6C:3B:6B:72:AB:4B  10.3.50.62:13231  79.34.567.88:13231  ip:udp     190    0
bridge     29.677    6  <-   78:D8:40:83:91:BE  6C:3B:6B:72:AB:4B  10.3.50.62:13231  79.34.567.88:13231  ip:udp     190    0
 
rplant
Long time Member
Posts: 654
Joined: Fri Sep 29, 2017 11:42 am

Re: Wireguard no longer works

Mon May 12, 2025 3:06 am

Some reasons for wireguard not working (no reply):

Possibly modified private keys. (Seemed to maybe be an issue with Mikrotiks at an earlier stage)
Incorrect public keys on endpoints. (Perhaps caused by previous issue)
Incorrect (different) date/time on peers
 
resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Re: Wireguard no longer works

Mon May 12, 2025 9:41 am

Ok, date/time verified and is correct. The keys worked for 1.5 years and nothing has been changed. Anyway, what is the best method to "remove" all the possible wrong stuff to re-create a working configuration? Is it enough to delete the interface and the only peer on the router? I don't see a WireGuard package, so I assume there is nothing else to do on the router. On the clients, of course, I will remove and reinstall Wireguard APP and Software.
 
rplant
Long time Member
Posts: 654
Joined: Fri Sep 29, 2017 11:42 am

Re: Wireguard no longer works

Mon May 12, 2025 1:16 pm

I think remove interface and peer, and recreate them.
Maybe with a reboot somewhere.

You could export current config (with show-sensitive) and try to recreate them with same keys as previous, and see if they magically work again :(
If not, recreate them from scratch.
 
resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Re: Wireguard no longer works

Mon May 12, 2025 3:30 pm

I made several tests; I removed and recreated everything on both the router and Android. I still see only incoming packets with /tool sniffer quick port=13231 and no packets with /tool sniffer quick interface=wg0. I also noticed a route through wg0 (my present wireguard interface) was missing, and this looks like a problem of the code that creates the interface or the peer. Anyway, I added it, but I guess I should see "something" reaching the wireguard interface. My feeling is that packets "accepted" by the firewall filter do not reach the Wireguard interface. Why? Is there a way to understand what happens at this "switching" level? In other words, when a packet is "accepted", where is it "sent"? It is also surprising that everything worked fine for over one and a half years!
That said, I need a VPN (or sort of). If Wireguard is not suggested, let me know what may be a more robust/solid solution for both android and linux clients. I could also accept a paid consultant intervention on-site, providing he can be found locally, of course!
 
rplant
Long time Member
Posts: 654
Joined: Fri Sep 29, 2017 11:42 am

Re: Wireguard no longer works

Tue May 13, 2025 2:07 am

Hi,

Not sure,

Other people have had somewhat similar issues and had to change the port wireguard was listening on, which fixed the problem (for a while).
 
boingolover
just joined
Posts: 7
Joined: Sat Feb 11, 2023 6:41 pm

Re: Wireguard no longer works

Tue May 13, 2025 3:12 am

One thing that might be helpful is cranking up the logging for wireguard.

/system logging add topics=wireguard
should get you some debug logs, might see if there is anything helpful in there
 
anav
Forum Guru
Posts: 23722
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard no longer works

Tue May 13, 2025 4:48 am

1. What third party wireguard vpn are you connecting to??
2. If the router is acting as server peer for handshake, ( no third party, then your peer is wrong it needs to be the exact wireguard IP /32 of the client peer )
3. What is the purpose of stating a private key in wireguard peers? It's not asked for nor used.

4. This is a very bad SECURITY risk and likely to get you banned by your ISP.
add action=accept chain=input comment="Open for DNS From outside the LAN" \
log-prefix="rsc DNS request" port=53 protocol=udp

5. Why two rules?? Did you not know that wireguard is UDP only................remove TCP rule....
add action=accept chain=input comment="*** WireGuard ***" dst-port=13231 log=\
yes log-prefix="rsc WIREGUARD VPN UDP" protocol=udp
add action=accept chain=input comment="*** WireGuard ***" dst-port=13231 \
log-prefix="rsc WIREGUARD VPN TCP" protocol=tcp
 
resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Re: Wireguard no longer works

Tue May 13, 2025 12:12 pm

1) I am not connecting to anything from MikroTik, I just want to receive incoming connections from my Android or linux devices when I am away from home. MikroTik is connected via FTTH and the devices connect through 4/5G network. NO need to connect more than one each time. Obviously, once connected, the remote devices should be able to access all devices in my home network and use my internal MikroTik DNS. It worked perfectly for over one and half year, then suddenly stopped.
2) Please clarify.
3) I don't fully follow you! I never created a private key. I see there are some private keys created both by the Android app and/or MikroTik itself. And, I never removed them from anywhere. Should I have deleted them? Please note I filed this post in Beginner Basics because I am just a common user and not an expert of this kind of stuff! I was an expert in X.25 and Uniscope protocols...!
4) Again I don't follow you: while I HAVE NO Opendns but I see SEVERAL attempts to connect, I log the attempts to ban those IP addresses that are trying to connect. Why would my provider be upset about this? Action=accept is surely wrong here, and I will change it as soon as at home.
5) No, I didn't know. I discovered it few days ago and I removed the TCP rule.

My main problem may be I never found a CLEAR example with guidelines to setup an environment like mine: I generally found router-to-router examples or Android to other routers, but not MikroTik and I try to interpret. I say again: it perfectly worked for more than 1.5 years.
 
boingolover
just joined
Posts: 7
Joined: Sat Feb 11, 2023 6:41 pm

Re: Wireguard no longer works

Tue May 13, 2025 4:50 pm


3. What is the purpose of stating a private key in wireguard peers? Its not asked for nor used.
The private key is used for show-client-config QR code generation, for one thing.
 
resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Re: Wireguard no longer works

Tue May 13, 2025 6:21 pm

Regarding point 4) my previous answer was totally wrong (I was away, without my notes). Port 53 is opened to allow my phone and my linux, when remote, to connect through Wireguard and address my home hosts by name! I found this suggestion somewhere. Is it wrong? I say again: a clean, simple guideline to setup an environment like mine, that should be very common, seems not present anywhere!
 
resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Re: Wireguard no longer works

Tue May 13, 2025 6:51 pm

Other People have had somewhat similar issues and had to change the port wireguard was listening on
which fixed the problem (for a while).
Bingo! After a dozen unsuccessful remove/reinstall all the stuff, with an other port it works again!!!
I would never have imagined this. Thanks a lot!

By the way, I would like to know, should the opening of port 53 be so dangerous/forbidden, how am I supposed to reach the home hosts by the name that may be delivered only from my DNS, i.e. the Mikrotik Router itself!
 
anav
Forum Guru
Posts: 23722
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard no longer works

Tue May 13, 2025 8:31 pm

You are stating how you achieve some goal but not articulating the requirements clearly.
Identify the external users that need access to your device.
Identify what they need access to.
State how they should connect to your device ( wireguard? port forwarding? )
Also the mechanism.
By WANIP, by LANIP, by DYNDNS URL? etc.....

Easy to do if the originating device is behind another MT device because one sets a static DNS, such that the domain name is associated with a LANIP, which exists on the server router so to speak.
One ensures a route exists for that subnet on the MT device so it knows where to send the traffic......aka through the wireguard tunnel.

Not so sure on other types of devices.............
 
resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Re: Wireguard no longer works

Tue May 13, 2025 10:08 pm

You are stating how you achieve some goal but not articulating the requirements clearly.
I think this was very clear from the very beginning!
One MTK router, FTTH connected, one Android or Linux client (no more than one each time) connected from remote via 4 or 5G networks. No users: just myself when I travel. The need? Just to access my home network when I am away, maybe one NAS or one ESP or one PC, addressed by name.
I think this is the need of 99.9% of home users. For this I found the ONLY way is to open UDP port 53 and it worked 1.5 years. If this is not correct, let me know which is the better solution.

Why, suddenly, it stopped working is unknown but the solution, cleverly and kindly indicated by rplant on Tue May 13, 2025 1:07 am (use another port) solved the issue. Unfortunately he also says "for a while". I think this is a bug in the firmware because I guess the incoming packet is lost between the accept of the firewall and the wireguard code! Port number should be meaningless.
 
infabo
Forum Guru
Posts: 1712
Joined: Thu Nov 12, 2020 12:07 pm

Re: Wireguard no longer works

Tue May 13, 2025 10:16 pm

BTH would suit your needs. But requires ARM platform. https://mikrotik.com/bth/
Last edited by infabo on Tue May 13, 2025 10:19 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 23722
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard no longer works

Tue May 13, 2025 10:16 pm

Correct, opening up dns on the input chain, to anything but the LAN, is a bad security practice.

WRONG:
/interface wireguard peers
add allowed-address=10.3.53.0/24 interface=wireguard1 name=peer5 private-key=\
"12345678+x5heP9Jtyk18+VADKp4tV2Z8S3E=" public-key=\
"987654321+IcGxbs30vd2QkA="

RIGHT:
/interface wireguard peers
add allowed-address=10.3.53.2/32 interface=wireguard1 name=android1 public-key="------"


and if you have more peers each needs their specific address
add allowed-address=10.3.53.3/32 interface=wireguard1 name=android2 public-key="--+----"
add allowed-address=10.3.53.4/32 interface=wireguard1 name=android3 public-key="--++----"
add allowed-address=10.3.53.5/32 interface=wireguard1 name=linux1 public-key="--+++---"
add allowed-address=10.3.53.6/32 interface=wireguard1 name=linux2 public-key="--++++--"


WRONG:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add disabled=yes interface=*10 list=WAN
RIGHT:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add disabled=yes interface=wireguard1 list=WAN
 
rplant
Long time Member
Posts: 654
Joined: Fri Sep 29, 2017 11:42 am

Re: Wireguard no longer works

Wed May 14, 2025 2:16 am

If you trust your phone, (and things that might be tethered to it), I would perhaps make wireguard1 a member of the LAN interface list,
and remove access to port 53 externally.

If you don't trust it, allow access to DNS from 10.3.53.0/24 should be sufficient.
 
resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Re: Wireguard no longer works

Wed May 14, 2025 7:48 am

BTH would suit your needs. But requires ARM platform. https://mikrotik.com/bth/
This sounds very interesting. For sure I will consider it the day I change my non-ARM router. By the way, I don't need the MikroTik gateway since I do have a public IP, and I wonder what extra benefits I would get in addition to the present Wireguard connection. Of course, if this is the official MTK solution, it may be more robust, easier to configure and have better support.
 
resca
newbie
Topic Author
Posts: 44
Joined: Sat Mar 26, 2016 12:23 pm

Re: Wireguard no longer works

Wed May 14, 2025 7:52 am

I would perhaps make wireguard1 a member of the LAN interface list
I posted in Beginner Basics in the hope to have no cryptic answers!
 
rplant
Long time Member
Posts: 654
Joined: Fri Sep 29, 2017 11:42 am

Re: Wireguard no longer works

Wed May 14, 2025 10:55 am

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add disabled=no interface=wireguard1 list=LAN

Reason:
In default firewall ruleset (including this one), LAN interfaces are given access to
router input chain, so can login and access dns server, etc.

/ip firewall filter
...
add action=drop chain=input comment=\
"*C* defconf: drop all not coming from LAN-Blocca tutto il Reverse NAT" \
in-interface-list=!LAN log-prefix="rsc DROP *C*"
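As an added check, not code from this thread or from MikroTik: a small Python audit of a RouterOS `/export` that flags the problems anav and rplant point out above (a peer whose allowed-address is not the client's /32, a private-key on a router-side peer, port 53 accepted on the input chain without LAN or tunnel scoping, and a TCP rule for the WireGuard port). The sample export is constructed with placeholder keys; it assumes the export layout shown in the thread (section headers starting with `/`, `add` lines with `key=value` pairs, long lines wrapped with a trailing backslash).

```python
import re

# Constructed sample export in the shape the thread discusses (keys are placeholders, not real ones)
SAMPLE_EXPORT = """\
/interface wireguard peers
add allowed-address=10.3.53.0/24 interface=wireguard1 name=peer5 private-key=\\
"PLACEHOLDER" public-key="PLACEHOLDER"
/ip firewall filter
add action=accept chain=input comment="Open for DNS From outside the LAN" \\
port=53 protocol=udp
add action=accept chain=input comment="*** WireGuard ***" dst-port=13231 protocol=udp
add action=accept chain=input comment="*** WireGuard ***" dst-port=13231 protocol=tcp
add action=drop chain=input in-interface-list=!LAN
"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_export(text):
    """Yield (section, {key: value}) for every 'add' line, joining backslash continuations."""
    section, buf = None, ""
    for raw in text.splitlines():
        buf += raw.rstrip()
        if buf.endswith("\\"):  # RouterOS export wraps long lines with a trailing backslash
            buf = buf[:-1]
            continue
        line, buf = buf.strip(), ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            yield section, {k: v.strip('"') for k, v in KV.findall(line[4:])}

def audit(text, wg_port="13231"):
    """Return the problems raised in the thread, as strings, for the given export text."""
    findings = []
    for section, kv in parse_export(text):
        if section == "/interface wireguard peers":
            if not kv.get("allowed-address", "").endswith("/32"):
                findings.append(f"peer {kv.get('name')}: allowed-address should be the client's /32")
            if "private-key" in kv:
                findings.append(f"peer {kv.get('name')}: private-key set; the router only needs the public key")
        elif section == "/ip firewall filter" and kv.get("chain") == "input" and kv.get("action") == "accept":
            ports = kv.get("dst-port", kv.get("port", "")).split(",")
            scoped = any(k in kv for k in ("src-address", "src-address-list", "in-interface", "in-interface-list"))
            if "53" in ports and not scoped:
                findings.append("input: DNS (53/udp) accepted from any source; scope it to LAN or the tunnel subnet")
            if wg_port in ports and kv.get("protocol") == "tcp":
                findings.append(f"input: TCP rule for WireGuard port {wg_port}; WireGuard is UDP only")
    return findings
```

Run `audit(open("export.rsc").read())` on your own export; an empty list means none of the four issues from this thread were found.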