The ONT is at, 192.168.1.1.
Router has a static addresss, 192.168.1.2/24 and routing table has a dynamically generated path,
Code: Select all
DAc 192.168.1.0/24 ether5 0
This is my router's config. It is undoubtly a mess but I am quite sure that my firewall and all the other configuration is okay in this context. It has been working perfectly for the last few months now and this problem has only started happening when I changed by ISP on last Friday.
Code: Select all
# apr/24/2022 19:01:31 by RouterOS 7.1.5
# software id = HH6E-47K7
#
# model = RB450Gx4
/interface bridge
add comment=defconf ingress-filtering=no name=bridge protocol-mode=none pvid=\
10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="1F Switch" l2mtu=9200 mtu=9200 \
rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] comment=empty l2mtu=1520 mac-address=\
D8:07:B6:B4:7E:AF
set [ find default-name=ether3 ] comment=c3po
set [ find default-name=ether4 ] comment=r2d2
set [ find default-name=ether5 ] comment="BSNL ONT" mac-address=\
52:96:9F:CC:AA:24 mtu=1520 poe-out=off
/interface wireguard
add comment="Ishan VPN" listen-port=51820 mtu=1400 name=personal-vpn
/interface vlan
add interface=bridge name=lab-vlan vlan-id=50
add interface=bridge name=lte-vlan vlan-id=130
add interface=bridge name=vlan-10 vlan-id=10
add comment="Internet for everyone else " interface=bridge name=vlan-20 \
vlan-id=20
add interface=bridge name=vlan-99 vlan-id=99
add interface=bridge name=vlan-150 vlan-id=150
add interface=bridge name=vlan-160 vlan-id=160
/interface pppoe-client
add comment="BSNL WAN" interface=ether5 keepalive-timeout=5 name=pppoe-bsnl \
user=<user>@ftth.bsnl.in
add comment="BSNL WAN" disabled=no interface=ether5 keepalive-timeout=5 name=\
pppoe-out1 user=<user>
/interface list
add comment=WAN name=WAN
add comment=LAN name=LAN
add comment=ONT name=ExternalMainLAN
add comment="LTE Modem" name=ExternalFailoverLAN
add comment=VPN name=VPN
add name=LAB
add comment="All LAN and LAB interfaces" include=LAN,LAB name=ALAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan-99 ranges=10.0.99.10-10.0.99.254
add name=vlan-10 ranges=10.0.10.15-10.0.10.50
add name=vlan-20 ranges=10.0.20.10-10.0.20.30
add name=vlan-150 ranges=10.0.150.10-10.0.150.254
add name=vlan-160 ranges=10.0.160.10-10.0.160.254
add name=vlan-50 ranges=10.0.50.10-10.0.50.254
/ip dhcp-server
add address-pool=vlan-99 interface=vlan-99 lease-time=15m name=vlan-99
add address-pool=vlan-10 interface=vlan-10 name=vlan-10
add address-pool=vlan-20 interface=vlan-20 name=vlan-20
add address-pool=vlan-150 interface=vlan-150 lease-time=1h name=vlan-150
add address-pool=vlan-160 interface=vlan-160 lease-time=1h name=vlan-160
add address-pool=vlan-50 interface=lab-vlan lease-time=30m name=vlan-50
/port
set 0 name=serial0
/ppp profile
set *0 only-one=yes use-mpls=no use-upnp=no
/routing table
add fib name=via-personal-vpn
add fib name=lte-failover
add fib name=primary-wan
/system logging action
set 0 memory-lines=10000
/user group
add name=prometheus policy="read,winbox,api,rest-api,!local,!telnet,!ssh,!ftp,\
!reboot,!write,!policy,!test,!password,!web,!sniff,!sensitive,!romon,!dude\
,!tikapp"
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether3 pvid=99
add bridge=bridge ingress-filtering=no interface=ether4 pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=99
/ip firewall connection tracking
set icmp-timeout=30s loose-tcp-tracking=no tcp-close-wait-timeout=1m \
tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s \
tcp-syn-received-timeout=1m tcp-syn-sent-timeout=1m \
tcp-time-wait-timeout=2m udp-stream-timeout=2m udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=LAN protocol=""
/ip settings
set accept-source-route=yes max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="Management VLAN" tagged=bridge,ether1 untagged=\
ether4,ether3 vlan-ids=99
