Internet / VPN Problem

DavidGB · Mon Feb 15, 2021 2:03 pm

Hi,

I have 2 questions about my mikrotik

Occasionally my mikrotik lost internet connection and it comes back in a few minutes. I try doing ping from mikrotik terminal to 8.8.8.8 and doesn´t response.
But today I´ve seen something strange, i´ve connected my office mikrotik router to mine to access some devices from my home and in the moment I lost internet connection "ping 8.8.8.8" doesn´t response but ping to my office devices response correctly, so I have an internet connection.

In other way, i have a question about VPN connection. My home milkrotik is the server and my office mikrotik is client and I have an L2TP tunnel.
I can doing ping to office router and this routers devices from my home router terminal but I can´t doing that from my home "Administrator devices". My firewall allows administrator fordward and input. Why can´t I do it?

Here my sensitive configuration:

# model = RB4011iGS+

/interface bridge
add comment=LAN_Ppal name=LAN_Ppal
/interface ethernet
set [ find default-name=ether1 ] comment=ISP
set [ find default-name=ether2 ] comment=Switch
set [ find default-name=ether3 ] comment=PC
set [ find default-name=ether5 ] comment=AP
set [ find default-name=ether6 ] comment=LM
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether1 name=MasMovil vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=deconf name=LAN
/ip pool
add name=DHCP_LAN_Ppal ranges=192.168.2.20-192.168.2.150
/ip dhcp-server
add address-pool=DHCP_LAN_Ppal disabled=no interface=LAN_Ppal name=DHCP_LAN_Ppal
/interface bridge port
add bridge=LAN_Ppal interface=ether2
add bridge=LAN_Ppal interface=ether3
add bridge=LAN_Ppal interface=ether4
add bridge=LAN_Ppal interface=ether5
add bridge=LAN_Ppal interface=ether6
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=loose
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add interface=MasMovil list=WAN
add interface=LAN_Ppal list=LAN
/ip address
add address=192.168.2.1/24 comment=LAN_Ppal interface=LAN_Ppal network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=MasMovil
/ip dhcp-server lease
add address=192.168.2.225 client-id=1:cc:9e:a2:62:f2:cc comment="Alexa Yoga" mac-address=CC:9E:A2:62:F2:CC server=DHCP_LAN_Ppal
add address=192.168.2.222 comment="Alexa Estudio" mac-address=14:91:38:F3:DF:F0 server=DHCP_LAN_Ppal
add address=192.168.2.221 client-id=1:44:0:49:4d:e4:ab comment="Alexa Salon" mac-address=44:00:49:4D:E4:AB server=DHCP_LAN_Ppal
add address=192.168.2.224 client-id=1:5c:41:5a:93:bd:85 comment="Alexa Cocina" mac-address=5C:41:5A:93:BD:85 server=DHCP_LAN_Ppal
add address=192.168.2.13 client-id=1:44:85:0:30:1e:61 comment="PC Curro" mac-address=44:85:00:30:1E:61 server=DHCP_LAN_Ppal
add address=192.168.2.12 client-id=1:a8:9c:ed:cd:f8:12 comment="Movil David" mac-address=A8:9C:ED:CD:F8:12 server=DHCP_LAN_Ppal
add address=192.168.2.231 comment="Xiaomi Vacuum" mac-address=40:31:3C:A2:E3:3B server=DHCP_LAN_Ppal
add address=192.168.2.145 client-id=1:7c:d5:66:b8:e7:90 comment=Despertador mac-address=7C:D5:66:B8:E7:90 server=DHCP_LAN_Ppal
add address=192.168.2.232 client-id=1:e8:f2:e2:ab:ea:39 comment="TV Salon" mac-address=E8:F2:E2:AB:EA:39 server=DHCP_LAN_Ppal
add address=192.168.2.11 client-id=1:b8:ac:6f:9d:62:d6 comment="PC Estudio" mac-address=B8:AC:6F:9D:62:D6 server=DHCP_LAN_Ppal
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=100.64.0.0/10 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=192.0.0.0/24 list=Bogon
add address=192.0.2.0/24 list=Bogon
add address=192.168.0.0/16 list=Bogon
add address=198.18.0.0/15 list=Bogon
add address=198.51.100.0/24 list=Bogon
add address=203.0.113.0/24 list=Bogon
add address=240.0.0.0/4 list=Bogon
add address=192.168.2.10-192.168.2.20 list=Src_Administradores
add address=192.168.2.205 list=Src_Administradores
add address=192.168.2.20-192.168.2.255 list=Src_Red_LAN
add address=192.168.2.201 list=Dst_Servidores_Usuarios
add address=192.168.2.204 list=Dst_Servidores_Usuarios
add address=192.168.2.205 list=Dst_Servidores_Usuarios
add address=192.168.2.10-192.168.2.255 list=Dst_Red_LAN
add address=192.168.2.201 list=Src_Administradores
add address=192.168.2.202 list=Src_Administradores
add address=192.168.2.3 list=Src_Administradores
add address=10.10.1.201 list=Src_Administradores
/ip firewall filter
add action=add-src-to-address-list address-list=Src_TocToc_Temporal address-list-timeout=1m chain=input comment=TocToc dst-port=5000 protocol=tcp
add action=add-src-to-address-list address-list=Src_TocToc_LM address-list-timeout=5d chain=input comment=AccesoLM dst-port=7000 protocol=tcp src-address-list=Src_TocToc_Temporal
add action=add-src-to-address-list address-list=Src_TocToc_LM_NAS address-list-timeout=5d chain=input comment=AccesoLM_NAS dst-port=8000 protocol=tcp src-address-list=Src_TocToc_Temporal
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=L2TP dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment=L2TP protocol=ipsec-esp
add action=accept chain=input comment=L2TP protocol=ipsec-ah
add action=accept chain=input comment="defconf: accepr input from Src_Admin" src-address-list=Src_Administradores
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow services to lan users" in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input comment="Allow services to lan users" in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input comment="drop all else" log=yes log-prefix="Prohibido input resto"
add action=accept chain=forward log=yes log-prefix=Forward src-address-list=Src_Red_LAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward src-address-list=Src_Administradores
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="Prohibido forward invalido"
add action=accept chain=forward comment="allow internet from LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else" log=yes log-prefix="Prohibido forward resto"
/ip firewall nat
add action=dst-nat chain=dstnat comment=DMZ disabled=yes in-interface=ether1 to-addresses=192.168.2.202
add action=dst-nat chain=dstnat comment="CONTROL TOUCH" dst-port=2199 in-interface=MasMovil log=yes log-prefix="Conexion CT" protocol=tcp to-addresses=192.168.2.204 to-ports=2199
add action=dst-nat chain=dstnat comment="xxx Conexion Web (IMP. Dst type adress local para que funcionen las paginas con puerto 80)" dst-address-type=local dst-port=80 log=yes log-prefix=Conexion_Web protocol=tcp to-addresses=192.168.2.202 to-ports=\
    80
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 log=yes log-prefix="Conexion Web" protocol=tcp to-addresses=192.168.2.202 to-ports=443
add action=dst-nat chain=dstnat comment=MQTT_ext dst-port=41883 log=yes log-prefix="Conexion MQTT" protocol=tcp to-addresses=192.168.2.205 to-ports=1883
add action=dst-nat chain=dstnat comment=NAS dst-port=52151 log=yes log-prefix="Conexion NAS" protocol=tcp src-address-list=Src_TocToc_LM_NAS to-addresses=192.168.2.201 to-ports=52151
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 log=yes log-prefix="Conexion Plex" protocol=tcp to-addresses=192.168.2.201 to-ports=32400
add action=dst-nat chain=dstnat comment=LM dst-port=52200 log=yes log-prefix="Conexion NAS" protocol=tcp src-address-list=Src_TocToc_LM_NAS to-addresses=192.168.2.205 to-ports=80
add action=masquerade chain=srcnat comment="Para hacer LoopBack y que no se rompa la consxion si accedemos desde dentro" dst-address=192.168.2.201 dst-port=52151 out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.202 dst-port=80 out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.202 dst-port=443 out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.205 dst-port=80 out-interface=LAN_Ppal protocol=tcp src-address=192.168.2.12
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 dst-address=10.10.2.0/24 gateway=10.10.1.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ppp secret
add local-address=10.10.1.1 name=David profile=default-encryption remote-address=10.10.1.201
add local-address=10.10.1.1 name=Cliente_2 profile=default-encryption remote-address=10.10.1.2 service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system logging
add disabled=yes topics=firewall
/system ntp client
set primary-ntp=216.239.35.0 secondary-ntp=129.250.35.250
/system scheduler
add interval=15s name="Mikrotik Despierto" on-event="{\r\
    \n/tool fetch url=\"http://remote:AAaa1111@192.168.2.205/scada-remote\" http-data=\"m=json&r=grp&fn=write&alias=34/3/51&value=1\" http-method=post as-value output=user; \t \r\
    \n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=nov/16/2019 start-time=13:44:56
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Thanks so much!

