Hi,
For testing purposes I use an L2TP connection between two Mikrotik devices and then Mangle rules to select only one client, which must use internet access through the VPN. For quite some time this worked pretty well. Now when I checked, it has stopped working. As soon as I enable the Mangle rule I lose connection to my Mikrotik, but I can still access the remote Mikrotik and its internal network.
Opening web pages doesn't work, ping works normally, so the only problem is with DNS. I use 7.2.3 on all devices. Devices are Ac2 and Ac3. I can't seem to find what I missed, since this worked before and I didn't really change anything. I use this to connect to remote Mikrotik devices to test if everything is OK with internet speed. If I connect with my phone to the remote network using L2TP everything works, and if I connect with my phone back to my internal network from the mobile network everything also works.
I'm using an RPi with Pi-hole as the DNS server, using Unbound, at address 192.168.3.6, and on the Ac3 I have this IP entered under DNS. All other devices on the network then get DNS through DHCP from the AC3.
The problem as I see it now is that as soon as I enable the Mangle rule I lose connection to the DNS IP 192.168.3.3 at the AC3, and apparently DNS also isn't resolved on the remote Mikrotik in that case.
Since this worked before, and as I remember I did not lose connection to my local Mikrotik when I enabled the Mangle rule for that device, I'm really not sure what could be wrong.
The export file is quite long, since this device is the WireGuard, ZeroTier, CAPsMAN and L2TP server as well as my main device:
[admin@MikroTik] > export hide-sensitive
# may/16/2022 11:22:03 by RouterOS 7.2.3
# software id = 4VF2-IWBE
#
# model = RBD53iG-5HacD2HnD
# serial number = X
# CAPsMAN channel templates; the /caps-man configuration entries refer to them by name.
/caps-man channel
add band=2ghz-b/g/n name=channel2
add band=5ghz-onlyac name=channel5
# Bridges: the defconf LAN bridge with a pinned admin MAC, plus separate bridges named
# for IoT and for the "Sejanci" IPTV and Internet segments.
/interface bridge
add igmp-snooping=yes name="IOT bridge"
add igmp-snooping=yes name="Sejanci IPTV"
add name=Sejanci_Internet
add admin-mac=48:8F:5A:AF:4B:A4 auto-mac=no comment=defconf igmp-snooping=yes name=bridge
# ether1 carries an overridden MAC address and is the only WAN list member in this export.
# PoE output on ether5 is switched off.
/interface ethernet
set [ find default-name=ether1 ] mac-address=4C:5E:0C:65:A1:58
set [ find default-name=ether5 ] poe-out=off
# Local radios. The export's own comments mark both as managed by CAPsMAN, so the values
# below are presumably superseded by the CAPsMAN configuration - confirm.
# country=no_country_set is what both radio lines carry.
/interface wireless
# managed by CAPsMAN
# channel: 2432/20-eC/gn(21dBm), SSID: Kmetija, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=no_country_set distance=indoors frequency=auto \
frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=Kmetija wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5200/20-eCee/ac(11dBm), SSID: Kmetija 5, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=no_country_set distance=indoors frequency=\
5260 frequency-mode=manual-txpower installation=indoor mode=ap-bridge scan-list=5180-5640 ssid="Kmetija 5" wireless-protocol=\
802.11
# Static L2TP server bindings: one named interface per PPP user, so that interface lists,
# firewall rules and routes in this export can refer to a tunnel by name.
/interface l2tp-server
add name=Gregor user=gregor
add name=HapAC2_potovalni_IN user=hapac2
add name="L2TP_server 1" user=vpndani
add name=b535_IN user=b535
# WireGuard listener on UDP 51821, the port opened by the "WIREGUARD HAP AC3" input rule.
# No private-key value appears on this line (export hide-sensitive).
/interface wireguard
add listen-port=51821 mtu=1420 name=WG
# EoIP tunnel between 192.168.69.254 and 192.168.69.1; VLAN 3999 is carried on top of it.
# NOTE(review): no ipsec-secret is visible here (hide-sensitive may have removed one) and
# neither endpoint address is assigned under /ip address in this export. EoIP on its own is
# not encrypted, so confirm these addresses are only reachable inside one of the VPN tunnels.
/interface eoip
add local-address=192.168.69.254 mac-address=02:FC:88:6C:74:D3 name=eoip-tunnel1 remote-address=192.168.69.1 tunnel-id=400
# VLAN 3999 exists twice: once on the EoIP tunnel and once on ether5.
/interface vlan
add interface=eoip-tunnel1 name=IPTV3999 vlan-id=3999
add interface=ether5 name=VLAN3999_ETH5 vlan-id=3999
# CAPsMAN datapaths: datapath1 places clients on the main bridge, datapath2 on "IOT bridge".
/caps-man datapath
add bridge=bridge name=datapath1
add bridge="IOT bridge" name=datapath2
# Virtual AP with SSID "IOT" on top of wlan1, WPS disabled. No security-profile is named on
# this line, so the default profile presumably applies - confirm.
/interface wireless
add keepalive-frames=disabled mac-address=4A:8F:5A:AF:4B:A8 master-interface=wlan1 multicast-buffering=disabled name=IOT_WLAN \
ssid=IOT wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# Single CAPsMAN security profile (WPA2-PSK, AES-CCM); the passphrase is hidden by the export.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
# Every configuration below, main and IoT SSIDs alike, points at security1.
# NOTE(review): the IoT SSID and the main SSIDs therefore presumably share one passphrase,
# so a device that knows the IoT key could also join the main network. A separate security
# profile for the IoT configurations would keep the two segments apart - confirm intent.
/caps-man configuration
add channel=channel2 channel.band=2ghz-b/g/n .extension-channel=eC .tx-power=24 datapath=datapath1 \
datapath.client-to-client-forwarding=yes .local-forwarding=no name=cfg1 security=security1 ssid=Kmetija
add datapath=datapath2 name=cfg_IOT security=security1 ssid=IOT
add channel=channel2 channel.tx-power=24 datapath=datapath1 datapath.client-to-client-forwarding=yes .local-forwarding=no name=\
cfg_Benjamin security=security1 ssid=AP
add channel=channel2 channel.band=2ghz-b country=no_country_set datapath=datapath2 name=cfg_Benjamin_IOT security=security1 ssid=\
IOT
add channel=channel5 channel.band=5ghz-onlyac datapath=datapath1 name=cfg5ghz security=security1 ssid="Kmetija 5"
add channel.band=5ghz-onlyac .tx-power=24 country=etsi datapath=datapath1 installation=any name=cfg_Benjamin_5 security=security1 \
ssid="AP 5"
# Static CAPsMAN interfaces, one per managed radio (identified by radio-mac). Entries with
# master-interface=<name> and radio-mac=00:00:00:00:00:00 are the IoT virtual APs that ride
# on the named master radio. Two "HapAc2_vecnamenski" radios and Benjamin_IOT are disabled.
/caps-man interface
add configuration=cfg_Benjamin disabled=no l2mtu=1600 mac-address=48:8F:5A:35:98:AB master-interface=none name=Benjamin radio-mac=\
48:8F:5A:35:98:AB radio-name=488F5A3598AB
add configuration=cfg_Benjamin_5 datapath.client-to-client-forwarding=yes .local-forwarding=yes disabled=no l2mtu=1600 \
mac-address=48:8F:5A:35:98:AA master-interface=none name="Benjamin 5" radio-mac=48:8F:5A:35:98:AA radio-name=488F5A3598AA
add configuration=cfg_Benjamin_IOT disabled=yes l2mtu=1600 mac-address=4A:8F:5A:35:98:AB master-interface=Benjamin name=\
Benjamin_IOT radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg1 disabled=yes mac-address=48:8F:5A:C9:71:80 master-interface=none name=HapAc2_vecnamenski radio-mac=\
48:8F:5A:C9:71:80 radio-name=488F5AC97180
add configuration=cfg5ghz disabled=yes mac-address=48:8F:5A:C9:71:81 master-interface=none name="HapAc2_vecnamenski 5" radio-mac=\
48:8F:5A:C9:71:81 radio-name=488F5AC97181
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=48:8F:5A:A5:33:FE master-interface=none name=HapLite_Dnevna radio-mac=\
48:8F:5A:A5:33:FE radio-name=488F5AA533FE
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=48:8F:5A:AF:4B:A8 master-interface=none mtu=1500 name=Mansarda \
radio-mac=48:8F:5A:AF:4B:A8 radio-name=488F5AAF4BA8
add configuration=cfg5ghz disabled=no l2mtu=1600 mac-address=48:8F:5A:AF:4B:A9 master-interface=none name=Mansarda5 radio-mac=\
48:8F:5A:AF:4B:A9 radio-name=488F5AAF4BA9
add configuration=cfg_IOT disabled=no l2mtu=1600 mac-address=4A:8F:5A:AF:4B:A8 master-interface=Mansarda name=Mansarda_IOT \
radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=08:55:31:3D:6E:22 master-interface=none mtu=1500 name=Silosi radio-mac=\
08:55:31:3D:6E:22 radio-name=0855313D6E22
add configuration=cfg5ghz disabled=no l2mtu=1600 mac-address=08:55:31:3D:6E:23 master-interface=none name="Silosi 5" radio-mac=\
08:55:31:3D:6E:23 radio-name=0855313D6E23
add configuration=cfg_IOT disabled=no l2mtu=1600 mac-address=0A:55:31:3D:6E:22 master-interface=Silosi name="Silosi IOT" \
radio-mac=00:00:00:00:00:00 radio-name=""
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=48:8F:5A:C9:71:79 master-interface=none name=Sobica radio-mac=\
48:8F:5A:C9:71:79 radio-name=488F5AC97179
add configuration=cfg5ghz disabled=no l2mtu=1600 mac-address=48:8F:5A:C9:71:7A master-interface=none name="Sobica 5" radio-mac=\
48:8F:5A:C9:71:7A radio-name=488F5AC9717A
add configuration=cfg_IOT disabled=no l2mtu=1600 mac-address=4A:8F:5A:C9:71:79 master-interface=Sobica name=Sobica_IOT radio-mac=\
00:00:00:00:00:00 radio-name=""
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=08:55:31:2B:63:8B master-interface=none name=Stala radio-mac=\
08:55:31:2B:63:8B radio-name=0855312B638B
add configuration=cfg5ghz disabled=no l2mtu=1600 mac-address=08:55:31:2B:63:8C master-interface=none name=Stala5 radio-mac=\
08:55:31:2B:63:8C radio-name=0855312B638C
add configuration=cfg_IOT disabled=no l2mtu=1600 mac-address=0A:55:31:2B:63:8B master-interface=Stala name=Stala_IOT radio-mac=\
00:00:00:00:00:00 radio-name=""
# Zahod and Zahod_IOT override the datapath flags per interface. Zahod_IOT is the only IoT
# entry that states client-to-client-forwarding=no explicitly; the other IoT entries rely on
# whatever cfg_IOT/datapath2 defaults to - confirm that default matches the intended isolation.
add configuration=cfg1 datapath.client-to-client-forwarding=yes .local-forwarding=yes disabled=no l2mtu=1600 mac-address=\
4C:5E:0C:65:A1:62 master-interface=none name=Zahod radio-mac=4C:5E:0C:65:A1:62 radio-name=4C5E0C65A162
add configuration=cfg_IOT datapath.client-to-client-forwarding=no .local-forwarding=no disabled=no l2mtu=1600 mac-address=\
4E:5E:0C:65:A1:62 master-interface=Zahod name=Zahod_IOT radio-mac=00:00:00:00:00:00 radio-name=""
# Interface lists referenced by the firewall, neighbor discovery and MAC server settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# Default wireless security profile: WPA2-PSK with dynamic keys; no key material is exported.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d \
tur-sun=0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
# Address pools: main LAN DHCP range, IoT range, and the "vpn" range that the PPP profile
# below uses as remote-address for VPN clients.
/ip pool
add name=dhcp ranges=192.168.3.110-192.168.3.200
add name=IOT_pool ranges=172.16.1.100-172.16.1.254
add name=vpn ranges=192.168.80.2-192.168.80.250
# One DHCP server per bridge, each with a lease time just under 24 hours.
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=23h59m59s name=defconf
add address-pool=IOT_pool interface="IOT bridge" lease-time=23h59m59s name=IOTdhcp
# PPP profiles. Only "Koroska" sets explicit options (encryption on, compression and MPLS
# off); the other named profiles are created without options.
/ppp profile
add name=Koroska use-compression=no use-encryption=yes use-mpls=no
add name=Sejanci
add name=Tadej
add name=Testni
add name=Janko
# *FFFFFFFE is an internal profile id (presumably the built-in default-encryption profile -
# confirm). It gives VPN clients 192.168.80.1 as the local end and an address from pool "vpn".
set *FFFFFFFE local-address=192.168.80.1 remote-address=vpn
# Outgoing L2TP tunnels, all with use-ipsec=yes. Passwords and IPsec secrets do not appear
# (export hide-sensitive); the remote hosts were redacted by the poster.
/interface l2tp-client
add connect-to=X.sn.mynetname.net disabled=no name=Janko profile=Janko use-ipsec=yes user=vpn
add connect-to=X.sn.mynetname.net disabled=no name=KoroskaL2TP_OUT profile=Koroska use-ipsec=yes user=grabe
add connect-to=X.sn.mynetname.net disabled=no name=SejanciAC2 profile=Sejanci use-ipsec=yes user=vpndani
add connect-to=X disabled=no name=Tadej profile=Tadej use-ipsec=yes user=Tadej
# A BGP template and an OSPF instance are present, but the only OSPF area is disabled and
# no BGP connection appears in this export.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Routing tables for policy routing; the mangle mark-routing rules and the /ip route entries
# refer to most of these names ("marko" is not referenced elsewhere in this export).
/routing table
add fib name=t2tv
add fib name=sejanci
add fib name=koroska
add fib name=t2test
add fib name=marko
add fib name=janko
add disabled=no fib name=gregor_net
# ZeroTier instance and network membership; identity and network id are redacted.
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" identity="X" name=zt1 port=9993
/zerotier interface
add instance=zt1 name=zerotier1 network=X
# The CAPsMAN manager runs on this router.
# NOTE(review): no "/caps-man manager interface" restriction appears in this export and the
# input chain accepts UDP 5246,5247 without an interface match - confirm the manager is not
# answering CAP requests on the WAN side.
/caps-man manager
set enabled=yes
# All four provisioning rules are disabled, so CAP interfaces presumably come only from the
# static /caps-man interface entries - confirm.
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn master-configuration=cfg1 slave-configurations=cfg_IOT
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn master-configuration=cfg_IOT name-format=prefix-identity \
name-prefix=2ghz
add action=create-dynamic-enabled disabled=yes hw-supported-modes=ac name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled disabled=yes hw-supported-modes=an name-format=prefix-identity name-prefix=5ghz-an
# Bridge-level filter: multicast frames are dropped on the way out of either local radio.
/interface bridge filter
add action=drop chain=output comment="DROP Multicast on WIFI" out-interface=wlan1 packet-type=multicast
add action=drop chain=output comment="DROP Multicast on WIFI" out-interface=wlan2 packet-type=multicast
# Bridge membership. ether5 is a port of the main bridge, while VLAN 3999 on ether5 and on
# the EoIP tunnel joins "Sejanci IPTV"; the EoIP tunnel itself joins Sejanci_Internet.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge="IOT bridge" ingress-filtering=no interface=IOT_WLAN
add bridge=bridge ingress-filtering=no interface=ether5
add bridge="Sejanci IPTV" fast-leave=yes ingress-filtering=no interface=IPTV3999
add bridge=Sejanci_Internet fast-leave=yes ingress-filtering=no interface=eoip-tunnel1
add bridge="Sejanci IPTV" interface=VLAN3999_ETH5
# Neighbor discovery is limited to interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is disabled; no /ipv6 firewall section appears in this export.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# L2TP server with use-ipsec=yes.
# NOTE(review): RouterOS also offers use-ipsec=required. With "yes" the server may still
# accept L2TP sessions that arrive without IPsec, and the input chain opens UDP 1701 to any
# source - confirm whether unencrypted L2TP is meant to be possible.
/interface l2tp-server server
set enabled=yes keepalive-timeout=60 use-ipsec=yes
# LAN list membership. Besides the bridge it holds two L2TP server bindings and the ZeroTier
# interface, so traffic from those tunnels is not caught by the "drop all not coming from LAN"
# input rule and can reach the router's own services (DNS, management).
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="L2TP_server 1" list=LAN
add interface=HapAC2_potovalni_IN list=LAN
add interface=zerotier1 list=LAN
# OpenVPN server digest list; no enabled= value is exported on this line.
# NOTE(review): md5 is a weak digest - if this server is ever enabled, consider removing it
# from the auth list.
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
# WireGuard peers on interface WG. Each peer is limited to a single /32 inside 10.0.0.0/24,
# so a peer can only send from its own assigned address. Public keys are redacted.
/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="Note 10" interface=WG public-key="X"
add allowed-address=10.0.0.3/32 comment="Chromecast TV" interface=WG public-key="X"
add allowed-address=10.0.0.4/32 interface=WG public-key="X"
add allowed-address=10.0.0.5/32 interface=WG public-key="X"
add allowed-address=10.0.0.6/32 interface=WG public-key="X"
add allowed-address=10.0.0.7/32 interface=WG public-key="X"
add allowed-address=10.0.0.8/32 interface=WG public-key="X"
add allowed-address=10.0.0.9/32 interface=WG public-key="X"
add allowed-address=10.0.0.10/32 interface=WG public-key="X"
add allowed-address=10.0.0.11/32 interface=WG public-key="X"
add allowed-address=10.0.0.12/32 interface=WG public-key="X"
add allowed-address=10.0.0.13/32 interface=WG public-key="X"
add allowed-address=10.0.0.14/32 interface=WG public-key="X"
add allowed-address=10.0.0.15/32 interface=WG public-key="X"
add allowed-address=10.0.0.16/32 comment=Katja_Redmi_Note_9 interface=WG public-key="X"
add allowed-address=10.0.0.17/32 interface=WG public-key="X"
add allowed-address=10.0.0.18/32 interface=WG public-key="X"
add allowed-address=10.0.0.19/32 interface=WG public-key="X"
add allowed-address=10.0.0.20/32 interface=WG public-key="X"
# The router's own radios act as a CAP of the local manager (caps-man-addresses=127.0.0.1).
/interface wireless cap
#
set caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
# Router addresses: 192.168.3.3 on the LAN bridge, the gateways of the IoT and IPTV
# networks, and 10.0.0.1 on the WireGuard interface.
/ip address
add address=192.168.3.3/24 comment=defconf interface=bridge network=192.168.3.0
add address=172.16.1.1/24 interface="IOT bridge" network=172.16.1.0
add address=192.168.11.1/24 interface="Sejanci IPTV" network=192.168.11.0
add address=10.0.0.1/24 interface=WG network=10.0.0.0
# MikroTik cloud DDNS is enabled.
/ip cloud
set ddns-enabled=yes
# WAN DHCP client; DNS servers offered by the upstream are ignored (use-peer-dns=no).
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
# Static DHCP leases on the LAN server.
/ip dhcp-server lease
add address=192.168.3.121 client-id=1:0:e4:0:91:3d:e6 mac-address=00:E4:00:91:3D:E6 server=defconf
add address=192.168.3.130 client-id=1:c:9d:92:83:e0:1d mac-address=0C:9D:92:83:E0:1D server=defconf
add address=192.168.3.150 client-id=1:0:1d:ec:a:35:d8 mac-address=00:1D:EC:0A:35:D8 server=defconf
add address=192.168.3.8 mac-address=E4:5F:01:5F:71:CC server=defconf
add address=192.168.3.110 client-id=1:fc:d5:d9:9f:6c:f mac-address=FC:D5:D9:9F:6C:0F server=defconf
add address=192.168.3.5 client-id=1:b8:27:eb:9d:90:1e mac-address=B8:27:EB:9D:90:1E server=defconf
add address=192.168.3.36 mac-address=48:8F:5A:A5:33:FA server=defconf
# DHCP options: IoT clients are given 8.8.8.8 directly; LAN clients are given the router
# (192.168.3.3) as both gateway and DNS server.
/ip dhcp-server network
add address=172.16.1.0/24 comment=IOT dns-server=8.8.8.8 gateway=172.16.1.1
add address=192.168.3.0/24 comment=DHCP dns-server=192.168.3.3 gateway=192.168.3.3
# The router forwards its lookups to 192.168.3.6 and answers queries from other hosts
# (allow-remote-requests=yes).
# NOTE(review): with remote requests allowed, who may use the resolver is decided only by
# the input chain - confirm that port 53 is not reachable from the WAN side.
/ip dns
set allow-remote-requests=yes servers=192.168.3.6
/ip dns static
add address=192.168.3.3 comment=defconf name=router.lan
# Address lists: one redacted entry, and a disabled "DNS Gregor" range covering
# 192.168.3.5-192.168.3.6 that only the (also disabled) "Gregor L2TP drop" rule references.
/ip firewall address-list
add address=X list=X
add address=192.168.3.5-192.168.3.6 disabled=yes list="DNS Gregor"
# IPv4 filter rules. Rules are listed in evaluation order, so every input accept below sits
# ahead of the "defconf: drop all not coming from LAN" rule near the end.
/ip firewall filter
add action=accept chain=input comment="BTEST Janko" disabled=yes protocol=tcp src-address=X
# ZeroTier traffic is accepted in both the forward and input chains with no further match.
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment=IGMP protocol=igmp
# VPN listeners (WireGuard 51821, IKE/NAT-T/L2TP) are open to any source and interface.
add action=accept chain=input comment="WIREGUARD HAP AC3" dst-port=51821 protocol=udp
add action=accept chain=input comment=L2TP dst-port=4500,500,1701 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Fasttrack skips connections carrying the "ppp" connection mark set in the mangle table.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ppp connection-state=\
established,related hw-offload=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): TCP 7461 is accepted from any interface and any source, and the rule has no
# comment. The www and winbox ports are redacted under /ip service; if 7461 is one of them,
# router management is reachable from the WAN - confirm, and prefer in-interface-list=LAN or
# a source address list on this rule.
add action=accept chain=input dst-port=7461 protocol=tcp
# Only UDP arriving on the WG interface is accepted on input; WG is not in the LAN list.
add action=accept chain=input comment=WIREGUARD in-interface=WG protocol=udp
# NOTE(review): this rule matches on source address alone (the router's own LAN address) on
# any interface - confirm it is needed next to the loopback rule below, or add an
# in-interface match.
add action=accept chain=input comment=CAPSMAN src-address=192.168.3.3
# NOTE(review): port= presumably matches either source or destination port (confirm against
# the RouterOS documentation) and there is no interface match, so this also covers WAN
# traffic; dst-port= together with in-interface-list=LAN would be narrower.
add action=accept chain=input comment="CAPSMAN PORTS" port=5246,5247 protocol=udp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# GRE is accepted from any source, presumably for the EoIP tunnel - confirm, and consider
# limiting it to the tunnel peer address.
add action=accept chain=input comment="Accept GRE" protocol=gre
# New connections arriving from the Tadej tunnel are dropped. The matching rule for the
# Gregor tunnel is disabled, so forwarding from that tunnel is not restricted here.
add action=drop chain=forward comment="Tadej L2TP drop" in-interface=Tadej
add action=drop chain=forward comment="Gregor L2TP drop" disabled=yes dst-address-list="!DNS Gregor" in-interface=Gregor
