sure, no problem.
here's the HQ config:
# jul/22/2022 17:19:03 by RouterOS 7.4
# software id = GTSP-YUM6
#
# model = RB3011UiAS
# serial number = <HIDDEN>
# --- HQ: physical and logical interfaces ---
# loopback0 carries 172.20.0.1/32 (see /ip address), the GRE/IPsec endpoint toward site H.
/interface bridge
add name=loopback0
# eth1 is the ISP uplink (PPPoE rides on vlan4001 below); eth4+eth5 form the LACP bond
# LAG10 toward the transit switch; eth10 is the out-of-band management port.
# Every other copper port and sfp1 is disabled.
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN
set [ find default-name=ether4 ] name="eth4 - Transit LAG 10"
set [ find default-name=ether5 ] name="eth5 - Transit LAG 10"
set [ find default-name=ether10 ] name="eth10 - MGT" poe-out=off
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes mac-address=08:55:31:D2:37:0A
set [ find default-name=sfp1 ] disabled=yes loop-protect=off loop-protect-disable-time=1s loop-protect-send-interval=1s
# GRE tunnels. gre-tunnel2 is the HQ<->H tunnel under review: local loopback0
# (172.20.0.1) to H's loopback 172.18.0.1, GRE keepalive explicitly off (!keepalive),
# so the interface stays "running" whether or not the far end answers; OSPF timers
# and IPsec DPD are then what detect a dead peer. Unlike tunnel1/tunnel10 it sets no
# mtu= here while the H end uses mtu=1300 - NOTE(review): confirm both ends agree on
# MTU; a mismatch on a ptp OSPF link can keep the neighbors stuck before Full.
# gre-tunnel30 is disabled and uses a DNS name as remote-address.
/interface gre
add allow-fast-path=no mtu=1300 name=gre-tunnel1 remote-address=1.1.1.1
add !keepalive local-address=172.20.0.1 name=gre-tunnel2 remote-address=172.18.0.1
add allow-fast-path=no mtu=1300 name=gre-tunnel10 remote-address=3.3.3.3
add disabled=yes !keepalive name=gre-tunnel30 remote-address=DNS_Site_T
# vlan51 sits on ether8, which is disabled above, so it carries nothing.
# vlan4001 on eth1-WAN is the ISP's PPPoE VLAN (loop-protect deliberately off).
/interface vlan
add interface="eth10 - MGT" name="vlan2 - MGT" vlan-id=2
add interface=ether8 name="vlan51 - VLAN0051" vlan-id=51
add interface=eth1-WAN loop-protect=off name="vlan4001 - ISP WAN" vlan-id=4001
# 802.3ad (LACP) bond of eth4/eth5 toward the transit switch.
/interface bonding
add arp-ip-targets=0.0.0.0 lacp-rate=1sec mode=802.3ad name=LAG10 slaves="eth4 - Transit LAG 10,eth5 - Transit LAG 10"
# PPPoE session over vlan4001; add-default-route=yes installs the Internet default
# route. The interface name pppoe-WAN is what the firewall rules key on - note that
# pppoe-WAN is NOT a member of the WAN interface list defined later.
/interface pppoe-client
add add-default-route=yes allow=chap disabled=no interface="vlan4001 - ISP WAN" name=pppoe-WAN user=<HIDDEN>
# Transit-side VLANs on LAG10, one /24 each under 172.20.0.0/16 (see /ip address).
/interface vlan
add interface=LAG10 name="vlan10 - SERVER-PRIVATE" vlan-id=10
add interface=LAG10 name="vlan15 - SERVER-PUBLIC" vlan-id=15
add interface=LAG10 name="vlan20 - WORKSTATIONS" vlan-id=20
add interface=LAG10 name="vlan30 - IPTEL" vlan-id=30
add interface=LAG10 name="vlan40 - PRINTERS" vlan-id=40
add interface=LAG10 name="vlan50 - LAB" vlan-id=50
add interface=LAG10 name="vlan60 - WLAN" vlan-id=60
add interface=LAG10 name="vlan100 - TRANSIT" vlan-id=100
# Interface lists referenced by the firewall (in-interface-list=WAN) and mac-server.
/interface list
add comment=defconf name=WAN
add comment=TRANSIT name=TRANSIT
add comment="Out-of-Band Management" name=MGT
# Default LTE APN / wireless security-profile stubs; nothing else in this export
# references LTE or wireless on the HQ box.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP client options used on the WAN lease (values redacted).
/ip dhcp-client option
add code=60 name=vendor-class-identifier value=<HIDDEN>
add code=77 name=userclass value=<HIDDEN>
add code=90 name=authsend value=<HIDDEN>
# IKE (phase 1) profiles. All use AES-256, a 1h lifetime and proposal-check=strict.
# DPD declares a peer dead only after 100 failed probes at 30s intervals -
# NOTE(review): that is a long detection window; it matters most for Peer_Site_H
# below, which is passive and can only learn of an H-side restart through DPD.
# Profile_Site_P/_T omit hash-algorithm, so it is whatever the RouterOS default is.
# Profile_Site_H (ecp521, sha512 hash/PRF) matches Profile_H on the H export.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h nat-traversal=no prf-algorithm=sha256 proposal-check=strict
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=Profile_Site_B prf-algorithm=sha256 proposal-check=strict
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 lifetime=1h name=Profile_Site_P nat-traversal=no proposal-check=strict
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 lifetime=1h name=Profile_Site_T nat-traversal=no proposal-check=strict
add dh-group=ecp521 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=1h name=Profile_Site_H prf-algorithm=sha512 proposal-check=strict
