> All very doable, the hex connects to the RB4011 as a wireguard client and that tunnel then allows local users at the RB to reach the HEX as well as any users reaching the RB via wireguard.

I feel like I'm taking crazy pills. Anav, I don't understand why you're being difficult. The OP has said repeatedly he wants to stick with IPSEC if possible. What he wants is not possible via routed IPSEC. So no, it isn't all very doable given the constraints the OP keeps setting. Discussion of Wireguard is fair but is outside the set-up the OP has repeatedly said he wants. I've recommended Wireguard myself multiple times.
> Why not?

OP said he wanted devices to connect to a hex that is behind CGNAT for VPN purposes (i.e. a road warrior setup). There is no way to do that via a standard Wireguard config due to the CGNAT.
> I feel like I'm taking crazy pills.

You are LOL.
> You are LOL.
>
> I feel like I'm taking crazy pills.

Oh holy crap! I went back and read and wow. I've got no excuse other than I'm an idiot. Clearly my guidance would have been different, and in line with yours, had I had the literacy of a 2 yr old. I'll administer a self beating that would make a Canadian like you proud, Mesquite.
> Don't use hide sensitive.
> Default ROS7 is to hide most (not all) sensitive info.
> Just use /export file=anynameyouwish
> Edit that file. There shouldn't be too much sensitive info in there.

Concur, remove router serial number, any keys public/private etc, any public WAN IP info or WAN gateway IP info, long assed dhcp lease lists.
> Oh holy crap! I went back and read and wow. I've got no excuse other than I'm an idiot. Clearly my guidance would have been different, and in line with yours, had I had the literacy of a 2 yr old. I'll administer a self beating that would make a Canadian like you proud, Mesquite.

My unofficial job is to keep you in line. I get bonus pay for that!
> You are LOL.
/ip firewall filter
{Input Chain}
( default rules to keep )
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
( admin added rules, also where you add all your VPN rules )
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" { put this rule last; without the LAN rule above you will be locked out }
{forward chain}
( default rules to keep )
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
( admin added rules )
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat { disable or remove if not required }
add action=drop chain=forward comment="drop all else"
/interface wireguard
add listen-port=13231 name=wireguard1
/ip address
add address=192.168.68.2/24 interface=wireguard1
/interface list member
add interface=wireguard1 list=LAN
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip firewall address-list
add address=192.168.88.0/24 list=Admin
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# place-before=1 inserts each rule right after the first (established,related) rule, ahead of the final drop
add action=accept chain=input comment="allow wireguard" dst-port=13231 protocol=udp place-before=1
add action=accept chain=input comment="allow wireguard traffic" src-address=192.168.68.0/24 place-before=1
add action=accept chain=input src-address-list=Admin comment="Config Access"
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
protocol=ipsec-esp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG traffic" in-interface=wireguard1 out-interface-list=LAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
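An added example, not code from this thread: a small Python linter over a RouterOS `/ip firewall filter` export that checks the ordering points raised in the template post (the chain must end with an unconditional drop, and an accept for LAN or an admin address-list must precede that drop in the input chain, otherwise you lock yourself out) and in the rule set above (ipsec-policy accepts sit ahead of fasttrack, as in the default config). The sample export is constructed here and modelled on those rules; it is not taken from any real router.

```python
import re
import shlex

# Constructed sample export modelled on the templates in this thread (not from any real router).
SAMPLE_EXPORT = r"""/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow wireguard" dst-port=13231 protocol=udp
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
"""
UNCONDITIONAL = {"action", "chain", "comment"}  # a rule with only these keys matches every packet

def parse_rules(export_text):
    """Return the '/ip firewall filter' add-lines as dicts; backslash line continuations are folded first."""
    text = re.sub(r"\\\n\s*", " ", export_text)
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            # shlex keeps a quoted value such as comment="drop all else" as one token
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def lint(export_text):
    """Flag orderings that lock the admin out, shadow later rules, or leave a chain open."""
    rules, findings = parse_rules(export_text), []
    for chain in ("input", "forward"):
        cr = [r for r in rules if r.get("chain") == chain]
        if not cr or cr[-1].get("action") != "drop" or set(cr[-1]) - UNCONDITIONAL:
            findings.append(f"{chain}: chain does not end with an unconditional 'drop all else'")
        for i, r in enumerate(cr[:-1]):
            if r.get("action") == "drop" and not set(r) - UNCONDITIONAL:
                findings.append(f"{chain}: unconditional drop at rule {i} shadows every rule after it")
        if chain == "input" and not any(r.get("action") == "accept" and
                (r.get("in-interface-list") == "LAN" or "src-address-list" in r) for r in cr[:-1]):
            findings.append("input: no accept for LAN or an admin address-list before the final drop (lock-out)")
        if chain == "forward":
            ft = next((i for i, r in enumerate(cr) if r.get("action") == "fasttrack-connection"), None)
            if ft is not None and any("ipsec-policy" in r for r in cr[ft:]):
                findings.append("forward: ipsec-policy accept after fasttrack; IPsec traffic gets fasttracked past it")
    return findings
```

Run `lint()` over the text of your own `/export file=...` before applying a pasted rule set; an empty list means none of the ordering problems above were found.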
Hi Mesquite, I will see what I can do.
/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
(add admin rules here)
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{forward chain}
(default rules to keep)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(add admin rules here)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN