Yes, but EoIP tunneling is bridging, right? So this means the user must "extend" his office LAN down to the home. What about the different VLANs in the office?

Or an EoIP layer over WireGuard.
Even ROMON works then.
/interface bridge filter
add action=accept chain=forward dst-address=224.0.0.251/32 dst-mac-address=\
01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 ip-protocol=udp \
mac-protocol=ip out-interface=EoIP src-port=5353 comment=mDNS
add action=accept chain=forward comment=SSDP dst-address=239.255.255.250/32 \
dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 \
ip-protocol=udp mac-protocol=ip out-interface=EoIP
add action=drop chain=output out-interface=EoIP
add action=drop chain=forward out-interface=EoIP
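As an added example (not code from the post above), the following Python models the four bridge-filter rules quoted above and runs constructed sample frames through them, showing which frames may leave toward the EoIP tunnel and where the two dst-mac constants come from (the RFC 1112 IPv4-multicast-to-MAC mapping). The Frame class, the sample frames and the interface name "ether2" are this example's own assumptions.

```python
"""
Added example, not code from the forum post: a small Python model of the four
RouterOS bridge-filter rules quoted above, to show which frames they let cross
the EoIP tunnel and why the two dst-mac constants look the way they do.
The Frame class and the sample frames are this example's own constructions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def ipv4_multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01:00:5E prefix + low 23 bits of the IPv4 group address.

    This is why 224.0.0.251 (mDNS) becomes 01:00:5E:00:00:FB and
    239.255.255.250 (SSDP) becomes 01:00:5E:7F:FF:FA in the rules.
    """
    addr = IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = (0x01005E << 24) | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


@dataclass
class Frame:
    """Only the header fields the quoted rules inspect (simplified, constructed)."""
    chain: str                 # "forward" = bridged through, "output" = router-originated
    out_iface: str
    dst_mac: str
    mac_protocol: str          # "ip", "arp", ...
    dst_ip: Optional[str] = None
    ip_proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


# The rules in the order RouterOS evaluates them: (chain, required field values, action).
RULES = [
    ("forward", {"out_iface": "EoIP", "mac_protocol": "ip", "ip_proto": "udp",
                 "dst_ip": "224.0.0.251", "dst_mac": ipv4_multicast_mac("224.0.0.251"),
                 "src_port": 5353, "dst_port": 5353}, "accept"),            # mDNS
    ("forward", {"out_iface": "EoIP", "mac_protocol": "ip", "ip_proto": "udp",
                 "dst_ip": "239.255.255.250", "dst_mac": ipv4_multicast_mac("239.255.255.250"),
                 "dst_port": 1900}, "accept"),                              # SSDP
    ("output", {"out_iface": "EoIP"}, "drop"),    # nothing the router itself emits
    ("forward", {"out_iface": "EoIP"}, "drop"),   # nothing else bridged toward the tunnel
]


def bridge_filter(frame: Frame) -> str:
    """First matching rule wins; a frame no rule matches is accepted (bridge default)."""
    for chain, required, action in RULES:
        if frame.chain == chain and all(getattr(frame, k) == v for k, v in required.items()):
            return action
    return "accept"


# Constructed sample frames a home LAN might emit toward the bridged tunnel.
MDNS_MAC = ipv4_multicast_mac("224.0.0.251")
SSDP_MAC = ipv4_multicast_mac("239.255.255.250")
SAMPLES = {
    "mdns_query":   Frame("forward", "EoIP", MDNS_MAC, "ip", "224.0.0.251", "udp", 5353, 5353),
    "ssdp_msearch": Frame("forward", "EoIP", SSDP_MAC, "ip", "239.255.255.250", "udp", 51000, 1900),
    # Legacy NetBIOS name-service broadcast (UDP/137 to the subnet broadcast): not a permitted protocol.
    "netbios_ns":   Frame("forward", "EoIP", "FF:FF:FF:FF:FF:FF", "ip", "192.168.0.255", "udp", 137, 137),
    "arp_request":  Frame("forward", "EoIP", "FF:FF:FF:FF:FF:FF", "arp"),
    "smb_unicast":  Frame("forward", "EoIP", "00:11:22:33:44:55", "ip", "192.168.0.6", "tcp", 50123, 445),
    # mDNS group address but an unrelated destination MAC: the dst-mac match fails, so it drops.
    "mdns_wrong_mac": Frame("forward", "EoIP", "00:11:22:33:44:55", "ip", "224.0.0.251", "udp", 5353, 5353),
    # A frame the router itself originates toward the tunnel (output chain).
    "router_output": Frame("output", "EoIP", MDNS_MAC, "ip", "224.0.0.251", "udp", 5353, 5353),
    # The rules only constrain out-interface=EoIP: frames arriving FROM the tunnel toward a
    # LAN port are not filtered here at all, which matters before trusting the far end.
    "from_tunnel_to_lan": Frame("forward", "ether2", "FF:FF:FF:FF:FF:FF", "arp"),
}


def evaluate_samples() -> dict:
    """Return the accept/drop decision for every constructed sample frame."""
    return {name: bridge_filter(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:20s} -> {decision}")
```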
Network discovery is mostly based on broadcast/multicast. And those packets are not routed from one network to another over the router.

... network discovery because network discovery only works for devices on the same subnet?
If you do not already have WINS deployed on your network, do not deploy WINS - instead, deploy Domain Name System (DNS). DNS also provides computer name registration and resolution services, and includes many additional benefits over WINS, such as integration with Active Directory Domain Services.
If you have already deployed WINS on your network, it is recommended that you deploy DNS and then decommission WINS.
And that's a good approach. If you can get these discoverable things into unicast DNS, that's really the best plan. Your options are limited with RouterOS since its DNS services are limited, but if you have Windows Active Directory, that is totally the place to do this. And it will work with WireGuard just fine.

I also think bpwl is onto something... the main devices my partner is trying to access through the WireGuard tunnel are Windows computers and printers... I am already running a Windows Active Directory Domain Controller at work, and I have a server at home the data backs up to. I can make the server at home an additional domain controller and enable its DNS capability; then it should be trivial from there.
Yes, WINS is old, very old, just as I am, and so is NBT (NetBIOS over TCP). It went with the TCP/UDP ports 137, 138 and 139, and was replaced by connection on TCP 445 after Windows 2000.

I was looking into WINS. Microsoft recommends avoiding and decommissioning WINS servers in favour of DNS now:
As for subnets seeing each other's broadcasts, it depends on the protocol.

@UpRunTech, were the subnets you connected via EoIP different? My understanding is that spanning has to be to the same subnet??
Or DISCOVERY needs to be in the same L2 segment. Therefore I don't think it's normally possible...
Hello, but then in the end did you solve it? Could you explain how?

Many thanks to all who have contributed so far. I've got loads of reading to do and my work cut out for me, but this has been fun and got me on the right track to get a solution of some degree to make this work well.
I will say, my Mikrotik and networking experience so far has been along the lines of "If it's difficult, then someone has made a tool/protocol for an easier way". I'm hooked.
... and also can be quite dangerous if your STP goes nuts, then...

I prefer my approach.
Not that many words.
Okay, I've gotten there. But I don't understand how to do it if the two LANs have different subnets.

Set up an EoIP tunnel using the 2 WG endpoint addresses.
Connect that EOIP tunnel on both ends to bridge.
Done.
If you actually read my post you would see that you need to create a common intermediary VLAN (vlan55).

Hi! Sorry, I actually missed your post. I'm a very basic MK user and my scenario is this:

MY LAN (192.168.0.0/24)        REMOTE LAN (192.168.88.0/24)
Synology NAS (192.168.0.6)     SAMSUNG TV (192.168.88.5)
WINDOWS PC (192.168.0.10)      WINDOWS PC (192.168.88.6)
HP PRINT (192.168.0.7)         ANDROID CLIENT (192.168.88.8)
SAMSUNG TV (192.168.0.18)

HAP AC2 (ROS 7.14) <-------WIREGUARD---->> RB MAP (ROS 7.14)
Well, the even older NBF (NetBEUI) came up the other day (viewtopic.php?t=205901). I was left wondering if "NetBIOS discovery" actually works across WG -> EoIP -> LAN+"NetBEUI" - then felt old that I even knew NetBEUI.

Yes, WINS is old, very old, just as I am, and so is NBT (NetBIOS over TCP).

I was looking into WINS. Microsoft recommends avoiding and decommissioning WINS servers in favour of DNS now:
Unless you post your config, I am unable to comment
/export file=anyname youwish ( minus router serial number, public WANIP info, keys, long dhcp lease lists etc.)
While not exact: Apple things always use mDNS, printers also use mDNS, but Google/security cams/VoIP more typically use SSDP. TVs generally do both. The reason it's relevant is that mDNS requires some specific tricks, while if it's only SSDP you might be able to use just an IGMP proxy.

I still don't quite understand the difference between mDNS and SSDP. I think I need both...
Hello! OK, I understand this... is there no possibility to allow all these discovery protocols? (I don't mean to be trivial.) Anyway, I'm talking for example about classic Samba, DLNA, the "cast to screen" service from Android to TV, things like that, in short.
"Network discovery" is pretty broad... SSDP/mDNS aren't the only approaches apps/protocols use, so exactly which devices need to be discovered will be an important detail here too.
# 2024-03-17 17:12:10 by RouterOS 7.14
# software id = XXXXX
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXX
/interface bridge
add admin-mac=XXXXX arp=proxy-arp auto-mac=no comment=defconf \
name=bridge port-cost-mode=short
/interface sstp-server
add comment="VPN - \"RB-Map - Lavoro\"" name=sstp-in1 user=Lavoro
add comment="VPN - \"Valerio\"" name=sstp-in2 user=Valerio
/interface wireless
# managed by CAPsMAN
# channel: 2462/20-eC/gn(17dBm), SSID: XXXXX, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-onlyn comment="Wlan 2.4 Ghz" \
country=no_country_set distance=indoors frequency=auto frequency-mode=\
manual-txpower installation=indoor mode=ap-bridge scan-list=\
2412,2437,2462 ssid=Rete-Privata tx-power=18 tx-power-mode=\
all-rates-fixed wireless-protocol=802.11 wmm-support=enabled
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(21dBm), SSID: XXXXX, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
comment="Wlan 5 Ghz" country=no_country_set distance=indoors frequency=\
auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge \
skip-dfs-channels=10min-cac ssid=Rete-Privata-5 tx-power=22 \
tx-power-mode=all-rates-fixed wireless-protocol=802.11 wmm-support=\
enabled
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="Switch Principale"
set [ find default-name=ether3 ] comment="Centralino VOIP"
set [ find default-name=ether4 ] comment="Camera Luca"
set [ find default-name=ether5 ] comment=NAS
/interface eoip
add comment="EoIP \"RB-Map - Lavoro\"" local-address=192.168.0.206 \
mac-address=XXXXX name=eoip-tunnel1 remote-address=\
192.168.89.206 tunnel-id=7
/interface wireless manual-tx-power-table
# managed by CAPsMAN
# channel: 2462/20-eC/gn(17dBm), SSID: XXXXX, CAPsMAN forwarding
set wlan1 comment="Wlan 2.4 Ghz"
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(21dBm), SSID: XXXXX, CAPsMAN forwarding
set wlan2 comment="Wlan 5 Ghz"
/interface wireless nstreme
# managed by CAPsMAN
# channel: 2462/20-eC/gn(17dBm), SSID: XXXXX, CAPsMAN forwarding
set wlan1 comment="Wlan 2.4 Ghz"
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(21dBm), SSID: XXXXX, CAPsMAN forwarding
set wlan2 comment="Wlan 5 Ghz"
/interface wireguard
add listen-port=13233 mtu=1420 name=WG-RemoteLAN
add listen-port=13232 mtu=1420 name=WG-Roberto
add listen-port=13231 mtu=1420 name=WG-Valerio
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
Default
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-key-update=5m name=Default
/caps-man configuration
add channel.band=2ghz-onlyn .control-channel-width=20mhz .frequency=\
2412,2437,2462 .reselect-interval=1h country=italy datapath=Default \
datapath.bridge=bridge .client-to-client-forwarding=yes mode=ap name=\
XXXXX security=Default ssid=XXXXX
add channel.band=5ghz-n/ac .frequency=5180,5200,5220 .reselect-interval=1h \
.skip-dfs-channels=no .tx-power=24 country="united states" datapath=\
Default datapath.bridge=bridge .client-to-client-forwarding=yes mode=ap \
name=XXXXX security=Default ssid=XXXXX
/caps-man interface
add channel.frequency=2412,2437,2462 comment="Wlan 2.4 Ghz" configuration=\
XXXXX disabled=no l2mtu=1600 mac-address=XXXXX \
master-interface=none name=HAP_AC2_Principale-Wlan1 radio-mac=\
XXXXX radio-name=XXXXX
add comment="Wlan 5 Ghz" configuration=XXXXX disabled=no l2mtu=1600 \
mac-address=XXXXX master-interface=none name=\
HAP_AC2_Principale-Wlan2 radio-mac=XXXXX radio-name=\
XXXXX
add channel.frequency=2412,2437,2462 comment="Wlan 2.4 Ghz" configuration=\
XXXXX disabled=no l2mtu=1600 mac-address=XXXXX \
master-interface=none name=HAP_AC2_Salotto-Wlan1 radio-mac=\
XXXXX radio-name=XXXXX
add comment="Wlan 5 Ghz" configuration=XXXXX disabled=no l2mtu=1600 \
mac-address=XXXXX master-interface=none name=\
HAP_AC2_Salotto-Wlan2 radio-mac=XXXXX radio-name=XXXXX
add channel.frequency=2412,2437,2462 comment="Wlan 2.4 Ghz" configuration=\
XXXXX disabled=no l2mtu=1600 mac-address=XXXXX \
master-interface=none name=RB_MAP_Ingresso-Wlan1 radio-mac=\
XXXXX radio-name=XXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi steering
add name=steering1 neighbor-group=dynamic-XXXXX-2538aa67 rrm=yes wnm=\
yes
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.0.30-192.168.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes authoritative=after-2sec-delay \
interface=bridge lease-time=10m name="DHCP Home"
/ip smb users
set [ find default=yes ] read-only=no
/ppp profile
set *0 dns-server=192.168.0.1 interface-list=LAN local-address=dhcp \
remote-address=vpn
set *FFFFFFFE dns-server=192.168.0.1 local-address=dhcp remote-address=vpn
/queue tree
add comment="- - - - - - - - - - DOWNLOAD LINE - - - - - - - - - -" limit-at=\
1G max-limit=1G name=DOWNLOAD parent=bridge queue=default
add comment="- - - - - - - - - - UPLOAD LINE - - - - - - - - - -" limit-at=1G \
max-limit=1G name=UPLOAD parent=ether1 queue=default
add comment="PRIORITY 1 [VOIP]" limit-at=5M max-limit=10M name=Traffic_IN_1 \
packet-mark="VOIP_RTP - Packet,VOIP_SIP - Packet" parent=DOWNLOAD \
priority=1 queue=default
add comment="PRIORITY 8 [All - Traffic]" name=Traffic_IN_8 packet-mark=\
no-mark parent=DOWNLOAD queue=default
add comment="PRIORITY 1 [VOIP]" limit-at=5M max-limit=10M name=Traffic_OUT_1 \
packet-mark="VOIP_RTP - Packet,VOIP_SIP - Packet" parent=UPLOAD priority=\
1 queue=default
add comment="PRIORITY 8 [All - Traffic]" name=Traffic_OUT_8 packet-mark=\
no-mark parent=UPLOAD queue=default
add comment="PRIORITY 3 [NAS]" limit-at=10M max-limit=400M name=Traffic_IN_3 \
packet-mark="NAS - Packet" parent=DOWNLOAD priority=3 queue=default
add comment="PRIORITY 3 [NAS]" limit-at=10M max-limit=400M name=Traffic_OUT_3 \
packet-mark="NAS - Packet" parent=UPLOAD priority=3 queue=default
add comment="PRIORITY 2 [PS4 & Streaming Service]" limit-at=30M max-limit=\
500M name=Traffic_IN_2 packet-mark=\
"PS4 - Packet,Streaming_Service - Packet" parent=DOWNLOAD priority=2 \
queue=default
add comment="PRIORITY 2 [PS4 & Sreaming Service]" limit-at=30M max-limit=500M \
name=Traffic_OUT_2 packet-mark="PS4 - Packet,Streaming_Service - Packet" \
parent=UPLOAD priority=2 queue=default
/system logging action
add email-to=XXXXX name=Email target=email
/ip smb
set comment=USB_RB_HAP domain=WORKGROUP enabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment="EoIP \"Lavoro\"" ingress-filtering=no interface=\
eoip-tunnel1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set default-profile=default use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WG-Roberto list=LAN
add interface=WG-Valerio list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set authentication=mschap2 certificate=VPN-SSTP enabled=yes \
max-mru=1400 max-mtu=1400 pfs=yes tls-version=only-1.2
/interface wireguard peers
add allowed-address=192.168.89.1/32 comment=\
"Valerio - Cell [IP: 192.168.89.1]" interface=WG-Valerio \
persistent-keepalive=20s public-key=\
"XXXXX"
add allowed-address=192.168.89.33/32 comment=\
"Roberto - Cell [IP: 192.168.89.33]" interface=WG-Roberto \
persistent-keepalive=20s public-key=\
"XXXXX"
add allowed-address=10.10.10.0/30,192.168.53.0/24 comment=\
"VPN - StudioDP [IP: LAN 10.10.10.1 <---> 10.10.10.2 LAN_53]" \
endpoint-address=XXXXX endpoint-port=13231 interface=WG-RemoteLAN \
persistent-keepalive=20s public-key=\
"XXXXX"
add allowed-address=10.10.10.4/30,192.168.54.0/24 comment=\
"VPN - CasaDP [IP: LAN 10.10.10.5 <---> 10.10.10.6 LAN_54]" \
endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
public-key="XXXXX"
add allowed-address=10.10.10.8/30,192.168.50.0/24 comment=\
"VPN - CasaMazzaro [IP: LAN 10.10.10.9 <---> 10.10.10.10 LAN_50]" \
endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
public-key="XXXXX"
add allowed-address=10.10.10.12/30,192.168.52.0/24 comment=\
"VPN - SpSu [IP: LAN 10.10.10.13 <---> 10.10.10.14 LAN_52]" \
endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
public-key="XXXXX"
add allowed-address=10.10.10.16/30,192.168.55.0/24 comment=\
"VPN - CasaDaniAndra [IP: LAN 10.10.10.17 <---> 10.10.10.18 LAN_55]" \
endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
public-key="XXXXX"
add allowed-address=192.168.89.2/32 comment=\
"Valerio - PC HP [IP: 192.168.89.2]" interface=WG-Valerio \
persistent-keepalive=20s public-key=\
"XXXXX"
add allowed-address=10.10.10.20/30,192.168.51.0/24 comment=\
"VPN - RB-Nonna [IP: LAN 10.10.10.21 <---> 10.10.10.22 LAN_51]" \
endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
public-key="XXXXX"
add allowed-address=192.168.89.34/32 comment=\
"Roberto - PC [IP: 192.168.89.34]" interface=WG-Roberto \
persistent-keepalive=20s public-key=\
"XXXXX"
add allowed-address=10.10.10.24/30,192.168.56.0/24 comment=\
"VPN - Carolina&Simone [IP: LAN 10.10.10.25 <---> 10.10.10.26 LAN_56]" \
endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
public-key="XXXXX"
add allowed-address=10.10.10.28/30,192.168.57.0/24 comment=\
"VPN - CasaMichi [IP: LAN 10.10.10.29 <---> 10.10.10.30 LAN_57]" \
endpoint-port=13231 interface=WG-RemoteLAN persistent-keepalive=20s \
public-key="XXXXX"
/interface wireless access-list
add allow-signal-out-of-range=always comment=\
"Allow Connection HP Lavoro Valerio" interface=wlan2 mac-address=\
84:1B:77:8B:CD:B5 signal-range=-80..120
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 enabled=yes interfaces=\
wlan1,wlan2
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
192.168.0.0
add address=192.168.89.0/27 comment=\
"WG-Valerio [192.168.89.1 - 192.168.89.30]" interface=WG-Valerio network=\
192.168.89.0
add address=192.168.89.32/27 comment=\
"WG-Roberto [192.168.89.33 - 192.168.89.62]" interface=WG-Roberto \
network=192.168.89.32
add address=10.10.10.1/30 comment="VPN - StudioDP [10.10.10.1 - 10.10.10.3]" \
interface=WG-RemoteLAN network=10.10.10.0
add address=10.10.10.5/30 comment="VPN - CasaDP [10.10.10.5 - 10.10.10.7]" \
interface=WG-RemoteLAN network=10.10.10.4
add address=10.10.10.9/30 comment=\
"VPN - CasaMazzaro [10.10.10.9 - 10.10.10.11]" interface=WG-RemoteLAN \
network=10.10.10.8
add address=10.10.10.13/30 comment=\
"VPN - SpSu [10.10.10.13 - 10.10.10.15]" interface=WG-RemoteLAN \
network=10.10.10.12
add address=10.10.10.17/30 comment=\
"VPN - CasaDaniAndra [10.10.10.17 - 10.10.10.19]" interface=WG-RemoteLAN \
network=10.10.10.16
add address=10.10.10.21/30 comment=\
"VPN - RB-Nonna [10.10.10.21 - 10.10.10.23]" interface=WG-RemoteLAN \
network=10.10.10.20
add address=10.10.10.25/30 comment=\
"VPN - Carolina&Simone [10.10.10.25 - 10.10.10.27]" interface=\
WG-RemoteLAN network=10.10.10.24
add address=10.10.10.29/30 comment=\
"VPN - CasaMichi [10.10.10.29 - 10.10.10.31]" interface=WG-RemoteLAN \
network=10.10.10.28
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server config
set store-leases-disk=1h
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 domain=\
HomeLAN gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=45.90.28.22,45.90.30.22
/ip dns static
add address=192.168.0.1 comment="[HomeLAN] HAP_AC2" name=Router.HomeLAN
add address=192.168.0.4 comment="[HomeLAN] HAP_AC2_Salotto" name=\
Router2.HomeLAN
add address=192.168.0.20 comment="[HomeLAN] RB_MAP_Ingresso" name=\
Router3.HomeLAN
add address=192.168.0.6 comment="[HomeLAN] NAS_Casa" name=NAS.HomeLAN
add address=192.168.0.5 comment="[HomeLAN] NAS_Casa_BK" name=NAS2.HomeLAN
add address=192.168.0.13 comment="[HomeLAN] PC-Roberto" name=\
PC-Roberto.HomeLAN
add address=192.168.0.17 comment="[HomeLAN] PC-Camera (Luca)" name=\
PC-Camera.HomeLAN
add address=192.168.0.19 comment="[HomeLAN] PC-Valerio (Cameretta)" name=\
PC-Valerio.HomeLAN
add address=192.168.50.1 comment="[LAN50] RB951 \"CasaMazzaro\"" name=\
Router.LAN50
add address=192.168.50.2 comment="[LAN50] PWR-Line-IN" name=Router2.LAN50
add address=192.168.50.3 comment="[LAN50] PWR-Line-Cucina" name=Router3.LAN50
add address=192.168.50.4 comment="[LAN50] PWR-Line-Camere" name=Router4.LAN50
add address=192.168.50.5 comment="[LAN50] PWR-Line-Garage" name=Router5.LAN50
add address=192.168.51.1 comment="[LAN51] RB \"RB-Nonna\"" name=Router.LAN51
add address=192.168.51.2 comment="[LAN51] mAP-Repeater \"RB-Nonna\"" name=\
Router2.LAN51
add address=192.168.52.1 comment="[LAN52] HAP_AC3 \"SplendorSuite\"" name=\
Router.LAN52
add address=192.168.52.2 comment="[LAN52] WAP-103 \"SplendorSuite\"" name=\
Router2.LAN52
add address=192.168.52.3 comment="[LAN52] WAP-101 \"SplendorSuite\"" name=\
Router3.LAN52
add address=192.168.52.4 comment="[LAN52] WAP-SP \"SplendorSuite\"" name=\
Router4.LAN52
add address=192.168.53.1 comment="[LAN53] HAP_AC2 \"StudioDiPirro\"" name=\
Router.LAN53
add address=192.168.53.252 comment="[LAN53] Server HP StudioDPR" name=\
Server.LAN53
add address=192.168.53.242 comment="[LAN53] PC-Fabio \"StudioDiPirro\"" name=\
PC-Fabio.LAN53
add address=192.168.53.249 comment="[LAN53] PC-Stefania \"StudioDiPirro\"" \
name=PC-Stefania.LAN53
add address=192.168.54.1 comment="[LAN54] HAP_AC2 \"CasaDiPirro\"" name=\
Router.LAN54
add address=192.168.54.246 comment="[LAN54] NAS_Home \"CasaDiPirro\"" name=\
NAS.LAN54
add address=192.168.54.147 comment="[LAN54] PC-Michele \"CasaDiPirro\"" name=\
PC-Michele.LAN54
add address=192.168.54.131 comment="[LAN54] PC-ASUS \"CasaDiPirro\"" name=\
PC-ASUS.LAN54
add address=192.168.55.1 comment="[LAN55] HAP_AC2 \"CasaDaniAndra\"" name=\
Router.LAN55
add address=192.168.55.2 comment="[LAN55] PWR-IN \"CasaDaniAndra\"" name=\
Router2.LAN55
add address=192.168.55.3 comment="[LAN55] PWR-Salotto \"CasaDaniAndra\"" \
name=Router3.LAN55
add address=192.168.55.4 comment="[LAN55] PWR-Cameretta \"CasaDaniAndra\"" \
name=Router4.LAN55
add address=192.168.56.1 comment="[LAN56] HAP_AX2 \"Carolina&Simone\"" name=\
Router.LAN56
add address=192.168.57.1 comment="[LAN57] HAP_AX2 \"CasaMichi\"" name=\
Router.LAN57
/ip firewall address-list
add address=192.168.0.12 comment="Sky Q Decoder IP" list=Streaming_Service_IP
add address=192.168.0.9 comment="TV Salotto" list=Streaming_Service_IP
add address=192.168.0.10 comment="TV Stanza Luca" list=Streaming_Service_IP
add address=192.168.0.11 comment="TV Cucina" list=Streaming_Service_IP
/ip firewall filter
add action=drop chain=input comment="[ROS - Security] Drop Ping from WAN" \
in-interface=ether1 protocol=icmp
add action=add-src-to-address-list address-list=Banned_IP \
address-list-timeout=4w2d chain=input comment=\
"[ROS - Security] Port Scanner Detect (Banned)" protocol=tcp psd=\
21,3s,3,1
add action=add-src-to-address-list address-list=Banned_IP \
address-list-timeout=4w2d chain=input comment=\
"[ROS - Security] Brute Froce Access Detect (Banned)" connection-state=\
new disabled=yes dst-port=2190,2295,8081,8291 in-interface-list=!LAN \
protocol=tcp src-address-list=Brute_Force_Attempt_3
add action=add-src-to-address-list address-list=Brute_Force_Attempt_3 \
address-list-timeout=30s chain=input comment=\
"[ROS - Security] Brute Froce Access Detect (Attempt 3)" \
connection-state=new disabled=yes dst-port=2190,2295,8081,8291 \
in-interface-list=!LAN protocol=tcp src-address-list=\
Brute_Force_Attempt_2
add action=add-src-to-address-list address-list=Brute_Force_Attempt_2 \
address-list-timeout=30s chain=input comment=\
"[ROS - Security] Brute Froce Access Detect (Attempt 2)" \
connection-state=new disabled=yes dst-port=2190,2295,8081,8291 \
in-interface-list=!LAN protocol=tcp src-address-list=\
Brute_Force_Attempt_1
add action=add-src-to-address-list address-list=Brute_Force_Attempt_1 \
address-list-timeout=30s chain=input comment=\
"[ROS - Security] Brute Froce Access Detect (Attempt 1)" \
connection-state=new disabled=yes dst-port=2190,2295,8081,8291 \
in-interface-list=!LAN protocol=tcp
add action=drop chain=input comment=\
"[ROS - Security] Drop from Banned_IP List" in-interface-list=!LAN \
src-address-list=Banned_IP
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="[VPN] Allow Wireguard" dst-port=\
13231,13232,13233 in-interface=ether1 protocol=udp
add action=accept chain=input comment="[VPN] Allow SSTP" dst-port=443 \
in-interface=ether1 protocol=tcp
add action=accept chain=input comment="[VPN] Allow IPSec" dst-port=4500 \
in-interface=ether1 protocol=udp
add action=accept chain=input comment=\
"[ROS] Allow FTP - SSH - WebFig - WinBox" dst-port=2190,2295,8081,8291 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="Change MSS" new-mss=\
clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward comment="Change MSS to WG-Valerio (TEST)" \
disabled=yes new-mss=clamp-to-pmtu out-interface=WG-Valerio passthrough=\
yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=forward comment="[VOIP] SIP Connection Mark" \
dst-address=192.168.0.8 dst-port=5060 new-connection-mark=\
"VOIP_SIP - Connection" passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="[VOIP] SIP Packet Mark" \
connection-mark="VOIP_SIP - Connection" new-packet-mark=\
"VOIP_SIP - Packet" passthrough=yes
add action=mark-connection chain=forward comment="[VOIP] RTP Connection Mark" \
dst-address=192.168.0.8 dst-port=5004 new-connection-mark=\
"VOIP_RTP - Connection" passthrough=yes protocol=udp
add action=mark-packet chain=forward comment="[VOIP] RTP Packet Mark" \
connection-mark="VOIP_RTP - Connection" new-packet-mark=\
"VOIP_RTP - Packet" passthrough=yes
add action=change-dscp chain=postrouting comment="[VOIP] DSCP Priority" \
dst-address=192.168.0.8 new-dscp=46 packet-mark="VOIP_RTP - Packet" \
passthrough=yes
add action=mark-connection chain=forward comment=\
"[Streaming Service] Connection Mark" dst-address-list=\
Streaming_Service_IP new-connection-mark="Streaming_Service - Connection" \
passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=\
"[Streaming Service] Packet Mark" connection-mark=\
"Streaming_Service - Connection" new-packet-mark=\
"Streaming_Service - Packet" passthrough=yes
add action=mark-connection chain=forward comment=\
"[PS4 - Luca] Connection Mark" dst-address=192.168.0.14 \
new-connection-mark="PS4 - Connection" passthrough=yes
add action=mark-packet chain=forward comment="[PS4 - Luca] Packet Mark" \
connection-mark="PS4 - Connection" new-packet-mark="PS4 - Packet" \
passthrough=yes
add action=mark-connection chain=forward comment="[NAS] Connection Mark" \
dst-address=192.168.0.6 new-connection-mark="NAS - Connection" \
passthrough=yes
add action=mark-packet chain=forward comment="[NAS] Packet Mark" \
connection-mark="NAS - Connection" new-packet-mark="NAS - Packet" \
passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="[VPN] Traffic OUT for RemoteLAN" \
out-interface=WG-RemoteLAN
add action=masquerade chain=srcnat comment=\
"[VPN] Traffic OUT for RemoteLAN SSTP" out-interface=sstp-in1
add action=dst-nat chain=dstnat comment="[VOIP] UDP Traffic Centralino" \
dst-address=XXXXX dst-port=5004,5060 in-interface=ether1 protocol=\
udp to-addresses=192.168.0.8
add action=dst-nat chain=dstnat comment=\
"[NAS] TCP Traffic HTTP - HTTPS - SFTP - Torrent - eMule" dst-port=\
8080,5001,2224,16881,4662 in-interface=ether1 protocol=tcp to-addresses=\
192.168.0.6
add action=dst-nat chain=dstnat comment="[NAS] UDP Traffic Torrent - eMule" \
dst-port=6881,4672 in-interface=ether1 protocol=udp to-addresses=\
192.168.0.6
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set pptp disabled=yes
/ip route
add comment="Rotta -->> LAN CasaMazzaro" disabled=no distance=1 dst-address=\
192.168.50.0/24 gateway=10.10.10.10 pref-src="" routing-table=main scope=\
30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN SplendorSuite" disabled=no distance=1 \
dst-address=192.168.52.0/24 gateway=10.10.10.14 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN StudioDP" disabled=no distance=1 dst-address=\
192.168.53.0/24 gateway=10.10.10.2 pref-src="" routing-table=main scope=\
30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN CasaDP" disabled=no distance=1 dst-address=\
192.168.54.0/24 gateway=10.10.10.6 pref-src="" routing-table=main scope=\
30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN CasaDaniAndra" disabled=no distance=1 \
dst-address=192.168.55.0/24 gateway=10.10.10.18 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Rotta OUT LAN Lavoro" disabled=no dst-address=192.107.93.0/24 \
gateway=sstp-in1
add comment="Rotta OUT LAN \"Lavoro\"" disabled=no dst-address=\
192.168.116.0/24 gateway=sstp-in1
add comment="Rotta OUT LAN \"Lavoro\"" disabled=no dst-address=\
192.168.125.0/24 gateway=sstp-in1
add comment="Rotta OUT LAN \"Lavoro\"" disabled=no dst-address=\
192.168.126.0/24 gateway=sstp-in1
add comment="Rotta OUT LAN \"Lavoro\"" disabled=no dst-address=\
192.168.127.0/24 gateway=sstp-in1
add comment="Rotta OUT \"RBNonna\" (Accesso 4G Key)" disabled=no dst-address=\
192.168.8.1/32 gateway=*F
add comment="Rotta OUT LAN \"Lavoro\" (Subnet RB)" disabled=no dst-address=\
192.168.88.0/24 gateway=sstp-in1
add comment="Rotta -->> LAN RB-Nonna" disabled=no distance=1 dst-address=\
192.168.51.0/24 gateway=10.10.10.22 pref-src="" routing-table=main scope=\
30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN Carolina&Simone" disabled=no distance=1 \
dst-address=192.168.56.0/24 gateway=10.10.10.26 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Rotta -->> LAN CasaMichi" disabled=no distance=1 dst-address=\
192.168.57.0/24 gateway=10.10.10.30 pref-src="" routing-table=main scope=\
30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp port=2190
set www port=8081
set ssh port=2295
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub disabled=no
add directory=usb1 name=USB
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add local-address=192.168.0.206 name=Lavoro remote-address=192.168.89.206
add name=Valerio
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=HAP_AC2
/system leds
add interface=HAP_AC2_Principale-Wlan1 leds=user-led type=interface-activity
/system logging
set 0 topics=info,!wireguard
add action=Email disabled=yes prefix="[RB_HAP_AC2-Casa]" topics=account
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add comment="Abilita il wireless" disabled=yes interval=1d name=Wlan-on \
on-event="/interface wifi enable wlan1\r\
\n/interface wifi enable wlan2" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
2016-01-15 start-time=06:00:00
add comment="Disabilita il wireless" disabled=yes interval=1d name=Wlan-off \
on-event="/interface wifi disable wlan1\r\
\n/interface wifi disable wlan2" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
2016-01-15 start-time=02:00:00
add comment="Disabilita il wireless (CAPsMAN)" interval=1d name=Caps-off \
on-event="caps-man manager set enabled=no" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
2016-01-15 start-time=02:00:00
add comment="Abilita il wireless (CAPsMAN)" interval=1d name=Caps-on \
on-event="caps-man manager set enabled=yes" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
2016-01-15 start-time=06:00:00
/tool e-mail
set from=<RB951> port=587 server=smtp.gmail.com tls=starttls user=\
XXXXX
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN