please help with setting wireguard. I have public IP on hAP AX2 and no public IP on hAP AC3. I have handshake but I can not ping from one device to another... I have deleted some private in export..please check wireguard setting and help me...
hAP AX2 with public IP
Code: Select all
/interface bridge
add admin-mac=:A9:08 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=:DD:78 name=\
"ether1 POE"
set [ find default-name=ether2 ] mac-address=:DD:79 name=\
"ether2 Internet"
set [ find default-name=ether3 ] name="ether3 NAS"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge=bridge comment=defconf interface="ether3 NAS"
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface="MATRIX 5G"
add bridge=bridge comment=defconf interface="MATRIX 2G"
add bridge=bridge interface="ether1 POE"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether2 Internet" list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.1.168.101/24,10.1.168.38/24 endpoint-address=\
185.5.225.240 endpoint-port=13231 interface=wireguard1 \
persistent-keepalive=25s public-key=\
"yh5i1.......="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.255.255.1/30 interface=wireguard1 network=10.255.255.0
/ip dhcp-client
add comment=defconf interface="ether2 Internet"
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add list=ddos-attackers
add list=ddos-targets
/ip firewall filter
add action=drop chain=forward disabled=yes src-address=192.168.1.12
add action=accept chain=forward dst-address=109.105.48.0/24 src-address=\
10.1.168.0/24
add action=accept chain=forward dst-address=10.1.168.0/24 src-address=\
109.105.48.0/24
add action=jump chain=forward comment=DDOS connection-state=new jump-target=\
detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos comment=DDOS
add action=add-src-to-address-list address-list=bruteforce_blacklist \
address-list-timeout=4w2d chain=input comment="BRUTEFORCE Blacklist" \
connection-state=new dst-port=22 protocol=tcp src-address-list=\
connection3
add action=add-src-to-address-list address-list=connection3 \
address-list-timeout=1d chain=input comment="Third attempt" \
connection-state=new dst-port=22 protocol=tcp src-address-list=\
connection2,!secured
add action=add-src-to-address-list address-list=connection2 \
address-list-timeout=5h chain=input comment="Second attempt" \
connection-state=new dst-port=22 protocol=tcp src-address-list=\
connection1
add action=add-src-to-address-list address-list=connection1 \
address-list-timeout=2h chain=input comment="First attempt" \
connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment=BRUTEFORCE dst-port=22 protocol=tcp \
src-address-list=!bruteforce_blacklist
add action=return chain=detect-ddos comment="SYN Flood" dst-limit=\
32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
185.5.225.240
# zerotier1 not ready
add action=accept chain=input in-interface=zerotier1
# zerotier1 not ready
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-targets \
src-address-list=ddos-attackers
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wireguard1 \
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wireguard1 \
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set show-dummy-rule=no
/ip upnp interfaces
add interface=bridge type=internal
add interface="ether1 POE" type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="TAP AX2"
/tool graphing
set store-every=hour
/tool graphing interface
add allow-address=192.168.1.0/24
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="" host=192.168.2.4 http-codes="" interval=1m \
test-script="" timeout=1s type=simple up-script=""
add disabled=no down-script="" host=192.168.1.11 http-codes="" interval=1m \
test-script="" timeout=1s type=simple up-script=""
add disabled=no down-script="" host=192.168.2.2 http-codes="" interval=1m \
test-script="" timeout=1s type=simple up-script=""
add disabled=no down-script="" host=192.168.2.3 http-codes="" interval=1m \
test-script="" timeout=1s type=simple up-script=""
add disabled=no down-script="" host=192.168.2.5 http-codes="" test-script="" \
type=simple up-script=""
add disabled=no down-script="" host=192.168.2.6 http-codes="" test-script="" \
type=simple up-script=""
add disabled=no down-script="" host=192.168.3.2 http-codes="" test-script="" \
type=simple up-script=""
add disabled=no down-script="" host=192.168.3.3 http-codes="" interval=1m \
test-script="" timeout=1s type=simple up-script=""
add disabled=no down-script=":log error \"Ping to 8.8.8.8 LOST\"" host=\
8.8.8.8 http-codes="" interval=1m test-script="" timeout=1s type=simple \
up-script=":log error \"Ping to 8.8.8.8 OK\""
add disabled=no down-script="" host=192.168.3.1 http-codes="" test-script="" \
type=simple up-script=""
add disabled=no down-script="" host=192.168.4.1 http-codes="" test-script="" \
type=simple up-script=""
Code: Select all
/interface bridge
add admin-mac=:A4:CC auto-mac=no comment=defconf name=bridge
add name="bridge Bratr" protocol-mode=stp
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip kid-control
add mon=7h-22h name=ECHO sat=7h-22h sun=7h-22h thu=7h-22h tue=7h-22h wed=\
7h-22h
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface="ether1 Internet" list=WAN
add interface=bridge list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=109.105.48.173/24 endpoint-address=109.105.48.173 \
endpoint-port=13231 interface=wireguard1 persistent-keepalive=25s \
public-key="Jgyhw......."
/ip address
add address=192.168.3.1/24 comment=defconf interface=bridge network=\
192.168.3.0
add address=192.168.2.1/24 interface="bridge Bratr" network=192.168.2.0
add address=10.255.255.2/24 interface=wireguard1 network=10.255.255.0
/ip dhcp-client
add comment=defconf interface="ether1 Internet"
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.3.1 comment=defconf name=router.lan
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=accept chain=forward dst-address=10.1.168.0/24 src-address=\
109.105.48.0/24
add action=accept chain=forward dst-address=109.105.48.0/24 src-address=\
10.1.168.0/24
add action=drop chain=forward comment=Ring disabled=yes src-address=\
192.168.3.187
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
109.105.48.173
add action=accept chain=input in-interface=zerotier5
add action=accept chain=forward in-interface=zerotier5
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"\"defconf: accept to local loopback (for CAPsMAN)\"" disabled=yes \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip kid-control device
add mac-address=:4F:AA name=ECHO user=ECHO
/ip route
add disabled=no distance=2 dst-address=192.168.1.0/24 gateway=wireguard1 \
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
/ip smb shares
set [ find default=yes ] disabled=yes
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add disabled=yes interface="ether1 Internet" type=external
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="Rap AC3"
/system logging
add disabled=yes topics=wireguard
add topics=firewall
add disabled=yes topics=wireguard
/tool graphing
set store-every=hour
/tool graphing interface
add allow-address=192.168.3.0/24
add allow-address=192.168.1.0/24 store-on-disk=no
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool traffic-monitor
add disabled=yes interface=bridge name=tmonBridge on-event=\
"log info \"Traffic\"" traffic=received