add bridge=bridge comment="Home VLAN" tagged=ether1,bridge,ether4 vlan-ids=10
add bridge=bridge comment="Home Ext /Guest VLAN" tagged=ether1,bridge,ether4 \
vlan-ids=20
add bridge=bridge comment="LTE VLAN" tagged=ether1,bridge vlan-ids=130
add bridge=bridge comment="BSNL WAN Only VLAN" tagged=\
ether4,ether1,bridge,ether3 vlan-ids=150
add bridge=bridge comment="LTE WAN Only VLAN" tagged=\
ether4,ether1,bridge,ether3 vlan-ids=160
add bridge=bridge comment="Lab VLAN" tagged=ether1,ether4,bridge vlan-ids=50
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=pppoe-bsnl list=WAN
add comment=ONT interface=ether5 list=ExternalMainLAN
add comment="Personal VPN" interface=personal-vpn list=VPN
add interface=vlan-10 list=LAN
add interface=vlan-20 list=LAN
add interface=vlan-99 list=LAN
add interface=lte-vlan list=ExternalFailoverLAN
add interface=lte-vlan list=WAN
add interface=vlan-150 list=LAB
add interface=vlan-160 list=LAB
add interface=lab-vlan list=LAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=172.105.47.175 endpoint-port=\
51820 interface=personal-vpn persistent-keepalive=10s public-key=\
"Ftofwp9TdZBqBNs+wvaNkt0vzij0J53RoM4Iz8UFl38="
add allowed-address=10.0.99.0/24,10.0.10.0/24,10.11.11.3/32 interface=\
personal-vpn public-key="aIegmQ3df216exysEw2e+lohpaJD7wgAW8+ZzIUiyHs="
add allowed-address=10.0.99.0/24,10.0.10.0/24,10.11.11.4/32 interface=\
personal-vpn public-key="Tf2b6sXliCxdDBpMPHFkNZKA7V56UChZzWHnFYPJgR0="
/ip address
add address=192.168.1.2/24 comment="Static IP for ONT" interface=ether5 \
network=192.168.1.0
add address=10.11.11.2/24 interface=personal-vpn network=10.11.11.0
add address=10.0.10.1/24 interface=vlan-10 network=10.0.10.0
add address=10.0.20.1/24 interface=vlan-20 network=10.0.20.0
add address=10.0.99.1/24 interface=vlan-99 network=10.0.99.0
add address=10.0.150.1/24 interface=vlan-150 network=10.0.150.0
add address=10.0.160.1/24 interface=vlan-160 network=10.0.160.0
add address=10.0.50.1/24 interface=lab-vlan network=10.0.50.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add add-default-route=no interface=lte-vlan use-peer-dns=no use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
add address=10.0.99.7 client-id=1:0:31:92:76:47:39 mac-address=\
00:31:92:76:47:39 server=vlan-99
add address=10.0.99.2 client-id=1:60:a4:b7:47:8e:94 mac-address=\
60:A4:B7:47:8E:94 server=vlan-99
add address=10.0.10.5 client-id=1:18:c0:4d:8:4d:54 mac-address=\
18:C0:4D:08:4D:54 server=vlan-10
add address=10.0.99.4 mac-address=D8:07:B6:B4:7E:9E server=vlan-99
add address=10.0.99.6 mac-address=34:E8:94:76:A6:1C server=vlan-99
add address=10.0.99.3 client-id=\
ff:26:38:ff:d9:0:2:0:0:ab:11:f6:c2:2e:cf:62:a3:12:8c mac-address=\
B8:27:EB:08:8E:F2 server=vlan-99
add address=10.0.99.8 mac-address=A8:A1:59:61:D6:F3 server=vlan-99
add address=10.0.99.11 client-id=1:b4:b0:24:98:c:fa mac-address=\
B4:B0:24:98:0C:FA server=vlan-99
add address=10.0.10.34 client-id=1:5e:e7:e0:c8:e3:cf mac-address=\
5E:E7:E0:C8:E3:CF server=vlan-10
add address=10.0.99.10 client-id=\
ff:df:2b:3e:e:0:2:0:0:ab:11:f6:c2:2e:cf:62:a3:12:8c mac-address=\
B8:27:EB:73:EA:E8 server=vlan-99
/ip dhcp-server network
add address=10.0.10.0/24 comment="Home Network" dns-server=\
10.0.99.3,10.0.99.10 domain=arpa gateway=10.0.10.1 netmask=24 ntp-server=\
10.0.10.1
add address=10.0.20.0/24 comment="Home Ext Network" dns-server=10.0.99.3 \
domain=arpa gateway=10.0.20.1 netmask=24 ntp-server=10.0.20.1
add address=10.0.50.0/24 comment="LAB VLAN" dns-server=10.0.99.3,10.0.99.10 \
domain=arpa gateway=10.0.50.1 netmask=24 ntp-server=10.0.50.1
add address=10.0.99.0/24 comment="Management Network" dns-server=\
10.0.99.3,10.0.99.10 domain=arpa gateway=10.0.99.1 netmask=24 ntp-server=\
10.0.99.1
add address=10.0.150.0/24 comment="BSNL WAN Only Network" dns-server=\
10.0.99.3,10.0.99.10 gateway=10.0.150.1 netmask=24 ntp-server=10.0.150.1
add address=10.0.160.0/24 comment="BSNL WAN Only Network" dns-server=\
10.0.99.3,10.0.99.10 gateway=10.0.160.1 netmask=24 ntp-server=10.0.160.1
/ip dns
set allow-remote-requests=yes servers=10.0.99.3
/ip dns static
add address=10.0.99.1 comment=defconf name=home.arpa
add address=10.0.99.3 name=dns.ishan.pw
add address=10.0.50.2 name=pve.arpa
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=1.1.1.1 comment=DNS list=Cloudflare
add address=1.0.0.1 comment=DNS list=Cloudflare
add address=255.255.255.255 comment=RFC6890 list=not_in_internet
add list=ddos-attackers
add list=ddos-targets
add address=10.11.11.0/24 comment="Personal VPN Block" list=allowed_to_router
add address=10.11.11.0/24 comment="IP Block used by the Personal VPN" list=\
personal_vpn
add address=51.83.67.72 list=seedbox
add address=192.168.8.0/24 list=banned_from_guest
add address=192.168.1.0/24 list=banned_from_guest
add address=10.11.11.0/24 list=banned_from_guest
add address=10.0.99.0/24 comment=LAN list=allowed_to_router
add address=10.0.99.3 list=dns-servers
add address=10.0.99.10 list=dns-servers
/ip firewall filter
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN \
log-prefix="from wan no dstnat"
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface-list=\
WAN src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop all from non-VPN IP block in VPN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=VPN \
src-address-list=!personal_vpn
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix=invalid
add action=accept chain=forward comment="Allow DNS Traffic(UDP) from LAN" \
dst-address-list=dns-servers dst-port=53 in-interface-list=ALAN protocol=\
udp
add action=accept chain=forward comment="Allow DNS Traffic(TCP) from LAN" \
dst-address-list=dns-servers dst-port=53 in-interface-list=ALAN protocol=\
tcp
add action=accept chain=forward comment=\
"Allow connections to DNS(DoT) from LAN" dst-address-list=dns-servers \
dst-port=853 in-interface-list=ALAN protocol=tcp
add action=accept chain=forward comment="Allow ICMP to DNS Server" \
dst-address-list=dns-servers in-interface-list=ALAN protocol=icmp
add action=jump chain=forward comment="Jump to Forward Rules for VLAN-150" \
in-interface=vlan-150 jump-target=vlan-150
add action=jump chain=vlan-150 comment="Allow ICMP Traffic" jump-target=icmp \
protocol=icmp
add action=accept chain=vlan-150 comment="Allow WAN access" dst-address-list=\
!not_in_internet
add action=accept chain=vlan-150 comment=\
"Allow it to talk to other devices in VLAN 150" out-interface=vlan-150
add action=reject chain=vlan-150 comment="Drop All Traffic" connection-state=\
!established,related,untracked log=yes log-prefix=vlan150dropped \
reject-with=icmp-network-unreachable
add action=jump chain=forward comment="Jump to Forward Rules for VLAN-160" \
in-interface=vlan-160 jump-target=vlan-160
add action=jump chain=vlan-160 comment="Allow ICMP Traffic" jump-target=icmp \
protocol=icmp
add action=accept chain=vlan-160 comment="Allow WAN access" dst-address-list=\
!not_in_internet
add action=accept chain=vlan-160 comment=\
"Allow it to talk to other devices in VLAN 160" out-interface=vlan-160
add action=reject chain=vlan-160 comment="Drop All Traffic" connection-state=\
!established,related,untracked log=yes log-prefix=vlan160dropped \
reject-with=icmp-network-unreachable
add action=jump chain=forward comment="Jump to Forward Rules for VLAN-20" \
in-interface=vlan-20 jump-target=vlan-20
add action=jump chain=vlan-20 comment="Allow ICMP Traffic" jump-target=icmp \
protocol=icmp
add action=accept chain=vlan-20 comment="Allow WAN access" dst-address-list=\
!not_in_internet
add action=accept chain=vlan-20 comment=\
"Allow it to talk to other devices in VLAN 20" out-interface=vlan-20
add action=accept chain=vlan-20 comment=\
"Allow it to talk to other devices in LAB" out-interface=lab-vlan
add action=reject chain=vlan-20 comment="Drop All Traffic" connection-state=\
!established,related,untracked dst-address-type=!broadcast,multicast log=\
yes log-prefix=vlan20dropped reject-with=icmp-network-unreachable
add action=jump chain=forward comment="Jump to Forward Rules for VLAN-30" \
in-interface=lte-vlan jump-target=vlan-130
add action=reject chain=vlan-130 comment=\
"Drop all new connections from this vlan" connection-state=\
!established,related,untracked log=yes log-prefix=vlan130dropped \
reject-with=icmp-network-unreachable
add action=jump chain=forward comment="Jump to Forward Rules for VLAN-99" \
in-interface=vlan-99 jump-target=vlan-99
add action=jump chain=forward comment="Jump to Forward Rules for VLAN-10" \
in-interface=vlan-10 jump-target=vlan-10
add action=jump chain=vlan-10 comment="Allow ICMP Traffic" jump-target=icmp \
protocol=icmp
add action=accept chain=vlan-10 comment="Allow WAN access" \
out-interface-list=WAN
add action=accept chain=vlan-10 comment="Allow VPN access" \
out-interface-list=VPN
add action=accept chain=vlan-10 comment="Allow VLAN 10 to talk to VLAN 99" \
out-interface=vlan-99
add action=accept chain=vlan-10 comment="Allow VLAN 10 to talk to VLAN 50" \
out-interface=lab-vlan
add action=accept chain=vlan-10 comment="Allow VLAN 10 to talk to VLAN 20" \
out-interface=vlan-20
add action=accept chain=vlan-10 comment=\
"Allow VLAN 10 to talk to ExternalFailoverLAN" out-interface-list=\
ExternalFailoverLAN
add action=accept chain=vlan-10 comment=\
"Allow VLAN 10 to talk to ExternalMainLAN" out-interface-list=\
ExternalMainLAN
add action=accept chain=vlan-10 comment=\
"Allow it to talk to other devices in VLAN 10" out-interface=vlan-10
add action=reject chain=vlan-10 comment="Drop All Traffic" connection-state=\
!established,related,untracked dst-address-type=!broadcast,multicast log=\
yes log-prefix=vlan10dropped reject-with=icmp-network-unreachable
add action=jump chain=forward comment="Jump to Forward Rules for VLAN-50" \
in-interface=lab-vlan jump-target=vlan-50
add action=accept chain=vlan-50 comment="Allow WAN access" \
out-interface-list=WAN
add action=reject chain=vlan-50 comment="Drop All Traffic" connection-state=\
!established,related,untracked dst-address-type=!broadcast,multicast log=\
yes log-prefix=vlan50dropped reject-with=icmp-network-unreachable
add action=drop chain=forward comment="Drop tries to reach non-public addresse\
s from LAN while still allowing access to Personal VPN Subnet and LTE Mode\
m" dst-address=!192.168.8.1 dst-address-list=not_in_internet \
in-interface-list=LAN log-prefix=wan-non-public out-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=\
"icmp ping recv" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked log-prefix="accept es,re,un"
add action=accept chain=input comment="Accept access to router" \
src-address-list=allowed_to_router
add action=accept chain=input comment="Allow Wireguard Traffic to Come in" \
dst-port=51820 protocol=udp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow incoming DHCP from lte-vlan" \
dst-address-type="" in-interface=lte-vlan protocol=udp src-port=67
add action=accept chain=input comment=\
"Allow DHCP Traffic from LAN interfaces" dst-address-type="" dst-port=67 \
in-interface-list=ALAN protocol=udp src-port=68
add action=accept chain=input comment=\
"Allow LAN interfaces to reach DNS(tcp/53)" dst-address-type="" \
in-interface-list=ALAN protocol=udp src-port=53
add action=accept chain=input comment="Allow DNS Traffic from LAN interface" \
dst-address-type="" in-interface-list=ALAN protocol=tcp src-port=53
add action=accept chain=input comment="Accept ICMP from vlan 20" \
dst-address-type="" in-interface=vlan-20 protocol=icmp
add action=accept chain=input comment="Accept NTP" dst-address-type="" \
dst-port=123 in-interface=vlan-20 protocol=udp
add action=drop chain=input comment=\
"Drop all connections from non-public IPs in VPN" in-interface-list=VPN \
src-address-list=!personal_vpn
add action=reject chain=input comment="Drop all not coming from LAN" \
in-interface-list=WAN log-prefix="not from lan" reject-with=\
icmp-network-unreachable
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log-prefix=invalid
add action=jump chain=forward comment="Jump to ICMP Filters" jump-target=icmp \
protocol=icmp
add action=return chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=return chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=return chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=return chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=return chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=return chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=return chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types" log=yes log-prefix=\
"icmp blocked"
add action=jump chain=forward comment="Jump to DDOS Detection" \
connection-state=new in-interface-list=WAN jump-target=detect-ddos
add action=add-dst-to-address-list address-list=ddos-targets \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
protocol=tcp tcp-flags=syn,ack
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark SSH Connections" \
connection-mark=no-mark connection-state=new dst-address-list=\
!not_in_internet dst-address-type=!local dst-port=22 new-connection-mark=\
via-personal-vpn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
"Mark SSH Traffic on 4556 port over VPN" connection-mark=no-mark \
connection-state=new dst-port=4556 new-connection-mark=via-personal-vpn \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=\
"Mark IRC Bouncer Traffic" connection-mark=no-mark connection-state=new \
dst-address=172.105.47.175 dst-address-type=!local dst-port=40000 \
new-connection-mark=via-personal-vpn passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment="Mark Traffic going via lte" \
connection-mark=no-mark connection-state=new new-connection-mark=via-lte \
out-interface=lte-vlan passthrough=yes
add action=mark-routing chain=prerouting comment=\
"Route NTP Packets from network over LTE" dst-address-list=\
!not_in_internet dst-port=123 in-interface-list=LAN log-prefix=\
route-over-lte-mark-added new-routing-mark=lte-failover passthrough=no \
protocol=udp
add action=mark-routing chain=prerouting comment=\
"Connnection with VPN traffic mark to VPN" connection-mark=\
via-personal-vpn in-interface-list=LAN new-routing-mark=via-personal-vpn \
passthrough=no
add action=mark-routing chain=prerouting comment=\
"Route traffic with via-lte over LTE interface" connection-mark=via-lte \
in-interface-list=LAN new-routing-mark=lte-failover passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="DNS Hijack" dst-address-list=\
!dns-servers dst-port=53 in-interface-list=LAN protocol=udp \
src-address-list=!dns-servers to-addresses=10.0.99.3 to-ports=53
add action=dst-nat chain=dstnat comment="DNS Hijack" dst-address-list=\
!dns-servers dst-port=53 in-interface-list=LAN protocol=tcp \
src-address-list=!dns-servers to-addresses=10.0.99.3 to-ports=53
add action=dst-nat chain=dstnat comment=\
"Force Traffic to Public DoT to Local DoT Server" dst-address=\
172.105.47.175 dst-port=853 in-interface-list=LAN protocol=tcp \
to-addresses=10.0.99.3 to-ports=853
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=ExternalMainLAN
add action=masquerade chain=srcnat comment=\
"Masquerade Connections for Personal VPN" out-interface-list=VPN
add action=dst-nat chain=dstnat comment="Torrent Port Forward" dst-port=51413 \
in-interface-list=WAN protocol=tcp to-addresses=10.0.50.10 to-ports=51413
add action=dst-nat chain=dstnat comment="Torrent Port Forward" dst-port=51413 \
in-interface-list=WAN protocol=udp to-addresses=10.0.50.10 to-ports=51413
/ip firewall service-port
set tftp disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes ports=20000
/ip route
add comment="Main WAN Route" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=pppoe-bsnl pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
10.11.11.1%personal-vpn pref-src="" routing-table=via-personal-vpn scope=\
30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=100.0.0.1%lte-vlan \
pref-src=0.0.0.0 routing-table=lte-failover scope=30 suppress-hw-offload=\
no target-scope=10
add disabled=no dst-address=192.168.8.1/32 gateway=lte-vlan routing-table=\
main suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=lte-vlan pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-bsnl pref-src=\
"" routing-table=primary-wan scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=10.0.99.3/32 gateway=vlan-99 pref-src=\
"" routing-table=lte-failover scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=10.0.99.3/32 gateway=vlan-99 pref-src=\
"" routing-table=primary-wan scope=30 suppress-hw-offload=no \
target-scope=10
add comment="NTP Over LTE" disabled=no distance=1 dst-address=\
216.239.35.12/32 gateway=lte-vlan pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="NTP Over LTE" disabled=no distance=1 dst-address=216.239.35.8/32 \
gateway=lte-vlan pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="NTP Over LTE" disabled=no distance=1 dst-address=216.239.35.4/32 \
gateway=lte-vlan pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="NTP Over LTE" disabled=no distance=1 dst-address=216.239.35.0/32 \
gateway=lte-vlan pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="Main WAN Route" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=pppoe-out1 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.99.0/24,10.0.10.0/24,10.11.11.0/24
set ssh address=10.0.99.0/24,10.0.10.0/24,10.11.11.0/24
set www-ssl address=10.0.99.0/24,10.0.10.0/24,10.11.11.0/24 certificate=\
ca-template disabled=no tls-version=only-1.2
set api address=10.0.99.0/24,10.0.10.0/24,10.11.11.0/24
set winbox address=10.0.99.0/24,10.0.10.0/24,10.11.11.0/24
set api-ssl address=10.0.99.0/24,10.0.10.0/24,10.11.11.0/24 certificate=\
ca-template
/ip socks
set max-connections=500
/ip ssh
set strong-crypto=yes
/ip traffic-flow
set cache-entries=8M
/ip upnp
set enabled=yes
/ip upnp interfaces
add disabled=yes interface=pppoe-bsnl type=external
add interface=vlan-10 type=internal
/ipv6 nd
set [ find default=yes ] interface=vlan-10
/ppp aaa
set accounting=no
/routing igmp-proxy
set quick-leave=yes
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.0.150.0/24 table=\
primary-wan
add action=lookup-only-in-table disabled=no src-address=10.0.160.0/24 table=\
lte-failover
/system clock
set time-zone-name=Asia/Kolkata
/system identity
set name="Ishan's Mikrotik"
/system logging
add topics=pppoe,debug,packet
add topics=firewall,packet,debug
add topics=upnp
add prefix=ntp topics=ntp,debug,packet
add topics=info,radius,debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=time.google.com
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes cpu-frequency=auto
/tool bandwidth-server
set enabled=no
/tool graphing
set store-every=24hours
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-limit=1000000KiB file-name=ipv6.issue filter-interface=all \
filter-ip-protocol=tcp filter-port=http memory-limit=30000KiB
Also, I want to stress that everything is fine for quite some time after turning on the router but then something happens and the ONT becomes inaccessible.
My ISP(GPON) has setup very recently so I only received PPPoE username/password and no VLAN ID. I sometimes see PADI traffic from other customers of this ISP and although I have not yet been able to match the timing of receiving a PADI packet like this and the ONT becoming inaccessible but I suspect these two are somehow related?