More details:
Mikrotik router's IP is 192.168.162.1, OpenWrt router's IP is 192.168.77.1 and have WLAN in AP mode. Both have internet on WAN port and both have DHCP servers. Printer has IP 192.168.77.200.
Diagram: Mikrotik config:
Code: Select all
# mar/29/2023 21:06:55 by RouterOS 7.8
# software id = JDS9-ZLIT
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXXXXX
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=poland disabled=no installation=indoor mode=ap-bridge ssid=KRS
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=poland disabled=no installation=indoor mode=\
ap-bridge ssid=KRS wps-mode=disabled
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
name=Hotspot supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name=huawei \
supplicant-identity=""
/ip pool
add name=dhcp ranges=192.168.162.100-192.168.162.255
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=1h name=dhcp
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=wlan1
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=*2 cipher=aes256-cbc default-profile=openvpn \
enabled=yes require-client-certificate=yes
/interface wireguard peers
add allowed-address=10.0.0.2/32 interface=wireguard1 public-key=\
""
add allowed-address=10.0.0.3/32 interface=wireguard1 public-key=\
""
/ip address
add address=192.168.162.1/24 interface=ether2 network=192.168.162.0
add address=192.168.8.2/24 disabled=yes interface=ether1 network=192.168.8.0
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface=ether1
add disabled=yes interface=wlan2
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.162.0/24 dns-server=192.168.162.1 gateway=192.168.162.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.162.10 name=raspberrypi.karnas
add address=192.168.162.1 name=routeros.karnas
add address=192.168.162.105 name=lgtv.karnas
add address=192.168.162.11 name=pihole.karnas
/ip firewall address-list
add address=192.168.162.2-192.168.162.254 list=allowed_to_router
add address=192.168.8.1-192.168.8.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=XXX.XXX.XXX.XXX list=WAN
add address=192.168.162.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment=\
"defconf: drop all not coming from LAN - OFF" disabled=yes \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="drop input - OFF" disabled=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP - OFF" disabled=yes \
in-interface=ether1 log=yes log-prefix=!public src-address-list=\
not_in_internet
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Pi Server" dst-address=\
XXX.XXX.XXX.XXX dst-port=80,443 protocol=tcp to-addresses=192.168.162.10
add action=dst-nat chain=dstnat comment="SSH Raspberry Pi" dst-address=\
XXX.XXX.XXX.XXX dst-port=16222 protocol=tcp to-addresses=192.168.162.10 \
to-ports=22
add action=masquerade chain=srcnat comment="NAT Loopback" dst-address=\
192.168.162.10 out-interface=bridge1 protocol=tcp src-address=\
192.168.162.0/24
add action=dst-nat chain=dstnat comment="Supla App Pi Docker" dst-address=\
XXX.XXX.XXX.XXX dst-port=2015,2016 protocol=tcp to-addresses=\
192.168.162.10
add action=dst-nat chain=dstnat comment="Moonlight Internet Stream" \
dst-address=XXX.XXX.XXX.XXX dst-port=47984,47989,48010 protocol=tcp \
to-addresses=192.168.162.100
add action=dst-nat chain=dstnat comment="Moonlight Internet Stream" \
dst-address=XXX.XXX.XXX.XXX dst-port=47998,47999,48000,48002,48010 \
protocol=udp to-addresses=192.168.162.100
add action=dst-nat chain=dstnat comment="COD Warzone" dst-address-list=WAN \
dst-port=3074,27014-27050 protocol=tcp to-addresses=192.168.162.100
add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=\
3074,3478,4379-4380,27000-27031,27036 protocol=udp to-addresses=\
192.168.162.100
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.8.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=1622
set api disabled=yes
set api-ssl disabled=yes
/ppp profile
add dns-server=172.31.88.1 local-address=10.0.0.1 name=openvpn \
remote-address=*2 use-encryption=required
/ppp secret
add name=user profile=openvpn service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/system script
add dont-require-permissions=no name=WakeOnLan_MSI-B660-KRS owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="tool wol interface=ether3 mac=XXXXXXXXXXXXXXXXX"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN