runbound
Member Candidate
Topic Author
Posts: 127
Joined: Fri Apr 19, 2013 9:28 am

remote forwarding remote winbox issue

Sun May 10, 2020 4:41 am

I have a static IP and I want my client to access their MikroTik remotely via my static IP, even though my client has no public IP.

For example, I have the static IP
101.58.69.xx
and I give my client the L2TP IP address 10.20.0.253
and port forwarding on port 3389.

When I type in Winbox
101.58.69.xx:3389
the error says
dstnat: in :pppoe-out1 out:(unknown 0), proto TCP (SYN), 110.54.222.111:49667->101.58.69.xx:3389, len48


Could anyone help me?
Last edited by runbound on Sun May 10, 2020 7:56 am, edited 1 time in total.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: remote forwarding remote winbox issue

Sun May 10, 2020 7:11 am

dstnat: in :pppoe-out1 out:(unknown 0), proto TCP (SYN), 110.54.222.111:49667->101.58.69.xx:3389, len48
You have log=yes (checked), this is the log showing a connection. This is not an error message. Was the client unable to connect to the router?
 
runbound
Member Candidate
Topic Author
Posts: 127
Joined: Fri Apr 19, 2013 9:28 am

Re: remote forwarding remote winbox issue

Sun May 10, 2020 7:54 am

Yes sir, my client was not able to connect when we enter 101.58.69.xx:3389 in Winbox.

dstnat: in :pppoe-out1 out:(unknown 0), proto TCP (SYN), 110.54.222.111:49667->101.58.69.xx:3389, len48
You have log=yes (checked), this is the log showing a connection. This is not an error message. Was the client unable to connect to the router?
 
Discmandj
Member Candidate
Posts: 131
Joined: Thu Mar 24, 2016 12:29 am

Re: remote forwarding remote winbox issue

Sun May 10, 2020 8:35 pm

Hello, you have to give every client its own port on your main MikroTik, like this:
Dst-nat, protocol tcp, port 8080 - action dst-nat to the IP address of client 1's MikroTik, for example 10.2.151.10, port (Winbox port) 8291.
The second client is the same, but the port and IP should change:
Dst-nat, protocol tcp, port 8081 - action dst-nat to the IP address of client 2's MikroTik, for example 10.2.151.11, Winbox port 8291.
So if client 1 enters your public address:8080 in Winbox, he will reach his MikroTik.
The second client should enter your public IP:8081.
And so on ...


Sent from iPhone using Tapatalk
 
runbound
Member Candidate
Topic Author
Posts: 127
Joined: Fri Apr 19, 2013 9:28 am

Re: remote forwarding remote winbox issue

Mon May 11, 2020 4:33 am

Hello, you have to give every client its own port on your main MikroTik, like this:
Dst-nat, protocol tcp, port 8080 - action dst-nat to the IP address of client 1's MikroTik, for example 10.2.151.10, port (Winbox port) 8291.
The second client is the same, but the port and IP should change:
Dst-nat, protocol tcp, port 8081 - action dst-nat to the IP address of client 2's MikroTik, for example 10.2.151.11, Winbox port 8291.
So if client 1 enters your public address:8080 in Winbox, he will reach his MikroTik.
The second client should enter your public IP:8081.
And so on ...


Sent from iPhone using Tapatalk

Yes sir, that's my configuration, but if I connect to it in Winbox
101.58.69.xx:3389
it says connecting to 101.58.69.xx:3389....
then
error: could not connect 101.58.69.xx:3389
 
Discmandj
Member Candidate
Posts: 131
Joined: Thu Mar 24, 2016 12:29 am

Re: remote forwarding remote winbox issue

Mon May 11, 2020 9:56 am

Hello,
So I see now that you use an L2TP tunnel. First question: why? If you have dst-nat from outside to inside, you don't need a tunnel!
Can you please export your configuration without sensitive information?



Sent from iPhone using Tapatalk
 
runbound
Member Candidate
Topic Author
Posts: 127
Joined: Fri Apr 19, 2013 9:28 am

Re: remote forwarding remote winbox issue

Mon May 11, 2020 11:11 am

Hello,
So I see now that you use an L2TP tunnel. First question: why? If you have dst-nat from outside to inside, you don't need a tunnel!
Can you please export your configuration without sensitive information?



Sent from iPhone using Tapatalk

This is my config for my client and for my server. Sorry for my difficult English.
PS: I don't have any config for the firewall filter on both client and server.

client:

/interface l2tp-client
add connect-to=101.58.69.xx disabled=no name=l2tp-out2 password=1 user=p


server:

/interface ethernet
set [ find default-name=combo1 ] comment=WAN1 mac-address=CC:2D:E0:1F:46:24 \
name=ether0-WAN1
/ppp secret
add name=l2tp-pldt password=yz3690 profile=default-encryption service=l2tp
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN1 out-interface=pppoe-out1 \
time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=dst-nat chain=dstnat dst-address=101.58.69.xx dst-port=3389 log=\
yes protocol=tcp to-addresses=10.20.0.255 to-ports=8291
 
Discmandj
Member Candidate
Posts: 131
Joined: Thu Mar 24, 2016 12:29 am

Re: remote forwarding remote winbox issue

Mon May 11, 2020 11:16 am

Can you please export the complete config!
Again, you don't need an L2TP tunnel if you use dst-nat from outside to inside!


Sent from iPhone using Tapatalk
 
runbound
Member Candidate
Topic Author
Posts: 127
Joined: Fri Apr 19, 2013 9:28 am

Re: remote forwarding remote winbox issue

Mon May 11, 2020 12:02 pm

For my server, sir:

# may/11/2020 16:54:21 by RouterOS 6.46.6
# software id = WCTL-6CZ3
#
# model = CCR1009-7G-1C-1S+
# serial number = 91500A71B096
/interface bridge
add fast-forward=no name=bridge-local
add fast-forward=no name=zbridge-bro
/interface ethernet
set [ find default-name=combo1 ] comment=WAN1 mac-address=CC:2D:E0:1F:46:24 \
name=ether0-WAN1
set [ find default-name=ether1 ] comment=WAN2 disabled=yes mac-address=\
CC:2D:E0:1F:46:25 name=ether1-WAN2 speed=100Mbps
set [ find default-name=ether2 ] comment=WAN3 disabled=yes mac-address=\
CC:2D:E0:1F:46:26 name=ether2-WAN3 speed=100Mbps
set [ find default-name=ether3 ] comment=LAN mac-address=CC:2D:E0:1F:46:27 \
speed=100Mbps
set [ find default-name=ether4 ] comment=LAN mac-address=CC:2D:E0:1F:46:28 \
speed=100Mbps
set [ find default-name=ether5 ] advertise=\
10M-full,100M-full,1000M-full,2500M-full arp=proxy-arp comment=BROADBAND \
mac-address=CC:2D:E0:1F:46:29 speed=100Mbps
set [ find default-name=ether6 ] comment=LAN mac-address=CC:2D:E0:1F:46:2A \
mtu=1580 speed=100Mbps
set [ find default-name=ether7 ] comment=LAN mac-address=CC:2D:E0:1F:46:2B \
speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-full,100M-full,1000M-full disabled=yes mac-address=CC:2D:E0:1F:46:23
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=\
ether0-WAN1 keepalive-timeout=disabled name=pppoe-out1 password=286364 \
use-peer-dns=yes user=YCSC08-032020
/interface ethernet switch
set 0 name=switch1
set 1 name=switch2
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=1212121212 \
wpa2-pre-shared-key=1212121212
add authentication-types=wpa-psk eap-methods="" group-ciphers=tkip \
management-protection=allowed mode=dynamic-keys name=se1233 \
supplicant-identity="" unicast-ciphers=tkip wpa-pre-shared-key=se1233 \
wpa2-pre-shared-key=se1233
add authentication-types=wpa-psk eap-methods="" management-protection=allowed \
mode=dynamic-keys name=ianwifi supplicant-identity="" \
wpa-pre-shared-key=wifi123 wpa2-pre-shared-key=sec1234
/ip hotspot profile
set [ find default=yes ] login-by=""
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des name=profile_1
/ip ipsec peer
add name=peer1 passive=yes profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=\
none
/ip kid-control
add name=5t
/ip pool
add name=local-pool ranges=192.168.175.150-192.168.175.200
add name=guest-pool ranges=180.180.180.10-180.180.180.254
add name=vilcore-secure ranges=150.150.150.10-150.150.150.254
add name=hs-homebro1 ranges=10.20.0.0/24
add name=hs-homebro3 ranges=10.22.0.0/24
add name=hs-homebro2 ranges=10.21.0.0/24
/ip dhcp-server
add address-pool=local-pool disabled=no interface=bridge-local lease-time=1h \
name=local-dhcp
add address-pool=guest-pool bootp-support=none disabled=no lease-time=3h \
name=guest-dhcp
add address-pool=vilcore-secure authoritative=after-2sec-delay disabled=no \
lease-time=3h name=vilcore-dhcp
add add-arp=yes address-pool=hs-homebro1 bootp-support=none interface=\
zbridge-bro lease-time=3h name=bro-dhcp
/port
set 0 baud-rate=auto name=serial0
set 1 name=usb2
/ppp profile
set *FFFFFFFE use-encryption=default

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set read policy="local,read,test,winbox,api,romon,tikapp,!telnet,!ssh,!ftp,!re\
boot,!write,!policy,!password,!web,!sniff,!sensitive,!dude"
set write policy="reboot,read,write,policy,test,web,sniff,sensitive,api,!local\
,!telnet,!ssh,!ftp,!winbox,!password,!romon,!dude,!tikapp"
add name=admin policy="reboot,read,write,test,password,web,api,!local,!telnet,\
!ssh,!ftp,!policy,!winbox,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=techedit policy="telnet,reboot,read,write,test,winbox,api,!local,!ssh\
,!ftp,!policy,!password,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=adminftp policy="ftp,reboot,read,write,password,api,!local,!telnet,!s\
sh,!policy,!test,!winbox,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=adminowner policy="reboot,read,write,test,password,web,api,!local,!te\
lnet,!ssh,!ftp,!policy,!winbox,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=adminsave policy="reboot,read,write,policy,test,web,api,!local,!telne\
t,!ssh,!ftp,!winbox,!password,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=terminal policy="local,telnet,write,password,web,!ssh,!ftp,!reboot,!r\
ead,!policy,!test,!winbox,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
add name=PPP policy="read,write,test,password,web,api,!local,!telnet,!ssh,!ftp\
,!reboot,!policy,!winbox,!sniff,!sensitive,!romon,!dude,!tikapp"
/caps-man manager
set ca-certificate=auto certificate=auto
/interface bridge port
add bridge=bridge-local comment=LAN hw=no interface=ether3
add bridge=bridge-local comment=HOTSPOT hw=no interface=ether4
add bridge=zbridge-bro comment=BROADBAND interface=ether5
add bridge=bridge-local comment=LAN interface=ether7
add bridge=bridge-local comment=LAN interface=ether6
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set allow-fast-path=no
/interface detect-internet
set internet-interface-list=all lan-interface-list=all wan-interface-list=all
/interface l2tp-server server
set enabled=yes ipsec-secret=12345 max-mru=1400 max-mtu=1400 \
one-session-per-host=yes
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes256 \
require-client-certificate=yes
/interface pppoe-server server
add disabled=no interface=zbridge-bro keepalive-timeout=disabled max-mru=1464 \
max-mtu=1464 service-name="BROADBAND"
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes max-mru=1460 max-mtu=\
1460
/interface sstp-server server
set authentication=pap
/ip address
add address=192.168.175.1/24 interface=bridge-local network=192.168.175.0
add address=172.16.50.1/24 network=172.16.50.0
add address=172.16.60.1/24 network=172.16.60.0
add address=180.180.180.1/24 network=180.180.180.0
add address=150.150.150.1/24 network=150.150.150.0
add address=172.16.51.1/24 network=172.16.51.0
add address=172.16.61.1/24 network=172.16.61.0
add address=172.16.52.1/24 network=172.16.52.0
add address=172.16.53.1/24 network=172.16.53.0
add address=172.16.54.1/24 network=172.16.54.0
add address=172.16.55.1/24 network=172.16.55.0
add address=192.168.9.2 disabled=yes interface=ether2-WAN3 network=\
192.168.9.1
add address=192.168.176.1/24 interface=zbridge-bro network=192.168.176.0
/ip arp
add address=172.16.55.250 mac-address=90:A2:DA:45:DE:FC
/ip cloud
set update-time=no
/ip dhcp-client
add comment=WAN2 default-route-distance=2 dhcp-options=clientid,hostname \
interface=ether1-WAN2 use-peer-dns=no
add comment=WAN3 default-route-distance=3 interface=ether2-WAN3
add comment=WAN1 dhcp-options=clientid,clientid,hostname,clientid interface=\
ether0-WAN1
/ip dhcp-server
add add-arp=yes address-pool=hs-unauthenticated bootp-support=none disabled=\
no lease-time=6h name=hotspot-dhcp
/ip dhcp-server lease
add address=172.16.55.7 always-broadcast=yes client-id=1:cc:6e:a4:d8:c4:2d \
comment="SAMSUNG SMARTV" mac-address=C0:48:E6:CC:B2:4C server=\
hotspot-dhcp
add address=192.168.175.252 client-id=1:c0:48:e6:cc:b2:4c comment=\
"SAMSUNG SMARTV" mac-address=C0:48:E6:CC:B2:4C server=local-dhcp
/ip dhcp-server network
add address=150.150.150.0/24 dns-server=150.150.150.1 gateway=150.150.150.1 \
netmask=24 ntp-server=150.150.150.1
add address=172.16.50.0/24 dns-server=172.16.50.1 gateway=172.16.50.1 \
netmask=32 ntp-server=172.16.50.1
add address=172.16.51.0/24 dns-server=172.16.50.1 gateway=172.16.51.1 \
netmask=32 ntp-server=172.16.50.1
add address=172.16.52.0/24 dns-server=172.16.50.1 gateway=172.16.52.1 \
netmask=32 ntp-server=172.16.50.1
add address=172.16.53.0/24 dns-server=172.16.50.1 gateway=172.16.53.1 \
netmask=32 ntp-server=172.16.50.1
add address=172.16.54.0/24 dns-server=172.16.50.1 gateway=172.16.54.1 \
netmask=32 ntp-server=172.16.50.1
add address=172.16.55.0/24 dns-server=172.16.50.1 gateway=172.16.55.1 \
netmask=32 ntp-server=172.16.50.1
add address=180.180.180.0/24 dns-server=180.180.180.1 gateway=180.180.180.1 \
netmask=32 ntp-server=180.180.180.1
add address=192.168.175.0/24 dns-server=192.168.175.1 gateway=192.168.175.1 \
netmask=24 ntp-server=192.168.175.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.175.1 name=admin.portal
add address=8.8.8.8 name=dns.google
add address=8.8.4.4 name=dns.google
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN1 out-interface=pppoe-out1 \
time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=dst-nat chain=dstnat dst-address=101.58.69.101 dst-port=3389 log=\
yes protocol=tcp to-addresses=10.20.0.255 to-ports=8292
/ip firewall raw
add action=drop chain=prerouting comment="BLOCK YOUTUBE" content=youtube \
disabled=yes
add action=drop chain=prerouting content=googlevideo disabled=yes
add action=drop chain=prerouting comment="BLOCK Y8" content=y8 disabled=yes
/ip hotspot user
set [ find default=yes ] limit-bytes-total=209715200
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=no address-pool=hs-wifi \
keepalive-timeout=15m name=EXPIRED rate-limit=1k/1k shared-users=100 \
status-autorefresh=5m
/ip ipsec identity
add generate-policy=port-override peer=peer1 remote-id=ignore secret=12345
/ip pool
add name=hs-wifi next-pool=hs-wifi ranges=\
172.16.60.10-172.16.60.254,172.16.61.10-172.16.61.254
add name=hs-unauthenticated next-pool=hs-unauthenticated ranges="172.16.55.20-\
172.16.55.254,172.16.54.10-172.16.54.254,172.16.53.10-172.16.53.254,172.16\
.52.10-172.16.52.254,172.16.51.10-172.16.51.254,172.16.50.10-172.16.50.254\
"
/ip route
add comment=WAN2 disabled=yes distance=1 gateway=2.2.2.2 routing-mark=PL2
add check-gateway=ping comment=WAN3 disabled=yes distance=1 gateway=\
192.168.8.1 routing-mark=PL3
add check-gateway=ping comment=WAN1 distance=1 gateway=pppoe-out1
add check-gateway=ping comment="NETWATCH WAN3" distance=1 dst-address=\
8.8.4.4/32 gateway=192.168.8.1
add check-gateway=ping comment="NETWATCH WAN1" distance=1 dst-address=\
8.8.8.8/32 gateway=192.168.1.1
/ip route rule
add dst-address=0.0.0.0/0 routing-mark=RT-PL1 src-address=0.0.0.0/0 table=PL1
add dst-address=0.0.0.0/0 routing-mark=RT-PL2 src-address=0.0.0.0/0 table=PL2
add dst-address=0.0.0.0/0 routing-mark=RT-PL3 src-address=0.0.0.0/0 table=PL3
add dst-address=0.0.0.0/0 routing-mark=RT-PL4 src-address=0.0.0.0/0 table=PL4
add dst-address=0.0.0.0/0 routing-mark=RT-PL5 src-address=0.0.0.0/0 table=PL5
/ip service
set telnet address="172.16.50.0/24,172.16.51.0/24,172.16.52.0/24,172.16.53.0/2\
4,172.16.54.0/24,172.16.55.0/24,192.168.175.0/24"
set ftp address=192.168.175.251/32 disabled=yes
set www port=82
set ssh disabled=yes
set www-ssl certificate=ca-certificate
set winbox port=8291
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set show-dummy-rule=no
/lcd
set backlight-timeout=never color-scheme=dark default-screen=interfaces \
read-only-mode=yes
/lcd interface
set *1 disabled=yes
set *2 disabled=yes
set *3 disabled=yes
set *4 disabled=yes
set *5 disabled=yes
set *6 disabled=yes
set *7 disabled=yes
set *8 disabled=yes
set *9 disabled=yes
set *A disabled=yes
set *B disabled=yes
set *C disabled=yes
set *16 disabled=yes
set sfp-sfpplus1 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
/lcd screen
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
/ppp aaa
set accounting=no
/ppp profile
set *0 dns-server=192.168.175.1 local-address=hs-unauthenticated \
remote-address=local-pool
/ppp secret
add name=p password=1 profile=default-encryption service=l2tp
/radius incoming
set accept=yes
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Manila
/system clock manual
set time-zone=+08:00
/system identity
set name=ION
/system leds
set 0 interface=ether0-WAN1 leds=user-led type=interface-status
/system logging
add disabled=yes topics=e-mail
/system ntp client
set enabled=yes primary-ntp=162.159.200.1 secondary-ntp=162.159.200.123
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool e-mail
set address=74.125.68.109 from="" start-tls=yes
/tool graphing
set store-every=hour
/tool romon
set secrets=bki
/tool romon port
 
runbound
Member Candidate
Topic Author
Posts: 127
Joined: Fri Apr 19, 2013 9:28 am

Re: remote forwarding remote winbox issue

Mon May 11, 2020 12:11 pm

For my client customer:

# may/11/2020 17:07:57 by RouterOS 6.46.6
# software id = MUPF-1Y7J
#
# model = RB941-2nD
# serial number = D0560B2A1012
/interface bridge
add name=bridge-hotspot
add name=bridge-local
add name=bridge-wifi
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1 l2mtu=1480 mtu=1480 name=\
ether1-WAN1
set [ find default-name=ether4 ] mac-address=E4:8D:8C:E7:52:F8
/interface l2tp-client
add connect-to=101.58.69.106 disabled=no name=l2tp-out1 password=1 user=p
/interface pwr-line
set [ find default-name=pwr-line1 ] disabled=yes
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=wifi1024 \
wpa2-pre-shared-key=wifi1024
add authentication-types=wpa-psk eap-methods="" group-ciphers=tkip \
management-protection=allowed mode=dynamic-keys name=station \
supplicant-identity="" unicast-ciphers=tkip wpa-pre-shared-key=se1234 \
wpa2-pre-shared-key=se1234
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=wifi \
supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
se1233 wpa2-pre-shared-key=se1233
add authentication-types=wpa-psk,wpa2-psk eap-methods="" name=hotspot \
supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=\
philippines disabled=no keepalive-frames=disabled mode=ap-bridge \
multicast-buffering=disabled multicast-helper=disabled name=wlan-hs \
security-profile=hotspot ssid="BM Hotspot"
add arp=reply-only default-forwarding=no mac-address=E6:8D:8C:45:6F:3D \
master-interface=wlan-hs name=wlan-private security-profile=wifi ssid=\
PRIVATE-WiFi wds-cost-range=0 wds-default-cost=0
add hide-ssid=yes keepalive-frames=disabled mac-address=C6:AD:34:99:B2:D3 \
master-interface=wlan-hs multicast-buffering=disabled name=wlan-TV \
security-profile=wifi ssid=WiFi-TV wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.portal hotspot-address=172.16.50.1 \
html-directory=hs login-by=http-chap,http-pap,trial name=hs-profile \
trial-uptime-limit=2h
/ip hotspot user profile
set [ find default=yes ] address-list=local-addressdns name=ADMIN rate-limit=\
5m/5m
/ip ipsec peer
add disabled=yes name=peer1 passive=yes
/ip pool
add name=default-dhcp ranges=192.168.88.2-192.168.88.254
add name=wifi-secure ranges=150.150.150.2-150.150.150.254
add name=hs-unauthenticated ranges=172.16.50.10-172.16.50.254
add name=VPN ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
interface=bridge-local name=local-dhcp
add address-pool=wifi-secure authoritative=after-2sec-delay disabled=no \
interface=bridge-wifi lease-time=3h name=wifi-dhcp
add add-arp=yes address-pool=hs-unauthenticated disabled=no interface=\
bridge-hotspot lease-time=1h name=hotspot-dhcp
/ip hotspot
add address-pool=hs-unauthenticated disabled=no idle-timeout=15m interface=\
bridge-hotspot keepalive-timeout=15m name=hs-server
/queue simple
add max-limit=4M/2M name=WIFI target=bridge-wifi
add max-limit=4M/2M name=TV target=172.16.50.4/32,172.16.50.5/32
add comment=rose name=rose target=172.16.50.3/32
/queue type
add kind=pcq name=gaming-pcq-download pcq-classifier=dst-address,dst-port \
pcq-limit=40KiB
add kind=pcq name=gaming-pcq-upload pcq-classifier=src-address,src-port \
pcq-limit=40KiB
add kind=pcq name="limit dl" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name=main-pcq-download pcq-classifier=dst-address pcq-limit=\
40KiB
add kind=pcq name=main-pcq-upload pcq-classifier=src-address pcq-limit=40KiB
add kind=pfifo name=main-queue pfifo-limit=100
add kind=pcq name="UPLOAD Gaming" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="DOWNLOAD Games" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="DOWNLOAD Browsing" pcq-classifier=dst-address \
pcq-dst-address6-mask=64 pcq-rate=1M pcq-src-address6-mask=64
add kind=pcq name="UPLOAD Browsing" pcq-classifier=src-address \
pcq-dst-address6-mask=64 pcq-rate=256k pcq-src-address6-mask=64
/queue simple
add disabled=yes name=BROWSING packet-marks=http-pm,https-pm queue=\
"UPLOAD Browsing/DOWNLOAD Browsing" target=192.168.88.0/24
add name=GAMERS packet-marks=05pm,06pm,07pm,08pm queue=\
"UPLOAD Gaming/DOWNLOAD Games" target=192.168.88.0/24
/queue tree
add disabled=yes max-limit=100M name=1-upload parent=ether1-WAN1 queue=\
main-queue
add comment="A. WAN1 UPLOAD" disabled=yes max-limit=1M name=1-browsing \
parent=1-upload queue=main-queue
add disabled=yes limit-at=200k max-limit=1M name=1-http packet-mark=http-pm \
parent=1-browsing queue=main-pcq-upload
add disabled=yes limit-at=200k max-limit=1M name=1-https packet-mark=https-pm \
parent=1-browsing queue=main-pcq-upload
add disabled=yes max-limit=100M name="1-online gaming" parent=1-upload queue=\
gaming-pcq-download
add disabled=yes limit-at=256k max-limit=99M name=1-Games01 packet-mark=05pm \
parent="1-online gaming" queue=gaming-pcq-upload
add disabled=yes limit-at=256k max-limit=99M name=1-Games02 packet-mark=06pm \
parent="1-online gaming" queue=gaming-pcq-upload
add disabled=yes limit-at=256k max-limit=99M name=1-Games03 packet-mark=07pm \
parent="1-online gaming" queue=gaming-pcq-upload
add disabled=yes limit-at=256k max-limit=99M name=1-Games04 packet-mark=08pm \
parent="1-online gaming" queue=gaming-pcq-upload
add disabled=yes name=Download parent=bridge-local queue=default
add disabled=yes max-limit=100M name=dsl-download parent=Download queue=\
main-queue
add comment="B. WAN1 DOWNLOAD" disabled=yes max-limit=10M name=\
browsing-streaming parent=dsl-download queue=main-pcq-download
add disabled=yes max-limit=10M name=Browsing parent=browsing-streaming queue=\
main-pcq-download
add disabled=yes limit-at=512k max-limit=10M name=http packet-mark=http-pm \
parent=Browsing queue=main-pcq-download
add disabled=yes limit-at=512k max-limit=10M name=https packet-mark=https-pm \
parent=Browsing queue=main-pcq-download
add comment="C. VIDEO STREAMING LIMIT" disabled=yes max-limit=8M name=\
Streaming parent=browsing-streaming queue=main-pcq-download
add disabled=yes limit-at=384k max-limit=8M name=video-streaming packet-mark=\
videostreaming-pm parent=Streaming queue=main-pcq-download
add disabled=yes max-limit=100M name=online-gaming parent=dsl-download queue=\
gaming-pcq-download
add disabled=yes limit-at=256k max-limit=99M name=game01 packet-mark=05pm \
parent=online-gaming queue=gaming-pcq-download
add disabled=yes limit-at=256k max-limit=99M name=game02 packet-mark=06pm \
parent=online-gaming queue=gaming-pcq-download
add disabled=yes limit-at=256k max-limit=99M name=game03 packet-mark=07pm \
parent=online-gaming queue=gaming-pcq-download
add disabled=yes limit-at=256k max-limit=99M name=game04 packet-mark=08pm \
parent=online-gaming queue=gaming-pcq-download
add comment="TOTAL EXCLUDED" disabled=yes max-limit=100M name=server-exluded \
parent=dsl-download queue=main-pcq-upload
add disabled=yes limit-at=768k max-limit=100M name=server packet-mark=\
server-excluded-pm parent=server-exluded queue=main-pcq-download
add comment="D. DOWNLOAD LIMIT (Default: disabled)" disabled=yes max-limit=\
512k name="Limit Download" packet-mark=download-limit parent=global \
queue="limit dl"
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
add name=admin policy="reboot,read,write,test,password,web,api,!local,!telnet,\
!ssh,!ftp,!policy,!winbox,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=adminftp policy="ftp,reboot,read,write,password,api,!local,!telnet,!s\
sh,!policy,!test,!winbox,!web,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=adminlast policy="reboot,read,write,test,password,web,api,!local,!tel\
net,!ssh,!ftp,!policy,!winbox,!sniff,!sensitive,!romon,!dude,!tikapp"
add name=techedit policy="ftp,reboot,read,write,test,winbox,password,web,api,!\
local,!telnet,!ssh,!policy,!sniff,!sensitive,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-hotspot interface=wlan-hs
add bridge=bridge-local interface=wlan-private
add bridge=bridge-wifi interface=wlan-TV
/interface detect-internet
set detect-interface-list=all
/interface wireless access-list
add comment=rrr mac-address=6E:5A:88:C7:0C:2A
add comment=roo mac-address=8C:F5:A3:F4:A4:7A
add comment=rrr interface=wlan-private mac-address=90:97:F3:88:EA:C0
/ip address
add address=192.168.88.1/24 interface=bridge-local network=192.168.88.0
add address=150.150.150.1/24 interface=bridge-wifi network=150.150.150.0
add address=172.16.50.1/24 interface=bridge-hotspot network=172.16.50.0
/ip dhcp-client
add add-default-route=no comment=WAN1 disabled=no interface=ether1-WAN1
/ip dhcp-server lease
add address=172.16.50.3 client-id=1:8c:f5:a3:f4:a4:7a comment=rooo \
mac-address=8C:F5:A3:F4:A4:7A server=hotspot-dhcp
add address=172.16.50.5 client-id=1:cc:6e:a4:d8:c4:2d comment=samsung \
mac-address=CC:6E:A4:D8:C4:2D server=hotspot-dhcp
add address=172.16.50.4 client-id=1:34:f1:50:74:58:be comment=tcl \
mac-address=34:F1:50:74:58:BE server=hotspot-dhcp
add address=172.16.50.2 client-id=1:c6:33:7e:8b:13:18 comment=rrr disabled=\
yes mac-address=C6:33:7E:8B:13:18 server=hotspot-dhcp
/ip dhcp-server network
add address=150.150.150.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=150.150.150.1 \
netmask=24 ntp-server=150.150.150.1
add address=172.16.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.50.1 \
netmask=32 ntp-server=172.16.50.1
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1 netmask=24 ntp-server=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=192.168.88.10 disabled=yes list=server-excluded
add address=172.16.50.0/24 list=local-address
add address=192.168.88.0/24 disabled=yes list=local-addressdns
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-WAN1
/ip hotspot user
set [ find default=yes ] limit-bytes-total=5000000
/ip route
add comment=WAN3 disabled=yes distance=1 gateway=192.168.1.1 routing-mark=PL3
add comment=WAN1 distance=1 gateway=192.168.8.1
add check-gateway=ping comment=WAN1 distance=1 dst-address=0.0.0.0/24 \
gateway=*10
add comment=BWTEST distance=1 dst-address=38.104.52.18/32 gateway=192.168.8.1
/ip route rule
add dst-address=0.0.0.0/0 routing-mark=RT-PL1 src-address=0.0.0.0/0 table=PL1
add dst-address=0.0.0.0/0 routing-mark=RT-PL2 src-address=0.0.0.0/0 table=PL2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set winbox port=8291
set api-ssl disabled=yes
/queue simple
add disabled=yes name=HOTSPOT queue=*11/*10 target=172.16.50.0/24
#interrupted
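
Added example (not part of any post in this thread, and not MikroTik code): a Python check that reads a RouterOS export and compares each dst-nat rule with the values stated in the posts, namely the client's tunnel address 10.20.0.253, the 10.20.0.0/24 pool and the client's Winbox port 8291. The function names, finding codes and the `admin-hosts` address list are assumptions made for this example.

```python
import ipaddress
import re

# Excerpt of the server export posted in this thread; the backslash line
# continuations are kept exactly as RouterOS wrote them.
SERVER_EXPORT = r"""
/ip pool
add name=hs-homebro1 ranges=10.20.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN1 out-interface=pppoe-out1 \
time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=dst-nat chain=dstnat dst-address=101.58.69.101 dst-port=3389 log=\
yes protocol=tcp to-addresses=10.20.0.255 to-ports=8292
"""

# Constructed rule for comparison; "admin-hosts" is a hypothetical address list.
FIXED_RULE = (
    "/ip firewall nat\n"
    "add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp "
    "src-address-list=admin-hosts to-addresses=10.20.0.253 to-ports=8291\n"
)

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S*)')


def parse_nat_rules(export_text):
    """Return every `/ip firewall nat` add-line as a dict of its key=value pairs."""
    # An export wraps long lines with a trailing backslash, possibly mid-value.
    joined = re.sub(r"\\\r?\n[ \t]*", "", export_text)
    rules, menu = [], None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif menu == "/ip firewall nat" and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in PAIR.findall(line)})
    return rules


def check_winbox_forward(export_text, tunnel_net, client_ip, winbox_port):
    """Compare each dst-nat rule with the address and port the client uses."""
    net = ipaddress.ip_network(tunnel_net)
    client = ipaddress.ip_address(client_ip)
    findings = []
    for rule in parse_nat_rules(export_text):
        if rule.get("action") != "dst-nat":
            continue
        raw_target = rule.get("to-addresses", "")
        try:
            target = ipaddress.ip_address(raw_target)
        except ValueError:
            findings.append(("TARGET_UNPARSED", raw_target))
            target = None
        if target is not None:
            if target in (net.network_address, net.broadcast_address):
                findings.append(("TARGET_NOT_HOST",
                                 f"{target} is the network or broadcast address of {net}"))
            elif target != client:
                findings.append(("TARGET_MISMATCH",
                                 f"{target} is not the client address {client}"))
        if rule.get("to-ports") != str(winbox_port):
            findings.append(("PORT_MISMATCH",
                             f"to-ports={rule.get('to-ports')} but Winbox listens on {winbox_port}"))
        # Without a source match the management port is reachable from anywhere.
        if "src-address" not in rule and "src-address-list" not in rule:
            findings.append(("ANY_SOURCE",
                             "rule matches connections from every source address"))
    return findings


if __name__ == "__main__":
    for code, detail in check_winbox_forward(
            SERVER_EXPORT, "10.20.0.0/24", "10.20.0.253", 8291):
        print(f"{code}: {detail}")
```
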
 
Discmandj
Member Candidate
Posts: 131
Joined: Thu Mar 24, 2016 12:29 am

Re: remote forwarding remote winbox issue

Mon May 11, 2020 11:18 pm

Hello friend,
Well, I can't see the L2TP server profile and route address on the server.
What you need is the following:
Create a bridge for your client on the server MikroTik, set the IP address for the bridge the same as your client network, 10.20.0.254/24,
PPP profile for client users: src address 10.20.0.254, set in bridge (the created client bridge). In this way the connected client tunnel will be in the same bridge.
Client user L2TP remote IP 10.20.0.xx
Set the client bridge to proxy-arp.
And then do the dstnat in the firewall.
If you need more help, we can start a TeamViewer session.
Best regards


Sent from iPhone using Tapatalk
 
runbound
Member Candidate
Topic Author
Posts: 127
Joined: Fri Apr 19, 2013 9:28 am

Re: remote forwarding remote winbox issue

Tue May 12, 2020 12:41 pm

Yes sir, I messaged you. Please check your inbox. Thanks, sir.
Last edited by runbound on Tue May 12, 2020 3:30 pm, edited 1 time in total.
 
Discmandj
Member Candidate
Posts: 131
Joined: Thu Mar 24, 2016 12:29 am

Re: remote forwarding remote winbox issue

Tue May 12, 2020 1:57 pm

Can we start now?


Sent from iPhone using Tapatalk
 
Discmandj
Member Candidate
Posts: 131
Joined: Thu Mar 24, 2016 12:29 am

Re: remote forwarding remote winbox issue

Tue May 12, 2020 8:06 pm

Hi, I don't know why I can't send you a private message. It seems that the forum has a problem; the message is stuck in the outbox,
so should we start!
 
runbound
Member Candidate
Topic Author
Posts: 127
Joined: Fri Apr 19, 2013 9:28 am

Re: remote forwarding remote winbox issue  [SOLVED]

Wed May 13, 2020 2:22 am

Hi, I don't know why I can't send you a private message. It seems that the forum has a problem; the message is stuck in the outbox,
so should we start!


Thank you, sir Discmandj, also known as kollman. You are very helpful to me. My trouble in MT is now ended. All I need to say is thank you very much.
Very appreciated and accommodating. A big, big check for you; this solved my problem.
Even though you have a job, you can still help me. You have time for me. Once again, thank you very much, sir. 8) 8) 8) 8) 8)
