I'm a Mikrotik noob with very little knowledge of networking. So, please be patient.
I live in a big-brother country where the government keeps a strong hold on the internet, and I wish to connect to the internet safely without worrying that the government is spying on me.
So, I recently purchased a MT router (hAP Lite RB941-2nd-TC) and asked the seller to set it up for me in advance such that I could channel all my internet traffic at home through a secure VPN on this router. The seller has thus configured the router to work with L2TP VPN, and it has been up and running since day one.
But, I have a couple of questions:
1. Is the current configuration on my router correct and secure? For instance, I don’t see any firewall rules!
2. Is L2TP VPN secure enough for my purpose, or should I explore the possibility of setting up OpenVPN or any other VPN protocol? If yes, I would appreciate a link to a detailed setup guide.
My network is pretty basic and nothing complicated.
ISP ADSL MODEM (dynamic IP) > Mikrotik Router <-> internal Network (2 Laptop+1 PC+ a few smart phones). That’s all.
This is my current configuration:
# dec/30/2021 15:44:12 by RouterOS 6.49
# software id = 65I6-VCH5
#
# model = RB941-2nD
# serial number = D0550D7B5504
/interface bridge
add name=bridge1-Local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface l2tp-client
# the tunnel supplies the router's only default route (add-default-route=yes),
# so all LAN internet traffic is sent through the L2TP/IPsec tunnel
add add-default-route=yes connect-to=XXX.XXX.XXX.XXX disabled=no name=ToVPN \
use-ipsec=yes user=XXXXXXXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profile1-LocalWiFi supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no frequency=2432 hide-ssid=yes mode=ap-bridge security-profile=\
profile1-LocalWiFi ssid=OurHome wps-mode=disabled
/ip pool
add name=dhcp_pool0 ranges=172.16.1.21-172.16.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1-Local lease-time=\
3h10m name=dhcp1
/interface bridge port
add bridge=bridge1-Local interface=ether4 multicast-router=disabled
add bridge=bridge1-Local interface=ether3 multicast-router=disabled
add bridge=bridge1-Local interface=wlan1 multicast-router=disabled
add bridge=bridge1-Local interface=ether2 multicast-router=disabled
/ip address
add address=172.16.1.1/24 interface=bridge1-Local network=172.16.1.0
/ip dhcp-client
# WAN address comes from the ADSL modem, but no default route is installed from it
add add-default-route=no disabled=no interface=ether1-WAN
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
/ip firewall nat
# no out-interface is set, so the LAN is masqueraded onto whichever interface the route uses
add action=masquerade chain=srcnat src-address=172.16.1.0/24
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1
# host route to the VPN server via the modem, so the tunnel's outer packets
# are not themselves sent into the tunnel
add distance=1 dst-address=XXX.XXX.XXX.XXX/32 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=7911
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Tokyo
/system clock manual
set dst-end="jan/01/2025 00:00:00" dst-start="jan/01/2021 00:00:00" \
time-zone=+03:30
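As an added example (not part of the original post, and not from the seller's configuration): a minimal defensive firewall in RouterOS 6 syntax that addresses the "I don't see any firewall rules" point. The interface names (bridge1-Local, ether1-WAN, ToVPN), the LAN subnet 172.16.1.0/24, the modem subnet 192.168.1.0/24 and the winbox port 7911 are taken from the posted export; everything else, including the assumption that the owner wants every internet-bound packet to leave only through the tunnel, is an assumption of this example.

```routeros
# Added example, not from the original post. Interface names, the LAN subnet
# and the modem subnet are taken from the posted export; the policy itself
# (internet only via ToVPN, router management only from the LAN) is assumed.

/ip firewall filter
# --- input chain: packets addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to connections the router opened (DHCP, IPsec/L2TP, NTP)"
add chain=input action=drop connection-state=invalid \
    comment="drop malformed or stray packets"
add chain=input action=accept in-interface=bridge1-Local \
    comment="LAN may reach the router (DHCP, DNS, winbox on 7911)"
add chain=input action=accept protocol=icmp in-interface=ether1-WAN \
    comment="optional: allow ping from the modem side for troubleshooting"
add chain=input action=drop \
    comment="everything else, including anything arriving over ToVPN"

# --- forward chain: packets the router routes between interfaces ---
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for existing LAN connections"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=bridge1-Local out-interface=ToVPN \
    comment="LAN -> internet, but only through the VPN tunnel"
add chain=forward action=accept in-interface=bridge1-Local \
    out-interface=ether1-WAN dst-address=192.168.1.0/24 \
    comment="optional: let the LAN reach the ADSL modem's own admin page"
add chain=forward action=drop \
    comment="kill switch: nothing from the LAN may bypass the tunnel via ether1-WAN"

# --- NAT: masquerade onto the tunnel, and only toward the modem on the WAN port ---
/ip firewall nat
set [ find chain=srcnat src-address=172.16.1.0/24 ] out-interface=ToVPN
add chain=srcnat action=masquerade src-address=172.16.1.0/24 \
    out-interface=ether1-WAN dst-address=192.168.1.0/24 \
    comment="optional: NAT only toward the modem LAN, never to the internet via WAN"
```

The posted export already avoids the most common leak, because the DHCP client on ether1-WAN installs no default route and the only default route comes from the L2TP client; the explicit forward-chain drop above adds a second layer so that a later change to routing cannot silently send LAN traffic out of ether1-WAN. The input-chain drop also closes winbox (port 7911) to anything arriving from the tunnel or the WAN side, which the export currently leaves open. Apply rules from the LAN side (bridge1-Local) or use Safe Mode in winbox, since the final input drop would lock out any session that does not match an earlier accept.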