ping and dns problem on ipsec tunnel

nagylzs · Fri Jan 14, 2022 7:07 pm

I have two HAP AC2 devices.

* Side #1 is called "lacinet", it has address 192.168.14.254/24 on BASE (management) vlan.
* Side #2 is called "magnet", it has 192.168.19.254/24 main address on BASE (management) vlan.
* There are also other networks with different vlans on both sides (10.14.VLAN-SIDE1.X and 10.19.VLAN-SIDE2.Y )
* These routers are connected via ipsec/ike2 tunnel over the internet.

On side1, I have these policies:

/ip ipsec policy
set 0 comment="For l2tp-server"
add dst-address=192.168.19.0/24 group=group-magzatom proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes
add dst-address=10.19.0.0/16 group=group-magzatom proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes

On side2, I have these policies:

/ip ipsec policy
set 0 comment="For l2tp-server" dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.14.0/24 peer=not_telling.com proposal=proposal-s2s-ros src-address=192.168.19.0/24 tunnel=yes
add dst-address=192.168.14.0/24 peer=not_telling.com proposal=proposal-s2s-ros src-address=10.19.0.0/16 tunnel=yes

They are active and established:

[gandalf@r01.magnet] /ip ipsec policy> print 
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #      PEER           TUNNEL SRC-ADDRESS                                         DST-ADDRESS                                         PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T  * ;;; For l2tp-server
                              0.0.0.0/0                                           0.0.0.0/0                                           all       
 1   A  xyzq.abcd.co   yes    192.168.19.0/24                                     192.168.14.0/24                                     all        encrypt require         59
 2   A  xyzq.abcd.co   yes    10.19.0.0/16                                        192.168.14.0/24                                     all        encrypt require          1

On side1, I have this DNS setting:

/ip dns static
add forward-to=192.168.19.254 regexp=".*\\.magnet" type=FWD
add comment=magzatom-base forward-to=192.168.19.254 regexp=".*\\.19\\.168\\.192.\\in-addr\\.arpa" type=FWD
add comment=magzatom-vlan forward-to=192.168.19.254 regexp=".*\\.19\\.10.\\in-addr\\.arpa" type=FWD

On side2, there are many static addresses, here are some examples:

/ip dns static
add address=192.168.19.254 name=r01.magnet
add address=192.168.19.253 name=r02.magnet
add address=192.168.19.252 name=r03.magnet
add address=10.19.30.10 name=nvr.magnet
add address=10.19.10.101 comment=#DHCP name=nas.magnet. ttl=10m

(Actually, many of them are created by a dhcp lease script but that is not important.)

All right, so I connect a computer on side1 to the network, with DHCP. Let's say that computer1 has address 192.168.14.106

Then I do this

─$ ping 192.168.19.254                                                                                                                                               130 ↵
PING 192.168.19.254 (192.168.19.254) 56(84) bytes of data.
64 bytes from 192.168.19.254: icmp_seq=1 ttl=63 time=15.7 ms

In other words, I can ping from LAN1 (192.168.14.106) -> router1 (192.168.14.254) -> ipsec tunnel -> router2 (192.168.19.254)

But if try to ping from router1, then this is what happens:

[gandalf@router.lacinet] > /ping 192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                       
    0 192.168.19.254                                          timeout                                                                                                      
    sent=1 received=0 packet-loss=100%

So this one does not work: router1 (192.168.14.254) -> ipsec tunnel -> router2 (192.168.19.254)

This problem also shows itself with DNS requests. This happens when I want to get the address of a remote machine, specifying the DNS server by hand:

$ host nas.magnet 192.168.19.254
Using domain server:
Name: 192.168.19.254
Address: 192.168.19.254#53
Aliases: 

nas.magnet has address 10.19.10.101

And this happens when I try to use the default DNS server (which is 192.168.14.254, in other words it is router1):

$ host nas.magnet
;; connection timed out; no servers could be reached

Again, this is computer on LAN1 -> router1 -> ipsec tunnel -> router2, just UDP/53 instead of ICMP ping.

This is my input chain on side2:

/ip firewall filter> print chain=input
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Allow UDP 500,4500,1701 for IKE, IPSEC/ESP and L2TP
      chain=input action=accept protocol=udp port=1701,500,4500 

 1    ;;; Allow IPSEC/ESP
      chain=input action=accept protocol=ipsec-esp 

 2    ;;; Accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 3    ;;; Drop invalid
      chain=input action=drop connection-state=invalid 

 4    ;;; Accept ICMP
      chain=input action=accept protocol=icmp 

 5    ;;; CAPsMAN and CAP
      chain=input action=accept src-address-type=local dst-address-type=local 

 6    ;;; Input from BASE mgmt
      chain=input action=accept in-interface-list=BASE 

 7    ;;; SSH input, with brute force protection
      chain=input action=jump jump-target=input_ssh protocol=tcp dst-port=22 

 8    ;;; Input from VLAN
      chain=input action=jump jump-target=input_from_vlan in-interface-list=VLAN 

 9    ;;; Input from L2TP client
      chain=input action=jump jump-target=input_from_l2tp src-address=10.19.200.0/24 

10    ;;; DNS from lacinet udp
      chain=input action=accept protocol=udp src-address=192.168.14.0/24 dst-port=53 

11    ;;; DNS from lacinet tcp
      chain=input action=accept protocol=tcp src-address=192.168.14.0/24 dst-port=53 

12    ;;; Drop
      chain=input action=drop

Rule number 4 should accept all ICMP requests including ping. Rule number 10 and 11 should accept all DNS requests from side1.

