I've migrated all my config from OPNsense to MikroTik, but there is a little issue.
My setup consists of:
2 LANs, one main and one for IoT devices
2 PPPoE WAN
1 LTE WAN
3 WireGuard tunnels: 1 for remote access, 1 for a public IP through a VPS (used as a 3rd WAN for remote access in case both PPPoE links fail) and 1 for Surfshark VPN
Here is my current exported configuration (I've removed some personal details):
# RouterOS export of the router's network and firewall configuration: bridges,
# VLANs, WireGuard tunnels, containers, DHCP, firewall filter/NAT, routing,
# management services. Lines marked NOTE(review) are reviewer observations that
# should be confirmed on the device before acting on them.
/interface bridge
add comment="LAN Bridge - vmbr3" ingress-filtering=no name=bridge1 vlan-filtering=yes
add comment="Docker Containers" name=dockers
/interface ethernet
set [ find default-name=ether1 ] comment="Transito - vmbr3" name=vnic0
set [ find default-name=ether2 ] comment="Transito - vmbr1" name=vnic1
set [ find default-name=ether3 ] comment="Transito - vmbr2" name=vnic2
/interface veth
add address=172.17.0.2/24 comment="UDP Broadcast Relay Container" gateway=172.17.0.1 name=veth1
add address=172.17.1.2/24 comment="Tailscale Container" gateway=172.17.1.1 name=veth2
/interface wireguard
add comment="WireGuard VPN" listen-port=64001 mtu=1280 name=wg0
add comment="WireGuard VPS" listen-port=13231 mtu=1360 name=wg1
add comment="WireGuard SurfShark" listen-port=13232 mtu=1420 name=wg2
/interface vlan
add comment="VLAN IoT - vmbr3" interface=bridge1 name=vlan2 vlan-id=2
add comment="VLAN WWAN - vmbr3" interface=bridge1 name=vlan99 vlan-id=99
add comment="VLAN PPPoE TIM" interface=vnic1 name=vlan835 vlan-id=835
add comment="VLAN PPPoE Poste" interface=vnic2 name=vlan835-poste vlan-id=835
/interface list
# NOTE(review): `include=` nests another interface list, and `static` / `all` are
# RouterOS built-in lists. As written, LAN and WAN would each contain every static
# interface and VPN every interface, so the explicit entries under
# "/interface list member" add nothing, and every in-/out-interface-list match
# below ("Drop any to WAN", "Forward VPN to Any", "Forward LAN to WAN",
# "MASQ LAN/IoT") applies far more widely than its comment suggests — e.g. new
# connections from bridge1 to the router would be dropped by "Drop any to WAN"
# before "LAN to Any" is reached. Confirm the effective membership on the device;
# if it is the built-in lists, remove the include= and keep the explicit members.
add include=static name=LAN
add include=static name=WAN
add include=all name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add comment="DHCP Scope - LAN" name=LAN-Pool ranges=10.0.1.120-10.0.1.245
add comment="DHCP Scope - IoT" name=IoT-Pool ranges=10.0.2.150-10.0.2.250
/ip dhcp-server
add address-pool=LAN-Pool interface=bridge1 lease-time=1d name=dhcp_s_lan
add address-pool=IoT-Pool interface=vlan2 lease-time=1d name=dhcp_s_iot
/ppp profile
add change-tcp-mss=yes name=ppp-dyndns on-down="delay 10s\r\
\n:execute \"dyndns\"" on-up="delay 10s\r\
\n:execute \"dyndns\""
/interface pppoe-client
add add-default-route=yes comment="WAN Poste" default-route-distance=2 disabled=no interface=vlan835-poste name=Poste profile=ppp-dyndns user=\
XXXXX@postepay
add add-default-route=yes comment="WAN TIM" disabled=no interface=vlan835 name=TIM profile=ppp-dyndns user=timadsl
/routing table
add disabled=no fib name=WG_DF_VPS
add disabled=no fib name=WG_DF_SS
add disabled=no fib name=MGMT_TIK_VPS
/container
add envlist=tailscale hostname=tailscale-proxy interface=veth2 logging=yes start-on-boot=yes
add interface=veth1 logging=yes start-on-boot=yes
/container config
set registry-url=https://ghcr.io tmpdir=docker/pull
/container envs
# NOTE(review): PASSWORD / AUTH_KEY / API_KEY are stored and exported in clear
# text (redacted here); any /export output of this router is sensitive.
add key=PASSWORD name=tailscale value=XXXXX
add key=DOMAIN name=tailscale value=XXXXXX
add key=AUTH_KEY name=tailscale value=XXXX
add key=API_KEY name=tailscale value=XXXXX
add key=ADVERTISE_ROUTES name=tailscale value=10.0.1.0/24,10.0.2.0/24
add key=CONTAINER_GATEWAY name=tailscale value=172.17.1.1
add key=TAILSCALE_ARGS name=tailscale value=--accept-routes
/interface bridge port
add bridge=bridge1 interface=vnic0
# NOTE(review): veth1 gets pvid=100, but no vlan-ids=100 entry exists under
# "/interface bridge vlan"; with vlan-filtering=yes on bridge1, untagged frames
# from veth1 presumably have no VLAN to land in — confirm this is intended
# (the port is tagged on VLANs 1 and 2 below).
add bridge=bridge1 ingress-filtering=no interface=veth1 pvid=100
add bridge=dockers interface=veth2
/ip firewall connection tracking
set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s tcp-syn-received-timeout=2m tcp-syn-sent-timeout=\
2m tcp-time-wait-timeout=2m udp-timeout=30s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 comment="VLAN IoT" tagged=bridge1,vnic0,veth1 vlan-ids=2
add bridge=bridge1 comment="VLAN WWAN" tagged=bridge1,vnic0 vlan-ids=99
add bridge=bridge1 tagged=veth1 vlan-ids=1
/interface list member
# NOTE(review): these are the intended LAN/WAN/VPN sets; see the note on
# "/interface list" above — the include= on the lists may make them moot.
add interface=bridge1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan99 list=WAN
add interface=TIM list=WAN
add interface=Poste list=WAN
add interface=wg0 list=VPN
add interface=wg1 list=WAN
add interface=wg2 list=WAN
add interface=vnic1 list=WAN
add interface=vnic2 list=WAN
/interface ovpn-server server
# NOTE(review): no enabled=yes here, so the OpenVPN server is presumably off.
# If it is ever enabled, there is no input rule for udp/64000, and the
# auth=sha1 / cipher=aes128 settings would be worth revisiting first.
set auth=sha1 certificate=*1 cipher=aes128 port=64000 protocol=udp tls-version=only-1.2
/interface wireguard peers
add allowed-address=172.19.255.3/32 comment="iPhone" interface=wg0 public-key="XXXX"
add allowed-address=172.19.255.4/32 comment="MBP" interface=wg0 public-key="XXXXX"
add allowed-address=172.19.255.5/32 comment="Laptop" interface=wg0 public-key="XXXXX"
add allowed-address=172.19.255.2/32,192.168.179.0/24 comment="MF286" interface=wg0 public-key=\
"XXXXX"
add allowed-address=0.0.0.0/0,VPS_PUB_IP/32 endpoint-address=VPS_ENTRY_POINT endpoint-port=65011 interface=wg1 persistent-keepalive=15s \
public-key="XXXXXX"
add allowed-address=0.0.0.0/0 endpoint-address=de-fra.prod.surfshark.com endpoint-port=51820 interface=wg2 persistent-keepalive=15s public-key=\
