# --- Router "MikroTik_36" (LAN 192.168.36.0/24): interfaces ---
# Export of a RouterOS v7 box (the /routing bgp template syntax further
# down is v7-only).  Exports list only non-default values, so anything
# not shown here is at its default.
/interface bridge
add admin-mac=C4:AD:34:D7:15:C2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1500
set [ find default-name=ether4 ] l2mtu=1500
set [ find default-name=ether5 ] l2mtu=1500
# WAN uplink is PPPoE on ether1.  Only the username is exported; the
# password is not on this page (presumably withheld by the export), so it
# cannot be reviewed here.  use-peer-dns=yes adds the ISP's resolvers as
# dynamic upstreams next to the static one set under /ip dns.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=v42049471
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# supplicant-identity=MikroTik is the default-config value; no wireless
# interface or passphrase appears in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# --- IPsec: site-to-site to peer "Athens" (remote LAN 192.168.35.0/24) ---
# The mode-config connection-mark is referenced only by the (disabled)
# mangle rule that marks VPN-destinations connections as via-ipsec.
/ip ipsec mode-config
set [ find default=yes ] connection-mark=via-ipsec
# IKEv2 peer; the remote address is redacted as HIDDEN in this export.
# How it authenticates is set under /ip ipsec identity further down.
/ip ipsec peer
add address=HIDDEN exchange-mode=ike2 local-address=192.168.36.1 \
name=Athens
# Phase 1: AES-256 / SHA-256 / DH group 14 (modp2048), 8h lifetime.
# Phase 2: AES-256-CBC / SHA-256 with PFS on modp2048, 8h lifetime.
# This is a sound current baseline; AES-GCM would drop the separate
# integrity algorithm but is not required.
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=8h pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.36.10-192.168.36.254
# Pool for remote-access (PPP) clients via the default ppp profile below.
# 192.168.89.0/24 is also the source the "Mikrotik Management" input rule
# trusts for Winbox, so any PPP client gets management access.
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=bridge lease-time=1h \
name=defconf
/port
set 0 name=serial0
# *FFFFFFFE is the export's internal id, presumably for the built-in
# "default" ppp profile.  PPP clients get 192.168.36.1 as DNS; note that
# the input chain below only accepts 8291 from them, not 53, so that
# resolver would not actually be reachable for them.
/ppp profile
set *FFFFFFFE dns-server=192.168.36.1 local-address=192.168.89.1 \
remote-address=vpn
# Routing-protocol skeletons (v7 syntax).  The OSPF area is disabled and
# no BGP connection is defined on this page, so neither is active.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# ether1 is deliberately not a bridge port: it carries the PPPoE uplink.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is fully disabled, so the IPv4 firewall below is the whole perimeter.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
# L2TP server is IPsec-wrapped but no enabled=yes is exported, so it is
# off; the matching input accepts for UDP 500/4500/1701 are disabled too.
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
# OpenVPN server digest list still allows md5 and sha1.  The server is
# not enabled in this export, so nothing listens, but the setting should
# be tightened to a SHA-2 digest before it is ever switched on.
/interface ovpn-server server
set auth=sha1,md5
# SSTP server: not enabled here either; the profile only matters once it is.
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.36.1/24 comment=defconf interface=bridge network=\
192.168.36.0
# Cloud DDNS publishes the public address to MikroTik's service every 5
# minutes; presumably what the HIDDEN WAN-IP entry and the peer rely on.
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
# Disabled: the address on ether1 comes from PPPoE, not DHCP.
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# Static leases.  Two entries claim 192.168.36.100 (two Toshiba client
# ids); the second is disabled, so there is no conflict today, but
# re-enabling it would collide.
/ip dhcp-server lease
add address=192.168.36.222 client-id=1:0:11:32:be:e1:ca comment=Synology \
mac-address=00:11:32:BE:E1:CA server=defconf
add address=192.168.36.221 mac-address=D4:5E:EC:39:D0:8D server=defconf
add address=192.168.36.220 mac-address=AC:D5:64:6C:62:A9 server=defconf
add address=192.168.36.200 client-id=1:9c:93:4e:ac:5e:2d comment=Xerox_VRN \
mac-address=9C:93:4E:AC:5E:2D server=defconf
add address=192.168.36.100 client-id=1:0:e0:4c:68:1:b8 comment=\
"Toshiba Click2Pro" mac-address=00:E0:4C:68:01:B8 server=defconf
add address=192.168.36.254 client-id=1:fc:5b:39:7d:b3:d8 comment=CiscoAP \
mac-address=FC:5B:39:7D:B3:D8 server=defconf
add address=192.168.36.100 client-id=1:0:e0:6c:38:69:82 comment=\
"Toshiba Click2Pro" disabled=yes mac-address=00:E0:6C:38:69:82 server=\
defconf
# LAN clients are handed 1.1.1.1 and 8.8.8.8 directly, so they bypass
# the router's own resolver (94.140.14.14 below).  If the router-side
# DNS is meant to filter anything, point clients at 192.168.36.1 instead.
/ip dhcp-server network
add address=192.168.36.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
gateway=192.168.36.1 netmask=24
# The resolver answers remote queries; that is only safe because the
# input chain's final rule drops everything not arriving from the LAN
# list.  Keep that rule when editing the firewall.
/ip dns
set allow-remote-requests=yes servers=94.140.14.14
/ip dns static
add address=192.168.36.1 comment=defconf name=router.lan
# WAN-IP: this router's own public address (redacted), used by the
# dst-nat rules.  VPN-destinations: an FQDN entry is resolved by the
# router and only the returned addresses are listed, so a site served
# from many CDN addresses may be covered only partially.
/ip firewall address-list
add address=HIDDEN list=WAN-IP
add address=wtfismyip.com list=VPN-destinations
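# --- Firewall filter (IPv4 only; IPv6 is disabled above) ---
# Input chain is evaluated top-down: every accept placed above the final
# "drop all not coming from LAN" rule is an exposure decision.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# TCP/1723 (PPTP) was accepted from any source, yet no
# "/interface pptp-server server set enabled=yes" appears in this export,
# so the accept had no listener behind it.  Disabled, matching how the
# other unused service accepts at the end of this chain (IKE, NAT-T,
# L2TP, SSTP) are kept.  If remote access is wanted, enable L2TP/IPsec
# or SSTP instead: PPTP's MS-CHAPv2/MPPE are considered broken.
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
# Winbox (8291) from the PPP pool and from the Athens LAN.  Traffic from
# Athens arrives decapsulated on the WAN interface, which is why it needs
# its own accept rather than being covered by the LAN list.
add action=accept chain=input comment="Mikrotik Management" dst-port=8291 \
protocol=tcp src-address=192.168.89.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
192.168.35.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Catch-all.  This also drops DNS (53) from PPP clients, although the ppp
# profile hands them 192.168.36.1 as resolver; add an accept for 53 from
# 192.168.89.0/24 above this line if a PPP server is ever enabled.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain: IPsec-policy traffic is accepted before fasttrack so
# tunnelled flows are not offloaded past the IPsec hooks (defconf order).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Inbound from WAN is allowed only where a dst-nat rule has matched
# (the port forwards under /ip firewall nat).
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Remote-access service accepts, all disabled.  They sit BELOW the input
# catch-all drop above, so enabling them in place would have no effect;
# they must be moved above that drop rule when they are needed.
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp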
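# MSS clamp on forwarded TCP SYNs: PPPoE and the IPsec tunnel both bring
# the path MTU below 1500.
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
# Marks new LAN connections towards VPN-destinations as via-ipsec (the
# mark referenced by /ip ipsec mode-config).  Kept disabled; the thread
# moves to a src-nat based approach instead.  Fixed: the rule used
# src-address-list=192.168.36.0/24, which names an address-list (the
# parameter takes a list name, not a prefix) that does not exist in this
# export, so it could never match even when enabled; src-address is the
# intended matcher.
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new disabled=yes dst-address-list=VPN-destinations \
in-interface-list=LAN new-connection-mark=via-ipsec passthrough=yes \
src-address=192.168.36.0/24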
/ip firewall nat
# Site-to-site traffic must leave un-NATed so the IPsec policies
# (src 192.168.36.0/24) still match it; these accepts therefore precede
# the masquerades.  log=yes on the 98/99 rules logs every new connection.
add action=accept chain=srcnat comment="NAT bypass" dst-address=\
192.168.35.0/24 src-address=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.99.0/24 log=yes \
src-address=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.98.0/24 log=yes \
src-address=192.168.36.0/24
# Commented "Hairpin NAT" but unrestricted: it masquerades everything
# leaving pppoe-out1, including IPsec-policy traffic, and shadows the
# defconf rule below (ipsec-policy=out,none).  It is harmless only
# because the accepts above already exempt the three tunnelled subnets;
# any new tunnel destination must also be accepted above this rule.
add action=masquerade chain=srcnat comment="Hairpin NAT" out-interface=\
pppoe-out1
# The actual hairpin rule (LAN-to-LAN via the public address).
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.36.0/24 src-address=192.168.36.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=pppoe-out1 src-address=\
192.168.36.0/24
# Port forwards to the Synology (DSM 5000-5001, 443, 80, Cloud Sync
# 6690) and Plex.  Exposing DSM management (5000-5001) to the Internet
# is the most sensitive of these; restrict it by source or reach it via
# the tunnel/VPN if external access is not needed.  Rules keyed on
# dst-address-list=WAN-IP also catch hairpinned LAN connections, while
# those keyed on in-interface=pppoe-out1 do not.
add action=dst-nat chain=dstnat comment="Synology Web Management" \
dst-address-list=WAN-IP dst-port=5000-5001 protocol=tcp to-addresses=\
192.168.36.222 to-ports=5000-5001
add action=dst-nat chain=dstnat comment="HTTPS Web Server" dst-address-list=\
WAN-IP dst-port=443 protocol=tcp to-addresses=192.168.36.222 to-ports=443
add action=dst-nat chain=dstnat comment="Synology Cloud Sync" dst-port=6690 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
to-ports=6690
add action=dst-nat chain=dstnat comment="Plex Toshiba" dst-port=32401 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.100 \
to-ports=32400
# PPP clients (192.168.89.0/24) are masqueraded wherever they go.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment=Plex disabled=yes dst-port=64200 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
to-ports=32400
add action=dst-nat chain=dstnat comment="HTTP Web Server" dst-address-list=\
WAN-IP dst-port=80 protocol=tcp to-addresses=192.168.36.222 to-ports=80
/ip firewall service-port
set sip disabled=yes
# Identity for peer Athens with no auth-method given, i.e. the RouterOS
# default (pre-shared-key); the secret is not part of this export.  IKEv2
# with a PSK is acceptable for a fixed site-to-site pair provided the
# PSK is long and random; certificates would remove that dependency.
/ip ipsec identity
add peer=Athens
# One tunnel-mode policy per remote subnet, all to Athens.  level=unique
# gives each policy its own SA pair.  Policies match top-down on first
# hit, which is what the thread's "shadowing" discussion is about.
/ip ipsec policy
add dst-address=192.168.35.0/24 level=unique peer=Athens src-address=\
192.168.36.0/24 tunnel=yes
add dst-address=192.168.98.0/24 level=unique peer=Athens src-address=\
192.168.36.0/24 tunnel=yes
add dst-address=192.168.99.0/24 level=unique peer=Athens src-address=\
192.168.36.0/24 tunnel=yes
# Only plain HTTP is switched off.  The other services (api, api-ssl,
# ftp, ssh, telnet, winbox, www-ssl) keep their defaults, which this
# export does not show; they are shielded from the WAN only by the
# input chain's catch-all drop.
/ip service
set www disabled=yes
# UPnP interface roles; whether UPnP itself is enabled is not shown.  If
# it is, any LAN host can open inbound ports.  Note the "external" role
# is on ether1, while the public address lives on pppoe-out1.
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
# A single shared PPP secret "vpn"; its password is not exported.  A
# shared credential cannot be attributed to an individual user.
/ppp secret
add name=vpn
# SNMP enabled with no community settings in this export, so the default
# read-only "public" community presumably applies.  Reachable only from
# LAN-list interfaces because of the input chain.
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTik_36
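/system scheduler
# Every minute: if fewer than 3 of 4 pings to the Athens LAN gateway
# (192.168.35.1, sourced from the bridge so the packets match the IPsec
# policy) succeed, flush ALL installed SAs so IKE re-establishes them.
# The flush is global -- it tears down every peer's SAs, not only
# Athens' -- and a transient 25%+ loss on the WAN triggers it as well.
# Policy reduced from the full set (ftp, reboot, password, sniff,
# sensitive, romon, ...) to what the script uses: test for /ping, write
# for the SA flush, read for lookups.  If the log shows a permission
# error, add back only the policy it names.
add interval=1m name="Flush SA" on-event=":if ([/ping 192.168.35.1 interface b\
ridge count=4]<3) do={\r\
\n /ip ipsec installed-sa flush;\r\
\n :log info \"IPSEC tunnel is down: Flushing Installed SA !!!\"\r\
\n} else={\r\
\n\r\
\n}" policy=read,write,test start-date=dec/08/2021 start-time=12:27:38
# Daily reboot, disabled.  If it is ever re-enabled, trim its policy to
# the reboot permission it actually needs.
add disabled=yes interval=1d name=Reboot on-event="/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jun/17/2021 start-time=05:00:00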
/tool graphing interface
add interface=pppoe-out1
add interface=ether1
# MAC-telnet and MAC-Winbox restricted to LAN-list interfaces (default
# config); keeps layer-2 management off the WAN side.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/interface bridge
add admin-mac=C4:AD:34:D7:15:C2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1500
set [ find default-name=ether4 ] l2mtu=1500
set [ find default-name=ether5 ] l2mtu=1500
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=v42049471
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] connection-mark=via-ipsec
/ip ipsec peer
add address=HIDDEN exchange-mode=ike2 local-address=192.168.36.1 \
name=Athens
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=8h pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.36.10-192.168.36.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=bridge lease-time=1h \
name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.36.1 local-address=192.168.89.1 \
remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.36.1/24 comment=defconf interface=bridge network=\
192.168.36.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.36.222 client-id=1:0:11:32:be:e1:ca comment=Synology \
mac-address=00:11:32:BE:E1:CA server=defconf
add address=192.168.36.221 mac-address=D4:5E:EC:39:D0:8D server=defconf
add address=192.168.36.220 mac-address=AC:D5:64:6C:62:A9 server=defconf
add address=192.168.36.200 client-id=1:9c:93:4e:ac:5e:2d comment=Xerox_VRN \
mac-address=9C:93:4E:AC:5E:2D server=defconf
add address=192.168.36.100 client-id=1:0:e0:4c:68:1:b8 comment=\
"Toshiba Click2Pro" mac-address=00:E0:4C:68:01:B8 server=defconf
add address=192.168.36.254 client-id=1:fc:5b:39:7d:b3:d8 comment=CiscoAP \
mac-address=FC:5B:39:7D:B3:D8 server=defconf
add address=192.168.36.100 client-id=1:0:e0:6c:38:69:82 comment=\
"Toshiba Click2Pro" disabled=yes mac-address=00:E0:6C:38:69:82 server=\
defconf
/ip dhcp-server network
add address=192.168.36.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
gateway=192.168.36.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=94.140.14.14
/ip dns static
add address=192.168.36.1 comment=defconf name=router.lan
# Second export of the same router: facebook.com added to the
# destinations that should go via the tunnel.  An FQDN entry only lists
# the addresses the router's resolver returned at the time, so a
# CDN-hosted site is covered only partially and may change over time.
/ip firewall address-list
add address=HIDDEN list=WAN-IP
add address=wtfismyip.com list=VPN-destinations
add address=facebook.com list=VPN-destinations
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Mikrotik Management" dst-port=8291 \
protocol=tcp src-address=192.168.89.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
192.168.35.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
# Disabled connection marker.  Note src-address-list=192.168.36.0/24
# names an address-list, and no list with that name exists in this
# export, so the rule would not match even if enabled; src-address is
# presumably what was meant.
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new disabled=yes dst-address-list=VPN-destinations \
in-interface-list=LAN new-connection-mark=via-ipsec passthrough=yes \
src-address-list=192.168.36.0/24
/ip firewall nat
add action=accept chain=srcnat comment="NAT bypass" dst-address=\
192.168.35.0/24 src-address=192.168.36.0/24
# New in this export: rewrite the source of traffic to VPN-destinations
# so that it falls under an IPsec policy towards Athens.  Two problems:
# to-addresses=192.168.36.0/24 is a range, so translated flows get
# source addresses spread over the whole LAN prefix, colliding with real
# hosts (the thread's advice is a single dedicated /32 that appears only
# in the policies); and the rule has no src-address / in-interface
# match, so traffic from the PPP pool or arriving from Athens itself is
# rewritten too.  It also matches before the NAT bypass accepts for
# 98/99, which is fine only while VPN-destinations holds no address in
# those subnets.
add action=src-nat chain=srcnat comment="NAT bypass" dst-address-list=\
VPN-destinations to-addresses=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.99.0/24 log=yes \
src-address=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.98.0/24 log=yes \
src-address=192.168.36.0/24
# Disabled accept for a 192.168.40.0/24 subnet that has no policy here.
add action=accept chain=srcnat disabled=yes dst-address=192.168.40.0/24 log=\
yes src-address=192.168.36.0/24
# Unrestricted masquerade on pppoe-out1; it shadows the defconf rule
# below and only spares tunnel traffic because the accepts above run
# first.
add action=masquerade chain=srcnat comment="Hairpin NAT" out-interface=\
pppoe-out1
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.36.0/24 src-address=192.168.36.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=pppoe-out1 src-address=\
192.168.36.0/24
# Port forwards; DSM management (5000-5001) exposed to the Internet is
# the most sensitive of these.
add action=dst-nat chain=dstnat comment="Synology Web Management" \
dst-address-list=WAN-IP dst-port=5000-5001 protocol=tcp to-addresses=\
192.168.36.222 to-ports=5000-5001
add action=dst-nat chain=dstnat comment="HTTPS Web Server" dst-address-list=\
WAN-IP dst-port=443 protocol=tcp to-addresses=192.168.36.222 to-ports=443
add action=dst-nat chain=dstnat comment="Synology Cloud Sync" dst-port=6690 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
to-ports=6690
add action=dst-nat chain=dstnat comment="Plex Toshiba" dst-port=32401 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.100 \
to-ports=32400
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment=Plex disabled=yes dst-port=64200 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
to-ports=32400
add action=dst-nat chain=dstnat comment="HTTP Web Server" dst-address-list=\
WAN-IP dst-port=80 protocol=tcp to-addresses=192.168.36.222 to-ports=80
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=Athens
# Policies are matched top-down on first hit.  The new "any source" policy
# (0.0.0.0/0 -> 192.168.35.0/24) is placed second, so LAN-to-Athens
# traffic still takes the narrower first policy and only other sources
# (src-nat'd VPN-destinations traffic, the PPP pool, the router itself)
# fall through to it.  If it is moved first, the 1-minute "Flush SA"
# script's ping also rides the wider SA; should that SA fail to come up,
# the script flushes every installed SA -- consistent with the "all
# tunnels drop" symptom described in the thread.  Athens must hold the
# mirror policy (192.168.35.0/24 -> 0.0.0.0/0) for it to negotiate.
/ip ipsec policy
add dst-address=192.168.35.0/24 level=unique peer=Athens src-address=\
192.168.36.0/24 tunnel=yes
add dst-address=192.168.35.0/24 level=unique peer=Athens src-address=\
0.0.0.0/0 tunnel=yes
add dst-address=192.168.98.0/24 level=unique peer=Athens src-address=\
192.168.36.0/24 tunnel=yes
add dst-address=192.168.99.0/24 level=unique peer=Athens src-address=\
192.168.36.0/24 tunnel=yes
/ip service
set www disabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTik_36
/system scheduler
add interval=1m name="Flush SA" on-event=":if ([/ping 192.168.35.1 interface b\
ridge count=4]<3) do={\r\
\n /ip ipsec installed-sa flush;\r\
\n :log info \"IPSEC tunnel is down: Flushing Installed SA !!!\"\r\
\n} else={\r\
\n\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/08/2021 start-time=12:27:38
add disabled=yes interval=1d name=Reboot on-event="/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jun/17/2021 start-time=05:00:00
/tool graphing interface
add interface=pppoe-out1
add interface=ether1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I did not have in mind subnets but indeed individual (/32) addresses, as the purpose is to clearly separate the policies used for "site to site" (LAN subnet to LAN subnet) traffic from the policies used for "site to internet via the other country" traffic. Therefore, G.G.G.G and R.R.R.R should be private addresses outside any subnet you use at either site, used solely to make the traffic "visible" to the policies. Using the local subnets doesn't actually break anything, it just makes the overall configuration a bit less clear. There's also another reason, see below.

When you say G.G.G.G and R.R.R.R (which is very specific, I can say, because the letters really depict specific countries!), I replaced them with 192.168.35.0/24 and 192.168.36.0/24.
This sounds strange. By design, the traffic gets matched against the traffic selectors of the policies from the topmost policy to the bottommost one until the first match, just like when matching firewall rules, routing rules etc. So a policy x.x.x.0/24 -> 0.0.0.0/0 shadows a policy x.x.x.0/24 -> y.y.y.0/24 if the "wider" one is placed earlier (higher) in the policy list, but if the "wider" policy works properly, the fact that the "narrower" one is shadowed should not break the traffic that matches the "narrower" one, provided that both policies establish their SAs between the same pair of peers.

Also, I added (not replaced) the IPsec policy as you said on both MikroTik devices, and the PH2 state is established. But if I move it up to be first, all the remaining tunnels immediately disconnect.
No need to explain this. I was a bit surprised you want the functionality to be bi-directional, as if some sites were banned in G and you needed to access them via the WAN in R, but technically that's not a big deal.

The whole reason I am trying to do this is that clients on any subnet should be able to reach banned web pages through the other IPsec-connected subnet.
It is. There must be some minor issue somewhere.

Since I have this IPsec, I want to see if it is possible with MikroTik.
All correct, although since you use IPsec rather than "normal" routing to route the traffic via the tunnel, you can skip the packet-marking phase and match against the dst-address-list (normally used to choose the packets that get a routing mark) directly in the src-nat rules.

I understand the mentality of doing it, I just don't freaking understand how to translate this to MikroTik.
I think I should:
1) create address list with websites I want to route
2) mark packets (Mangle)
3) Create NAT / Filter rules
/interface bridge
add admin-mac=C4:AD:34:D7:15:C2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1500
set [ find default-name=ether4 ] l2mtu=1500
set [ find default-name=ether5 ] l2mtu=1500
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=v42049471
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
set [ find default=yes ] connection-mark=via-ipsec
/ip ipsec peer
add address=HIDDEN exchange-mode=ike2 local-address=192.168.36.1 \
name=Athens
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=8h pfs-group=modp2048
# Third export of this router: the "vpn" pool present in the earlier
# exports is gone, yet the default ppp profile further down still points
# at a remote-address by internal id (*2), presumably this deleted pool.
/ip pool
add name=dhcp ranges=192.168.36.10-192.168.36.254
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=bridge lease-time=1h \
name=defconf
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.36.1/24 comment=defconf interface=bridge network=\
192.168.36.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.36.222 client-id=1:0:11:32:be:e1:ca comment=Synology \
mac-address=00:11:32:BE:E1:CA server=defconf
add address=192.168.36.221 mac-address=D4:5E:EC:39:D0:8D server=defconf
add address=192.168.36.220 mac-address=AC:D5:64:6C:62:A9 server=defconf
add address=192.168.36.200 client-id=1:9c:93:4e:ac:5e:2d comment=Xerox_VRN \
mac-address=9C:93:4E:AC:5E:2D server=defconf
add address=192.168.36.100 client-id=1:0:e0:4c:68:1:b8 comment=\
"Toshiba Click2Pro" mac-address=00:E0:4C:68:01:B8 server=defconf
add address=192.168.36.254 client-id=1:fc:5b:39:7d:b3:d8 comment=CiscoAP \
mac-address=FC:5B:39:7D:B3:D8 server=defconf
add address=192.168.36.100 client-id=1:0:e0:6c:38:69:82 comment=\
"Toshiba Click2Pro" disabled=yes mac-address=00:E0:6C:38:69:82 server=\
defconf
/ip dhcp-server network
add address=192.168.36.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
gateway=192.168.36.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=94.140.14.14
/ip dns static
add address=192.168.36.1 comment=defconf name=router.lan
/ip firewall address-list
add address=HIDDEN list=WAN-IP
add address=wtfismyip.com list=VPN-destinations
add address=facebook.com list=VPN-destinations
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="Mikrotik Management" dst-port=8291 \
protocol=tcp src-address=192.168.89.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
192.168.35.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new disabled=yes dst-address-list=VPN-destinations \
in-interface-list=LAN new-connection-mark=via-ipsec passthrough=yes \
src-address-list=192.168.36.0/24
/ip firewall nat
add action=accept chain=srcnat comment="NAT bypass" dst-address=\
192.168.35.0/24 src-address=192.168.36.0/24
# The VPN-destinations src-nat rule is now disabled.  Before re-enabling:
# to-addresses must be a single dedicated address that the Athens-side
# policy covers (a /24 here spreads translated flows over the whole LAN
# prefix), and the rule needs a src-address / in-interface-list=LAN
# match so only LAN clients are rewritten.
add action=src-nat chain=srcnat comment="NAT VPN" disabled=yes \
dst-address-list=VPN-destinations to-addresses=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.99.0/24 log=yes \
src-address=192.168.36.0/24
add action=accept chain=srcnat dst-address=192.168.98.0/24 log=yes \
src-address=192.168.36.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.40.0/24 log=\
yes src-address=192.168.36.0/24
# Unrestricted masquerade on pppoe-out1 shadows the defconf rule below;
# tunnel traffic escapes it only via the accepts above.
add action=masquerade chain=srcnat comment="Hairpin NAT" out-interface=\
pppoe-out1
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.36.0/24 src-address=192.168.36.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=pppoe-out1 src-address=\
192.168.36.0/24
# Port forwards to the Synology and Plex; DSM management (5000-5001)
# reachable from the Internet is the most sensitive of these.
add action=dst-nat chain=dstnat comment="Synology Web Management" \
dst-address-list=WAN-IP dst-port=5000-5001 protocol=tcp to-addresses=\
192.168.36.222 to-ports=5000-5001
add action=dst-nat chain=dstnat comment="HTTPS Web Server" dst-address-list=\
WAN-IP dst-port=443 protocol=tcp to-addresses=192.168.36.222 to-ports=443
add action=dst-nat chain=dstnat comment="Synology Cloud Sync" dst-port=6690 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
to-ports=6690
add action=dst-nat chain=dstnat comment="Plex Toshiba" dst-port=32401 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.100 \
to-ports=32400
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat comment=Plex disabled=yes dst-port=64200 \
in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.36.222 \
to-ports=32400
add action=dst-nat chain=dstnat comment="HTTP Web Server" dst-address-list=\
WAN-IP dst-port=80 protocol=tcp to-addresses=192.168.36.222 to-ports=80
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=Athens
# Unchanged from the previous export: the "any source" policy stays in
# second position, so it only catches traffic the narrower LAN policy
# above does not (PPP-pool clients, the router itself, and src-nat'd
# VPN-destinations flows once that NAT rule is enabled).  Both ends must
# carry mirror-image selectors for each policy to negotiate its SA.
/ip ipsec policy
add dst-address=192.168.35.0/24 level=unique peer=Athens src-address=\
192.168.36.0/24 tunnel=yes
add dst-address=192.168.35.0/24 level=unique peer=Athens src-address=\
0.0.0.0/0 tunnel=yes
add dst-address=192.168.98.0/24 level=unique peer=Athens src-address=\
192.168.36.0/24 tunnel=yes
add dst-address=192.168.99.0/24 level=unique peer=Athens src-address=\
192.168.36.0/24 tunnel=yes
/ip service
set www disabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
# remote-address=*2 is an internal object id, not a pool name; earlier
# exports had remote-address=vpn and this export no longer lists a
# "vpn" pool under /ip pool, so this looks like a dangling reference.
# Any PPP client would presumably fail to get an address until the
# profile is pointed at an existing pool or a fixed address again.
/ppp profile
set *FFFFFFFE dns-server=192.168.36.1 local-address=192.168.89.1 \
remote-address=*2
/ppp secret
add name=vpn
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTik_36
/system scheduler
add interval=1m name="Flush SA" on-event=":if ([/ping 192.168.35.1 interface b\
ridge count=4]<3) do={\r\
\n /ip ipsec installed-sa flush;\r\
\n :log info \"IPSEC tunnel is down: Flushing Installed SA !!!\"\r\
\n} else={\r\
\n\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/08/2021 start-time=12:27:38
add disabled=yes interval=1d name=Reboot on-event="/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jun/17/2021 start-time=05:00:00
/tool graphing interface
add interface=pppoe-out1
add interface=ether1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# --- Second router, the "Athens" side (LAN 192.168.35.0/24) ---
# This export is cut off inside its firewall filter section, so the
# perimeter of this box cannot be reviewed from this page.
/interface bridge
add admin-mac=48:8F:5A:82:D3:17 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IKEv2 peer back to the first router.  local-address=192.168.99.50
# suggests this box sits behind another device/NAT rather than holding
# the public address itself (192.168.99.0/24 is one of the subnets the
# other side tunnels to) -- confirm, as it decides which side can
# initiate.
/ip ipsec peer
add address=HIDDEN exchange-mode=ike2 local-address=192.168.99.50 \
name=Russia
# Same algorithms as the other side.  This profile omits lifetime=8h
# (default applies); with IKEv2 each side rekeys on its own timer, so
# the mismatch is presumably harmless.
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=8h pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.35.200-192.168.35.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# Remote-access clients on both routers draw from the same
# 192.168.89.0/24 pool, so a client on each side could be
# indistinguishable by address; harmless while 192.168.89.0/24 is not
# itself routed through the tunnel.
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# ether1 is both a bridge port and in the LAN list here, while ether4/
# ether5 form the WAN list -- yet the defconf DHCP client further down
# is attached to ether1.  Confirm which port actually faces upstream.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
# Remote-access servers enabled on this box: L2TP/IPsec (fine), PPTP
# (MS-CHAPv2/MPPE are considered broken; keep it off unless a legacy
# client truly needs it) and SSTP.  Which of them the WAN can reach
# depends on the input chain, which is truncated on this page.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=WAN
add interface=ether5 list=WAN
add interface=sfp1 list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.35.1/24 comment=defconf interface=bridge network=\
192.168.35.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.35.4 client-id=1:fc:ec:da:37:42:84 comment=\
"Ubiquity Access Point" mac-address=FC:EC:DA:37:42:84 server=defconf
add address=192.168.35.5 client-id=1:44:b2:95:31:3a:48 comment=\
"Camera Entrance" mac-address=44:B2:95:31:3A:48 server=defconf
add address=192.168.35.221 client-id=1:ec:5c:68:c0:62:cb comment=\
"Sony TV Wireless" mac-address=EC:5C:68:C0:62:CB server=defconf
add address=192.168.35.3 client-id=1:4c:78:97:0:9a:f4 comment=\
"Home Security Alarm" mac-address=4C:78:97:00:9A:F4 server=defconf
add address=192.168.35.221 client-id=1:cc:98:8b:e6:f3:cb comment=\
"Sony TV Wired" disabled=yes mac-address=CC:98:8B:E6:F3:CB server=defconf
/ip dhcp-server network
add address=192.168.35.0/24 comment=defconf gateway=192.168.35.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.35.1 comment=defconf name=router.lan
/ip firewall address-list
add address=wtfismyip.com list=VPN-destinations
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="Mikrotik Management" dst-port=8291 \
protocol=tcp src-address=192.168.40.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
192.168.89.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
192.168.36.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
192.168.35.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment="Block Camera to Internet" src-address=\
192.168.35.5
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
/ip firewall nat
add action=accept chain=srcnat comment="NAT bypass" dst-address=\
192.168.36.0/24 src-address=192.168.35.0/24
add action=src-nat chain=srcnat comment="NAT bypass" dst-address-list=\
VPN-destinations to-addresses=192.168.35.0/24
add action=accept chain=srcnat dst-address=192.168.36.0/24 src-address=\
192.168.98.0/24
add action=accept chain=srcnat dst-address=192.168.36.0/24 src-address=\
192.168.99.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT " disabled=yes \
out-interface=ether1
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
192.168.35.0 src-address=192.168.35.0
add action=accept chain=srcnat disabled=yes dst-address=192.168.40.0/24 \
src-address=192.168.35.0/24
add action=dst-nat chain=dstnat dst-port=10050-11000 in-interface=ether5 \
protocol=udp to-addresses=192.168.35.10 to-ports=10050-11000
add action=dst-nat chain=dstnat dst-port=35060-35061 in-interface=ether5 \
protocol=tcp to-addresses=192.168.35.10 to-ports=35060-35061
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=masquerade chain=srcnat out-interface=ether5 src-address=\
192.168.35.0/24
/ip firewall service-port
set sip disabled=yes ports=35060,35061
/ip ipsec identity
add peer=Russia
/ip ipsec policy
add dst-address=192.168.36.0/24 level=unique peer=Russia src-address=\
192.168.35.0/24 tunnel=yes
add dst-address=192.168.36.0/24 level=unique peer=Russia src-address=\
192.168.98.0/24 tunnel=yes
add dst-address=192.168.36.0/24 level=unique peer=Russia src-address=\
192.168.99.0/24 tunnel=yes
add dst-address=0.0.0.0/0 level=unique peer=Russia src-address=\
192.168.35.0/24 tunnel=yes
/ip route
add distance=2 gateway=192.168.98.1
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=MikroTik_35
/system scheduler
add interval=1m name="Flush SA" on-event=":if ([/ping 192.168.36.1 interface b\
ridge count=4]<3) do={\r\
\n /ip ipsec installed-sa flush;\r\
\n :log info \"IPSEC tunnel is down: Flushing Installed SA !!!\"\r\
\n} else={\r\
\n\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/08/2021 start-time=11:26:42
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
An IPsec-encrypted tunnel uses headers of both IPsec and the inner tunnel, so less space is left in each packet for the payload. This is not the case if you use transport mode of IPsec and IPIP (=ipencap) as the inner tunnel, but to simplify the start, we'll reuse the existing SAs in tunnel mode as suggested earlier. "Vanilla IPsec" with policy matching has its advantages too, but only for simple setups. I don't even know the pros / cons of each case. What is the simplest way to troubleshoot?
After years, Mikrotik has added a possibility to use regular expression matching on fqdns to choose a DNS server. As I said earlier, some sites in the address list resolve to the local ISP's "banned" page. How can DNS queries for specific sites be passed through the other site?
Well, if you don't have any alternative internet connection at the remote site, it doesn't make a big difference whether a configuration mistake kills the ability of the router to act as SSTP client or the connectivity of the PhC allowing the remote login. This idea about the SSTP VPN is really nice; I wish I had thought about it earlier. It's a pity I don't have any Windows / Linux machine inside to remotely log in and manage the device directly...
IPsec policies always win, so whatever matches a traffic selector of an IPsec policy is sent that way, and is dropped if it doesn't arrive via a Security Association linked to that policy. With this configuration, which sites go through IPsec and which do not? How do I declare what goes through what?
This is the key. Mikrotik is not a firewall in the sense the word is used today. It is a router with L3 firewalling capabilities. The address lists resolving complete fqdns to sets of addresses is the maximum it can do above that. On other firewall appliances
To blacklist the whole website completely is easy - if you prevent the browser from downloading the basic html document, it obviously cannot load anything else either. But to ban it from using a particular WAN is equally complicated as forcing it to use a particular WAN if you can only use the weak tools we have discussed until now. I create a rule that just says "from all external interfaces, the first interface to reply wins the election and gets routed from ether1 or 2 or 3" - the election can be Round-Robin, Failover, or hybrid solutions.
For websites like the one with images, we just blacklist the whole website from the Interface that we don't want it to get routed, so it naturally goes to the next one.
and even better, if they eventually stop working, chances are really high that replacing the power adaptor will be enough to make them work for another few years. But these hEX S units have already been working for two years non-stop with little to no hiccups
What I like most about the "Mikrotik world" is that both the tiniest and the most powerful devices all have the same functionality, only the throughput differs.and they are a very nice way to dive into the Mikrotik world.
Yes, the subtle changes between 6.x and the individual versions of 7.x can cause a lot of surprises if you use more complicated configurations. But in this particular case (VoIP phone not working any more), your configuration is not that complex to be affected, so I'd assume there is something the phone or the PBX do not like about the LAN interface of the adjacent hEX, not something related to the tunnel. Another thing which I understood yesterday is that upgrading from ROS6 to ROS7 breaks the configuration.
For example, till now I am searching why I don't receive phone calls from my PBX located in the 35 site while I am inside the 36 site. Port forwarding works when I switch my mobile to 4G, but while I am inside the 36 subnet (which is connected with the IPsec VPN) the PBX client won't connect.
/interface bridge
add admin-mac=48:8F:5A:82:D3:17 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
# Site-to-site IKEv2 peer; the remote address is redacted ("HIDDEN") in this post.
# This router initiates from 192.168.99.50 (ether5 / ISP1, see /ip address below).
add address=HIDDEN exchange-mode=ike2 local-address=192.168.99.50 \
name=Russia
/ip ipsec profile
# Phase 1: AES-256 / SHA-256 / DH group 14 (modp2048). No lifetime is set here, so
# the RouterOS default applies; only phase 2 below is pinned to 8h.
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
hash-algorithm=sha256
/ip ipsec proposal
# Phase 2: AES-256-CBC / SHA-256 with PFS (modp2048), 8h SA lifetime.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
lifetime=8h pfs-group=modp2048
/ip pool
# DHCP hands out .200-.254 only; the rest of the /24 is left for static hosts.
add name=dhcp ranges=192.168.35.200-192.168.35.254
# Address pool for remote-access PPP (L2TP/PPTP/SSTP) clients.
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
# Default PPP profile: router is 192.168.89.1 on the VPN, clients draw from "vpn".
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
# Per-uplink routing tables selected by the mangle routing marks below.
add disabled=no fib name=to-ISP1
add disabled=no fib name=to-ISP2
/interface bridge port
# ether1 is a bridge (LAN) port here, yet further down it is also the UPnP "external"
# interface; the actual uplinks are ether4/ether5.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) only on LAN-list interfaces.
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is disabled stack-wide, so no IPv6 firewall is needed while this stays set.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
# Runs on every interface rather than just the uplinks -- confirm this is intended.
set detect-interface-list=all
/interface l2tp-server server
# L2TP over IPsec enabled. The IPsec shared secret is not visible: sensitive values
# are omitted from an export by default.
set enabled=yes use-ipsec=yes
/interface list member
# ether1 is treated as LAN; ether4 (ISP2) and ether5 (ISP1) are the uplinks.
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=WAN
add interface=ether5 list=WAN
add interface=sfp1 list=LAN
/interface ovpn-server server
# Whether the OVPN server is enabled is not shown (presumably off, the default), but
# md5 is in its permitted HMAC list; remove it and keep sha1 or stronger before the
# server is ever turned on.
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# Still enabled despite the warning above; L2TP/IPsec and SSTP are already enabled,
# so this can be switched off once no client depends on it.
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
# LAN plus a static address on each uplink: ether5 = 192.168.99.50 (ISP1),
# ether4 = 192.168.98.50 (ISP2).
add address=192.168.35.1/24 comment=defconf interface=bridge network=\
192.168.35.0
add address=192.168.99.50/24 interface=ether5 network=192.168.99.0
add address=192.168.98.50/24 interface=ether4 network=192.168.98.0
/ip cloud
# Publishes the router's public IP under its MikroTik DDNS name every 5 minutes.
# With two uplinks the name follows whichever one the update left through.
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
# DHCP clients on both uplinks without installing a default route. The same ports
# already carry static addresses above, so each may end up with two addresses --
# confirm which of the two is wanted.
add add-default-route=no interface=ether5
add add-default-route=no interface=ether4
/ip dhcp-server lease
# Static reservations. The two "Sony TV" entries share .221; the wired one is disabled.
add address=192.168.35.4 client-id=1:fc:ec:da:37:42:84 comment=\
"Ubiquity Access Point" mac-address=FC:EC:DA:37:42:84 server=defconf
add address=192.168.35.5 client-id=1:44:b2:95:31:3a:48 comment=\
"Camera Entrance" mac-address=44:B2:95:31:3A:48 server=defconf
add address=192.168.35.221 client-id=1:ec:5c:68:c0:62:cb comment=\
"Sony TV Wireless" mac-address=EC:5C:68:C0:62:CB server=defconf
add address=192.168.35.3 client-id=1:4c:78:97:0:9a:f4 comment=\
"Home Security Alarm" mac-address=4C:78:97:00:9A:F4 server=defconf
add address=192.168.35.221 client-id=1:cc:98:8b:e6:f3:cb comment=\
"Sony TV Wired" disabled=yes mac-address=CC:98:8B:E6:F3:CB server=defconf
/ip dhcp-server network
add address=192.168.35.0/24 comment=defconf gateway=192.168.35.1 netmask=24
/ip dns
# Upstream resolvers are Cloudflare and Google over plain port 53 (no DoH configured
# here). Remote requests are allowed; the input-chain "drop all not coming from LAN"
# rule below is what keeps the router from being an open resolver on the uplinks.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.35.1 comment=defconf name=router.lan
/ip firewall address-list
# Hostname entries are resolved by the router and refreshed as DNS changes.
add address=wtfismyip.com list=VPN-destinations
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Winbox (8291) from four source networks. None of these rules restricts the ingress
# interface, so a packet arriving on an uplink with a spoofed private source address
# would match as well; consider adding in-interface-list=LAN to the .35/.40 rules and
# ipsec-policy=in,ipsec to the .36 rule.
add action=accept chain=input comment="Mikrotik Management" dst-port=8291 \
protocol=tcp src-address=192.168.40.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
192.168.89.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
192.168.36.0/24
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
192.168.35.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Fasttracked connections bypass the rest of the firewall, including the mangle PCC
# rules below -- established forwarded traffic is therefore never re-marked. Disable
# this rule (and clear existing fasttracked connections) if per-connection
# load sharing is expected to apply to forwarded traffic.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
# Terminal input rule for non-LAN traffic: nothing arriving on ether4/ether5 reaches
# services on the router unless accepted by a rule above this one.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Only new connections from the camera reach this rule (established ones were
# accepted above), which is enough: a camera-originated connection never completes.
add action=drop chain=forward comment="Block Camera to Internet" src-address=\
192.168.35.5
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
# Dual-WAN marking: ISP1 = ether5 (192.168.99.x), ISP2 = ether4 (192.168.98.x).
# Traffic to the local and transit subnets is accepted first so it is never marked.
add action=accept chain=prerouting comment=Accept dst-address=192.168.99.0/24
add action=accept chain=prerouting dst-address=192.168.98.0/24
add action=accept chain=prerouting dst-address=192.168.35.0/24
# Connections to the router itself and transit connections get the mark of the
# uplink they arrived on, so replies leave the same way.
add action=mark-connection chain=input comment=Input in-interface=ether5 \
new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=input in-interface=ether4 \
new-connection-mark=ISP2 passthrough=yes
add action=mark-connection chain=prerouting comment=Mark-con in-interface=\
ether5 new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=prerouting in-interface=ether4 \
new-connection-mark=ISP2 passthrough=yes
# PCC rules. As exported they match in-interface=ether5/ether4 (the uplinks) together
# with dst-address-type=local, i.e. connections arriving from outside to the router,
# not LAN-originated ones; the thread later changes this to in-interface=bridge.
# They also lack connection-mark=no-mark, so they re-mark connections the rules
# above already marked.
add action=mark-connection chain=prerouting comment=PCC dst-address-type=\
local in-interface=ether5 new-connection-mark=ISP1 passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=ether4 new-connection-mark=ISP2 passthrough=yes \
per-connection-classifier=both-addresses:2/1
# Router-originated packets of a marked connection use the matching ISP table.
add action=mark-routing chain=output comment=Output connection-mark=ISP1 \
new-routing-mark=to-ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=\
to-ISP2 passthrough=yes
# LAN-originated packets of a marked connection use the matching ISP table.
add action=mark-routing chain=prerouting comment=Mark-Route connection-mark=\
ISP1 in-interface=bridge new-routing-mark=to-ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2 in-interface=\
bridge new-routing-mark=to-ISP2 passthrough=yes
/ip firewall nat
# Port forwards to 192.168.35.10 (presumably the PBX) exist only on ether5 (ISP1);
# the same ports arriving on ether4 are not forwarded. UDP 10050-11000 is
# presumably media, TCP 35060-35061 is SIP per the service-port entry below.
add action=dst-nat chain=dstnat comment=Port-Forward dst-port=10050-11000 \
in-interface=ether5 protocol=udp to-addresses=192.168.35.10 to-ports=\
10050-11000
add action=dst-nat chain=dstnat dst-port=35060-35061 in-interface=ether5 \
protocol=tcp to-addresses=192.168.35.10 to-ports=35060-35061
# Disabled. It has no match conditions at all, so if enabled it would src-nat every
# outbound connection; leave it off or give it a matcher.
add action=src-nat chain=srcnat comment="NAT bypass" disabled=yes \
to-addresses=192.168.35.0/24
# Tunnel-bound traffic to the remote LAN is exempted from NAT.
add action=accept chain=srcnat comment="NAT bypass" dst-address=\
192.168.36.0/24 src-address=192.168.35.0/24
add action=accept chain=srcnat dst-address=192.168.36.0/24 src-address=\
192.168.98.0/24
add action=accept chain=srcnat dst-address=192.168.36.0/24 src-address=\
192.168.99.0/24
# Despite its comment this is a plain WAN masquerade, placed before the defconf one
# and without its ipsec-policy=out,none exemption; harmless only because the
# tunnel-bound traffic was accepted just above, and otherwise redundant.
add action=masquerade chain=srcnat comment="Hairpin NAT " out-interface-list=\
WAN
# Hairpin NAT: no prefix length on either address, so this matches only the single
# host 192.168.35.0; 192.168.35.0/24 on both sides is almost certainly what is meant.
add action=masquerade chain=srcnat dst-address=192.168.35.0 src-address=\
192.168.35.0
# ipsec-policy=out,none keeps tunnel-bound traffic out of the masquerade.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
# Redundant with the defconf rule above.
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.35.0/24
# Catch-all with no matchers: masquerades everything still left in srcnat whatever
# the outgoing interface, including traffic sent toward the bridge. Almost certainly
# unintended -- the defconf rule already covers the uplinks.
add action=masquerade chain=srcnat
/ip firewall service-port
# SIP ALG disabled (it tends to rewrite forwarded SIP); the custom ports are recorded here.
set sip disabled=yes ports=35060,35061
/ip ipsec identity
# Authentication method and secret are not shown (sensitive values omitted from export).
add peer=Russia
/ip ipsec policy
# Only the three remote-LAN policies remain; the 0.0.0.0/0 catch-all from the earlier
# export is gone, so Internet traffic now leaves via the local uplinks.
add dst-address=192.168.36.0/24 level=unique peer=Russia src-address=\
192.168.35.0/24 tunnel=yes
add dst-address=192.168.36.0/24 level=unique peer=Russia src-address=\
192.168.98.0/24 tunnel=yes
add dst-address=192.168.36.0/24 level=unique peer=Russia src-address=\
192.168.99.0/24 tunnel=yes
/ip route
# main table: two default routes at equal distance are both active, so unmarked
# traffic is shared between the uplinks (ECMP) -- confirm this is intended. No route
# has check-gateway, so a gateway that stops forwarding is never withdrawn and
# failover relies on the link going physically down.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.98.1 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.99.1 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# Per-ISP tables used by the mangle routing marks: to-ISP1 -> ether5 side (.99.1),
# to-ISP2 -> ether4 side (.98.1), consistent with the connection marks.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.99.1 \
pref-src=0.0.0.0 routing-table=to-ISP1 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.98.1 \
pref-src=0.0.0.0 routing-table=to-ISP2 scope=30 suppress-hw-offload=no \
target-scope=10
/ip upnp interfaces
# "external" is ether1, which is a LAN bridge port in this config; UPnP's external
# side should be an uplink (ether4/ether5). Whether UPnP itself is enabled is not
# shown in this export.
add interface=ether1 type=external
add interface=bridge type=internal
/ppp secret
# Remote-access account "vpn"; its password is omitted from the export.
add name=vpn
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=MikroTik_35
/system scheduler
# Tunnel watchdog: once a minute ping the remote LAN gateway (192.168.36.1) out of the
# bridge; if fewer than 3 of 4 replies come back, flush every installed IPsec SA so
# that IKE has to re-establish the tunnel. The else-branch is intentionally empty.
# Least-privilege note: the policy list grants far more than the script uses (it
# presumably only needs read, write and test -- test covers /ping); reboot, password,
# sensitive, sniff, policy, ftp and romon are not required for it.
add interval=1m name="Flush SA" on-event=":if ([/ping 192.168.36.1 interface b\
ridge count=4]<3) do={\r\
\n /ip ipsec installed-sa flush;\r\
\n :log info \"IPSEC tunnel is down: Flushing Installed SA !!!\"\r\
\n} else={\r\
\n\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/08/2021 start-time=11:26:42
/tool mac-server
# MAC-telnet and MAC-Winbox answer only on LAN-list interfaces, never on the uplinks.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Here I would assume that it's because when updating the DDNS (the "ip cloud" functionality), RouterOS has sent the update packet via ether4, so the xxxxxxxx.sn.mynetname.net resolves to the public IP behind ether4, so the phone (or more likely the cloud server of Bria) tries to register to that address. The problem is that if I don't disable ether4, the port forward won't work (outside or on the .36 site).
In order that push notifications about incoming calls worked, the phone app must either register via an external server operated by the app developer that receives the INVITE and sends the push notification via a link to Google/Apple infrastructure before forwarding the INVITE to the phone, or it must provide an https link with some unique identifier in it that the PBX uses, before sending the INVITE, to ask the developer's server to send the push notification to the phone. To date I don't know about any VoIP app using the latter approach any more. So I'd assume no matter whether the phone is connected to WiFi in Athens or in Russia, or to LTE, the registrations come from the same IP of the external server. I use Bria because it supports push notifications when I have an incoming call - so the app can "wake up" from sleep.
...
With ROS6 in Athens, it was working perfectly in both sites.
I'm saying the same, I was just trying to explain why you currently had to disable ether4 so that something happened. 1) Taking the interface physically down will not help much in case of the service going down.
Sometimes indeed scripts need patching to keep working after an upgrade, but it's rare. Aside of many people being scared of scripting, even those who are not often don't want to spend much time learning YAFSL and debugging it. Plus the article by @chupaka is kind of the de facto standard implementation of failover. So it only makes sense to script your own solution if you need to check the uplink transparency more frequently (or less frequently, for uplinks charged per traffic volume) than 6 times a minute. What is the difference between script-less and scripted actions? ...
You can see any effect only for newly established connections initiated from the LAN side. If there is no computer or other device that would establish temporary connections, there is no way how the per-connection-classifier could distribute the connections between the WANs.2) I changed it to in-interface=bridge and didn't find any difference - I will check it when I will have more time and available computer there.
I've missed two points. One is that you haven't disabled fasttracking, which prevents any mangle rules from working for forwarded traffic (i.e. other than the one of the router itself). Once you disable the action=fasttrack-connection rule, newly created connections will not get fasttracked any more, but existing ones will stay fasttracked, so you'll have to use /ip/firewall/connection/remove [find fasttrack] to clean up the connection tracking table. Another one is only important in a specific situation - you set the connection-mark no matter what in PCC rules, which is not correct given that you also set it up as the response packets arrive via WAN, which is a way to prevent connections that got established while their preferred WAN was not working from breaking once the preferred WAN starts working again. So you should add a connection-mark=no-mark match condition to the PCC rules. 3), 4) It's not DDNS. The moment I bring down ether4, port-forward starts working and DDNS is not updated yet... How was it possible that previously it was working on ROS6 and not in ROS7? ...