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
# IoT isolation is expressed only against the main bridge, in both directions.
# NOTE(review): the forward chain has no final drop rule, so IoT hosts are presumably still
# forwarded towards other interfaces (VPN tunnels, the other bridges) and tunnel clients
# towards the LAN - confirm that is intended.
add action=drop chain=forward comment="Drop traffic between IOT and Bridge" in-interface="IOT bridge" out-interface=bridge
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="Drop traffic between Bridge and IOT" in-interface=bridge out-interface="IOT bridge"
# Mangle rules. The first clamps TCP MSS on forwarded SYN packets; the second marks
# connections leaving through any PPP interface so that the fasttrack filter rule
# (connection-mark=!ppp) leaves them alone.
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=forward comment="Mark PPP connections to exclude them from fasttrack" new-connection-mark=ppp \
out-interface=all-ppp passthrough=no
# Policy routing by destination: packets to address list T2_TV use table t2tv. No list with
# that name is visible under /ip firewall address-list in this export (one entry there is
# redacted).
add action=mark-routing chain=prerouting dst-address-list=T2_TV new-routing-mark=t2tv passthrough=yes
# Per-client policy routing, all currently disabled. Each rule matches on src-address only
# (the t2test rule also has a redacted dst-address).
# NOTE(review): with no destination match, packets from the client to the router itself
# (for example DNS to 192.168.3.3) and to other local subnets presumably receive the routing
# mark as well, while the matching tables hold only a default route through the tunnel. That
# would fit the reported loss of access to 192.168.3.3 - confirm, and consider excluding
# local destinations (e.g. dst-address-type=!local or a dst-address-list of local subnets) so
# that management and DNS traffic stays on the LAN.
# The koroska and janko rules both match the same source, 192.168.3.132.
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=sejanci passthrough=yes src-address=192.168.3.128
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=koroska passthrough=yes src-address=192.168.3.132
add action=mark-routing chain=prerouting disabled=yes dst-address=X new-routing-mark=t2test passthrough=yes src-address=\
192.168.3.116
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=janko passthrough=yes src-address=192.168.3.132
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=gregor_net passthrough=yes src-address=192.168.3.110
# Source NAT. Besides the defconf WAN masquerade there is a hairpin rule for LAN-to-LAN
# traffic and masquerade rules for the VPN pool, the WireGuard subnet and all PPP interfaces.
# NOTE(review): the two VPN masquerade rules have no out-interface match, so VPN clients
# presumably appear to LAN hosts under the router's address, which removes the client
# address from those hosts' logs - confirm this is wanted.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT dostop kot od zunaj" dst-address=192.168.3.0/24 src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.80.0/24
add action=masquerade chain=srcnat comment="masq. Wireguard vpn traffic" src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=PPP_Out_Masquarade out-interface=all-ppp
# Port forwards from ether1. Active ones: UDP 6030 to 192.168.3.130:9 (wake-on-LAN), UDP
# 51820 to 192.168.3.6 and UDP 51822 to 192.168.3.8 (WireGuard on the two Raspberry Pi hosts).
# None of them restricts the source address.
add action=dst-nat chain=dstnat comment=Wireguard_AC2 disabled=yes dst-port=51821 in-interface=ether1 log=yes protocol=udp \
to-addresses=192.168.3.31 to-ports=51821
add action=dst-nat chain=dstnat comment=WOL_Mansarda dst-port=6030 in-interface=ether1 protocol=udp to-addresses=192.168.3.130 \
to-ports=9
# The two disabled WOL rules target the subnet broadcast address. WOL_9 forwards to port 7
# although it listens on 9 - possibly a typo, confirm before re-enabling.
add action=dst-nat chain=dstnat comment=WOL_7 disabled=yes dst-port=7 in-interface=ether1 protocol=udp to-addresses=192.168.3.255 \
to-ports=7
add action=dst-nat chain=dstnat comment=WOL_9 disabled=yes dst-port=9 in-interface=ether1 protocol=udp to-addresses=192.168.3.255 \
to-ports=7
add action=dst-nat chain=dstnat comment="Wireguard VPN RPI" dst-port=51820 in-interface=ether1 protocol=udp to-addresses=\
192.168.3.6 to-ports=51820
add action=dst-nat chain=dstnat comment="Wireguard VPN RPI4" dst-port=51822 in-interface=ether1 protocol=udp to-addresses=\
192.168.3.8 to-ports=51822
add action=accept chain=srcnat disabled=yes dst-address=192.168.3.0/24 protocol=tcp src-address=10.0.0.0/24
# Static routes. Entries with routing-table=<name> are the default routes of the policy
# routing tables (t2tv, sejanci, janko, gregor_net, koroska), each through one tunnel; the
# others add remote subnets to the main table. Two main-table routes are disabled.
# Each policy table holds nothing but its default route, so a packet carrying that routing
# mark presumably has no path to local subnets inside the table - confirm how the router
# handles such packets when a mangle rule marks traffic addressed to local destinations.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=Tadej routing-table=t2tv
add disabled=no dst-address=10.6.0.0/24 gateway=192.168.3.6
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=SejanciAC2 pref-src=0.0.0.0 routing-table=sejanci scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=Janko pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Janko pref-src=0.0.0.0 routing-table=janko scope=30 suppress-hw-offload=\
no target-scope=10
add disabled=yes distance=1 dst-address=192.168.4.0/24 gateway=HapAC2_potovalni_IN pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.10.0/24 gateway=SejanciAC2
add disabled=yes distance=1 dst-address=192.168.50.0/24 gateway=KoroskaL2TP_OUT pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.61.0/24 gateway=Gregor pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=Gregor pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Gregor pref-src="" routing-table=gregor_net scope=30 suppress-hw-offload=\
no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=KoroskaL2TP_OUT pref-src=0.0.0.0 routing-table=koroska scope=30 \
suppress-hw-offload=no target-scope=10
# Management services: telnet, ftp, ssh, api and api-ssl are disabled; www and winbox are
# left enabled on ports the poster redacted.
# NOTE(review): www is the plain-HTTP web interface, and winbox address=0.0.0.0/0 places no
# source restriction at the service level, so exposure depends entirely on the input chain
# (which accepts TCP 7461 from any source) - confirm neither port is reachable from the WAN
# and consider limiting address= to the LAN and VPN ranges.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=X
set ssh disabled=yes
set api disabled=yes
set winbox address=0.0.0.0/0 port=X
set api-ssl disabled=yes
# SMB file sharing is enabled with a writable "root" user, a "guest" user and the /pub share.
# NOTE(review): no interface restriction is visible here, so reachability is again decided
# by the input chain; if the share is not in use, disabling the service removes that
# exposure - confirm.
/ip smb
set enabled=yes
/ip smb shares
add comment="default share" directory=/pub name=pub
/ip smb users
add name=root read-only=no
add name=guest
# UPnP is enabled with the bridge as internal and ether1 as external interface.
# NOTE(review): UPnP lets hosts on the internal side request inbound port mappings on
# ether1 without authentication - confirm it is still required.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
# PPP accounts for incoming VPN users; passwords do not appear (export hide-sensitive).
# "vpn" is the only secret without profile=default-encryption, so it presumably falls back
# to the default profile - confirm that profile enforces the same settings.
/ppp secret
add name=vpn
add name=vpndani profile=default-encryption
add name=hapac2 profile=default-encryption
add name=koroska profile=default-encryption
add name=gregor profile=default-encryption
add name=b535 profile=default-encryption
# IGMP proxy: "Sejanci IPTV" is the upstream side and accepts any source subnet
# (alternative-subnets=0.0.0.0/0); the main bridge is the downstream side.
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface="Sejanci IPTV" upstream=yes
add interface=bridge
/system clock
set time-zone-name=Europe/Ljubljana
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 leds=poe-led type=poe-out
# Extra logging rule for messages that carry both the wireless and debug topics.
/system logging
add topics=wireless,debug
# NTP client with two fixed server addresses.
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.2.1.117
add address=193.2.4.2
# Bandwidth-test server is off; MAC-telnet and MAC-Winbox are limited to the LAN list, which
# in this export also contains two L2TP bindings and the ZeroTier interface.
/tool bandwidth-server
set enabled=no max-sessions=1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add host=10.255.255.0 interval=25m