tdw · Mon Feb 15, 2021 5:17 pm

But today I´ve seen something strange, i´ve connected my office mikrotik router to mine to access some devices from my home and in the moment I lost internet connection "ping 8.8.8.8" doesn´t response but ping to my office devices response correctly, so I have an internet connection.

Google provides DNS on 8.8.8.8, but AFAIK it is not guaranteed to respond to pings. I have seen cases where it stops responding to ping for several hours whilst still responding to DNS queries.

My home milkrotik is the server and my office mikrotik is client and I have an L2TP tunnel.
I can doing ping to office router and this routers devices from my home router terminal but I can´t doing that from my home "Administrator devices". My firewall allows administrator fordward and input. Why can´t I do it?

You have a static route on this Mikrotik to 10.10.2.0/24 via 10.10.1.2 which is the remote address in one of the VPN secrets, do you have an equivalent static route at the remote end back to 192.168.2.0/24?

DavidGB · Fri Feb 19, 2021 5:56 pm

Thanks!! It was ip route (wrong IP).

In the other way, mikrotik not only doesnt response to 8.8.8.8. I havent internet conection in lan when this happen (Mani times a day)

Enviado desde mi MI 9 mediante Tapatalk

Andrik · Sat Feb 20, 2021 11:51 am

Glad you found the solution.
I have the same problem I have the fixed my issue from this guide easily. Hope this work for you.

DavidGB · Tue Feb 23, 2021 9:53 pm

Hi! I think i´ve found internet problem in my mikrotik...

I don't know why all these IPs exist in my lan network...

IP ARP.JPG

Can anyone help me?

Cablenut9 · Tue Feb 23, 2021 9:56 pm

I have the same IP problem, do you have a device that connects and disconnects often?

DavidGB · Tue Feb 23, 2021 11:07 pm

Yes, a few devices, not one only. I think all muy Network. However i have connection with my work mikrotik and internal Network.

Enviado desde mi MI 9 mediante Tapatalk

nichky · Wed Feb 24, 2021 6:24 am

DavidGB

/export file=conf hide-sensitive

DavidGB · Wed Feb 24, 2021 9:03 am

DavidGB

/export file=conf hide-sensitive

Hi, here my configuration:

conf.rsc

Thanks Nichky!

nichky · Wed Feb 24, 2021 10:10 am

about your experiencing drops out need to be monitored on real time, could be layer one issues, dont know.
i will disable the followinf roule:
/ip firewall filter
add action=drop chain=forward comment="drop all else" log=yes log-prefix="Prohibido forward resto"

about your vpn i will disable fasttrack, and make sure you have rebooted the device
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

cdiedrich · Wed Feb 24, 2021 2:17 pm

Looks like a device with the private MAC address 00:00:5e:00:01:6F (this belongs to a VRRP interface) is doing proxy-arp.
The reply from that MAC address with IP 192.168.2.3 points to a D-Link AP. I'd check its settings.
-Chris

DavidGB · Fri Feb 26, 2021 9:45 pm

Looks like a device with the private MAC address 00:00:5e:00:01:6F (this belongs to a VRRP interface) is doing proxy-arp.
The reply from that MAC address with IP 192.168.2.3 points to a D-Link AP. I'd check its settings.
-Chris

This mac is ISP router. The next week i´m going to change to vodafone. I think that is the problem.

I have another question about VPN.
I can acces to "Cliente_2" VPN client from my Lan Network (192.168.2.0/24) but i can´t acces from my VPN network (conected to "David" profile "10.10.1.201"). How can I access from this conection? it is necessary to do /ip route?

Thanks

DavidGB · Tue Mar 09, 2021 1:35 pm

Hi,

I think internet the problem was from the isp provider. Now with vodafone internet work fine.

I have 3 questions about my configuration.

I can´t access to "Cliente_2" VPN secret devices if I´m connected to my microtic with VPN to David secret but I can access from my internal LAN

When I connect to "David" secret with VPN connection, i don´t have Internet

I´ve configured Vodafone IPTV and internet and if I remove drop firewall input and forward work perfectly, but if I keep my firewall IPTV doesn´t work. I don´t know firewall accept rule for this situation

Here my code:

# mar/03/2021 12:31:57 by RouterOS 6.48.1
# software id = E82L-C64C
#
# model = RB4011iGS+
# serial number = B8F60A38C7A4
/interface bridge
add igmp-snooping=yes name=LAN-Bridge
/interface ethernet
set [ find default-name=ether1 ] comment=ISP
set [ find default-name=ether2 ] comment=Switch
set [ find default-name=ether3 ] comment=PC
set [ find default-name=ether5 ] comment=AP
set [ find default-name=ether6 ] comment=LM
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether1 name=INTERNET vlan-id=100
add interface=LAN-Bridge name=LAN vlan-id=20
add interface=ether1 name=TIVO vlan-id=105
/interface pppoe-client
add add-default-route=yes disabled=no interface=INTERNET name=PPPoE-out1 user=USER@vodafone
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/ip dhcp-server option
add code=12 name=TIVO value="'TIVO'"
/ip pool
add name=LAN-Pool ranges=192.168.2.21-192.168.2.150
add name=TIVO-Pool ranges=192.168.2.251-192.168.2.253
/ip dhcp-server
add address-pool=LAN-Pool disabled=no interface=LAN-Bridge name=DHCP-LAN
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 wins-server=8.8.4.4
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=LAN-Bridge interface=ether2
add bridge=LAN-Bridge interface=ether3
add bridge=LAN-Bridge interface=ether4
add bridge=LAN-Bridge interface=ether5
add bridge=LAN-Bridge interface=ether6
add bridge=LAN-Bridge interface=ether7
add bridge=LAN-Bridge interface=ether8
add bridge=LAN-Bridge interface=ether9
add bridge=LAN-Bridge interface=ether10
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/ip address
add address=192.168.2.1/24 interface=LAN-Bridge network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no disabled=no interface=TIVO use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.2.225 client-id=1:cc:9e:a2:62:f2:cc comment="Alexa Yoga" mac-address=CC:9E:A2:62:F2:CC server=DHCP-LAN
add address=192.168.2.222 comment="Alexa Estudio" mac-address=14:91:38:F3:DF:F0 server=DHCP-LAN
add address=192.168.2.221 client-id=1:44:0:49:4d:e4:ab comment="Alexa Salon" mac-address=44:00:49:4D:E4:AB server=DHCP-LAN
add address=192.168.2.224 client-id=1:5c:41:5a:93:bd:85 comment="Alexa Cocina" mac-address=5C:41:5A:93:BD:85 server=DHCP-LAN
add address=192.168.2.13 client-id=1:44:85:0:30:1e:61 comment="PC Curro" mac-address=44:85:00:30:1E:61 server=DHCP-LAN
add address=192.168.2.231 comment="Xiaomi Vacuum" mac-address=40:31:3C:A2:E3:3B server=DHCP-LAN
add address=192.168.2.145 client-id=1:7c:d5:66:b8:e7:90 comment=Despertador mac-address=7C:D5:66:B8:E7:90 server=DHCP-LAN
add address=192.168.2.232 client-id=1:e8:f2:e2:ab:ea:39 comment="TV Salon" mac-address=E8:F2:E2:AB:EA:39 server=DHCP-LAN
add address=192.168.2.11 client-id=1:b8:ac:6f:9d:62:d6 comment="PC Estudio" mac-address=B8:AC:6F:9D:62:D6 server=DHCP-LAN
add address=192.168.2.12 client-id=1:ea:f2:30:ce:22:b6 comment="Movil David" mac-address=EA:F2:30:CE:22:B6 server=DHCP-LAN
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.2.251/32 dhcp-option=TIVO gateway=192.168.2.1 netmask=29
/ip firewall address-list
add address=0.0.0.0/8 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=100.64.0.0/10 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=192.0.0.0/24 list=Bogon
add address=192.0.2.0/24 list=Bogon
add address=192.168.0.0/16 list=Bogon
add address=198.18.0.0/15 list=Bogon
add address=198.51.100.0/24 list=Bogon
add address=203.0.113.0/24 list=Bogon
add address=240.0.0.0/4 list=Bogon
add address=192.168.2.10-192.168.2.20 list=Src_Administradores
add address=192.168.2.205 list=Src_Administradores
add address=192.168.2.20-192.168.2.255 list=Src_Red_LAN
add address=192.168.2.201 list=Dst_Servidores_Usuarios
add address=192.168.2.204 list=Dst_Servidores_Usuarios
add address=192.168.2.205 list=Dst_Servidores_Usuarios
add address=192.168.2.10-192.168.2.255 list=Dst_Red_LAN
add address=192.168.2.201 list=Src_Administradores
add address=192.168.2.202 list=Src_Administradores
add address=192.168.2.3 list=Src_Administradores
add address=10.10.1.201 list=Src_Administradores
/ip firewall filter
add action=add-src-to-address-list address-list=Src_TocToc_Temporal address-list-timeout=1m chain=input comment=TocToc dst-port=5000 protocol=tcp
add action=add-src-to-address-list address-list=Src_TocToc_LM address-list-timeout=5d chain=input comment=AccesoLM dst-port=7000 protocol=tcp src-address-list=Src_TocToc_Temporal
add action=add-src-to-address-list address-list=Src_TocToc_LM_NAS address-list-timeout=5d chain=input comment=AccesoLM_NAS dst-port=8000 protocol=tcp src-address-list=Src_TocToc_Temporal
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=L2TP dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment=L2TP protocol=ipsec-esp
add action=accept chain=input comment=L2TP protocol=ipsec-ah
add action=accept chain=input comment="defconf: accepr input from Src_Admin" src-address-list=Src_Administradores
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow services to lan users" in-interface=LAN-Bridge port=53 protocol=tcp
add action=accept chain=input comment="Allow services to lan users" in-interface=LAN-Bridge port=53 protocol=udp
add action=accept chain=input comment="Allow services to lan users" in-interface=TIVO protocol=udp
add action=drop chain=input comment="drop all else" log=yes log-prefix="Prohibido input resto"
add action=accept chain=forward log-prefix=Forward src-address-list=Src_Red_LAN
add action=accept chain=forward src-address-list=Src_Administradores
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="Prohibido forward invalido"
add action=accept chain=forward comment="CAMBIAR SOLO HACIA EL DISPOSITIVO" in-interface=LAN-Bridge out-interface=PPPoE-out1
add action=accept chain=forward comment="allow internet from LAN-Bridge to WAN" in-interface=TIVO out-interface=LAN-Bridge
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=PPPoE-out1
add action=drop chain=forward comment="drop all else" log=yes log-prefix="Prohibido forward resto"
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=TIVO
add action=set-priority chain=postrouting new-priority=4 out-interface=TIVO
add action=set-priority chain=postrouting new-priority=0 out-interface=PPPoE-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=TIVO
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 log=yes out-interface=PPPoE-out1 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface=TIVO
add action=dst-nat chain=dstnat dst-address-type=local in-interface=TIVO to-addresses=192.168.2.251
add action=dst-nat chain=dstnat comment=DMZ disabled=yes in-interface=PPPoE-out1 to-addresses=192.168.2.202
add action=dst-nat chain=dstnat comment="CONTROL TOUCH" dst-port=2199 in-interface=PPPoE-out1 log=yes log-prefix="Conexion CT" protocol=tcp to-addresses=192.168.2.204 to-ports=2199
add action=dst-nat chain=dstnat comment="xxx Conexion Web (IMP. Dst type adress local para que funcionen las paginas con puerto 80)" dst-address-type=local dst-port=80 log=yes log-prefix=Conexion_Web protocol=tcp to-addresses=192.168.2.202 to-ports=\
    80
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 log=yes log-prefix="Conexion Web" protocol=tcp to-addresses=192.168.2.202 to-ports=443
add action=dst-nat chain=dstnat comment=MQTT_ext dst-port=41883 log=yes log-prefix="Conexion MQTT" protocol=tcp to-addresses=192.168.2.205 to-ports=1883
add action=dst-nat chain=dstnat comment=NAS dst-port=52151 log=yes log-prefix="Conexion NAS" protocol=tcp src-address-list=Src_TocToc_LM_NAS to-addresses=192.168.2.201 to-ports=52151
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 log=yes log-prefix="Conexion Plex" protocol=tcp to-addresses=192.168.2.201 to-ports=32400
add action=dst-nat chain=dstnat comment=LM dst-port=52200 log=yes log-prefix="Conexion NAS" protocol=tcp src-address-list=Src_TocToc_LM_NAS to-addresses=192.168.2.205 to-ports=80
add action=masquerade chain=srcnat comment="Para hacer LoopBack y que no se rompa la consxion si accedemos desde dentro" dst-address=192.168.2.201 dst-port=52151 out-interface=LAN-Bridge protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.202 dst-port=80 out-interface=LAN-Bridge protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.202 dst-port=443 out-interface=LAN-Bridge protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.205 dst-port=80 out-interface=LAN-Bridge protocol=tcp src-address=192.168.2.12
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 dst-address=10.8.57.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.8.58.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.8.59.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.10.2.0/24 gateway=10.10.1.2
add distance=1 dst-address=10.15.220.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.179.32.0/23 gateway=TIVO pref-src=10.214.13.28
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ppp secret
add local-address=10.10.1.1 name=David profile=default-encryption remote-address=10.10.1.201
add local-address=10.10.1.1 name=Cliente_2 profile=default-encryption remote-address=10.10.1.2 service=l2tp
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=TIVO upstream=yes
add interface=LAN-Bridge
/system clock
set time-zone-name=Europe/Madrid
/system logging
add disabled=yes topics=firewall
/system ntp client
set primary-ntp=216.239.35.0 secondary-ntp=129.250.35.250
/system scheduler
add interval=15s name="Mikrotik Despierto" on-event="{\r\
    \n/tool fetch url=\"http://remote:AAaa1111@192.168.2.205/scada-remote\" http-data=\"m=json&r=grp&fn=write&alias=34/3/51&value=1\" http-method=post as-value output=user; \t \r\
    \n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=nov/16/2019 start-time=13:44:56
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Thanks for all!!!

Internet / VPN Problem

Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem

Re: Internet / VPN Problem