# sep/23/2022 15:54:23 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CC220xxxxxxx
/interface bridge
add admin-mac=DC:2C:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.89.1 remote-address=\
vpn
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=10.10.10.1/24 endpoint-address=192.168.88.1 \
endpoint-port=13231 interface=wireguard1 public-key=\
"b4xWJ41+IB8iaa1sZT3Ka0000000000qEvDUTY5NDT8="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1 interface=wireguard1 network=255.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=00000.dyndns.org list=00000
add address=11111.dyndns.org list=1111
/ip firewall filter
add action=accept chain=input src-address-list=00000
add action=accept chain=input src-address-list=111
add action=accept chain=input dst-address=192.168.88.0/24 src-address=\
192.168.89.0/24
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward in-interface=ether1 protocol=gre
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow PPP" in-interface=all-ppp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=input comment=Winbox disabled=yes dst-port=8291 \
protocol=tcp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
src-address-list=mtdale to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
src-address-list=mtdale to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=9000 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address-list=mtdale to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address-list=mtdale to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address-list=212 to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address-list=mtdale to-addresses=192.168.88.35 to-ports=8035
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
{
/interface lte apn set [ find default=yes ] ip-type=auto use-network-apn=yes
/routing ospf area remove [find]
/routing ospf instance remove [find]
/ipv6 settings set max-neighbor-entries=16384
/interface detect-internet set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface ovpn-server server set auth=sha1,md5,sha256,sha512
/interface bridge set [find] protocol-mode=none
/interface bridge port set [find] ingress-filtering=yes
}
Thank you!You have censored poblic key on last image, and not the private.....
# sep/24/2022 11:09:07 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CC220xxxxxxx
/interface bridge
add admin-mac=DC:2C:xxxxxxxxx auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.89.1 remote-address=\
vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=10.10.10.2/32 endpoint-address=10.10.10.2 endpoint-port=\
13231 interface=wireguard1 public-key=\
"DcTp6igWYbPNfcrRxxxxxxxxxxxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1 interface=wireguard1 network=255.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=xxxxx.dyndns.org list=xxxxm
add address=xxxxxx.dyndns.org list=xxxx2
/ip firewall filter
add action=accept chain=input in-interface=wireguard1 log=yes src-address=\
10.10.10.0/24
add action=accept chain=forward log=yes out-interface=wireguard1 src-address=\
10.10.10.0/24 src-address-list=""
add action=accept chain=forward dst-address=10.10.10.0/24 in-interface=\
wireguard1 log=yes
add action=accept chain=forward disabled=yes in-interface=wireguard1 \
out-interface=all-ethernet
add action=accept chain=input src-address-list=mtdale
add action=accept chain=input disabled=yes src-address-list=2xxxxx
add action=accept chain=input dst-address=192.168.88.0/24 src-address=\
192.168.89.0/24
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward in-interface=ether1 protocol=gre
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow PPP" in-interface=all-ppp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=input comment=Winbox disabled=yes dst-port=8291 \
protocol=tcp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address-list=192.168.88.1 \
src-address-list=10.10.10.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
src-address-list=mxxxxxe to-addresses=192.168.88.35 to-ports=9000
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9000 log=yes protocol=tcp \
src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam disabled=yes dst-port=8080 \
protocol=tcp src-address-list=2xxxx2 to-addresses=192.168.88.35 to-ports=\
8080
add action=dst-nat chain=dstnat comment=cam dst-port=8080 protocol=tcp \
src-address-list=mtxxxxxe to-addresses=192.168.88.35 to-ports=8080
add action=dst-nat chain=dstnat comment=cam dst-port=9000 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=9000
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=554 protocol=tcp \
src-address-list=mxxxxx to-addresses=192.168.88.35 to-ports=554
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address-list=2xxxxx2 to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=1935 protocol=tcp \
src-address-list=mxxxxxxe to-addresses=192.168.88.35 to-ports=1935
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address=192.168.89.1 to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=8035
add action=dst-nat chain=dstnat comment=cam dst-port=8035 protocol=tcp \
src-address-list=mtxxxxx to-addresses=192.168.88.35 to-ports=8035
/ip route
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=wireguard1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
# model = RB750Gr3
# serial number = CC220xxxxxxx
/interface bridge
add admin-mac=DC:2C:xxxxxxxxx auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.10.10.2/32 interface=wireguard1 public-key=\
"DcTp6igWYbPNfcrRxxxxxxxxxxxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1/24 interface=wireguard1 network=255.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=xxxxx.dyndns.org list=xxxxm
add address=xxxxxx.dyndns.org list=xxxx2
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="allow incoming wireguard connections" dst-port=13231 protocol=udp
add action=accept chain=input in-interface=wireguard1 log=yes src-address=\
10.10.10.0/24 comment="allow admin access via wireguard"
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward log=yes out-interface=wireguard1 src-address=\
10.10.10.0/24 dst-address=192.168.88.0/24 comment="allow wireguard to subnet"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=WAN
add action=accept connection-nat-state=dstnat comment="allow port forwarding"
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=9000,8080,8035,1935,554 log=yes protocol=tcp \
src-address-list=xxxxm to-addresses=192.168.88.35
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=9000,8080,8035,1935,554 log=yes protocol=tcp \
src-address-list=xxxx2 to-addresses=192.168.88.35
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
# sep/24/2022 22:19:13 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CCxxxxx
/interface bridge
add admin-mac=DC:xxxxx auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add interface=wireguard1 public-key=\
"xxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1/24 interface=wireguard1 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=mxxxx.dyndns.org list=mxxxx
add address=jxxxx.dyndns.org list=2xxxx
/ip firewall filter
add action=accept chain=input src-address-list=mxxxx
add action=accept chain=input src-address-list=2xxxx
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="allow incoming wireguard connections" \
dst-port=13231 protocol=udp
add action=accept chain=input comment="allow admin access via wireguard" \
in-interface=wireguard1 log=yes src-address=10.10.10.0/24
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow wireguard to subnet" \
dst-address=192.168.88.0/24 log=yes out-interface=wireguard1 src-address=\
10.10.10.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
WAN
add action=accept chain=\
"add action=drop chain=forward comment=\"drop all else\"" comment=\
"allow port forwarding" connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 log=yes \
protocol=tcp src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=\
9000
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
protocol=tcp src-address-list=mxxxx to-addresses=192.168.88.35 to-ports=\
8080
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
sep/24/2022 22:19:13 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CCxxxxx
/interface bridge
add admin-mac=DC:xxxxx auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.10.10.2/32 interface=wireguard1 public-key=\
"xxxxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1/24 interface=wireguard1 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=mxxxx.dyndns.org list=mxxxx
add address=jxxxx.dyndns.org list=2xxxx
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="allow incoming wireguard connections" \
dst-port=13231 protocol=udp
add action=accept chain=input comment="allow admin access via wireguard" \
in-interface=wireguard1 log=yes src-address=10.10.10.0/24
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow wireguard to subnet" \
dst-address=192.168.88.0/24 log=yes in-interface=wireguard1 src-address=\
10.10.10.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
WAN
add action=accept chain=forward "allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"" comment=\
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=9000,8080,554,1935,8035 log=yes \
protocol=tcp src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=\
9000
add action=dst-nat chain=dstnat comment=cam in-interface-list=WAN dst-port=8080,9000,554,1935,8035 \
protocol=tcp src-address-list=mxxxx to-addresses=192.168.88.35 to-ports=\
8080
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
# sep/25/2022 10:25:52 by RouterOS 7.5
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CCxxxxxxx
/interface bridge
add admin-mac=DC:xxxxxxx auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.10.10.2/32 interface=wireguard1 public-key=\
"DcTpxxxxxxxxxxxc="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1/24 interface=wireguard1 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=mxxxx.dyndns.org list=mxxxx
add address=jxxxx.dyndns.org list=2xxxxx
/ip firewall filter
add action=accept chain=input comment="allow incoming wireguard connections" \
dst-port=13231 protocol=udp
add action=accept chain=forward comment="Allow wireguard to subnet" \
dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes src-address=\
10.10.10.0/24
add action=accept chain=input comment="allow wireguard to subnet" \
in-interface=wireguard1 log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=accept chain=input comment="allow admin access via wireguard" \
in-interface=wireguard1 log=yes src-address=10.10.10.0/24
add action=accept chain=input src-address-list=mxxxx
add action=accept chain=input src-address-list=2xxxx
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 \
in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
src-address-list=2xxxx to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
protocol=tcp src-address-list=mxxxx to-addresses=192.168.88.35
/system clock
set time-zone-name=America/New_York
/system identity
set name="371 Mikrotik"
/system logging
add topics=account
add topics=event
add topics=firewall
/system package update
set channel=development
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=sniffed only-headers=yes
/tool traffic-monitor
add interface=ether1 name=tmon1 threshold=1000
add interface=wireguard1 name=tmon2
TWO GROSS Errors that are preventing success (1,5) and a couple of minor items.