# Peers. Peer_Site_H has no address and passive=yes: HQ never initiates IKE toward H,
# the tunnel only comes up when H (Peer_H, address=HQ_IP/32 on its side) dials in.
# send-initial-contact=no means HQ does not ask H to discard old SAs on a fresh
# negotiation. Peer_Site_B and Peer_Site_T are disabled; Peer_Site_P uses IKEv1
# (no exchange-mode= shown) against 1.1.1.1.
/ip ipsec peer
add address=DNS_Site_B comment="VPN to B" disabled=yes exchange-mode=ike2 local-address=<local_WAN_IP> name=Peer_Site_B profile=Profile_Site_B
add address=DNS_Site_T comment="VPN to T" disabled=yes local-address=<local_WAN_IP> name=Peer_Site_T profile=Profile_Site_T
add address=1.1.1.1/32 comment="VPN to P" local-address=<local_WAN_IP> name=Peer_Site_P profile=Profile_Site_P
add comment="VPN to H" exchange-mode=ike2 local-address=<local_WAN_IP> name=Peer_Site_H passive=yes profile=Profile_Site_H send-initial-contact=no
# Phase-2 proposals; the built-in default is disabled. Proposal_H (aes-256-ctr,
# sha256, PFS ecp521) mirrors the H side exactly. Proposal_P sets no
# auth-algorithms=, so it runs with the RouterOS default there.
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-256-cbc lifetime=1h name=Proposal_P pfs-group=modp1536
add auth-algorithms=sha256 disabled=yes enc-algorithms=aes-256-cbc lifetime=1h name=Proposal_B pfs-group=modp1536
add disabled=yes enc-algorithms=aes-256-cbc lifetime=1h name=Proposal_T pfs-group=modp1536
add auth-algorithms=sha256 enc-algorithms=aes-256-ctr lifetime=1h name=Proposal_H pfs-group=ecp521
# DHCP pools/servers for the user VLANs (VLAN10/15/100 get no DHCP from this router).
/ip pool
add name=dhcp_pool0 ranges=172.20.60.11-172.20.60.200
add name=dhcp_pool1 ranges=172.20.20.11-172.20.20.200
add name=dhcp_pool2 ranges=172.20.30.11-172.20.30.200
add name=dhcp_pool3 ranges=172.20.40.11-172.20.40.200
add name=dhcp_pool4 ranges=172.20.50.11-172.20.50.200
# dhcp_VLAN40 and dhcp_VLAN50 both carry relay=172.20.40.1 although each server sits
# directly on its VLAN interface - NOTE(review): in RouterOS a non-zero relay= limits
# the server to requests arriving via that relay agent; verify clients on VLAN40/50
# actually obtain leases, and clear relay= if this is a leftover.
/ip dhcp-server
add address-pool=dhcp_pool0 interface="vlan60 - WLAN" lease-time=4h name=dhcp_VLAN60
add address-pool=dhcp_pool1 interface="vlan20 - WORKSTATIONS" lease-time=4h name=dhcp_VLAN20
add address-pool=dhcp_pool2 interface="vlan30 - IPTEL" lease-time=8h name=dhcp_VLAN30
add address-pool=dhcp_pool3 interface="vlan40 - PRINTERS" lease-time=8h name=dhcp_VLAN40 relay=172.20.40.1
add address-pool=dhcp_pool4 interface="vlan50 - LAB" lease-time=8h name=dhcp_VLAN50 relay=172.20.40.1
# Static IPv6 pool. The DHCPv6 client later in this export names its dynamic pool
# WAN_dhcpPool, not Pool_WAN_dhcpPool, so this entry appears unused.
/ipv6 pool
add name=Pool_WAN_dhcpPool prefix-length=48
/port
set 0 name=serial0
/queue interface
set sfp1 queue=ethernet-default
# Default BGP template only; no BGP connection is configured in this export.
/routing bgp template
set default disabled=no output.network=bgp-networks
# OSPF router-id 10.0.0.1 (site H uses 10.0.0.2). No interface in either export has
# an address in 10.0.0.0/30, so the 10.0.0.0/30 entries in the OSPF template and in
# the (disabled) input rule further down match nothing visible.
/routing id
add comment=OSPF_ID disabled=no id=10.0.0.1 name=OSPF_ID select-dynamic-id=""
# Single-area OSPF. originate-default=always is set on BOTH ends (see the H export),
# so each router advertises a default route to the other - NOTE(review): confirm that
# H, which has its own Internet path via lte1, is meant to receive/offer a default.
/routing ospf instance
add disabled=no name=ospf-instance-1 originate-default=always router-id=OSPF_ID
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-0
# Disabled bridge filter and a bridge port referencing *D / *E: names of that form in a
# RouterOS export appear to be internal IDs of objects that no longer exist, presumably
# left over from a removed bridge; safe to delete once confirmed.
/interface bridge filter
add action=set-priority chain=output disabled=yes dst-port=67 ip-protocol=udp log=yes log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 out-interface=*D passthrough=yes
/interface bridge port
add bridge=*E ingress-filtering=no interface=*D
# Connection tracking must stay enabled: fasttrack and every connection-state= rule
# depend on it.
/ip firewall connection tracking
set enabled=yes
# MNDP/CDP/LLDP neighbor discovery on ALL interfaces, including eth1-WAN/pppoe-WAN,
# so the router announces its identity and software version toward the ISP link.
# The H export limits this to !dynamic; consider restricting HQ to the MGT/TRANSIT
# lists.
/ip neighbor discovery-settings
set discover-interface-list=all
# Loose reverse-path filtering (site H uses strict; see the note there).
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
# IPv6 stays enabled here and a /48 is requested over PPPoE further down, but no
# /ipv6 firewall section appears in this export - NOTE(review): if none exists on the
# box, hosts inside the delegated prefix are reachable from the Internet unfiltered.
/ipv6 settings
set max-neighbor-entries=8192
# List membership. pppoe-WAN is not in WAN, which makes the later
# in-interface-list=WAN drop rule miss Internet traffic (see the firewall section).
/interface list member
add comment="WAN - Public Fiber" interface=eth1-WAN list=WAN
add comment="Management Interface" interface="eth10 - MGT" list=MGT
add comment=Transit interface=LAG10 list=TRANSIT
add comment="WAN - Public Fiber" interface="vlan4001 - ISP WAN" list=WAN
# Legacy OVPN auth list; no OVPN server is enabled anywhere in this export.
/interface ovpn-server server
set auth=sha1,md5
# Addresses. loopback0 = 172.20.0.1/32 is the GRE/IPsec endpoint for site H;
# 172.30.2.1/30 on gre-tunnel2 is the OSPF ptp link to H (172.30.2.2).
# The gre-tunnel30 address sits on a disabled tunnel.
/ip address
add address=172.20.2.10/24 comment=Management interface="eth10 - MGT" network=172.20.2.0
add address=172.20.100.254/24 comment="Transit vlan 100" interface="vlan100 - TRANSIT" network=172.20.100.0
add address=172.20.10.1/24 comment=SERVER-PRIVATE interface="vlan10 - SERVER-PRIVATE" network=172.20.10.0
add address=172.20.20.1/24 comment=WORKSTATIONS interface="vlan20 - WORKSTATIONS" network=172.20.20.0
add address=172.20.30.1/24 comment=IPTEL interface="vlan30 - IPTEL" network=172.20.30.0
add address=172.20.40.1/24 comment=PRINTER interface="vlan40 - PRINTERS" network=172.20.40.0
add address=172.20.50.1/24 comment=LAB interface="vlan50 - LAB" network=172.20.50.0
add address=172.20.60.1/24 comment=WLAN interface="vlan60 - WLAN" network=172.20.60.0
add address=172.30.1.1/30 comment="GRE Tunnel1 - P" interface=gre-tunnel1 network=172.30.1.0
add address=10.10.10.2/30 comment="GRE Tunnel10 - B" interface=gre-tunnel10 network=10.10.10.0
add address=10.10.30.2/30 comment="GRE Tunnel30 - T" interface=gre-tunnel30 network=10.10.30.0
add address=172.30.2.1/30 interface=gre-tunnel2 network=172.30.2.0
add address=172.20.0.1 interface=loopback0 network=172.20.0.1
/ip cloud
set update-time=no
# DHCP client on the raw WAN port, alongside the PPPoE session on vlan4001; peer NTP
# is ignored (the NTP servers are configured statically below).
/ip dhcp-client
add !dhcp-options interface=eth1-WAN use-peer-ntp=no
# DHCP options per VLAN. VLAN60 hands out 8.8.8.8 ahead of the internal resolvers, so
# WLAN clients may resolve externally rather than through 172.16.x.
/ip dhcp-server network
add address=172.20.20.0/24 dns-server=172.16.10.20,172.20.20.2 gateway=172.20.20.1 netmask=24
add address=172.20.30.0/24 dns-server=172.16.10.20 gateway=172.20.30.1 netmask=24
add address=172.20.40.0/24 dns-server=172.16.20.2 gateway=172.20.40.1 netmask=24
add address=172.20.50.0/24 dns-server=172.20.50.1,172.16.10.20 gateway=172.20.50.1 netmask=24
add address=172.20.60.0/24 dns-server=8.8.8.8,172.20.60.1,172.16.20.2 gateway=172.20.60.1 netmask=24
# allow-remote-requests=yes turns the router into a resolver for anything that can
# reach it; Internet exposure is prevented only by the input chain (the UDP/53 drop
# on pppoe-WAN plus the final stealth drop), so those rules must stay.
/ip dns
set allow-remote-requests=yes servers=130.117.11.11,172.16.10.20
/ip dns static
add address=172.20.2.10 comment=defconf name=<HIDDEN>
add address=130.117.11.11 comment="WAN DNS Server" name=WAN
# Address list "NAT" is defined but no nat/filter rule in this export references it;
# the masquerade rule matches on src-address=172.20.0.0/16 instead.
/ip firewall address-list
add address=172.20.20.0/24 list=NAT
add address=172.20.60.0/24 list=NAT
# --- HQ firewall. Rules are evaluated top-down, first match wins. A RouterOS chain
# that reaches its end without a match ACCEPTS, so only the explicit drops close it. ---
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=input comment="DROP INVALID PACKETS" connection-state=invalid
add action=drop chain=forward connection-state=invalid
# Per-packet logged drops from the Internet side - NOTE(review): log=yes on rules that
# face pppoe-WAN can flood /log during a scan; add a log-prefix or drop log=yes once
# the tunnel issue is resolved.
add action=drop chain=input comment="Drop incoming DNS requests from Internet (DDoS)" dst-port=53 in-interface=pppoe-WAN log=yes protocol=udp
add action=drop chain=input dst-port=22,80,443 in-interface=pppoe-WAN log=yes protocol=tcp
# Management network <-> 172.16.0.0/12 forwarding (logged both ways).
add action=accept chain=forward dst-address=172.20.2.0/24 log=yes out-interface="eth10 - MGT" src-address=172.16.0.0/12
add action=accept chain=forward dst-address=172.16.0.0/12 in-interface="eth10 - MGT" log=yes src-address=172.20.2.0/24
# All protocols from 172.16.0.0/16 to the router and back - broader than the
# MANAGEMENT rule just below and makes it redundant for that source range.
add action=accept chain=input dst-address=172.20.0.0/16 src-address=172.16.0.0/16
add action=accept chain=output dst-address=172.16.0.0/16 src-address=172.20.0.0/16
# Intended management exposure: 22/80/443 on the MGT address, from 172.16.0.0/12 only.
add action=accept chain=input comment=MANAGEMENT dst-address=172.20.2.10 dst-port=80,443,22 protocol=tcp src-address=172.16.0.0/12
add action=accept chain=forward dst-address=172.20.2.15 log=yes src-address=172.16.0.0/12
add action=accept chain=input comment="Allow internal networks to ping GW" dst-address=172.20.0.0/16 log=yes protocol=icmp src-address=172.16.0.0/12
# OSPF (protocol 89) in on gre-tunnel2 and out. NOTE(review): OSPF on a ptp interface
# normally sends hellos to multicast 224.0.0.5, which dst-address=172.16.0.0/12 does
# not match - nor do the broad 172.16/12 rules further down - so inbound hellos on
# the tunnel would fall through to the logged stealth drop at the end of this chain.
# Check /log for protocol 89 drops toward 224.0.0.5 and, if present, relax
# dst-address on this rule (e.g. keep only in-interface=gre-tunnel2 protocol=ospf).
add action=accept chain=input comment="OSPF debug" dst-address=172.16.0.0/12 in-interface=gre-tunnel2 protocol=ospf src-address=172.16.0.0/12
add action=accept chain=output dst-address=172.16.0.0/12 protocol=ospf src-address=172.16.0.0/12
add action=accept chain=input disabled=yes src-address=10.0.0.0/30
# Site P (1.1.1.1): ESP, IKE udp/500, GRE, and ICMP across the tunnel link.
add action=accept chain=input comment="VPN P" dst-address=<local_WAN_IP> protocol=ipsec-esp src-address=1.1.1.1
add action=accept chain=output dst-address=1.1.1.1 protocol=ipsec-esp src-address=<local_WAN_IP>
add action=accept chain=input dst-address=<local_WAN_IP> dst-port=500 protocol=udp src-address=1.1.1.1 src-port=500
add action=accept chain=output dst-address=1.1.1.1 dst-port=500 protocol=udp src-address=<local_WAN_IP> src-port=500
add action=accept chain=input dst-address=<local_WAN_IP> log=yes protocol=gre src-address=1.1.1.1
add action=accept chain=output dst-address=1.1.1.1 log=yes protocol=gre src-address=<local_WAN_IP>
add action=accept chain=input dst-address=172.30.1.0/30 in-interface=gre-tunnel1 protocol=icmp src-address=172.30.1.0/30
# Site H: IKE udp/500+4500 from 213.248.108.128/25 (presumably the range H's LTE
# uplink appears from), then GRE between the two loopbacks, which rides inside ESP.
# No ipsec-esp rule is needed for H as long as NAT-T (udp/4500) is in use.
add action=accept chain=input comment="VPN H" dst-address=<local_WAN_IP> dst-port=500,4500 protocol=udp src-address=213.248.108.128/25
add action=accept chain=output dst-address=213.248.108.128/25 protocol=udp src-address=<local_WAN_IP> src-port=500,4500
add action=accept chain=input dst-address=172.20.0.1 protocol=gre src-address=172.18.0.1
add action=accept chain=output dst-address=172.18.0.1 protocol=gre src-address=172.20.0.1
# Troubleshooting catch-alls: any 172.16.0.0/12 source reaches every router service
# on every port, superseding the MANAGEMENT/ICMP/NTP restrictions above (the author
# notes these are temporary). They still do not cover multicast OSPF hellos.
add action=accept chain=input dst-address=172.16.0.0/12 src-address=172.16.0.0/12
add action=accept chain=output dst-address=172.16.0.0/12 src-address=172.16.0.0/12
# Site B (3.3.3.3): ESP, GRE, ICMP across the tunnel link (peer currently disabled).
add action=accept chain=input comment="VPN B" dst-address=<local_WAN_IP> protocol=ipsec-esp src-address=3.3.3.3
add action=accept chain=output dst-address=3.3.3.3 protocol=ipsec-esp src-address=<local_WAN_IP>
add action=accept chain=input dst-address=<local_WAN_IP> protocol=gre src-address=3.3.3.3
add action=accept chain=output dst-address=3.3.3.3 protocol=gre src-address=<local_WAN_IP>
add action=accept chain=input dst-address=10.10.10.0/30 in-interface=gre-tunnel10 protocol=icmp src-address=10.10.10.0/30
# Inter-site forward catch-all (marked temp).
add action=accept chain=forward comment="Allow traffic between P and H (temp)" dst-address=172.16.0.0/12 src-address=172.16.0.0/12
# NTP: replies from the four configured servers, and queries from internal ranges
# (this router also runs an NTP server, see /system ntp server).
add action=accept chain=input comment=NTP dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=194.0.5.123 src-port=123
add action=accept chain=input dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=82.64.42.185 src-port=123
add action=accept chain=input dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=92.222.209.69 src-port=123
add action=accept chain=input dst-port=123 in-interface=pppoe-WAN protocol=udp src-address=162.159.200.123 src-port=123
add action=accept chain=input dst-port=123 protocol=udp src-address=172.16.0.0/12
# Stealth rule: anything not accepted above on input is dropped and logged.
add action=drop chain=input comment="STEALTH RULE 1: DROP ALL PACKETS NOT EXPLICITLY ALLOWED ABOVE (INPUT CHAIN)" log=yes
# Forward chain: Internet egress from TRANSIT after srcnat, LAB exchange, established.
add action=accept chain=forward comment="OUTBOUND INTERNET TRAFFIC" connection-nat-state=srcnat in-interface="vlan100 - TRANSIT" src-address=172.20.0.0/16
add action=accept chain=forward comment="Accept trafic to LAB vlan" dst-address=172.20.50.0/24 src-address=172.20.0.0/16
add action=accept chain=forward dst-address=172.20.0.0/16 src-address=172.20.50.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# The WAN list holds eth1-WAN and vlan4001 but not pppoe-WAN, so the defconf rule
# below does not see Internet traffic; the CLEANUP rule (in-interface=pppoe-WAN)
# is what actually drops it. Neither rule ends the forward chain for other sources:
# traffic between the 172.20.x VLANs that matches nothing above is accepted by the
# chain default. Add an explicit final forward drop if VLAN separation is intended.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="CLEANUP RULE - DROP ALL PACKETS COMING FROM WAN (FWD CHAIN)" in-interface=pppoe-WAN log=yes
# Source NAT for all of 172.20.0.0/16 leaving pppoe-WAN, except toward 172.16.0.0/12
# so site-to-site traffic keeps its real addresses.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!172.16.0.0/12 out-interface=pppoe-WAN src-address=172.20.0.0/16
# Connection-tracking ALG helpers disabled (ftp/tftp/irc/h323/sip/pptp/...); none is
# needed for the GRE-over-IPsec path.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# IPsec identities. Site H uses FQDN IDs on both ends (remote-id here corresponds to
# my-id on the H export). No auth-method= is shown, so it is at the RouterOS default;
# the shared secret is not printed in this export.
/ip ipsec identity
add comment=P peer=Peer_Site_P
add comment=B disabled=yes my-id=fqdn:DNS_Site-HQ peer=Peer_Site_B remote-id=fqdn:DNS_Site-B
add comment=T disabled=yes peer=Peer_Site_T
add comment="H" my-id=fqdn:DNS_Site-HQ peer=Peer_Site_H remote-id=fqdn:DNS_Site-H
# Policies. For site H only GRE between the two loopbacks (172.20.0.1 <-> 172.18.0.1)
# is protected, in tunnel mode; the H export holds the mirror image. Built-in policy 0
# is disabled.
/ip ipsec policy
set 0 disabled=yes proposal=Proposal_P
add disabled=yes dst-address=3.3.3.3/32 peer=Peer_Site_B proposal=Proposal_B protocol=gre src-address=<local_WAN_IP>/32 tunnel=yes
add dst-address=1.1.1.1/32 peer=Peer_Site_P proposal=Proposal_P protocol=gre src-address=<local_WAN_IP>/32 tunnel=yes
add disabled=yes dst-address=82.65.173.123/32 peer=Peer_Site_T proposal=Proposal_T protocol=gre src-address=<local_WAN_IP>/32 tunnel=yes
add dst-address=172.18.0.1/32 peer=Peer_Site_H proposal=Proposal_H protocol=gre src-address=172.20.0.1/32 tunnel=yes
# Static routes via the tunnels. 172.18.0.0/16 -> gre-tunnel2 carries distance 1
# (the default). OSPF routes have distance 110 by default, so an OSPF-learned
# 172.18.0.0/16 from H can never become active while this static exists -
# NOTE(review): if OSPF is meant to carry the site prefixes, remove this static (and
# its mirror 172.20.0.0/16 on H) or give it a distance above 110. The prefix also
# covers the tunnel's own remote endpoint 172.18.0.1.
/ip route
add disabled=no distance=1 dst-address=172.16.0.0/16 gateway=gre-tunnel1 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.127.0/24 gateway=gre-tunnel1 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no dst-address=172.18.0.0/16 gateway=gre-tunnel2 routing-table=main suppress-hw-offload=no
# Management services: telnet/ftp/api/winbox/api-ssl off, www-ssl on. Plain www and
# ssh are not listed, so they are presumably at their defaults (enabled). Since
# www-ssl is available, the clear-text www service can be disabled as well; the
# MANAGEMENT firewall rule currently still admits port 80.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
# SSH hardened: strong-crypto and an 8192-bit host key.
/ip ssh
set host-key-size=8192 strong-crypto=yes
# DHCPv6-PD over PPPoE: requests a /48 and installs an IPv6 default route. The
# resulting dynamic pool is named WAN_dhcpPool (not the static Pool_WAN_dhcpPool).
# Remember there is no /ipv6 firewall section in this export.
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-WAN pool-name=WAN_dhcpPool pool-prefix-length=48 rapid-commit=no request=prefix
# LCD settings (cosmetic).
/lcd
set backlight-timeout=never default-screen=interfaces
/lcd interface
set ether2 disabled=yes
set ether3 disabled=yes
set "eth4 - Transit LAG 10" disabled=yes
set "eth5 - Transit LAG 10" disabled=yes
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set "eth10 - MGT" disabled=yes
/lcd screen
set 1 disabled=yes
set 2 disabled=yes
set 5 disabled=yes
# OSPF interface template: no interfaces= filter and no auth=, so every interface
# whose address falls in 172.30.2.0/30, 172.20.0.0/16 or 10.0.0.0/30 - the
# gre-tunnel2 link, but also every LAN VLAN, the MGT port and loopback0 - runs active
# OSPF as type=ptp. Any host on those VLANs could try to form an adjacency and inject
# routes; today only the input-chain stealth drop happens to stop their hellos, which
# is accidental protection. Recommend one template scoped to the tunnel
# (interfaces=gre-tunnel2 or networks=172.30.2.0/30) with an auth= key, plus a
# passive=yes template for the LAN prefixes. The H template has the same shape.
/routing ospf interface-template
add area=ospf-area-0 disabled=no networks=172.30.2.0/30,172.20.0.0/16,10.0.0.0/30 type=ptp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Paris
/system identity
set name=router-HQ
# Logging: default rule 0 disabled; the ipsec topic exists but is disabled - enable it
# while troubleshooting the H tunnel. The ospf topic is active.
/system logging
set 0 disabled=yes
add disabled=yes topics=ipsec
add topics=ospf
/system note
set show-at-login=no
# NTP client and server; the four servers below are the ones the input chain accepts
# replies from.
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=194.0.5.123
add address=82.64.42.185
add address=92.222.209.69
add address=162.159.200.123
# MAC-telnet / MAC-winbox answered only on interfaces in the TRANSIT list.
/tool mac-server
set allowed-interface-list=TRANSIT
/tool mac-server mac-winbox
set allowed-interface-list=TRANSIT
and here's the remote site "H" I am connected to via gre tunnel2:
# jul/22/2022 17:20:14 by RouterOS 7.4
# software id = S1K6-QPTS
#
# model = RBLDFR
# serial number = <HIDDEN>
# --- Site H (LTE uplink): interfaces ---
# Loopback0 carries 172.18.0.1/32, the GRE/IPsec endpoint toward HQ. ether1 is the
# single LAN trunk (loop-protect off).
/interface bridge
add name=Loopback0
/interface ethernet
set [ find default-name=ether1 ] loop-protect=off
# H end of the HQ<->H GRE tunnel: mtu=1300, fast path off, keepalive left at the
# default (the HQ end sets !keepalive) - NOTE(review): confirm this end shows
# "running" and that the MTU matches what HQ's gre-tunnel2 ends up with.
/interface gre
add allow-fast-path=no local-address=172.18.0.1 mtu=1300 name=gre-tunnel2 remote-address=172.20.0.1
# LAN VLANs on ether1 (MGT, PC, IPTEL, CCTV, WLAN).
/interface vlan
add interface=ether1 name="vlan2 - MGT" vlan-id=2
add interface=ether1 name="vlan20 - PC" vlan-id=20
add interface=ether1 name="vlan30 - IPTEL" vlan-id=30
add interface=ether1 name="vlan31 - CCTV" vlan-id=31
add interface=ether1 name="vlan60 - WLAN" vlan-id=60
/interface ethernet switch port
set 0 default-vlan-id=1 vlan-header=add-if-missing vlan-mode=fallback
/interface list
add name=WAN
add name=LAN
# LTE WAN: lte1 with roaming disabled and a fixed band list.
/interface lte apn
add apn=<HIDDEN> ip-type=ipv4 name=<HIDDEN> use-network-apn=yes
/interface lte
set [ find ] allow-roaming=no apn-profiles=<HIDDEN> band=1,3,7,20 name=lte1 network-mode=lte
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IKE profile / peer / proposal mirror HQ's Profile_Site_H and Proposal_H (ecp521,
# sha512, aes-256-ctr + sha256, PFS ecp521). This side names the peer address
# (HQ_IP/32) and is not passive, so H is the IKE initiator; HQ only answers.
/ip ipsec profile
add dh-group=ecp521 dpd-interval=30s dpd-maximum-failures=100 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=1h name=Profile_H prf-algorithm=sha512 proposal-check=strict
/ip ipsec peer
add address=HQ_IP/32 comment="VPN to H" exchange-mode=ike2 name=Peer_H profile=Profile_H
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-ctr lifetime=1h name=Proposal_H pfs-group=ecp521
# DHCP pools/servers for the four user VLANs.
/ip pool
add name=dhcp_pool_VLAN20 ranges=172.18.20.11-172.18.20.200
add name=dhcp_pool_VLAN30 ranges=172.18.30.11-172.18.30.200
add name=dhcp_pool_VLAN31 ranges=172.18.31.11-172.18.31.200
add name=dhcp_pool_VLAN60 ranges=172.18.60.11-172.18.60.200
/ip dhcp-server
add address-pool=dhcp_pool_VLAN20 interface="vlan20 - PC" lease-time=8h name=dhcp_VLAN20
add address-pool=dhcp_pool_VLAN30 interface="vlan30 - IPTEL" lease-time=8h name=dhcp_VLAN30
add address-pool=dhcp_pool_VLAN31 interface="vlan31 - CCTV" lease-time=8h name=dhcp_VLAN31
add address-pool=dhcp_pool_VLAN60 interface="vlan60 - WLAN" lease-time=8h name=dhcp_VLAN60
# Router-IDs: "Lookpack0" (sic) is disabled; OSPF_ID is 10.0.0.2 (HQ: 10.0.0.1).
# As at HQ, no interface here carries an address in 10.0.0.0/30.
/routing id
add comment=Lookpack0 disabled=yes id=172.18.0.1 name=Lookpack0 select-dynamic-id=only-loopback
add comment=OSPF_ID disabled=no id=10.0.0.2 name=OSPF_ID select-dynamic-id=""
# originate-default=always on this end too, so H advertises a default route into
# OSPF toward HQ - NOTE(review): verify HQ should ever consider H's LTE link as
# its default path.
/routing ospf instance
add disabled=no name=ospf-instance-1 originate-default=always router-id=OSPF_ID
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-0
# Built-in "full" group with the stock policy list (includes ftp, telnet, sensitive).
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api
# Neighbor discovery only on the !dynamic list (tighter than HQ's "all").
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# rp-filter=strict drops packets whose source address would be routed back out a
# different interface than the one they arrived on. ESP from HQ arrives on lte1 and
# decapsulates to GRE sourced from 172.20.0.1, yet 172.20.0.0/16 is routed to
# gre-tunnel2 (see /ip route) - NOTE(review): the strict check may therefore reject
# the tunnel's own GRE packets. HQ runs loose; try loose here while troubleshooting.
/ip settings
set max-neighbor-entries=8192 rp-filter=strict
# IPv6 fully disabled on this box.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment="LTE - Mobile Network" interface=lte1 list=WAN
add comment=LAN interface=ether1 list=LAN
# Legacy OVPN auth list; no OVPN server is enabled in this export.
/interface ovpn-server server
set auth=sha1,md5
# Addresses. 172.30.2.2/30 on gre-tunnel2 is the OSPF ptp link to HQ (172.30.2.1);
# Loopback0 = 172.18.0.1/32 is the tunnel/IPsec endpoint.
/ip address
add address=172.18.2.1/24 comment=Management interface="vlan2 - MGT" network=172.18.2.0
add address=172.18.30.1/24 comment=IPTEL interface="vlan30 - IPTEL" network=172.18.30.0
add address=172.18.20.1/24 comment=PC interface="vlan20 - PC" network=172.18.20.0
add address=172.18.31.1/24 comment=CCTV interface="vlan31 - CCTV" network=172.18.31.0
add address=172.18.60.1/24 comment=WLAN interface="vlan60 - WLAN" network=172.18.60.0
add address=172.30.2.2/30 interface=gre-tunnel2 network=172.30.2.0
add address=172.18.0.1 interface=Loopback0 network=172.18.0.1
# DDNS refresh every 10 min for the (presumably changing) LTE address; see also the
# OVH script at the end. HQ's Peer_Site_H has no address, so HQ does not depend on
# this name - it simply waits for H to initiate.
/ip cloud
set ddns-update-interval=10m update-time=no
# DHCP options per VLAN; VLAN20/60 hand out 8.8.8.8, IPTEL/CCTV use the internal
# resolver only.
/ip dhcp-server network
add address=172.18.20.0/24 dns-server=8.8.8.8 gateway=172.18.20.1 netmask=24
add address=172.18.30.0/24 dns-server=172.16.10.20 gateway=172.18.30.1 netmask=24
add address=172.18.31.0/24 dns-server=172.16.10.20 gateway=172.18.31.1 netmask=24
add address=172.18.60.0/24 dns-server=8.8.8.8,172.16.10.20 gateway=172.18.60.1 netmask=24
# Address list "NAT" is unreferenced by any rule in this export (as at HQ).
/ip firewall address-list
add address=172.18.20.0/24 list=NAT
# --- Site H firewall. Top-down, first match wins; a chain with no match ACCEPTS. ---
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=input comment="DROP INVALID PACKETS" connection-state=invalid
add action=drop chain=forward connection-state=invalid
# Logged drops from the LTE side (same log-flood caveat as at HQ).
add action=drop chain=input comment="Drop incoming DNS requests from Internet (DDoS)" dst-port=53 in-interface=lte1 log=yes protocol=udp
add action=drop chain=input dst-port=22,80,443 in-interface=lte1 log=yes protocol=tcp
# Management VLAN <-> 172.16.0.0/12 forwarding, and 22/80/443 on the MGT address.
add action=accept chain=forward dst-address=172.18.2.0/24 out-interface="vlan2 - MGT" src-address=172.16.0.0/12
add action=accept chain=forward dst-address=172.16.0.0/12 in-interface="vlan2 - MGT" src-address=172.18.2.0/24
add action=accept chain=input comment=MANAGEMENT dst-address=172.18.2.1 dst-port=22,80,443 protocol=tcp src-address=172.16.0.0/12
# CCTV subnet -> router: UDP from source port 123 to ANY destination port (no
# dst-port=), presumably meant for NTP from the cameras; tighten to dst-port=123.
add action=accept chain=input dst-address=172.18.31.1 protocol=udp src-address=172.18.31.0/24 src-port=123
add action=accept chain=input comment="Allow internal networks to ping GW" dst-address=172.18.0.0/16 protocol=icmp src-address=172.16.0.0/12
# OSPF in/out on gre-tunnel2 with the same dst-address=172.16.0.0/12 limitation as at
# HQ: multicast hellos to 224.0.0.5 would not match and would fall to the stealth
# drop below - which on this side is NOT logged, so the drop would be silent.
# Consider log=yes on the stealth rule while troubleshooting.
add action=accept chain=input comment="OSPF debug" dst-address=172.16.0.0/12 in-interface=gre-tunnel2 protocol=ospf src-address=172.16.0.0/12
add action=accept chain=output dst-address=172.16.0.0/12 protocol=ospf src-address=172.16.0.0/12
# All protocols from 10.0.0.0/30 (active here; HQ's twin rule is disabled). Nothing
# in either export has an address in that range.
add action=accept chain=input src-address=10.0.0.0/30
add action=drop chain=input comment="Droping traffic not originating from internal networks" dst-address=172.18.2.0/24 in-interface="vlan2 - MGT" src-address=!172.16.0.0/12
# IPTEL and CCTV may not leave the internal address space (good egress control).
add action=drop chain=forward dst-address=!172.16.0.0/12 in-interface="vlan30 - IPTEL" src-address=172.18.30.0/24
add action=drop chain=forward dst-address=!172.16.0.0/12 in-interface="vlan31 - CCTV" src-address=172.18.31.0/24
# IKE (udp/500+4500) to/from HQ over lte1, then GRE between the two loopbacks.
add action=accept chain=input comment="VPN H" in-interface=lte1 protocol=udp src-address=HQ_IP src-port=500,4500
add action=accept chain=output dst-address=HQ_IP dst-port=500,4500 out-interface=lte1 protocol=udp
add action=accept chain=input dst-address=172.18.0.1 protocol=gre src-address=172.20.0.1
add action=accept chain=output dst-address=172.20.0.1 protocol=gre src-address=172.18.0.1
# Troubleshooting catch-alls: any 172.16.0.0/12 source reaches every router service.
add action=accept chain=input dst-address=172.16.0.0/12 src-address=172.16.0.0/12
add action=accept chain=output dst-address=172.16.0.0/12 src-address=172.16.0.0/12
# Internet access for VLAN20 only, plus its return traffic.
add action=accept chain=forward comment="Internet access vlan 20" dst-address=!172.16.0.0/12 in-interface="vlan20 - PC" out-interface=lte1 src-address=172.18.20.0/24
add action=accept chain=forward connection-state=established,related dst-address=172.18.20.0/24 in-interface=lte1 out-interface="vlan20 - PC" src-address=!172.16.0.0/12
# NTP replies from the four configured servers; then ANY UDP from 172.16.0.0/12 into
# 172.18.0.0/16 (broader than the NTP intent).
add action=accept chain=input comment=NTP dst-port=123 in-interface=lte1 protocol=udp src-address=194.0.5.123 src-port=123
add action=accept chain=input dst-port=123 in-interface=lte1 protocol=udp src-address=82.64.42.185 src-port=123
add action=accept chain=input dst-port=123 in-interface=lte1 protocol=udp src-address=92.222.209.69 src-port=123
add action=accept chain=input dst-port=123 in-interface=lte1 protocol=udp src-address=162.159.200.123 src-port=123
add action=accept chain=input dst-address=172.18.0.0/16 protocol=udp src-address=172.16.0.0/12
# Zoneminder host <-> camera.
add action=accept chain=forward comment="Zoneminder => Camera" dst-address=172.18.31.200 src-address=172.18.20.0/24
add action=accept chain=forward comment="camera => Zoneminder" dst-address=172.18.20.0/24 src-address=172.18.31.200
# Stealth drop (unlogged here, unlike HQ), then drop everything entering from lte1 in
# forward. As at HQ there is no final forward drop, so e.g. VLAN60 -> lte1 or
# VLAN-to-VLAN traffic that matches nothing above is accepted by the chain default.
add action=drop chain=input comment="STEALTH RULE 1: DROP ALL PACKETS NOT EXPLICITLY ALLOWED ABOVE (INPUT CHAIN)"
add action=drop chain=forward comment="CLEANUP RULE - DROP ALL PACKETS COMING FROM WAN (FWD CHAIN)" in-interface=lte1 log=yes
# srcnat: disabled exemption for the HQ loopback, then masquerade everything from
# 172.18.0.0/16 leaving lte1 except toward 172.16.0.0/12.
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=172.20.0.1
add action=masquerade chain=srcnat dst-address=!172.16.0.0/12 out-interface=lte1 src-address=172.18.0.0/16
# ALG helpers disabled (udplite/dccp/sctp are left at default here, unlike HQ).
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
# Identity: FQDN IDs mirror HQ (my-id here is HQ's remote-id and vice versa).
# auth-method= is not shown, i.e. default; the shared secret is not in the export.
/ip ipsec identity
add comment=H my-id=fqdn:<local_site_DNS> peer=Peer_H remote-id=fqdn:<HQ_DNS>
# Mirror of HQ's policy: GRE 172.18.0.1 -> 172.20.0.1 in tunnel mode; policy 0 off.
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.20.0.1/32 peer=Peer_H proposal=Proposal_H protocol=gre src-address=172.18.0.1/32 tunnel=yes
# Static routes through the tunnel at distance 1: 172.20.0.0/16 (which also covers the
# tunnel endpoint 172.20.0.1 itself) and 172.16.0.0/16. NOTE(review): as at HQ, OSPF
# routes (distance 110 by default) cannot replace these while they exist; with
# rp-filter=strict the 172.20.0.0/16 route also makes GRE from 172.20.0.1 arriving on
# lte1 look asymmetric (see /ip settings above).
/ip route
add disabled=no distance=1 dst-address=172.20.0.0/16 gateway=gre-tunnel2 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no dst-address=172.16.0.0/16 gateway=gre-tunnel2 routing-table=main suppress-hw-offload=no
# Same service exposure as HQ: www-ssl on; plain www and ssh not listed, so presumably
# at their defaults.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
# OSPF template with the same caveat as at HQ: no interfaces= and no auth=, so every
# LAN VLAN in 172.18.0.0/16 (and Loopback0) runs active ptp OSPF. Scope it to
# gre-tunnel2 (interfaces= or networks=172.30.2.0/30), add auth=, and make the LAN
# prefixes passive=yes.
/routing ospf interface-template
add area=ospf-area-0 disabled=no networks=172.30.2.0/30,172.18.0.0/16,10.0.0.0/30 type=ptp
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=remote_Site
# Logging: ipsec topic present but disabled (enable while troubleshooting); script
# and ospf topics active.
/system logging
set 0 disabled=yes
add disabled=yes topics=ipsec
add topics=script
add topics=ospf
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=194.0.5.123
add address=82.64.42.185
add address=92.222.209.69
add address=162.159.200.123
# DDNS: the scheduler runs ovhddns every 15 min with a minimal policy (read,write,test).
/system scheduler
add comment="scheduler for OVH Dynamic DNS Updates" interval=15m name=OVHDynDNS on-event="/system script run ovhddns" policy=read,write,test start-time=startup
# The script source embeds the OVH DDNS credential. /export prints script sources in
# clear, so redact before sharing (done here) and keep the owner/policy minimal as
# they are. The "//..." lines below are the author's elision of the script body, not
# RouterOS syntax.
/system script
add comment="Dynamic OVH DNS updates" dont-require-permissions=no name=ovhddns owner=admin policy=read,write,test source=":local ovhddnsuser <HIDDEN>
//...
//script to update DDNS omitted here...
//...
# Hardware watchdog off: on an unattended LTE site a hung router then needs a manual
# power cycle; consider watchdog-timer=yes.
/system watchdog
set watchdog-timer=no
I've tried several things on the ospf config, this is the current setup.
Quite a few of the FW rules will need to be removed after troubleshooting, but the most important ones for this matter are the OSPF-related ones, which are basically 100% permissive.
You can ignore all other VPNs on the main site; we are just focusing on the HQ–Site H VPN (gre-tunnel2).
thanks a lot for your input,
cheers
Denis