ping and dns problem on ipsec tunnel (2024)

Again, all these questions and assumptions would be unnecessary if you posted the complete configurations.

Here goes the complete configuration. I was reluctant to send it all, because it is quite long, and I'm not sure if I could replace all sensitive information.

router 1:

Code:

# jan/16/2022 12:46:02 by RouterOS 6.48.5
# software id = R847-LG5N
#
# model = RBD52G-5HacD2HnD
# serial number = *************
/caps-man channel
add band=2ghz-onlyn extension-channel=XX frequency="" name=channels-2.4 secondary-frequency="" tx-power=-10
add band=5ghz-onlyac extension-channel=XXXX frequency="" name=channels-5 secondary-frequency="" skip-dfs-channels=yes tx-power=15
add band=2ghz-onlyn extension-channel=XX frequency=2412 name=c24-1 tx-power=-10
add band=2ghz-onlyn extension-channel=XX frequency=2437 name=c24-6 tx-power=-10
add band=2ghz-onlyn extension-channel=XX frequency=2462 name=c24-11 tx-power=-10
/caps-man datapath
add local-forwarding=yes name=datapath-blue vlan-id=10 vlan-mode=use-tag
add local-forwarding=yes name=datapath-green vlan-id=20 vlan-mode=use-tag
add local-forwarding=yes name=datapath-red vlan-id=30 vlan-mode=use-tag
add local-forwarding=yes name=datapath-cyan vlan-id=40 vlan-mode=use-tag
add local-forwarding=yes name=datapath-base vlan-id=99 vlan-mode=use-tag
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=BR1 vlan-filtering=yes
add name=ipsec protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] name=ether2-gray
set [ find default-name=ether3 ] name=ether3-gray
set [ find default-name=ether4 ] name=ether4-lte
set [ find default-name=ether5 ] name=ether5-wan
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-Ce/gn(-13dBm), SSID: base, local forwarding
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode amsdu-limit=4096 band=2ghz-onlyn basic-rates-a/g=12Mbps basic-rates-b="" country=hungary disabled=no distance=indoors frequency=2437 mode=ap-bridge rate-set=configured ssid=lacinet_24 station-roaming=enabled supported-rates-a/g=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b="" tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
# managed by CAPsMAN
# channel: 5300/20-eeCe/ac/DP(12dBm), SSID: base, local forwarding
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode amsdu-limit=4096 band=5ghz-onlyac basic-rates-a/g=12Mbps,36Mbps,48Mbps channel-width=20/40mhz-Ce country=hungary disabled=no distance=indoors mode=ap-bridge ssid=lacinet_5 station-roaming=enabled supported-rates-a/g=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=CYAN_VLAN vlan-id=40
add interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=HALL_VLAN vlan-id=200
add interface=BR1 name=RED_VLAN vlan-id=30
/caps-man rates
add basic=12Mbps name=rates-2.4 supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic=12Mbps name=rates-5 supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security-blue
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security-green
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security-cyan
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security-red
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security-base
/caps-man configuration
add channel=channels-5 country=hungary datapath=datapath-blue installation=any name=caps-blue-5 rates=rates-5 security=security-blue ssid=blue
add channel=channels-2.4 country=hungary datapath=datapath-blue installation=any name=caps-blue-2.4 rates=rates-2.4 security=security-blue ssid=blue
add channel=channels-2.4 country=hungary datapath=datapath-green installation=any name=caps-green-2.4 rates=rates-2.4 security=security-green ssid=green
add channel=channels-5 country=hungary datapath=datapath-green installation=any name=caps-green-5 rates=rates-5 security=security-green ssid=green
add channel=channels-5 country=hungary datapath=datapath-red installation=any name=caps-red-5 rates=rates-5 security=security-red ssid=red
add channel=channels-2.4 country=hungary datapath=datapath-red installation=any name=caps-red-2.4 rates=rates-2.4 security=security-red ssid=red
add channel=channels-2.4 country=hungary datapath=datapath-cyan installation=any name=caps-cyan-2.4 rates=rates-2.4 security=security-cyan ssid=cyan
add channel=channels-5 country=hungary datapath=datapath-cyan installation=any name=caps-cyan-5 rates=rates-5 security=security-cyan ssid=cyan
add channel=channels-2.4 country=hungary datapath=datapath-base hide-ssid=yes installation=any name=caps-base-2.4 rates=rates-2.4 security=security-base ssid=base
add channel=channels-5 country=hungary datapath=datapath-base hide-ssid=yes installation=any name=caps-base-5 rates=rates-5 security=security-base ssid=base
/caps-man interface
add channel=c24-11 configuration=caps-base-2.4 disabled=no l2mtu=2026 mac-address=48:8F:5A:A1:AB:30 master-interface=none name=orange.lacinet-1 radio-mac=48:8F:5A:A1:AB:30 radio-name=488F5AA1AB30
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=4A:8F:5A:A1:AB:30 master-interface=orange.lacinet-1 name=orange.lacinet-1-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB30
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=4A:8F:5A:A1:AB:31 master-interface=orange.lacinet-1 name=orange.lacinet-1-2 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB31
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=4A:8F:5A:A1:AB:32 master-interface=orange.lacinet-1 name=orange.lacinet-1-3 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB32
add configuration=caps-cyan-2.4 disabled=no l2mtu=1600 mac-address=4A:8F:5A:A1:AB:33 master-interface=orange.lacinet-1 name=orange.lacinet-1-4 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB33
add channel.extension-channel=XXXX channel.frequency=5200 comment=ch40 configuration=caps-base-5 disabled=no l2mtu=1600 mac-address=48:8F:5A:A1:AB:31 master-interface=none name=orange.lacinet-2 radio-mac=48:8F:5A:A1:AB:31 radio-name=488F5AA1AB31
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=4A:8F:5A:A1:AB:34 master-interface=orange.lacinet-2 name=orange.lacinet-2-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB34
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=4A:8F:5A:A1:AB:35 master-interface=orange.lacinet-2 name=orange.lacinet-2-2 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB35
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=4A:8F:5A:A1:AB:36 master-interface=orange.lacinet-2 name=orange.lacinet-2-3 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB36
add configuration=caps-cyan-5 disabled=no l2mtu=1600 mac-address=4A:8F:5A:A1:AB:37 master-interface=orange.lacinet-2 name=orange.lacinet-2-4 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB37
add channel=c24-6 configuration=caps-base-2.4 disabled=no l2mtu=1600 mac-address=B8:69:F4:09:BE:FA master-interface=none name=router.lacinet-1 radio-mac=B8:69:F4:09:BE:FA radio-name=B869F409BEFA
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=BA:69:F4:09:BE:FA master-interface=router.lacinet-1 name=router.lacinet-1-1 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFA
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=BA:69:F4:09:BE:FB master-interface=router.lacinet-1 name=router.lacinet-1-2 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFB
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=BA:69:F4:09:BE:FC master-interface=router.lacinet-1 name=router.lacinet-1-3 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFC
add configuration=caps-cyan-2.4 disabled=no l2mtu=1600 mac-address=BA:69:F4:09:BE:FD master-interface=router.lacinet-1 name=router.lacinet-1-4 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFD
add channel=channels-5 channel.extension-channel=XXXX channel.frequency=5300 comment=ch40 configuration=caps-base-5 disabled=no l2mtu=1600 mac-address=B8:69:F4:09:BE:FB master-interface=none name=router.lacinet-2 radio-mac=B8:69:F4:09:BE:FB radio-name=B869F409BEFB
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=BA:69:F4:09:BE:FE master-interface=router.lacinet-2 name=router.lacinet-2-1 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFE
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=BA:69:F4:09:BE:FF master-interface=router.lacinet-2 name=router.lacinet-2-2 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFF
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=BA:69:F4:09:BF:00 master-interface=router.lacinet-2 name=router.lacinet-2-3 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BF00
add configuration=caps-cyan-5 disabled=no l2mtu=1600 mac-address=BA:69:F4:09:BF:01 master-interface=router.lacinet-2 name=router.lacinet-2-4 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BF01
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip dhcp-server option
add code=119 name=domain-search-option value="'lacinet.'"
/ip ipsec policy group
add name=group-viszfuvar
add name=group-kavicsbanya
add name=group-office
add name=group-magzatom
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 name=profile_l2tp
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=profile-s2s-ros proposal-check=strict
/ip ipsec peer
add comment="IKE2 default" exchange-mode=ike2 name=peer_ike2 passive=yes profile=profile-s2s-ros send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 comment="For l2tp-server" enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal-s2s-ros pfs-group=modp2048
/ip pool
add name=BLUE_POOL ranges=10.14.10.100-10.14.10.200
add name=GREEN_POOL ranges=10.14.20.100-10.14.20.200
add name=RED_POOL ranges=10.14.30.100-10.14.30.200
add name=BASE_POOL ranges=192.168.14.100-192.168.14.200
add name=CYAN_POOL ranges=10.14.40.100-10.14.40.200
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN lease-script=onDhcpLease name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=CYAN_POOL disabled=no interface=CYAN_VLAN name=CYAN_DHCP
/ppp profile
add dns-server=10.14.200.1,1.1.1.3 local-address=10.14.200.1 name=l2tp_vpn
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=BASE_VLAN
/caps-man provisioning
add action=create-enabled hw-supported-modes=ac master-configuration=caps-base-5 name-format=identity slave-configurations=caps-blue-5,caps-green-5,caps-red-5,caps-cyan-5
add action=create-enabled master-configuration=caps-base-2.4 name-format=identity slave-configurations=caps-blue-2.4,caps-green-2.4,caps-red-2.4,caps-cyan-2.4
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-trunk
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2-gray pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3-gray pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 comment=Base tagged=BR1,ether1-trunk untagged=ether2-gray,ether3-gray vlan-ids=99
add bridge=BR1 comment=Cyan/IOT tagged=BR1,ether1-trunk vlan-ids=40
add bridge=BR1 comment=Blue tagged=BR1,ether1-trunk vlan-ids=10
add bridge=BR1 comment=Green/Guest tagged=BR1,ether1-trunk vlan-ids=20
add bridge=BR1 comment=Red tagged=BR1,ether1-trunk vlan-ids=30
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_vpn enabled=yes use-ipsec=required
/interface list member
add interface=ether5-wan list=WAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=CYAN_VLAN list=VLAN
add interface=ether4-lte list=WAN
/interface wireless cap
#
set bridge=BR1 certificate=request discovery-interfaces=BASE_VLAN enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.14.254/24 interface=BASE_VLAN network=192.168.14.0
add address=10.14.10.1/24 interface=BLUE_VLAN network=10.14.10.0
add address=10.14.20.1/24 interface=GREEN_VLAN network=10.14.20.0
add address=10.14.30.1/24 interface=RED_VLAN network=10.14.30.0
add address=10.14.40.1/24 interface=CYAN_VLAN network=10.14.40.0
add address=10.14.200.1/24 interface=HALL_VLAN network=10.14.200.0
add address=10.14.100.2/24 interface=ether4-lte network=10.14.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=2m
/ip dhcp-client
add disabled=no interface=ether5-wan
/ip dhcp-server lease
add address=10.14.10.105 client-id=1:80:e8:2c:e:ef:d2 mac-address=80:E8:2C:0E:EF:D2 server=BLUE_DHCP
add address=10.14.10.10 client-id=1:ac:12:3:3c:c:c6 mac-address=AC:12:03:3C:0C:C6 server=BLUE_DHCP
add address=192.168.14.101 comment=brocade mac-address=00:27:F8:98:F7:60 server=BASE_DHCP
add address=192.168.14.100 client-id=1:4:d9:f5:f7:79:a7 mac-address=04:D9:F5:F7:79:A7 server=BASE_DHCP
add address=192.168.14.201 client-id=ff:e2:34:3f:3e:0:2:0:0:ab:11:81:6e:af:75:4d:19:27:61 mac-address=08:00:27:30:C8:89 server=BASE_DHCP
add address=192.168.14.202 client-id=ff:e2:34:3f:3e:0:2:0:0:ab:11:f9:f8:2a:df:10:8c:52:0 mac-address=08:00:27:CB:B4:BE server=BASE_DHCP
add address=192.168.14.203 client-id=ff:e2:34:3f:3e:0:2:0:0:ab:11:4:79:e:30:c2:fc:ea:75 mac-address=08:00:27:7B:36:DB server=BASE_DHCP
add address=192.168.14.205 client-id=ff:e2:34:3f:3e:0:2:0:0:ab:11:ea:d4:c5:c8:e3:a4:72:73 mac-address=08:00:27:48:6E:15 server=BASE_DHCP
add address=192.168.14.204 client-id=ff:e2:34:3f:3e:0:2:0:0:ab:11:de:60:b5:f7:9c:52:91:67 mac-address=08:00:27:C6:DA:2E server=BASE_DHCP
/ip dhcp-server network
add address=10.14.10.0/24 dns-server=192.168.14.254 domain=lacinet. gateway=10.14.10.1
add address=10.14.20.0/24 dns-server=192.168.14.254 domain=pubnet. gateway=10.14.20.1
add address=10.14.30.0/24 dns-server=192.168.14.254 gateway=10.14.30.1
add address=10.14.40.0/24 dns-server=192.168.14.254 gateway=10.14.40.1
add address=192.168.14.0/24 dns-server=192.168.14.254 gateway=192.168.14.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2
/ip dns static
add address=192.168.14.254 name=router.lacinet
add address=192.168.14.253 name=poe-switch.lacinet
add address=192.168.14.252 name=orange.lacinet
add address=10.14.100.1 name=lte.lacinet
add forward-to=192.168.5.254 regexp=".*\\.visznet" type=FWD
add comment=visznet forward-to=192.168.5.254 regexp=".*\\.5\\.168\\.192.\\in-addr\\.arpa" type=FWD
add forward-to=192.168.18.254 regexp=".*\\.kavicsnet" type=FWD
add comment=kavicsbanya-base forward-to=192.168.18.254 regexp=".*\\.18\\.168\\.192.\\in-addr\\.arpa" type=FWD
add forward-to=192.168.13.254 regexp=".*\\.sznet" type=FWD
add comment=sznet-base forward-to=192.168.13.254 regexp=".*\\.13\\.168\\.192.\\in-addr\\.arpa" type=FWD
add forward-to=192.168.19.254 regexp=".*\\.magnet" type=FWD
add comment=magzatom-base forward-to=192.168.19.254 regexp=".*\\.19\\.168\\.192.\\in-addr\\.arpa" type=FWD
add comment=magzatom-vlan forward-to=192.168.19.254 regexp=".*\\.19\\.10.\\in-addr\\.arpa" type=FWD
add address=10.14.200.101 name=forgach.lacinet
add address=10.14.200.102 name=erika.lacinet
add address=10.14.200.103 name=tony-i7.lacinet
add address=10.14.200.1 name=hall.lacinet
add address=10.14.10.105 name=htpc.lacinet
add address=10.14.200.105 name=kardirex.lacinet
add address=10.14.200.106 name=szek.lacinet
add address=10.14.200.107 name=stonemining.lacinet
add address=10.14.200.108 name=edit.lacinet
add address=10.14.200.109 name=szucsnorbi.lacinet
add address=10.14.200.111 name=nyergesati.lacinet
add address=10.14.200.110 name=ghbackup.lacinet
add address=192.168.14.101 name=brocade.lacinet
add address=192.168.14.100 name=laci-ryzen9.lacinet
add address=10.14.200.113 comment=bukkszenterzsebet name=backup.lacinet
add address=192.168.14.201 name=coc01.lacinet
add address=192.168.14.202 name=coc02.lacinet
add address=192.168.14.203 name=coc03.lacinet
add address=192.168.14.204 name=coc04.lacinet
add address=192.168.14.205 name=coc05.lacinet
add address=192.168.14.104 name=gw.lacinet
add address=10.14.200.112 name=silyegabi.lacinet
add address=10.14.10.105 comment=#DHCP name=htpc.lacinet. ttl=10m
add address=10.14.10.124 comment=#DHCP name=M2101K6G.lacinet. ttl=10m
/ip firewall filter
add action=accept chain=input comment="Allow IKEv2 500, IKEv2 NAT-T 4500, L2TP 1701" port=500,4500,1701 protocol=udp
add action=accept chain=input comment="Allow IPSEC/ESP (also used below L2TP/UDP)" protocol=ipsec-esp
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Input from BASE mgmt" in-interface-list=BASE
add action=jump chain=input comment="SSH input, with brute force protection" dst-port=22 in-interface=!RED_VLAN jump-target=input_ssh protocol=tcp
add action=jump chain=input comment="Input from VLAN" in-interface-list=VLAN jump-target=input_from_vlan
add action=jump chain=input jump-target=input_from_l2tp src-address=10.14.200.0/24
add action=accept chain=input comment="Required by CAPsMAN" dst-address-type=local src-address-type=local
add action=drop chain=input comment=Drop
add action=drop chain=input_ssh comment="drop ssh brute forcers" src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input_ssh connection-state=new src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input_ssh connection-state=new src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input_ssh connection-state=new src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input_ssh connection-state=new
add action=accept chain=input_from_vlan comment="Local DNS UDP" dst-port=53 protocol=udp
add action=accept chain=input_from_vlan comment="Local DNS TCP" dst-port=53 protocol=tcp
add action=accept chain=input_from_vlan comment="Local NTP UDP" dst-port=123 protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 67 UDP" dst-port=67 protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 68 UDP" dst-port=68 protocol=udp
add action=reject chain=input_from_vlan in-interface=RED_VLAN reject-with=icmp-admin-prohibited
add action=drop chain=input_from_vlan comment=Drop
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=jump chain=forward jump-target=from_htpc src-address=10.14.10.105
add action=reject chain=from_htpc comment="Reject HTPC->Any when we are on LTE" out-interface=ether4-lte reject-with=icmp-admin-prohibited
add action=accept chain=from_htpc comment="kalihom*ok slave/vnc htpc->forgach" dst-address=10.14.200.101 dst-port=5432,5900 protocol=tcp
add action=accept chain=from_htpc comment="kavicsbanya slave/vnc htpc->borika-pc" dst-address=192.168.18.199 dst-port=5432,5900 protocol=tcp
add action=accept chain=from_htpc comment="htpc->visznet full access" dst-address=192.168.5.0/24
add action=accept chain=from_htpc comment="stonemining slave/vnc htpc->stonemining" dst-address=10.14.200.107 dst-port=5432,5900 protocol=tcp
add action=accept chain=forward comment="l2tp laci-vivobook -> any" src-address=10.14.200.104
add action=reject chain=forward comment="Commonly hacked ports" connection-state=new dst-port=21,23,25,110,135,1433 protocol=tcp reject-with=icmp-admin-prohibited
add action=reject chain=forward comment="Reject RED->Internet" connection-state=new in-interface=RED_VLAN out-interface-list=WAN reject-with=icmp-admin-prohibited
add action=accept chain=forward comment="Allow VLAN->Internet" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE->Internet" connection-state=new in-interface-list=BASE out-interface-list=WAN
add action=accept chain=forward comment="BASE->VLAN src-nated" connection-state=new in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="BASE->10.14.x.x includes BASE->L2TP and BASE->LTE" connection-state=new dst-address=10.14.0.0/16 in-interface-list=BASE
add action=reject chain=forward comment="After accept rules - net-unreach when ipsec is down" out-interface=ipsec reject-with=icmp-network-unreachable
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=accept chain=input_ssh
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (tcp)" dst-port=53 protocol=tcp
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (udp)" dst-port=53 protocol=udp
add action=accept chain=input_from_l2tp comment="NTP from l2tp client (udp)" dst-port=123 protocol=udp
add action=reject chain=input_from_l2tp reject-with=icmp-admin-prohibited
add action=return chain=from_htpc
/ip firewall mangle
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS for in,ipsec" ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS for out,ipsec" ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=passthrough chain=prerouting comment=x dst-address=192.168.14.0/24 protocol=icmp src-address=192.168.19.254
/ip firewall nat
add action=jump chain=srcnat comment="Src-Nat l2tp laci-vivobook-> any" jump-target=srcnat_laci_l2tp src-address=10.14.200.104
add action=src-nat chain=srcnat comment="Src-Nat BASE->BLUE" out-interface=BLUE_VLAN src-address=192.168.14.0/24 to-addresses=10.14.10.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->RED" out-interface=RED_VLAN src-address=192.168.14.0/24 to-addresses=10.14.30.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->CYAN" out-interface=CYAN_VLAN src-address=192.168.14.0/24 to-addresses=10.14.40.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->HALL" dst-address=10.14.200.0/24 src-address=192.168.14.0/24 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->LTE-mgmt" out-interface=ether4-lte src-address=192.168.14.0/24 to-addresses=10.14.100.2
add action=src-nat chain=srcnat_laci_l2tp comment="Src-Nat l2tp laci-vivbook->ipsec" out-interface=ipsec to-addresses=192.168.14.254
add action=src-nat chain=srcnat_laci_l2tp comment="Src-Nat l2tp laci-vivobook->l2tp (inter-l2tp)" dst-address=10.14.200.0/24 to-addresses=10.14.200.1
add action=dst-nat chain=dstnat comment="postgres kali-hom*ok slave backup.router1.test.com->lacinet->forgach-vpn" dst-port=54321 in-interface=ether5-wan protocol=tcp src-address=1.2.3.4 to-addresses=10.14.10.105 to-ports=5432
add action=src-nat chain=srcnat comment="stonemining slave/vnc htpc->stonemining" dst-address=10.14.200.107 dst-port=5432,5900 protocol=tcp src-address=10.14.10.105 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="kalihom*ok slave/vnc htpc->forgach" dst-address=10.14.200.101 dst-port=5432,5900 protocol=tcp src-address=10.14.10.105 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="kavicsbanya slave htpc->borika-pc" dst-address=192.168.18.199 dst-port=5432,5900 protocol=tcp src-address=10.14.10.105 to-addresses=192.168.14.254
add action=src-nat chain=srcnat comment="Src-Nat htpc->visznet all" dst-address=192.168.5.0/24 src-address=10.14.10.105 to-addresses=192.168.14.254
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat_laci_l2tp comment="Src-Nat l2tp laci-vivobook->blue" dst-address=10.14.10.0/24 to-addresses=10.14.10.1
/ip ipsec identity
add auth-method=digital-signature certificate=laci.router1.test.com comment=office.partner1.test.com generate-policy=port-strict match-by=certificate my-id=fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=group-viszfuvar remote-certificate=office.partner1.test.com remote-id=fqdn:office.partner1.test.com
add auth-method=digital-signature certificate=laci.router1.test.com comment=office.router1.test.com generate-policy=port-strict match-by=certificate my-id=fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=group-office remote-certificate=office.router1.test.com remote-id=fqdn:office.router1.test.com
add auth-method=digital-signature certificate=laci.router1.test.com comment=kavicsbanya.partner2.test.com generate-policy=port-strict match-by=certificate my-id=fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=group-kavicsbanya remote-certificate=kavicsbanya.partner2.test.com remote-id=fqdn:kavicsbanya.partner2.test.com
add auth-method=digital-signature certificate=laci.router1.test.com comment=office.partner3.magnet.com generate-policy=port-strict match-by=certificate my-id=fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=group-magzatom remote-certificate=office.partner3.magnet.com remote-id=fqdn:office.partner3.magnet.com
/ip ipsec policy
set 0 comment="For l2tp-server"
add comment=office.partner1.test.com dst-address=192.168.5.0/24 group=group-viszfuvar proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes
add comment=office.router1.test.com dst-address=192.168.13.0/24 group=group-office proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes
add comment=kavicsbanya.router1.test.com dst-address=192.168.18.0/24 group=group-kavicsbanya proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes
add comment=office.partner3.magnet.com dst-address=192.168.19.0/24 group=group-magzatom proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes
add comment=office.partner3.magnet.com-vlan dst-address=10.19.0.0/16 group=group-magzatom proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes
/ip route
add comment="EKKE Telekom Mobil/LTE" disabled=yes distance=2 gateway=10.14.100.1
add comment="Prevent package leak RFC1918 class A" distance=1 dst-address=10.0.0.0/8 type=unreachable
add comment="VPN to magnet-vlan" distance=1 dst-address=10.19.0.0/16 gateway=ipsec pref-src=192.168.14.254
add comment="Prevent package leak RFC1918 class B" distance=1 dst-address=172.16.0.0/12 type=unreachable
add comment="Prevent package leak RFC1918 class C" distance=1 dst-address=192.168.0.0/16 type=unreachable
add comment="VPN to visznet" distance=1 dst-address=192.168.5.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to sznet" distance=1 dst-address=192.168.13.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to kavicsnet" distance=1 dst-address=192.168.18.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to magnet-base" distance=1 dst-address=192.168.19.0/24 gateway=ipsec pref-src=192.168.14.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.14.0/24
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ppp secret
add name=forgach profile=l2tp_vpn remote-address=10.14.200.101 service=l2tp
add name=erika profile=l2tp_vpn remote-address=10.14.200.102 service=l2tp
add name=tony_i7 profile=l2tp_vpn remote-address=10.14.200.103 service=l2tp
add name=laci-vivobook profile=l2tp_vpn remote-address=10.14.200.104 service=l2tp
add name=kardirex profile=l2tp_vpn remote-address=10.14.200.105 service=l2tp
add name=szek profile=l2tp_vpn remote-address=10.14.200.106 service=l2tp
add name=stonemining profile=l2tp_vpn remote-address=10.14.200.107 service=l2tp
add name=edit profile=l2tp_vpn remote-address=10.14.200.108 service=l2tp
add name=szucsnorbi profile=l2tp_vpn remote-address=10.14.200.109 service=l2tp
add name=ghbackup profile=l2tp_vpn remote-address=10.14.200.110
add name=nyergesati profile=l2tp_vpn remote-address=10.14.200.111
add name=silyegabi profile=l2tp_vpn remote-address=10.14.200.112
add name=backupmesshu profile=l2tp_vpn remote-address=10.14.200.113
/routing filter
add chain=dynamic-in set-check-gateway=ping
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=router.lacinet
/system logging
add topics=wireless
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org
/system package update
set channel=long-term
/system scheduler
add interval=1d name=e-mail-backup on-event=e-mail-backup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=20:00:00
/system script
add dont-require-permissions=no name=onDhcpLease owner=gandalf policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n\
    \n\
    \n:local DHCPtag\
    \n:set DHCPtag \"#DHCP\"\
    \n\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \n\
    \n:if ( \$leaseBound = 1 ) do=\\\
    \n{\
    \n    :local ttl\
    \n    :local domain\
    \n    :local hostname\
    \n    :local fqdn\
    \n    :local leaseId\
    \n    :local comment\
    \n\
    \n    /ip dhcp-server\
    \n    :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\
    \n    network\
    \n    :set domain [ get [ find \$leaseActIP in address ] domain ]\
    \n\
    \n    .. lease\
    \n    :set leaseId [ find address=\$leaseActIP ]\
    \n\
    \n# Check for multiple active leases for the same IP address. It's weird and it shouldn't be, but just in case.\
    \n\
    \n    :if ( [ :len \$leaseId ] != 1) do=\\\
    \n    {\
    \n        :log info \"DHCP2DNS: not registering domain name for address \$leaseActIP because of multiple active leases for \$leaseActIP\"\
    \n        :error \"multiple active leases for \$leaseActIP\"\
    \n    }\
    \n\
    \n    :set hostname [ get \$leaseId host-name ]\
    \n    :set comment [ get \$leaseId comment ]\
    \n    /\
    \n\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\
    \n\
    \n    :if ( [ :len \$hostname ] <= 0 ) do=\\\
    \n    {\
    \n        :log error \"DHCP2DNS: not registering domain name for address \$leaseActIP because of empty lease host-name or comment\"\
    \n        :error \"empty lease host-name or comment\"\
    \n    }\
    \n    :if ( [ :len \$domain ] <= 0 ) do=\\\
    \n    {\
    \n        :log error \"DHCP2DNS: not registering domain name for address \$leaseActIP because of empty network domain name\"\
    \n        :error \"empty network domain name\"\
    \n    }\
    \n\
    \n    :set fqdn \"\$hostname.\$domain\"\
    \n\
    \n    /ip dns static\
    \n    :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=no ] ] = 0 ) do=\\\
    \n    {\
    \n        :log info \"DHCP2DNS: registering static domain name \$fqdn for address \$leaseActIP with ttl \$ttl\"\
    \n        add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag disabled=no\
    \n    } else=\\\
    \n    {\
    \n        :log error \"DHCP2DNS: not registering domain name \$fqdn for address \$leaseActIP because of existing active static DNS entry with this name or address\"\
    \n    }\
    \n    /\
    \n} \\\
    \nelse=\\\
    \n{\
    \n    /ip dns static\
    \n    :local dnsDhcpId\
    \n    :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\
    \n\
    \n    :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\
    \n    {\
    \n        :log info \"DHCP2DNS: removing static domain name(s) for address \$leaseActIP\"\
    \n        remove \$dnsDhcpId\
    \n    }\
    \n    /\
    \n}\
    \n\
    \n"
add dont-require-permissions=no name=e-mail-backup owner=gandalf policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/system backup save encryption=aes-sha256 name=\"email.backup\" password=\"********\";/tool e-mail send to=\"gandalf@router1.test.com\" subject=([/system identity get name].\" (system=\".[/system package get system value-name=version].\") backup\") file=email.backup;:log info \"Backup e-mail sent.\"; "
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=mail.router1.test.com from="MikroTik Hontalan router.lacinet <mikrotik@router1.test.com>" port=465 start-tls=tls-only user=mikrotik@router1.test.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-ip-protocol=icmp

router 2:

Code:

# jan/16/2022 12:47:40 by RouterOS 6.48.5
# software id = BGJQ-V2CF
#
# model = RBD52G-5HacD2HnD
# serial number = *************
/caps-man channel
add band=2ghz-onlyn extension-channel=XX frequency="" name=channels-2.4 secondary-frequency="" tx-power=-10
add band=5ghz-onlyac extension-channel=XXXX frequency="" name=channels-5 secondary-frequency="" skip-dfs-channels=yes
/caps-man datapath
add local-forwarding=yes name=datapath-blue vlan-id=10 vlan-mode=use-tag
add local-forwarding=yes name=datapath-green vlan-id=20 vlan-mode=use-tag
add local-forwarding=yes name=datapath-red vlan-id=30 vlan-mode=use-tag
add local-forwarding=yes name=datapath-base vlan-id=99 vlan-mode=use-tag
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=BR1 vlan-filtering=yes
add name=ipsec protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-sw01
set [ find default-name=ether2 ] name=ether2-lte
set [ find default-name=ether3 ] name=ether3-blue
set [ find default-name=ether4 ] name=ether4-blue
set [ find default-name=ether5 ] name=ether5-wan
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(-13dBm), SSID: magzatom_base, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: magzatom_base, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=HALL_VLAN vlan-id=200
add interface=BR1 name=RED_VLAN vlan-id=30
/caps-man rates
add basic=12Mbps name=rates-2.4 supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic=12Mbps name=rates-5 supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-blue
add authentication-types=wpa2-psk encryption=aes-ccm name=security-green
add authentication-types=wpa2-psk encryption=aes-ccm name=security-red
add authentication-types=wpa2-psk encryption=aes-ccm name=security-base
/caps-man configuration
add channel=channels-5 country=hungary datapath=datapath-blue installation=any name=caps-blue-5 rates=rates-5 security=security-blue ssid=magzatom-privat
add channel=channels-2.4 country=hungary datapath=datapath-blue installation=any name=caps-blue-2.4 rates=rates-2.4 security=security-blue ssid=magzatom-privat
add channel=channels-2.4 country=hungary datapath=datapath-green installation=any name=caps-green-2.4 rates=rates-2.4 security=security-green ssid=magzatom-vendeg
add channel=channels-5 country=hungary datapath=datapath-green installation=any name=caps-green-5 rates=rates-5 security=security-green ssid=magzatom-vendeg
add channel=channels-2.4 country=hungary datapath=datapath-base hide-ssid=yes installation=any name=caps-base-2.4 rates=rates-2.4 security=security-base ssid=magzatom_base
add channel=channels-5 country=hungary datapath=datapath-base hide-ssid=yes installation=any name=caps-base-5 rates=rates-5 security=security-base ssid=magzatom_base
add channel=channels-2.4 country=hungary datapath=datapath-red hide-ssid=yes installation=any name=caps-red-2.4 rates=rates-2.4 security=security-red ssid=magzatom_red
add channel=channels-5 country=hungary datapath=datapath-red hide-ssid=yes installation=any name=caps-red-5 rates=rates-5 security=security-red ssid=magzatom_red
/caps-man interface
add configuration=caps-base-2.4 disabled=no l2mtu=1600 mac-address=08:55:31:E7:F3:6C master-interface=none name=r01.magnet-1 radio-mac=08:55:31:E7:F3:6C radio-name=085531E7F36C
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:F3:6C master-interface=r01.magnet-1 name=r01.magnet-1-1 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36C
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:F3:6D master-interface=r01.magnet-1 name=r01.magnet-1-2 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36D
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:F3:6E master-interface=r01.magnet-1 name=r01.magnet-1-3 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36E
add configuration=caps-base-5 disabled=no l2mtu=1600 mac-address=08:55:31:E7:F3:6D master-interface=none name=r01.magnet-2 radio-mac=08:55:31:E7:F3:6D radio-name=085531E7F36D
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:F3:6F master-interface=r01.magnet-2 name=r01.magnet-2-1 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36F
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:F3:70 master-interface=r01.magnet-2 name=r01.magnet-2-2 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F370
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:F3:71 master-interface=r01.magnet-2 name=r01.magnet-2-3 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F371
add configuration=caps-base-2.4 disabled=no l2mtu=1600 mac-address=08:55:31:E7:E1:93 master-interface=none name=r02.magnet-1 radio-mac=08:55:31:E7:E1:93 radio-name=085531E7E193
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:E1:93 master-interface=r02.magnet-1 name=r02.magnet-1-1 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E193
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:E1:94 master-interface=r02.magnet-1 name=r02.magnet-1-2 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E194
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:E1:95 master-interface=r02.magnet-1 name=r02.magnet-1-3 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E195
add configuration=caps-base-5 disabled=no l2mtu=1600 mac-address=08:55:31:E7:E1:94 master-interface=none name=r02.magnet-2 radio-mac=08:55:31:E7:E1:94 radio-name=085531E7E194
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:E1:96 master-interface=r02.magnet-2 name=r02.magnet-2-1 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E196
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:E1:97 master-interface=r02.magnet-2 name=r02.magnet-2-2 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E197
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=0A:55:31:E7:E1:98 master-interface=r02.magnet-2 name=r02.magnet-2-3 radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E198
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=119 name=domain-search-option value="'magnet.'"
/ip ipsec policy group
add name=group-lacinet
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 name=profile_l2tp
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile-s2s-ros proposal-check=strict
/ip ipsec peer
add address=92f20943ba88.sn.mynetname.net exchange-mode=ike2 name=laci.router1.test.com profile=profile-s2s-ros
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 comment="For l2tp-server" enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=4h name=proposal-s2s-ros pfs-group=modp2048
/ip pool
add name=BLUE_POOL ranges=10.19.10.100-10.19.10.200
add name=GREEN_POOL ranges=10.19.20.100-10.19.20.200
add name=RED_POOL ranges=10.19.30.100-10.19.30.200
add name=BASE_POOL ranges=192.168.19.100-192.168.19.200
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN lease-script=onDhcpLease name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/ppp profile
add dns-server=10.19.200.1,1.1.1.3 local-address=10.19.200.1 name=l2tp_vpn
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=BASE_VLAN
/caps-man provisioning
add action=create-enabled hw-supported-modes=ac master-configuration=caps-base-5 name-format=identity slave-configurations=caps-blue-5,caps-green-5,caps-red-5
add action=create-enabled master-configuration=caps-base-2.4 name-format=identity slave-configurations=caps-blue-2.4,caps-green-2.4,caps-red-2.4
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1-sw01
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3-blue pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4-blue pvid=10
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1-sw01 untagged=ether3-blue,ether4-blue vlan-ids=10
add bridge=BR1 tagged=BR1,ether1-sw01 vlan-ids=20
add bridge=BR1 tagged=BR1,ether1-sw01 vlan-ids=30
add bridge=BR1 tagged=BR1,ether1-sw01 vlan-ids=99
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_vpn enabled=yes use-ipsec=required
/interface list member
add interface=ether5-wan list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=ether2-lte list=WAN
/interface wireless cap
#
set bridge=BR1 certificate=request discovery-interfaces=BASE_VLAN enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.19.254/24 interface=BASE_VLAN network=192.168.19.0
add address=10.19.10.1/24 interface=BLUE_VLAN network=10.19.10.0
add address=10.19.20.1/24 interface=GREEN_VLAN network=10.19.20.0
add address=10.19.30.1/24 interface=RED_VLAN network=10.19.30.0
add address=10.19.200.1/24 interface=HALL_VLAN network=10.19.200.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=2m
/ip dhcp-client
add disabled=no interface=ether5-wan use-peer-dns=no
add default-route-distance=2 disabled=no interface=ether2-lte use-peer-dns=no
/ip dhcp-server lease
add address=10.19.10.198 client-id=1:74:fe:48:57:68:ae comment="Nyugati Samsung Ultrahang, +smb share" mac-address=74:FE:48:57:68:AE server=BLUE_DHCP
add address=10.19.10.194 client-id=1:40:b0:76:5b:be:f8 comment="Keleti vizsgalo desktop gep" mac-address=40:B0:76:5B:BE:F8 server=BLUE_DHCP
add address=10.19.30.10 client-id=1:ec:c8:9c:b9:9c:e5 comment="HkVision NVR" mac-address=EC:C8:9C:B9:9C:E5 server=RED_DHCP
add address=10.19.10.192 client-id=1:dc:a6:32:c8:1c:e6 comment=Babyscreen mac-address=DC:A6:32:C8:1C:E6 server=BLUE_DHCP
add address=10.19.10.190 client-id=1:0:17:c8:a6:90:55 comment="KyoceraP6230CDN lezer" mac-address=00:17:C8:A6:90:55 server=BLUE_DHCP
add address=10.19.10.101 client-id=ff:b6:22:f:eb:0:2:0:0:ab:11:13:66:88:18:da:5e:fe:33 mac-address=98:90:96:CE:6F:92 server=BLUE_DHCP
add address=10.19.30.101 client-id=1:2c:a5:9c:fa:c4:5c mac-address=2C:A5:9C:FA:C4:5C server=RED_DHCP
add address=10.19.30.102 client-id=1:4c:f5:dc:5e:ff:37 mac-address=4C:F5:DC:5E:FF:37 server=RED_DHCP
/ip dhcp-server network
add address=10.19.10.0/24 dns-server=192.168.19.254 domain=magnet. gateway=10.19.10.1
add address=10.19.20.0/24 dns-server=192.168.19.254 gateway=10.19.20.1
add address=10.19.30.0/24 dns-server=192.168.19.254 gateway=10.19.30.1
add address=192.168.19.0/24 dns-server=192.168.19.254 gateway=192.168.19.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3
/ip dns static
add address=192.168.19.254 name=r01.magnet
add address=192.168.19.253 name=r02.magnet
add address=192.168.19.252 name=r03.magnet
add address=192.168.19.244 name=sw01.magnet
add address=192.168.19.243 name=sw02.magnet
add address=192.168.19.242 name=sw03.magnet
add address=192.168.19.241 name=sw04.magnet
add address=10.19.30.10 name=nvr.magnet
add address=10.19.100.254 name=lte.magnet
add address=10.19.200.101 comment="L2TP Brigi Laptop" name=brigi.magnet
add address=10.19.200.103 comment="L2TP Brigi-oled laptop" name=brigi-oled.magnet
add address=10.19.200.102 comment="L2TP ViktorNAS" name=viktornas.magnet
add address=10.19.200.1 comment="L2TP hall" name=hall.magnet
add address=10.19.30.101 name=cam-folyoso.magnet
add address=10.19.30.102 name=cam-varo.magnet
add address=10.19.10.194 comment=#DHCP name=keleti-vizsgalo.magnet. ttl=10m
add address=10.19.10.106 comment=#DHCP name=DESKTOP-V210M8R.magnet. ttl=10m
add address=10.19.10.101 comment=#DHCP name=nas.magnet. ttl=10m
/ip firewall filter
add action=accept chain=input comment="Allow UDP 500,4500,1701 for IKE, IPSEC/ESP and L2TP" port=1701,500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSEC/ESP" protocol=ipsec-esp
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN and CAP" dst-address-type=local src-address-type=local
add action=accept chain=input comment="Input from BASE mgmt" in-interface-list=BASE
add action=jump chain=input comment="SSH input, with brute force protection" dst-port=22 jump-target=input_ssh protocol=tcp
add action=jump chain=input comment="Input from VLAN" in-interface-list=VLAN jump-target=input_from_vlan
add action=jump chain=input comment="Input from L2TP client" jump-target=input_from_l2tp src-address=10.19.200.0/24
add action=accept chain=input comment="DNS from lacinet udp" dst-port=53 protocol=udp src-address=192.168.14.0/24
add action=accept chain=input comment="DNS from lacinet tcp" dst-port=53 protocol=tcp src-address=192.168.14.0/24
add action=drop chain=input comment=Drop
add action=drop chain=input_ssh comment="drop ssh brute forcers" src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input_ssh connection-state=new src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input_ssh connection-state=new src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input_ssh connection-state=new src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input_ssh connection-state=new
add action=accept chain=input_ssh comment="allow ssh from anywhere"
add action=drop chain=input_ssh comment=Drop
add action=accept chain=input_from_vlan comment="Local DNS UDP" dst-port=53 protocol=udp
add action=accept chain=input_from_vlan comment="Local DNS TCP" dst-port=53 protocol=tcp
add action=accept chain=input_from_vlan comment="Local NTP UDP" dst-port=123 protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 67 UDP" dst-port=67 protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 68 UDP" dst-port=68 protocol=udp
add action=drop chain=input_from_vlan comment=Drop
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=reject chain=forward comment="Reply with network-unreachable when IPSEC tunnel is down" out-interface=ipsec reject-with=icmp-network-unreachable
add action=accept chain=forward comment="Allow VLAN->Internet" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE->Internet" connection-state=new in-interface-list=BASE out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE->VLAN" connection-state=new in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="l2tp brigi-laptop->any" src-address=10.19.200.101
add action=accept chain=forward comment="l2tp brigi-oled->any" src-address=10.19.200.103
add action=accept chain=forward comment="l2tp viktornas.magnet->nas.magnet syncthing" dst-address=10.19.10.101 dst-port=22000,22 protocol=tcp src-address=10.19.200.102
add action=accept chain=forward comment="l2tp nas.magnet->viktornas.magnet syncthing" dst-address=10.19.200.102 dst-port=22000,22 protocol=tcp src-address=10.19.10.101
add action=accept chain=forward comment="ICMP between VLANs and HALL" disabled=yes dst-address=10.19.0.0/16 protocol=icmp src-address=10.19.0.0/16
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=drop chain=input_ssh comment="drop ssh brute forcers" src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input_ssh connection-state=new src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input_ssh connection-state=new src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input_ssh connection-state=new src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input_ssh connection-state=new
add action=accept chain=input_ssh comment="allow ssh from anywhere"
add action=drop chain=input_ssh comment=Drop
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (tcp)" dst-port=53 protocol=tcp
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (udp)" dst-port=53 protocol=udp
add action=accept chain=input_from_l2tp comment="NTP from l2tp client (udp)" dst-port=123 protocol=udp
add action=reject chain=input_from_l2tp reject-with=icmp-admin-prohibited
/ip firewall mangle
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS for in,ipsec" ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS for out,ipsec" ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="scr-nat lacinet->RED" out-interface=RED_VLAN src-address=192.168.14.0/24 to-addresses=10.19.30.1
add action=src-nat chain=srcnat comment="Src-Nat base-lacinet->base-magnet" out-interface=BASE_VLAN src-address=192.168.14.0/24 to-addresses=192.168.19.254
add action=src-nat chain=srcnat comment="Src-Nat base-lacinet->hall-magnet" dst-address=10.19.200.0/24 src-address=192.168.14.0/24 to-addresses=10.19.200.1
add action=src-nat chain=srcnat comment="l2tp brigi-oled->magnet-blue" dst-address=10.19.10.0/24 src-address=10.19.200.103 to-addresses=10.19.10.1
add action=src-nat chain=srcnat comment="Src-Nat l2tp viktornas->nas" dst-address=10.19.10.101 src-address=10.19.200.102 to-addresses=10.19.200.1
/ip ipsec identity
add auth-method=digital-signature certificate=office.partner3.magnet.com my-id=fqdn:office.partner3.magnet.com peer=laci.router1.test.com policy-template-group=group-lacinet remote-id=fqdn:laci.router1.test.com
/ip ipsec policy
set 0 comment="For l2tp-server" dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.14.0/24 peer=laci.router1.test.com proposal=proposal-s2s-ros src-address=192.168.19.0/24 tunnel=yes
add dst-address=192.168.14.0/24 peer=laci.router1.test.com proposal=proposal-s2s-ros src-address=10.19.0.0/16 tunnel=yes
/ip route
add comment="Prevent package leak RFC1918 class A" distance=1 dst-address=10.0.0.0/8 type=unreachable
add comment="Prevent package leak RFC1918 class B" distance=1 dst-address=172.16.0.0/12 type=unreachable
add comment="Prevent package leak RFC1918 class C" distance=1 dst-address=192.168.0.0/16 type=unreachable
add comment="VPN to lacinet" distance=1 dst-address=192.168.14.0/24 gateway=ipsec pref-src=192.168.19.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.19.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=brigi profile=l2tp_vpn remote-address=10.19.200.101 service=l2tp
add name=viktornas profile=l2tp_vpn remote-address=10.19.200.102 service=l2tp
add name=brigi-oled profile=l2tp_vpn remote-address=10.19.200.103 service=l2tp
/routing filter
add chain=dynamic-in set-check-gateway=ping
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=r01.magnet
/system logging
add topics=l2tp
add topics=ipsec
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org
/system package update
set channel=long-term
/system scheduler
add interval=1d name=e-mail-backup on-event=e-mail-backup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=20:00:00
/system script
add dont-require-permissions=no name=onDhcpLease owner=gandalf policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n\
    \n\
    \n:local DHCPtag\
    \n:set DHCPtag \"#DHCP\"\
    \n\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \n\
    \n:if ( \$leaseBound = 1 ) do=\\\
    \n{\
    \n :local ttl\
    \n :local domain\
    \n :local hostname\
    \n :local fqdn\
    \n :local leaseId\
    \n :local comment\
    \n\
    \n /ip dhcp-server\
    \n :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\
    \n network \
    \n :set domain [ get [ find \$leaseActIP in address ] domain ]\
    \n \
    \n .. lease\
    \n :set leaseId [ find address=\$leaseActIP ]\
    \n\
    \n# Check for multiple active leases for the same IP address. It's weird and it shouldn't be, but just in case.\
    \n\
    \n :if ( [ :len \$leaseId ] != 1) do=\\\
    \n {\
    \n :log info \"DHCP2DNS: not registering domain name for address \$leaseActIP because of multiple active leases for \$leaseActIP\"\
    \n :error \"multiple active leases for \$leaseActIP\"\
    \n } \
    \n\
    \n :set hostname [ get \$leaseId host-name ]\
    \n :set comment [ get \$leaseId comment ]\
    \n /\
    \n\
    \n :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\
    \n\
    \n :if ( [ :len \$hostname ] <= 0 ) do=\\\
    \n {\
    \n :log error \"DHCP2DNS: not registering domain name for address \$leaseActIP because of empty lease host-name or comment\"\
    \n :error \"empty lease host-name or comment\"\
    \n }\
    \n :if ( [ :len \$domain ] <= 0 ) do=\\\
    \n {\
    \n :log error \"DHCP2DNS: not registering domain name for address \$leaseActIP because of empty network domain name\"\
    \n :error \"empty network domain name\"\
    \n }\
    \n\
    \n :set fqdn \"\$hostname.\$domain\"\
    \n \
    \n /ip dns static\
    \n :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=no ] ] = 0 ) do=\\\
    \n {\
    \n :log info \"DHCP2DNS: registering static domain name \$fqdn for address \$leaseActIP with ttl \$ttl\"\
    \n add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag disabled=no\
    \n } else=\\\
    \n {\
    \n :log error \"DHCP2DNS: not registering domain name \$fqdn for address \$leaseActIP because of existing active static DNS entry with this name or address\" \
    \n }\
    \n /\
    \n} \\\
    \nelse=\\\
    \n{\
    \n /ip dns static\
    \n :local dnsDhcpId \
    \n :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\
    \n\
    \n :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\
    \n {\
    \n :log info \"DHCP2DNS: removing static domain name(s) for address \$leaseActIP\"\
    \n remove \$dnsDhcpId\
    \n }\
    \n /\
    \n}\
    \n\
    \n"
add dont-require-permissions=no name=e-mail-backup owner=gandalf policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/system backup save encryption=aes-sha256 name=\"email.backup\" password=\"***********\";/tool e-mail send to=\"gandalf@router1.test.com\" subject=([/system identity get name].\" (system=\".[/system package get system value-name=version].\") backup\") file=email.backup;:log info \"Backup e-mail sent.\"; "
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=mail.router1.test.com from="Mikrotik r01.magnet <mikrotik@router1.test.com>" port=465 start-tls=tls-only user=mikrotik@router1.test.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-ip-protocol=udp filter-port=dns
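A defender-side sanity check for exports like the two above, added here and not part of the original thread: it parses the RouterOS export format (sections, add/set lines, backslash continuations) and flags the NAT, IPsec-policy and firewall interactions that most often explain ping or DNS failing across a site-to-site tunnel. The sample export reuses names and the remote LAN 192.168.14.0/24 from the posted configs but is a constructed input with two deliberate defects.

```python
"""Sanity checks for RouterOS exports in the format posted above (added example,
not code from the original thread). Parses '/section', 'add key=value ...' and
'\\' continuation lines, then checks three things that commonly break ping and
DNS across a site-to-site IPsec tunnel."""
import ipaddress
import shlex

# Constructed sample in the posted export format; the LTE masquerade rule and
# the missing tcp/53 rule are deliberate defects for the checks to find.
SAMPLE_EXPORT = r'''
/ip ipsec policy
add dst-address=192.168.14.0/24 peer=laci.router1.test.com proposal=proposal-s2s-ros \
    src-address=192.168.19.0/24 tunnel=yes
/ip firewall filter
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="DNS from lacinet udp" dst-port=53 protocol=udp \
    src-address=192.168.14.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="LTE masquerade" out-interface=ether2-lte
'''

def parse_export(text):
    """Return (section, command, {key: value}) for every add/set line."""
    records, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # export wraps long lines with '\'
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        words = shlex.split(line)        # RouterOS quoting is shell-like here
        kv = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        records.append((section, words[0], kv))
    return records

def rules(records, section, chain):
    """Enabled 'add' rules of one firewall section and chain, in export order."""
    return [kv for sec, cmd, kv in records if sec == section and cmd == "add"
            and kv.get("chain") == chain and kv.get("disabled") != "yes"]

def nat_rules_hitting_tunnel(records):
    """Comments of srcnat masquerade/src-nat rules bound to an outgoing interface
    without ipsec-policy=out,none: srcnat runs before the IPsec policy lookup, so
    a rewritten packet no longer matches the tunnel selector and leaves in clear."""
    return [kv.get("comment", "<no comment>")
            for kv in rules(records, "/ip firewall nat", "srcnat")
            if kv.get("action") in ("masquerade", "src-nat")
            and ("out-interface" in kv or "out-interface-list" in kv)
            and kv.get("ipsec-policy") != "out,none"]

def forward_accepts_ipsec_in(records):
    """True when the forward chain explicitly accepts decrypted tunnel traffic."""
    return any(kv.get("action") == "accept" and kv.get("ipsec-policy") == "in,ipsec"
               for kv in rules(records, "/ip firewall filter", "forward"))

def dns_protocols_open_to(records, remote_lan):
    """Protocols on which the input chain accepts port 53 from remote_lan (CIDR);
    remote clients that resolve through this router need both udp and tcp."""
    remote, allowed = ipaddress.ip_network(remote_lan), set()
    for kv in rules(records, "/ip firewall filter", "input"):
        if (kv.get("action") == "accept" and "src-address" in kv
                and "53" in kv.get("dst-port", "").split(",")
                and remote.subnet_of(ipaddress.ip_network(kv["src-address"], strict=False))):
            allowed.add(kv.get("protocol"))
    return sorted(allowed)

def audit(text, remote_lan):
    """All findings for one export; an empty list means the checks passed."""
    records = parse_export(text)
    found = [f"NAT rule '{c}' lacks ipsec-policy=out,none"
             for c in nat_rules_hitting_tunnel(records)]
    if not forward_accepts_ipsec_in(records):
        found.append("no forward accept rule for ipsec-policy=in,ipsec")
    found += [f"input does not accept {p}/53 from {remote_lan}"
              for p in ("udp", "tcp") if p not in dns_protocols_open_to(records, remote_lan)]
    return found
```

Run `audit(open("export.rsc").read(), "192.168.14.0/24")` against a real `/export` file; on the sample it reports the LTE masquerade rule and the missing tcp/53 input rule.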