(1) Missing allowed address on wireguard peer settings.
From:
/interface wireguard peers
add interface=wireguard1 public-key="xxxxx"
TO:
/interface wireguard peers
add add allowed-address=10.10.10.2/32 interface=wireguard1 allowed-address=public-key=\
"xxxxx"
(2) Absolutely NOT! firewall security mistake.
/ip firewall filter
add action=accept chain=input src-address-list=mxxxx
add action=accept chain=input src-address-list=2xxxx
Lets think about this. You are allowing two public IP address, direct access to the router. Why not hire a good year blimp that says HACK ME?
The whole point about VPN and wireguard is so that we can safely access the Lan Side of the router and then access the config/router from there.
So delete those rules!
Remember we have rules in the input chain, (to the router) for your access via wireguard already, this rule is the way to do it.........
add action=accept chain=input comment="allow admin access via wireguard" \
in-interface=wireguard1 log=yes src-address=10.10.10.0/24
Also if you are at home and not remote you have access to the router via this rule........... Which says, drop anything coming to the router that is NOT from the LAN. So your LAN PC will be able to reach the router. You can rely on your user name and password via winbox to make sure you are the only one that can config the router.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
I personally go one step further and only allow a src address list of LANIPs ( my desktop, laptop, ipad ) from the LAN to access the router, not other users.
But we can tackle that at a later date if you want...........
(3) MY MISTAKE APOLOGIES on the forward firewall rule to allow you to access the LAN resourcres
add action=accept chain=forward comment="allow wireguard to subnet" \
dst-address=192.168.88.0/24 log=yes out-interface=wireguard1 src-address=\
10.10.10.0/24
Should be:
add action=accept chain=forward comment="allow wireguard to subnet" \
dst-address=192.168.88.0/24 log=yes in-interface=wireguard1 src-address=\
10.10.10.0/24
(4) Remember the error you made on the format of dstnat rules regarding the case of simple port forwarding........
What is missing?
add action=dst-nat chain=dstnat ??????????? dst-port=9000,8080,554,1935,8035 log=yes \
protocol=tcp src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=\
9000
add action=dst-nat chain=dstnat comment=cam ???????????? dst-port=8080,9000,554,1935,8035 \
protocol=tcp src-address-list=mxxxx to-addresses=192.168.88.35 to-ports=\
8080
(5) YOu have jumbled together two rules by accident in the forward chain..........
add action=accept chain=\
"add action=drop chain=forward comment=\"drop all else\"" comment=\
"allow port forwarding" connection-nat-state=dstnat
Should be:
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
(6) Remember from last post, the mac server by itself is not encyrpted and should be set to NONE. Only the mac-server mac-winbox is set to LAN.
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
+++++++++++++++++++++++++++++++++++++++++++++++++
In summary, the missing allowed address was preventing wireguard connectivity and the firewall rule in error would have prevented accessing the server.
The jumbled up end of the forward chain needs to be fixed as well.
Remove the dangerous input chain rules and you should be safe to go. Fix the format of port forwarding rules and that will work too.
Looks like
...Code: Select allsep/24/2022 22:19:13 by RouterOS 7.5 # software id = 9QHQ-45Y2 # # model = RB750Gr3 # serial number = CCxxxxx /interface bridge add admin-mac=DC:xxxxx auto-mac=no comment=defconf name=bridge \ protocol-mode=none /interface wireguard add listen-port=13231 mtu=1420 name=wireguard1 /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254 /ip dhcp-server add address-pool=dhcp interface=bridge name=defconf /port set 0 name=serial0 /ppp profile set *FFFFFFFE dns-server=8.8.8.8 /interface bridge port add bridge=bridge comment=defconf interface=ether2 add bridge=bridge comment=defconf interface=ether3 add bridge=bridge comment=defconf interface=ether4 add bridge=bridge comment=defconf interface=ether5 /ip neighbor discovery-settings set discover-interface-list=LAN /ipv6 settings set disable-ipv6=yes max-neighbor-entries=16384 /interface l2tp-server server set use-ipsec=yes /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN /interface sstp-server server set default-profile=default-encryption /interface wireguard peers add allowed-address=10.10.10.2/32 interface=wireguard1 public-key=\ "xxxxx" /ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=\ 192.168.88.0 add address=10.10.10.1/24 interface=wireguard1 network=10.10.10.0 /ip cloud set ddns-enabled=yes /ip dhcp-client add comment=defconf interface=ether1 /ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,4.4.4.4 \ gateway=192.168.88.1 /ip dns set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4 /ip dns static add address=192.168.88.1 comment=defconf name=router.lan /ip firewall address-list add address=mxxxx.dyndns.org list=mxxxx add address=jxxxx.dyndns.org list=2xxxx /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=accept chain=forward comment=\ "defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input comment="allow incoming wireguard connections" \ dst-port=13231 protocol=udp add action=accept chain=input comment="allow admin access via wireguard" \ in-interface=wireguard1 log=yes src-address=10.10.10.0/24 add action=accept chain=input comment=\ "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related hw-offload=yes add action=accept chain=forward comment=\ "defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=accept chain=forward comment="allow wireguard to subnet" \ dst-address=192.168.88.0/24 log=yes in-interface=wireguard1 src-address=\ 10.10.10.0/24 add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN add action=accept chain=forward in-interface=wireguard1 out-interface-list=\ WAN add action=accept chain=forward "allow port forwarding" connection-nat-state=dstnat add action=drop chain=forward comment="drop all else"" comment=\ /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" \ ipsec-policy=out,none out-interface-list=WAN add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=9000,8080,554,1935,8035 log=yes \ protocol=tcp src-address-list=2xxxx to-addresses=192.168.88.35 to-ports=\ 9000 add action=dst-nat chain=dstnat comment=cam in-interface-list=WAN dst-port=8080,9000,554,1935,8035 \ protocol=tcp src-address-list=mxxxx to-addresses=192.168.88.35 to-ports=\ 8080 /system clock set time-zone-name=America/New_York /system identity set name="371 Mikrotik" /system logging add topics=account add topics=event add topics=firewall /system package update set channel=development /tool mac-server set allowed-interface-list=NONE /tool mac-server mac-winbox set allowed-interface-list=LAN /tool sniffer set file-name=sniffed only-headers=yes /tool traffic-monitor add interface=ether1 name=tmon1 threshold=1000
ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow incoming wireguard connections" \
dst-port=13231 protocol=udp
add action=accept chain=input src-address-list=mxxxx comment="temp until wireguard works"
add action=accept chain=input src-address-list=2xxxx comment="temp until wireguard works"
add action=accept chain=input comment="allow wireguard to Routert" \
in-interface=wireguard1 src-address=10.10.10.0/24 log=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=forward comment="Allow wireguard to subnet" \
dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes src-address=\
10.10.10.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow incoming wireguard connections" \
dst-port=13231 protocol=udp
add action=accept chain=input src-address-list=m
add action=accept chain=input src-address-list=2
add action=accept chain=input comment="Alow wireguard to router" \
in-interface=wireguard1 log=yes src-address=10.10.10.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes
add action=accept chain=forward comment="Allow wireguard to subnet" \
dst-address=192.168.88.0/24 in-interface=wireguard1 log=yes src-address=\
10.10.10.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 \
in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
src-address-list=2 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
protocol=tcp src-address-list=m to-addresses=192.168.88.35