I have a WireGuard VPN connecting successfully between London (RB4011) and France (hAP ac²), both on v7.7. The config hasn't changed since I went to v7.7.
I can:
- Reach an RPi in France at 192.168.65.5 (serving HTML, and over SSH) from a machine on the London network (e.g. 192.168.64.15)
- If I connect to the London router as a road warrior, reach a server at 192.168.65.2 and the router itself at 192.168.65.1
Is there anything obvious in my configs that is stopping me from doing that?
You may notice that the Allowed IPs on the France side include 0.0.0.0/0, which I think I need if I want to direct certain French traffic through London via a separate routing table.
Thanks in advance, Charles
London
# feb/25/2023 08:05:07 by RouterOS 7.7
# software id = YCNI-BQ6N
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E30B14AB4C
# --- Interfaces: bridges, ethernet ports, WireGuard, interface lists ---
# Three bridges keep the main LAN (.64), guests (.66) and "machines" (.68) apart.
/interface bridge add comment="Bridge for Guests" name=bridge-guest-66
/interface bridge add comment="Bridge for Machines" name=bridge-machine-68
/interface bridge add admin-mac=C4:AD:34:60:79:47 auto-mac=no comment="Bridge Main - defconf" name=bridge-main-64
# ether1 is the Internet uplink; speed is pinned to 100Mbps with flow control on auto.
/interface ethernet set [ find default-name=ether1 ] comment="To Internet 1" name="ether1 Internet" rx-flow-control=auto speed=100Mbps tx-flow-control=auto
# ether2 advertises only 10M half/full - presumably deliberate for the device attached to it; confirm.
/interface ethernet set [ find default-name=ether2 ] advertise=10M-half,10M-full name="ether2"
/interface ethernet set [ find default-name=ether4 ] name="ether4"
/interface ethernet set [ find default-name=ether6 ] comment="To LondonPi" name="ether6 LondonPi"
/interface ethernet set [ find default-name=ether7 ] auto-negotiation=no
/interface ethernet set [ find default-name=ether8 ] name="ether8"
/interface ethernet set [ find default-name=ether9 ] auto-negotiation=no comment="To UpUp Router" name="ether9 - UpUp"
/interface ethernet set [ find default-name=ether10 ] comment="To Up Router" name="ether10 - Up"
/interface ethernet set [ find default-name=sfp-sfpplus1 ] disabled=yes
# Two WireGuard interfaces on distinct UDP ports: 13232 for road-warrior clients,
# 13231 for the site-to-site tunnel to France. MTU 1450 on both (France uses the same).
/interface wireguard add comment="Wireguard to Road Warriors" listen-port=13232 mtu=1450 name=WireGuard_RoadWarriors
/interface wireguard add comment="Wireguard to France" listen-port=13231 mtu=1450 name=WireGuard_ToFrance
# WAN/LAN are the defconf lists the firewall matches on. 2GHz/5GHz are declared here but
# no member or rule in this export references them.
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=2GHz
/interface list add name=5GHz
# --- Address pools and DHCP servers ---
/ip pool add name=dhcp-pool-home-64 ranges=192.168.64.70-192.168.64.150
# vpn-pool lies inside the main LAN but nothing in this export (DHCP server, PPP profile)
# uses it - possibly a leftover from a pre-WireGuard VPN; safe to remove if so.
/ip pool add name=vpn-pool ranges=192.168.64.201-192.168.64.220
/ip pool add name=dhcp-pool-guest-66 ranges=192.168.66.151-192.168.66.250
/ip pool add name=dhcp-pool-machine-68 ranges=192.168.68.2-192.168.68.254
# One DHCP server per bridge, 1h leases. All three run lease-script=LeaseNameAlignment,
# a script that is not part of this export.
/ip dhcp-server add address-pool=dhcp-pool-home-64 interface=bridge-main-64 lease-script=LeaseNameAlignment lease-time=1h name=dhcp-home-64
/ip dhcp-server add address-pool=dhcp-pool-guest-66 interface=bridge-guest-66 lease-script=LeaseNameAlignment lease-time=1h name=dhcp-guest-66
/ip dhcp-server add address-pool=dhcp-pool-machine-68 interface=bridge-machine-68 lease-script=LeaseNameAlignment lease-time=1h name=dhcp-machine-68
# --- Dynamic routing ---
# The BGP template is enabled and an OSPF instance exists, but no BGP connection and no
# OSPF interface-template appear in this export, so neither should be exchanging routes as
# shown. The OSPF area itself is disabled. Harmless, but both could be disabled if unused.
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
# --- Bridge membership, interface lists, WireGuard peers ---
# ether2/ether4 belong to the "machines" bridge; the remaining ports to the main bridge.
# sfp-sfpplus1, wlan1 and wlan2 are bridge ports but disabled (wlan1/2 appear to be handed
# to CAPsMAN by the orphan `set` line at the end of this section).
/interface bridge port add bridge=bridge-machine-68 comment=defconf ingress-filtering=no interface="ether2"
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface=ether3
/interface bridge port add bridge=bridge-machine-68 comment=defconf ingress-filtering=no interface="ether4"
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface=ether5
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface="ether6"
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface=ether7
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface="ether8"
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface="ether9 - UpUp"
/interface bridge port add bridge=bridge-main-64 comment=defconf ingress-filtering=no interface="ether10 - Up"
/interface bridge port add bridge=bridge-main-64 comment=defconf disabled=yes ingress-filtering=no interface=sfp-sfpplus1
/interface bridge port add bridge=bridge-main-64 comment=defconf disabled=yes ingress-filtering=no interface=wlan1
/interface bridge port add bridge=bridge-main-64 comment=defconf disabled=yes ingress-filtering=no interface=wlan2
# Both WireGuard interfaces and both extra bridges are LAN members, so every filter rule
# that matches in-interface-list=LAN (or !WAN) treats tunnel and guest traffic as LAN.
/interface list member add comment=defconf interface=bridge-main-64 list=LAN
/interface list member add comment=defconf interface="ether1 Internet" list=WAN
/interface list member add interface=WireGuard_RoadWarriors list=LAN
/interface list member add interface=WireGuard_ToFrance list=LAN
/interface list member add interface=bridge-guest-66 list=LAN
/interface list member add interface=bridge-machine-68 list=LAN
# Site-to-site peer. No endpoint-address, so this side never initiates; the France side
# dials in (its export has endpoint-address plus persistent-keepalive).
# allowed-address is WireGuard's cryptokey-routing filter for packets *received* from this
# peer (and for which destinations may be sent to it). 192.168.65.0/24 (France LAN),
# 192.168.1.0/24 (France upstream) and 10.255.255.0/24 (tunnel transfer net) are expected.
# NOTE(review): 192.168.64.0/24 is this router's own LAN. It is not needed for France->London
# traffic, and it makes the tunnel accept packets whose source address claims to be a London
# LAN host instead of dropping them - remove it unless something relies on it.
/interface wireguard peers add allowed-address=192.168.65.0/24,192.168.64.0/24,192.168.1.0/24,10.255.255.0/24 comment="To France" interface=WireGuard_ToFrance public-key="KEY"
# Single road-warrior peer, pinned to one /32 so that client can only use 10.200.0.3.
/interface wireguard peers add allowed-address=10.200.0.3/32 comment=L13 interface=WireGuard_RoadWarriors public-key="KEY"
# NOTE(review): this `set` line lost its menu path in the paste. The parameters
# (caps-man-addresses, discovery-interfaces, interfaces=wlan1,wlan2) look like
# /interface wireless cap - confirm against the live export before re-importing.
set bridge=bridge-main-64 caps-man-addresses=127.0.0.1 discovery-interfaces=bridge-main-64 enabled=yes interfaces=wlan1,wlan2
# --- IP addressing, DHCP client/server networks, DNS ---
/ip address add address=192.168.64.1/24 comment=defconf interface=bridge-main-64 network=192.168.64.0
/ip address add address=192.168.66.1/24 interface=bridge-guest-66 network=192.168.66.0
# Transfer address on the France tunnel; France uses 10.255.255.2/30.
/ip address add address=10.255.255.1/30 interface=WireGuard_ToFrance network=10.255.255.0
# Road-warrior subnet; the router is .1 and clients are addressed via their peer entries.
/ip address add address=10.200.0.1/24 interface=WireGuard_RoadWarriors network=10.200.0.0
/ip address add address=192.168.68.1/24 interface=bridge-machine-68 network=192.168.68.0
# Disabled: this duplicates the France LAN gateway address (192.168.65.1/24 on the France
# bridge) and, if enabled, would shadow the 192.168.65.0/24 route over the tunnel with a
# connected route. Keep it disabled or delete it.
/ip address add address=192.168.65.1/24 disabled=yes interface=WireGuard_ToFrance network=192.168.65.0
# Cloud DDNS publishes the WAN address; presumably what the France peer's endpoint resolves to.
/ip cloud set ddns-enabled=yes
/ip dhcp-client add interface="ether1 Internet"
# All three DHCP networks hand out 192.168.64.10 (a LAN resolver) as DNS; the main network
# also points clients at the router for NTP.
/ip dhcp-server network add address=192.168.64.0/24 comment="Main network" dns-server=192.168.64.10 gateway=192.168.64.1 ntp-server=192.168.64.1
/ip dhcp-server network add address=192.168.66.0/24 comment="Guest Network" dns-server=192.168.64.10 gateway=192.168.66.1
/ip dhcp-server network add address=192.168.68.0/24 comment="Machine Network" dns-server=192.168.64.10 gateway=192.168.68.1
# The router itself resolves via public resolvers (allow-remote-requests is left at default).
/ip dns set servers=8.8.8.8,8.8.4.4
# --- Address lists ---
# Lists actually matched by rules in this export: Camera, not_in_internet, AllowToRouter,
# no_forward_ipv4. GuestNetwork and MainNetwork are defined below but no filter/nat/raw
# rule references them. CatDoor, Alarm, whitelist, myblacklist and the mygreylist* lists are
# referenced by rules but have no static entries here - they may be dynamic or populated by
# a script that is not part of this export.
# NOTE(review): 192.168.68.0/24 (the "machines" bridge) is filed under GuestNetwork and
# 192.168.65.0/24 (the France LAN) under MainNetwork - check the naming is intended.
/ip firewall address-list add address=192.168.68.0/24 list=GuestNetwork
/ip firewall address-list add address=192.168.65.0/24 list=MainNetwork
/ip firewall address-list add address=192.168.64.13 list=Camera
# RFC 6890 special-purpose ranges; matched by the forward rule that drops WAN traffic
# with a non-public source.
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall address-list add address=10.100.0.0/24 list=MainNetwork
/ip firewall address-list add address=192.168.67.0/24 list=GuestNetwork
# NOTE(review): this entry has no address= - a damaged export line or a redacted value.
/ip firewall address-list add list=MainNetwork
/ip firewall address-list add address=192.168.66.0/24 list=GuestNetwork
/ip firewall address-list add address=10.255.255.0/30 list=MainNetwork
/ip firewall address-list add address=10.200.0.0/24 list=MainNetwork
# AllowToRouter = sources accepted by the input chain on any port: main LAN, France LAN,
# road warriors. The France router's tunnel address (10.255.255.2) is not in it, so the
# France router itself only reaches this router via ICMP or reply traffic.
/ip firewall address-list add address=192.168.64.0/24 list=AllowToRouter
/ip firewall address-list add address=192.168.65.0/24 list=AllowToRouter
/ip firewall address-list add address=10.200.0.0/24 list=AllowToRouter
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
# --- Filter rules: forward, input, icmp ---
# Forward chain has no final catch-all drop: only WAN-sourced traffic is dropped at the end,
# so traffic between the main/guest/machine bridges and from both tunnels is accepted unless
# a rule below drops it ("Stop Machines getting to our stuff" is the only such rule and it is
# disabled). Several rules set log-prefix without log=yes; a prefix alone logs nothing.
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
# Inter-site accepts, logged (only new/invalid packets reach here; established ones were
# accepted above).
# NOTE(review): these three accepts sit before "drop invalid", so invalid-state packets to
# .10 or between the two sites are accepted; defconf keeps drop-invalid directly after the
# established/related accept - consider moving it up.
/ip firewall filter add action=accept chain=forward dst-address=192.168.64.0/24 log=yes src-address=192.168.65.0/24
/ip firewall filter add action=accept chain=forward dst-address=192.168.65.0/24 log=yes src-address=192.168.64.0/24
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="CH_Track invalid"
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
# Note the !dstnat match: a WAN connection that *was* DNAT'd (e.g. by the DNS redirect in
# the nat table) passes this rule and is only caught by the final WAN drop below.
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
/ip firewall filter add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
# Camera egress is blocked outright (log-prefix set, log not enabled).
/ip firewall filter add action=drop chain=forward comment="Camera Out" log-prefix="Block Camera out:" out-interface-list=WAN src-address-list=Camera
# Non-terminating: record where the cat door and alarm connect to. CatDoor/Alarm have no
# static entries in this export.
/ip firewall filter add action=add-dst-to-address-list address-list=Catdoor_going_to address-list-timeout=none-static chain=forward comment="Cat Door" log-prefix=Cat src-address-list=CatDoor
/ip firewall filter add action=add-dst-to-address-list address-list=Alarm_going_to address-list-timeout=none-static chain=forward comment=Alarm log-prefix=Alarm src-address-list=Alarm
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix="CH_Track !public" src-address-list=not_in_internet
/ip firewall filter add action=drop chain=forward comment="Stop Machines getting to our stuff" disabled=yes out-interface-list=!WAN src-address=192.168.68.0/24
# Input chain: established first, then full access for AllowToRouter sources, ICMP via the
# icmp sub-chain, and a handful of services open on every interface.
/ip firewall filter add action=accept chain=input comment="accept input established,related,untracked" connection-state=established,related,untracked log-prefix="accept input established,related,untracked"
/ip firewall filter add action=accept chain=input comment="Accept to Router" src-address-list=AllowToRouter
/ip firewall filter add action=jump chain=input comment="jump to ICMP filters" jump-target=icmp protocol=icmp
# NOTE(review): NTP is accepted with no interface match, so the router's NTP server is
# reachable from the Internet. DHCP points only LAN clients at it, so in-interface-list=LAN
# (or !WAN) would be enough.
/ip firewall filter add action=accept chain=input comment="Accept NTP" dst-port=123 protocol=udp
# WireGuard listeners must be reachable from WAN (France and the road warriors initiate).
# WireGuard does not respond to unauthenticated packets, so this exposes little.
/ip firewall filter add action=accept chain=input comment="Wireguard to France" dst-port=13231 log-prefix="CH_Track Wireguard" protocol=udp
/ip firewall filter add action=accept chain=input comment="Wireguard Roadwarriors" dst-port=13232 log-prefix="CH_Track Wireguard" protocol=udp
# Greylist escalation. The mygreylist* lists have no static entries in this export, so as
# shown the first three rules never match. The fourth adds every WAN source not in
# `whitelist` (also undefined here, so effectively every WAN source reaching this point) to
# maybeBlacklist for 1h30m; nothing in this export acts on maybeBlacklist, so it only
# records unsolicited sources.
/ip firewall filter add action=add-src-to-address-list address-list=fulltimeGreylist address-list-timeout=none-static chain=input in-interface-list=WAN src-address-list=mygreylist3
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist3 address-list-timeout=4h chain=input in-interface-list=WAN src-address-list=mygreylist2
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist2 address-list-timeout=2h chain=input in-interface-list=WAN src-address-list=mygreylist
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=!whitelist
# Default-deny for input. Guest/machine hosts are not in AllowToRouter, so they reach the
# router only via ICMP and NTP.
/ip firewall filter add action=drop chain=input comment="Last Rule; Drop Everything" log-prefix="CH_Track Last rule: Input"
# Final WAN drop in forward; also catches the DNAT'd connections the "!dstnat" rule let through.
/ip firewall filter add action=drop chain=forward comment="Drop everything else that has got through" in-interface-list=WAN log-prefix="CH_Track Last Rule: Forward: Drop"
/ip firewall filter add action=drop chain=output dst-address-list=myblacklist log=yes log-prefix="Drop FW Output"
# icmp sub-chain: allow the useful types, drop the rest. Used by both input and forward.
/ip firewall filter add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
/ip firewall filter add action=drop chain=icmp comment="deny all other types"
/ip firewall filter add action=log chain=forward comment="Log last Accepted:" disabled=yes log-prefix="Last Accepted:"
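# --- NAT and raw ---
# Transparent DNS redirect: any DNS query (UDP/TCP 53) not already addressed to the LAN
# resolver 192.168.64.10 is rewritten to it. Restricted to in-interface-list=LAN (the three
# bridges plus both WireGuard interfaces) so that DNS packets arriving on the WAN interface
# are never DNAT'd into the LAN; without the interface match the rule also rewrote
# WAN-originated port-53 connections, which then depended on the forward chain's final
# WAN drop to be discarded.
/ip firewall nat add action=dst-nat chain=dstnat dst-address=!192.168.64.10 dst-port=53 in-interface-list=LAN protocol=udp src-address=!192.168.64.10 to-addresses=192.168.64.10
/ip firewall nat add action=dst-nat chain=dstnat dst-address=!192.168.64.10 dst-port=53 in-interface-list=LAN protocol=tcp src-address=!192.168.64.10 to-addresses=192.168.64.10
# Hairpin: main-LAN clients share a subnet with .10, so their redirected queries are
# masqueraded to the router's address; the reply then comes back through the router and
# is un-DNAT'd. Other subnets route via the router anyway and need no masquerade.
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.64.10 dst-port=53 protocol=udp src-address=192.168.64.0/24
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.64.10 dst-port=53 protocol=tcp src-address=192.168.64.0/24
# defconf outbound masquerade; src-address=0.0.0.0/0 is explicit but equivalent to the default.
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=0.0.0.0/0
# Raw: drop anything to or from myblacklist before connection tracking. myblacklist has no
# static entries in this export (presumably dynamic or script-populated). The first rule has
# a log-prefix but no log=yes, so it logs nothing.
/ip firewall raw add action=drop chain=prerouting log-prefix="Drop Raw" src-address-list=myblacklist
/ip firewall raw add action=drop chain=prerouting dst-address-list=myblacklist log=yes log-prefix="CH_Track Drop PreOut Raw"
/ip firewall raw add action=drop chain=output dst-address-list=myblacklist log=yes log-prefix="CH_Track Drop Output Raw"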
# --- IPsec and static routes ---
# Default IPsec policy disabled: no IPsec in use, WireGuard carries everything.
/ip ipsec policy set 0 disabled=yes
# Routes into the tunnel: the France LAN and France's upstream 192.168.1.0/24. The transfer
# net 10.255.255.0/30 and the road-warrior 10.200.0.0/24 are connected routes and need no
# entry. This side never sends a default route through the tunnel; only the France side
# (its use-WG table) does that.
/ip route add comment=FranceLondon disabled=no distance=1 dst-address=192.168.65.0/24 gateway=WireGuard_ToFrance pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=WireGuard_ToFrance pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# feb/25/2023 09:04:13 by RouterOS 7.7
# software id = KAE3-NN91
#
# model = RBD52G-5HacD2HnD-TC
# serial number = 8D15083D89AA
# --- France router: interfaces ---
# Main LAN bridge (defconf, fixed admin-mac) and a separate guest bridge.
/interface bridge add admin-mac=CC:2D:E0:EB:1D:7A auto-mac=no comment=defconf name=bridge
/interface bridge add name=guest_bridge
# Single WireGuard interface to London, listening on UDP 13231 (same port London uses for
# WireGuard_ToFrance); MTU 1450 matches the London side.
/interface wireguard add comment="Interface in France to London" listen-port=13231 mtu=1450 name=WireGuard_ToUK
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
# --- Pools, DHCP servers, routing tables ---
# NOTE(review): default-dhcp hands out .10-.254, but the firewall below trusts only
# 192.168.65.0/26 and files .128/26 and .192/26 under GuestIP (.64/26 is a disabled GuestIP
# entry). A plain DHCP client that lands above .63 is therefore firewalled as a guest or as
# untrusted - presumably intended, with trusted hosts on static leases; confirm.
/ip pool add name=default-dhcp ranges=192.168.65.10-192.168.65.254
/ip pool add name=guest_dhcp ranges=192.168.67.10-192.168.67.254
/ip dhcp-server add address-pool=default-dhcp interface=bridge name=defconf
/ip dhcp-server add address-pool=guest_dhcp interface=guest_bridge name=guest_dhcp_67
# Extra FIB used by the routing rules at the end to send selected hosts' traffic through
# the tunnel.
/routing table add fib name=use-WG
# --- Bridge ports, interface lists, WireGuard peer ---
# Interface names used here (ether2_Powerline, ether1_SFR, guest_67_*, athome_down, the
# renamed wlans) are defined outside this export.
/interface bridge port add bridge=bridge comment=defconf interface=ether2_Powerline
/interface bridge port add bridge=bridge comment=defconf interface=ether3_Twister
/interface bridge port add bridge=bridge comment=defconf interface=ether4_LegoPi
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface="wlan1 2GHz"
/interface bridge port add bridge=bridge comment=defconf interface="wlan2 5GHz"
/interface bridge port add bridge=guest_bridge ingress-filtering=no interface=guest_67_2ghz
/interface bridge port add bridge=guest_bridge ingress-filtering=no interface=guest_67_5ghz
/interface bridge port add bridge=bridge interface=athome_down
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1_SFR list=WAN
# The tunnel is a LAN member: the input rule "drop all not coming from LAN" does not apply
# to traffic from London, and forward rules matching LAN include it.
/interface list member add interface=WireGuard_ToUK list=LAN
/interface list member add interface=guest_bridge list=LAN
# Site-to-site peer. This side initiates (endpoint-address=London is presumably a DNS name
# for the London router's public/DDNS address) and keeps the tunnel up with 25 s
# keepalives, which is why the London peer entry needs no endpoint.
# allowed-address=0.0.0.0/0 is required for the use-WG default route: WireGuard only sends
# a packet to a peer whose allowed-address covers the destination. The trade-off is that
# any source address received from London is accepted by WireGuard; with a single trusted
# peer that is reasonable, but source filtering on tunnel traffic then has to be done in
# the firewall, not by cryptokey routing.
/interface wireguard peers add allowed-address=0.0.0.0/0 comment="To London" endpoint-address=London endpoint-port=13231 interface=WireGuard_ToUK persistent-keepalive=25s public-key="KEY"
# --- Addressing, WAN DHCP client, LAN DHCP options, DNS ---
# LAN .65.1/24, guest .67.1/24, tunnel transfer 10.255.255.2/30 (London is .1).
/ip address add address=192.168.65.1/24 comment=defconf interface=bridge network=192.168.65.0
/ip address add address=192.168.67.1/24 interface=guest_bridge network=192.168.67.0
/ip address add address=10.255.255.2/30 interface=WireGuard_ToUK network=10.255.255.0
# WAN is behind the SFR box on 192.168.1.0/24 (see the routes and ntp-server below).
# add-default-route=no because the default routes are managed statically further down.
/ip dhcp-client add add-default-route=no comment=defconf interface=ether1_SFR
# Clients are handed public resolvers directly and the SFR box as NTP server.
/ip dhcp-server network add address=192.168.65.0/24 comment=defconf dns-server=9.9.9.9,149.112.112.112 gateway=192.168.65.1 netmask=24 ntp-server=192.168.1.1
/ip dhcp-server network add address=192.168.67.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=192.168.67.1 ntp-server=192.168.1.1
# The router's own resolver answers remote queries. That is safe only because the input
# chain drops non-LAN traffic before anything reaches UDP/TCP 53; if that rule is moved or
# the WireGuard interface leaves the LAN list, this becomes an open resolver on the WAN side.
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,4.4.4.4
# --- Address lists ---
# Referenced by rules in this export: Camera, CameraAllowed, not_in_internet,
# TrustedIPaddresss, whitelist, GuestIP, no_forward_ipv4, bad_ipv4, not_global_ipv4,
# bad_src_ipv4, bad_dst_ipv4 and Winbox_attempt (written by the "Winbox attempts" rule).
# AllowedToRouter is defined but no rule below uses it - the input chain matches
# TrustedIPaddresss, which holds the same entries plus 192.168.1.1 - so it can be removed
# to stop the two lists drifting apart. Blacklist (raw drops) and maybeBlacklist (written
# by the input chain) have no static entries here; promotion between them is presumably
# done by a script that is not exported.
/ip firewall address-list add address=192.168.65.12 comment="Back Door" list=Camera
/ip firewall address-list add address=192.168.65.7 comment=R4 list=Camera
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
# The only destinations cameras may reach on the Internet (public resolvers).
/ip firewall address-list add address=8.8.8.8 list=CameraAllowed
/ip firewall address-list add address=192.168.1.254 list=whitelist
/ip firewall address-list add address=8.8.4.4 list=CameraAllowed
/ip firewall address-list add address=192.168.65.15 comment=Garden list=Camera
/ip firewall address-list add address=9.9.9.9 list=CameraAllowed
# 80.6.235.129 is a single public address (presumably the London site's WAN) that is
# trusted for Winbox/SSH from the Internet; only the first 64 LAN addresses (.65.0/26) are trusted.
/ip firewall address-list add address=10.200.0.0/24 list=AllowedToRouter
/ip firewall address-list add address=192.168.64.0/24 list=AllowedToRouter
/ip firewall address-list add address=192.168.65.0/26 list=AllowedToRouter
/ip firewall address-list add address=80.6.235.129 list=AllowedToRouter
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=192.168.1.1 list=whitelist
/ip firewall address-list add address=192.168.65.0/26 comment="IP Range 2-62" list=whitelist
/ip firewall address-list add address=192.168.64.0/24 list=whitelist
# NOTE(review): this entry has no address= - a damaged export line or a redacted value.
/ip firewall address-list add disabled=yes list=whitelist
/ip firewall address-list add address=192.168.65.0/26 list=TrustedIPaddresss
/ip firewall address-list add address=192.168.64.0/24 list=TrustedIPaddresss
/ip firewall address-list add address=80.6.235.129 list=TrustedIPaddresss
/ip firewall address-list add address=10.200.0.0/24 list=TrustedIPaddresss
/ip firewall address-list add address=192.168.1.1 list=TrustedIPaddresss
# Guest ranges: the guest bridge plus the upper three /26 of the main LAN (.64/26 disabled).
/ip firewall address-list add address=192.168.67.0/24 list=GuestIP
/ip firewall address-list add address=192.168.65.192/26 list=GuestIP
/ip firewall address-list add address=192.168.65.64/26 disabled=yes list=GuestIP
/ip firewall address-list add address=192.168.65.128/26 list=GuestIP
# defconf bogon lists for the raw chain.
/ip firewall address-list add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
/ip firewall address-list add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
/ip firewall address-list add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
/ip firewall address-list add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
# One static entry; the rest are added dynamically by the "Winbox attempts" input rule.
/ip firewall address-list add address=129.41.46.4 list=Winbox_attempt
# --- Filter rules: input, forward, icmp ---
# Input chain order: established/related/untracked, all ICMP (no rate limit; the stricter
# icmp sub-chain below is only used by forward), Winbox logging and accept, then the
# defconf "drop all not coming from LAN". Every later input rule only sees LAN, guest and
# tunnel sources.
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
# Non-terminating: record and log untrusted Winbox attempts (from any interface); trusted
# sources are then accepted, untrusted ones fall to the !LAN drop or the final drop.
/ip firewall filter add action=add-src-to-address-list address-list=Winbox_attempt address-list-timeout=none-static chain=input comment="Winbox attempts " dst-port=8291 log=yes log-prefix="8291 attempt" protocol=tcp src-address-list=!TrustedIPaddresss
/ip firewall filter add action=accept chain=input comment="Accept Winbox" dst-port=8291 log=yes log-prefix="CH_Track: Allow in Winbox" protocol=tcp src-address-list=TrustedIPaddresss
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: ipsec accept (unused), fasttrack, established, then the two inter-site accepts.
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# NOTE(review): these accepts precede "drop invalid", so invalid-state packets between
# 192.168.64.0/24 and 192.168.65.0/24 are accepted; defconf keeps drop-invalid directly
# after the established accept.
/ip firewall filter add action=accept chain=forward dst-address=192.168.64.0/24 log=yes src-address=192.168.65.0/24
/ip firewall filter add action=accept chain=forward dst-address=192.168.65.0/24 log=yes src-address=192.168.64.0/24
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Accept to Router" src-address-list=TrustedIPaddresss
# NOTE(review): the !LAN drop above is terminal for WAN traffic, so this WireGuard accept
# never matches a packet from the Internet. The tunnel still works because this side
# initiates and London's replies are accepted as established. If London should ever be
# able to initiate (e.g. after a reboot here with no keepalive yet sent), move this rule
# above "drop all not coming from LAN".
/ip firewall filter add action=accept chain=input comment="Wireguard to London" dst-port=13231 log-prefix="CH_Track Wireguard 13231" protocol=udp
# Logs every SSH attempt to the router except from 192.168.64.6; after the !LAN drop, so
# it only ever sees LAN-side and tunnel sources.
/ip firewall filter add action=log chain=input comment="Track Dodgy SSH" dst-port=22 log-prefix="CH_Track Dodgy SSH" protocol=tcp src-address=!192.168.64.6
/ip firewall filter add action=accept chain=input comment="Accept SSH" dst-port=22 log=yes log-prefix="CH_Track: Allow in SSH" protocol=tcp src-address-list=TrustedIPaddresss
# The comment on this rule is copied from defconf and does not describe it: it is
# non-terminating and records every source not in `whitelist` that reaches this point
# (LAN/guest hosts outside 192.168.65.0/26 and 192.168.64.0/24) into maybeBlacklist;
# nothing in this export acts on that list. Consider renaming the comment.
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=none-dynamic chain=input comment="defconf: drop all not coming from LAN" src-address-list=!whitelist
# Default-deny for input (log-prefix set, log not enabled).
/ip firewall filter add action=drop chain=input comment="Last Rule: Drop Everything" log-prefix=Last
/ip firewall filter add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
# Guests may only go out to WAN; cameras may only reach CameraAllowed, everything else they
# try is recorded (non-terminating) and then dropped. The forward chain has no final drop,
# so anything not matched here - including road-warrior 10.200.0.0/24 traffic arriving over
# the tunnel - is accepted by the default action.
/ip firewall filter add action=drop chain=forward comment="Stop Guests getting to our stuff" out-interface-list=!WAN src-address-list=GuestIP
/ip firewall filter add action=add-dst-to-address-list address-list=CameraGoingTo address-list-timeout=none-static chain=forward comment="Log Cameras going out" dst-address-list=!CameraAllowed log-prefix=Camera: out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=drop chain=forward comment="Stop Cameras going out" dst-address-list=!CameraAllowed log-prefix=Camera: out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN src-address-list=not_in_internet
# Two disabled output-log rules, apparently left over from debugging the tunnel.
/ip firewall filter add action=log chain=output disabled=yes dst-address=10.200.0.2
/ip firewall filter add action=log chain=output disabled=yes dst-port=13231 protocol=udp
# icmp sub-chain (forward only): allow the useful types, drop the rest.
/ip firewall filter add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
/ip firewall filter add action=drop chain=icmp comment="deny all other types"
/ip firewall filter add action=log chain=forward comment="Log last Accepted:" disabled=yes log-prefix="Last Accepted:"
# --- NAT and raw ---
# Outbound masquerade on WAN (defconf).
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Raw prerouting: Blacklist drops first (the list has no static entries in this export).
# The first rule has no log; the second sets a prefix but not log=yes, so only the output
# rule actually logs.
/ip firewall raw add action=drop chain=prerouting comment="For Packets coming from Blacklist" src-address-list=Blacklist
/ip firewall raw add action=drop chain=prerouting comment="For Packets passing through the Router" dst-address-list=Blacklist log-prefix="Raw Pre Drop"
/ip firewall raw add action=drop chain=output comment="For Packets originating from the Router" dst-address-list=Blacklist log=yes log-prefix="Raw Output Drop:"
# NOTE(review): in MikroTik's reference firewall this "transparent firewall" accept is
# shipped disabled; here it is enabled. An accept in raw is terminal, so every packet that
# survives the Blacklist drops leaves the raw chain right here and none of the rules after
# it - DHCP-discover accept, bogon drops, the SFR exception, non-global-from-WAN drop, bad
# UDP/TCP-flag checks, the icmp4 rate limits - is ever evaluated. If that filtering is meant
# to be active, re-add disabled=yes to this rule; the filter chains are unaffected either way.
/ip firewall raw add action=accept chain=prerouting comment="defconf: enable for transparent firewall"
/ip firewall raw add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
# The SFR box upstream is in 192.168/16, which "drop non global from WAN" below would
# otherwise discard; this exception only matters once the chain is live.
/ip firewall raw add action=accept chain=prerouting comment="Charlie: accept everything else from SFR" src-address=192.168.1.0/24
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address=192.168.65.0/24 in-interface-list=WAN
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" disabled=yes in-interface-list=LAN src-address=!192.168.65.0/24
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
/ip firewall raw add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
/ip firewall raw add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
/ip firewall raw add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
/ip firewall raw add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
/ip firewall raw add action=drop chain=prerouting comment="defconf: drop the rest"
# bad_tcp: drop impossible TCP flag combinations and port 0.
/ip firewall raw add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
/ip firewall raw add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
/ip firewall raw add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
# icmp4: rate-limited echo/echo-reply, the useful error types, drop the rest.
/ip firewall raw add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
/ip firewall raw add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
/ip firewall raw add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
# --- IPsec, routes, routing rules ---
/ip ipsec policy set 0 disabled=yes
# Routes through the tunnel: the London LAN and the road-warrior pool (so replies to
# 10.200.0.x clients that arrive via London go back the same way). The transfer net
# 10.255.255.0/30 is a connected route.
/ip route add disabled=no distance=1 dst-address=192.168.64.0/24 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no dst-address=10.200.0.0/24 gateway=WireGuard_ToUK routing-table=main suppress-hw-offload=no
# use-WG holds only a default route via the tunnel; selected by the rules below.
/ip route add comment="So certain source IPs go through the WG VPN - look in Routing Rules" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WireGuard_ToUK pref-src=0.0.0.0 routing-table=use-WG scope=10 suppress-hw-offload=no target-scope=10
# Main-table defaults: 1.1.1.1 is pinned via the SFR box and used as a recursive gateway
# that is pinged (check-gateway) for the primary default; SFR_SIM (an interface not in
# this export) is the distance-2 backup with 1.0.0.1 pinned to it the same way.
/ip route add disabled=no dst-address=1.1.1.1/32 gateway=192.168.1.1 routing-table=main scope=10 suppress-hw-offload=no
/ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=11
/ip route add disabled=no dst-address=1.0.0.1/32 gateway=SFR_SIM routing-table=main scope=10 suppress-hw-offload=no
/ip route add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=SFR_SIM routing-table=main scope=30 suppress-hw-offload=no target-scope=11
# All three rules are disabled. NOTE(review): lookup-only-in-table gives these hosts *only*
# the use-WG table, which has just the default route - so besides Internet traffic, anything
# the router would normally route from main (the guest subnet, the 192.168.1.0/24 upstream)
# is also sent to London. If that is not wanted, action=lookup falls back to main when
# use-WG has no match.
/routing rule add action=lookup-only-in-table comment="Pixel 5" disabled=yes src-address=192.168.65.20/32 table=use-WG
/routing rule add action=lookup-only-in-table comment=TV disabled=yes src-address=192.168.65.26/32 table=use-WG
/routing rule add action=lookup-only-in-table comment=T480 disabled=yes src-address=192.168.65.18/32 table=use-WG