"XXXXX"
/ip address
add address=10.0.2.1/24 comment="IoT Network" interface=vlan2 network=10.0.2.0
add address=10.0.1.1/24 comment="LAN Network" interface=bridge1 network=10.0.1.0
add address=192.168.99.151/24 comment="WWAN Network" interface=vlan99 network=192.168.99.0
add address=192.168.0.151/24 comment="XGSPON Network" interface=vnic1 network=192.168.0.0
add address=192.168.1.151/24 comment="GPON Network" interface=vnic2 network=192.168.1.0
add address=172.19.255.1/24 comment="WG Gateway" interface=wg0 network=172.19.255.0
add address=172.17.1.1/24 comment="Docker Gateway" interface=dockers network=172.17.1.0
add address=185.25.205.34/24 comment="VPS Public IP" interface=wg1 network=185.25.205.0
add address=10.14.0.2/16 comment="SurfShark IP" interface=wg2 network=10.14.0.0
/ip dhcp-server network
add address=10.0.1.0/24 comment="DHCP Scope - LAN" dns-server=10.0.1.41,10.0.1.42 domain=my.home gateway=10.0.1.1 netmask=24
add address=10.0.2.0/24 comment="DHCP Scope - IoT" dns-server=8.8.8.8,8.8.4.4 gateway=10.0.2.1 netmask=24
/ip dns
# NOTE(review): allow-remote-requests is not set (default off), so the router is
# not acting as a resolver; DHCP hands out 10.0.1.41/42 and 8.8.8.8 instead.
set cache-max-ttl=1d servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall filter
# NOTE(review): the next two rules are blanket accepts at the head of the input
# and forward chains; enabling either one bypasses the whole policy below.
# Presumably a migration safety net — remove them once the policy is confirmed.
add action=accept chain=input disabled=yes
add action=accept chain=forward disabled=yes
# NOTE(review): the router's bridge1 address is 10.0.1.1 (see /ip address), so
# dst-address=10.0.1.254 matches nothing unless that address is also assigned;
# management then depends on the much broader "LAN to Any" accept further down,
# which itself sits after "Drop any to WAN".
add action=accept chain=input comment="Accept Webfig/SSH from LAN" dst-address=10.0.1.254 dst-port=22,80 protocol=tcp src-address=10.0.1.0/24
add action=accept chain=input comment="Accept VPN Tailscale" in-interface=dockers src-address=100.64.0.0/10
# NOTE(review): dst-port=8080-8443 is a range of ports, not the pair 8080,8443, and
# this rule only governs traffic to the router itself. The dst-nat rules for 8080
# and 8443 (see /ip firewall nat) carry no src-address, and the forward rule
# "Accept from WAN DSTNATed" accepts them from any source, so the 1.0.0.0/24
# restriction does not apply to the proxied hosts.
add action=accept chain=input comment="Accept RDP Proxy from XXX" dst-port=8080-8443 in-interface-list=WAN protocol=tcp src-address=\
1.0.0.0/24
add action=accept chain=input comment="Accept VPN Remote Access" dst-port=64001 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept any ICMP" protocol=icmp
add action=accept chain=input comment="Accept inbound ESTABLISHED,RELATED,UNTRACKED - Input" connection-state=established,related,untracked
add action=drop chain=input comment="Drop any to WAN" in-interface-list=WAN
# NOTE(review): the input chain only sees packets addressed to the router itself.
# The five rules below carry LAN/IoT host destinations (10.0.2.0/24, 10.0.1.0/24,
# 10.0.1.41, 10.0.1.42) and read like forward-chain rules carried over from
# OPNsense: here they never see IoT->LAN host traffic, so the MQTT/CoIoT-only
# allowance is not enforced — the forward chain accepts all IoT->LAN traffic
# ("Forward IoT to LAN"). Moving them to chain=forward ahead of that rule, and
# narrowing that rule, would restore the segmentation.
# Also, src-address-list=skyq has no "/ip firewall address-list" entry in this
# export, so "SkyQ to LAN" matches nothing unless that list was removed with the
# personal data.
add action=accept chain=input comment="LAN to IoT - Accept" dst-address=10.0.2.0/24 src-address=10.0.1.0/24
add action=accept chain=input comment="LAN to Any" src-address=10.0.1.0/24
add action=accept chain=input comment="SkyQ to LAN" dst-address=10.0.1.0/24 src-address-list=skyq
add action=accept chain=input comment="IoT to LAN - MQTT" dst-address=10.0.1.41 dst-port=1883 protocol=tcp src-address=10.0.2.0/24
add action=accept chain=input comment="IoT to LAN - Co-IoT" dst-address=10.0.1.42 dst-port=5683 protocol=udp src-address=10.0.2.0/24
add action=drop chain=input comment="Drop Invalid - Input" connection-state=invalid
add action=drop chain=input comment="Cleanup - Input"
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept inbound ESTABLISHED,RELATED,UNTRACKED - Forward" connection-state=established,related,untracked
add action=accept chain=forward comment="Accept from WAN DSTNATed" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop Invalid - Forward" connection-state=invalid
add action=accept chain=forward comment="Forward LAN to Any" in-interface=bridge1
add action=accept chain=forward comment="Forward Docker to Any" in-interface=dockers
# NOTE(review): accepts every new IoT->LAN connection; the intended MQTT/CoIoT
# allowances sit in the input chain above and do not apply here.
add action=accept chain=forward comment="Forward IoT to LAN" in-interface=vlan2 out-interface=bridge1
# NOTE(review): the VPN list is declared with include=all (see /interface list);
# if that resolves to every interface, this rule forwards new connections from
# any interface, WAN included. Confirm the effective list membership.
add action=accept chain=forward comment="Forward VPN to Any" in-interface-list=VPN
add action=accept chain=forward comment="Forward LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=reject chain=forward comment="Cleanup - Forward" reject-with=icmp-network-unreachable
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# NOTE(review): the two NoNAT exceptions are only needed if LAN<->IoT traffic
# would otherwise hit "MASQ LAN"/"MASQ IoT", i.e. if vlan2/bridge1 are members
# of the WAN list — which include=static on that list would cause.
add action=accept chain=srcnat comment="NoNAT - LAN to IoT" dst-address=10.0.2.0/24 src-address=10.0.1.0/24
add action=accept chain=srcnat comment="NoNAT - IoT to LAN" dst-address=10.0.1.0/24 src-address=10.0.2.0/24
add action=masquerade chain=srcnat comment="MASQ LAN" out-interface-list=WAN src-address=10.0.1.0/24
add action=masquerade chain=srcnat comment="MASQ IoT" out-interface-list=WAN src-address=10.0.2.0/24
# NOTE(review): no out-interface-list here, so container traffic is masqueraded
# toward LAN/IoT as well (hiding the Tailscale source); presumably harmless, but
# out-interface-list=WAN would make it consistent with the two rules above.
add action=masquerade chain=srcnat comment="MASQ Docker" src-address=172.17.1.0/24
# NOTE(review): neither dst-nat rule restricts the source; together with
# "Accept from WAN DSTNATed" the two internal hosts are reachable from any WAN
# address. If the proxy is meant for 1.0.0.0/24 only (as the input rule
# suggests), add src-address= here or on that forward rule.
add action=dst-nat chain=dstnat comment="NAT Stunnel" dst-address-type=local dst-port=8443 in-interface-list=WAN protocol=tcp to-addresses=\
10.0.1.199 to-ports=8443
add action=dst-nat chain=dstnat comment="NAT Guacamole" dst-address-type=local dst-port=8080 in-interface-list=WAN protocol=tcp to-addresses=\
10.0.1.6 to-ports=443
/ip route
add check-gateway=ping comment="Routing to LTE" disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.99.1 pref-src=0.0.0.0 routing-table=\
main scope=30 suppress-hw-offload=no target-scope=40
add comment="Routing Tailscale" disabled=no distance=1 dst-address=100.64.0.0/10 gateway=172.17.1.2 pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="Routing Peer VPS to LTE" disabled=no distance=1 dst-address=VPS_PUB_IP/32 gateway=192.168.99.1 pref-src=0.0.0.0 routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Routing to VPS" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=185.25.205.1 pref-src=0.0.0.0 routing-table=\
main scope=30 suppress-hw-offload=no target-scope=10
# NOTE(review): nothing in this export selects the WG_DF_VPS or WG_DF_SS tables
# (the only "/routing rule" targets MGMT_TIK_VPS and mangle only clamps MSS), so
# these two default routes currently steer no traffic into wg1/wg2.
add comment="Routing WG VPS - Tabella WG_DF_VPS" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src=0.0.0.0 routing-table=WG_DF_VPS \
scope=30 suppress-hw-offload=no target-scope=10
add comment="Routing WG SurfShark - Tabella WG_DF_SS" disabled=no dst-address=0.0.0.0/0 gateway=wg2 routing-table=WG_DF_SS suppress-hw-offload=no
add comment="Routing Peer VP per MGMT" disabled=no distance=1 dst-address=VPS_ENTRY_POINT/32 gateway=TIM pref-src="" routing-table=MGMT_TIK_VPS \
scope=30 suppress-hw-offload=no target-scope=10
/ip service
# NOTE(review): winbox is not listed here, so it keeps the default (reachable
# from any address); from the WAN side it is only stopped by "Drop any to WAN",
# which in turn depends on the WAN list being what is intended.
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.1.0/24
set ssh address=10.0.1.0/24
set api disabled=yes
set api-ssl disabled=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/routing rule
add action=lookup-only-in-table disabled=no dst-address=VPS_ENTRY_POINT/32 src-address=10.0.1.199/32 table=MGMT_TIK_VPS
/system clock
set time-zone-name=Europe/Rome
/system hardware
set allow-x86-64=yes
/system identity
set name=rossy
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp1.ien.it
add address=ntp2.ien.it
/tool graphing interface
add
/tool graphing resource
# NOTE(review): these NoNAT exceptions only have an effect if LAN<->IoT traffic
# would otherwise hit a masquerade rule, which happens if vlan2/bridge1 are in
# the WAN list; the `include=static` on that list in the full export would do
# exactly that. Confirm the effective list membership before keeping or
# removing them.
add action=accept chain=srcnat comment="NoNAT - LAN to IoT" dst-address=10.0.2.0/24 src-address=10.0.1.0/24
add action=accept chain=srcnat comment="NoNAT - IoT to LAN" dst-address=10.0.1.0/24 src-address=10.0.2.0/24
# NOTE(review): both rules are scoped by out-interface-list=WAN, so their reach
# is exactly what the WAN list contains; with `include=static` on that list in
# the full export, inter-VLAN traffic (bridge1 <-> vlan2) would be masqueraded
# too, which is presumably why the NoNAT exceptions exist.
add action=masquerade chain=srcnat comment="MASQ LAN" out-interface-list=WAN src-address=10.0.1.0/24
add action=masquerade chain=srcnat comment="MASQ IoT" out-interface-list=WAN src-address=10.0.2.0/24
/interface list member
# NOTE(review): these explicit members are the intended LAN/WAN/VPN sets, but the
# lists themselves are declared with include=static / include=all in the full
# export. `static` and `all` are RouterOS built-in lists, so if the include=
# resolves to them, every static interface is already a member of LAN and WAN
# (and every interface of VPN) regardless of what is added here. Verify the
# effective membership on the device.
add interface=bridge1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan99 list=WAN
add interface=TIM list=WAN
add interface=Poste list=WAN
add interface=wg0 list=VPN
add interface=wg1 list=WAN
add interface=wg2 list=WAN
add interface=vnic1 list=WAN
add interface=vnic2 list=WAN
Any suggestion?
Thanks in advance!