I can't find out what the problem is. How is it possible that ping does not work router1 -> router2, but it works computer1 -> router1 -> router2 ? What am I not seeing?

p.s.: can could send the whole router config but it is sooo long. Both sides have 4-5 vlans, many other firewall rules (I think most of them are not relevant, they are moved to different chains), also NAT rules, L2TP servers etc.

sindy · Fri Jan 14, 2022 7:17 pm

When the router sends an initial packet of some connection (i.e. it does not respond to an incoming packet), if first finds the route to the destination and its gateway interface, and then it sends the packet from the IP address associated to that interface, unless there is a pref-src address set for that route. So since your default route likely uses the WAN gateway, and it likely has no dedicated route to the LAN subnet of the remote IPsec peer, the DNS request is sent to the address of the DNS server but with the IP of the WAN interface as source, and hence the traffic selector of the IPsec policy cannot see it. So add a route to the remote LAN subnet with pref-src=ip.from.local.lan.subnet; the gateway of this route is not really important, it may even be the LAN bridge interface, as the packet will only be actually sent via that gateway if the IPsec tunnel is down.

xxrentnerxx · Fri Jan 14, 2022 7:31 pm

Hi

sindy's answer sounds good, but i never tried.

I solved the same situation by creating a output mangle rule and marked these packages. Then in a snat rule i src-nated these packages.

nagylzs · Sat Jan 15, 2022 4:15 pm

I already have this route added on side1:

add comment="VPN to magnet-base" distance=1 dst-address=192.168.19.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to magnet-vlan" distance=1 dst-address=10.19.0.0/16 gateway=ipsec pref-src=192.168.14.254

And this one on side 2:

add comment="VPN to lacinet" distance=1 dst-address=192.168.14.0/24 gateway=ipsec pref-src=192.168.19.254

I have other IPSEC clients connected to router1 (lacinet) with different subnets. All of them work, except this one. I can't figure out why.
The route from 10.19.x.x to * is not added only because I do not need it.

The ipsec gateway is defined as:

/interface bridge
add name=ipsec protocol-mode=none

It way already this way when I did the tests.

nagylzs · Sat Jan 15, 2022 4:19 pm

BTW I have other IPSEC/IKEv2 clients connected to router1 (lacinet), with different subnets on the remote side. All of them work, except this one. I can't figure out why.

sindy · Sat Jan 15, 2022 4:24 pm

I already have this route added on side1:
...
And this one on side 2:
...

In this case, the only thing to come to my mind without seeing the complete configurations is that some NAT rule breaks it. But it would have to be a selective one that would only affect connections initiated by Router 1 itself.

When you make the command line window as your screen allows, run /tool sniffer quick ip-protocol=icmp ip-address=192.168.19.254 in it, and run /ping 192.168.19.254 in another command line window, what does the sniffer show?

nagylzs · Sat Jan 15, 2022 9:10 pm

When I ping router2 (192.168.19.254) from router1 (192.168.14.254), then this is what I see on router 2:

/tool sniffer> quick  ip-protocol=icmp ip-address=192.168.19.254
INTERFACE                            TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS
ether5-wan                          0.758      1 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.254
ether5-wan                          1.754      2 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.254
ether5-wan                          2.757      3 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.254
ether5-wan                          3.759      4 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.254

And this is what I see on router 1:

/tool sniffer> quick  ip-protocol=icmp ip-address=192.168.19.254
INTERFACE                            TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS

E.g. nothing.

When I ping it from 192.168.14.106 (a computer), then this is what I see on router2:

/tool sniffer> quick  ip-protocol=icmp ip-address=192.168.19.254
INTERFACE                            TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS
ether5-wan                         10.852      1 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.106
ether5-wan                         11.864      2 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.106
ether5-wan                         12.862      3 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.106
ether5-wan                         13.875      4 <- 00:01:5C:AB:A6:45 08:55:31:E7:F3:6B        192.168.14.106

And router1:

/tool sniffer> quick  ip-protocol=icmp ip-address=192.168.19.254
INTERFACE                            TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS

Nothing again, but somehow the response reaches the computer.

I'm going to post all NAT rules from router1 and router2 below, but it is a bit long.

router1

/ip firewall nat
add action=jump chain=srcnat comment="Src-Nat l2tp laci-vivobook-> any" jump-target=srcnat_laci_l2tp src-address=10.14.200.104
add action=src-nat chain=srcnat comment="Src-Nat BASE->BLUE" out-interface=BLUE_VLAN src-address=192.168.14.0/24 to-addresses=\
    10.14.10.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->RED" out-interface=RED_VLAN src-address=192.168.14.0/24 to-addresses=\
    10.14.30.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->CYAN" out-interface=CYAN_VLAN src-address=192.168.14.0/24 to-addresses=\
    10.14.40.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->HALL" dst-address=10.14.200.0/24 src-address=192.168.14.0/24 \
    to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->LTE-mgmt" out-interface=ether4-lte src-address=192.168.14.0/24 \
    to-addresses=10.14.100.2
add action=src-nat chain=srcnat_laci_l2tp comment="Src-Nat l2tp laci-vivbook->ipsec" out-interface=ipsec to-addresses=\
    192.168.14.254
add action=src-nat chain=srcnat_laci_l2tp comment="Src-Nat l2tp laci-vivobook->l2tp (inter-l2tp)" dst-address=10.14.200.0/24 \
    to-addresses=10.14.200.1
add action=dst-nat chain=dstnat comment="postgres kali-homok slave backup.not_tellig_.hu->lacinet->forgach-vpn" dst-port=54321 \
    in-interface=ether5-wan protocol=tcp src-address=164.1.2.3 to-addresses=10.14.10.105 to-ports=5432
add action=src-nat chain=srcnat comment="stonemining slave/vnc htpc->stonemining" dst-address=10.14.200.107 dst-port=5432,5900 \
    protocol=tcp src-address=10.14.10.105 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="kalihomok slave/vnc htpc->forgach" dst-address=10.14.200.101 dst-port=5432,5900 \
    protocol=tcp src-address=10.14.10.105 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="kavicsbanya slave htpc->borika-pc" dst-address=192.168.18.199 dst-port=5432,5900 \
    protocol=tcp src-address=10.14.10.105 to-addresses=192.168.14.254
add action=src-nat chain=srcnat comment="Src-Nat htpc->visznet all" dst-address=192.168.5.0/24 src-address=10.14.10.105 \
    to-addresses=192.168.14.254
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat_laci_l2tp comment="Src-Nat l2tp laci-vivobook->blue" dst-address=10.14.10.0/24 to-addresses=\
    10.14.10.1

router2

/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="scr-nat lacinet->RED" out-interface=RED_VLAN src-address=192.168.14.0/24 to-addresses=\
    10.19.30.1
add action=src-nat chain=srcnat comment="Src-Nat base-lacinet->base-magnet" out-interface=BASE_VLAN src-address=192.168.14.0/24 \
    to-addresses=192.168.19.254
add action=src-nat chain=srcnat comment="Src-Nat base-lacinet->hall-magnet" dst-address=10.19.200.0/24 src-address=\
    192.168.14.0/24 to-addresses=10.19.200.1
add action=src-nat chain=srcnat comment="Src-Nat l2tp viktornas->nas" dst-address=10.19.10.101 src-address=10.19.200.102 \
    to-addresses=10.19.200.1

nagylzs · Sat Jan 15, 2022 9:17 pm

5 minutes later, I tried again and now it works.

[gandalf@router.lacinet] /ip firewall nat> /ping 192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                             56  64 25ms
    1 192.168.19.254                             56  64 29ms
    2 192.168.19.254                             56  64 12ms
    3 192.168.19.254                             56  64 14ms
    4 192.168.19.254                             56  64 18ms
    sent=5 received=5 packet-loss=0% min-rtt=12ms avg-rtt=19ms max-rtt=29ms

But I did not change anything on any side. I was just trying different sniffer settings.

This seems to be an intermittent problem. Sometimes is works, sometimes not. But how it is possible?

I'm going to make more tests later, and see if it works or not.

sindy · Sat Jan 15, 2022 9:41 pm

The reason why you can see the icmp packets from 192.168.14.254 to 192.168.19.254 at the destination router but not at the source one is that payload packets decrypted from received IPsec transport ones are shown in the sniff, but the sent payload packets before getting encrypted into the IPsec transport ones are not.

If they would have been shown at the source router, it would have meant that they have evaded any IPsec policy; as you can not see them there but you can see them at router 2 means no NAT rule has modified them at Router 1 and they did match the policy.

The input filter rules at router 2 accept icmp no matter where it comes from, so it is not an issue. So either a rp-filter at router 2, or some overlapping IPsec policy may drop them for "arriving via wrong door", or the response is not routed properly, or something at router1 doesn't let them in.

What surprises me a lot and suggests a more complex problem is that when you ping 192.168.19.254 from 192.168.14.106, you cannot see the responses at Router 1. This suggests that the responses bypass Router 1 somehow, but theoretically it may be a glitch of the sniffing of the decapsulated IPsec payload. To be sure, place the following rule as the very first static one to mangle chain prerouting at router 1:
src-address=192.168.19.254 dst-address=192.168.19.254 protocol=icmp action=passthrough comment=x
Then, run /ip firewall mangle print stats interval=1s where comment=x and start pinging 192.168.19.254 from 192.168.14.106 again. If you can see the rule to count, it means the sniffing is broken; if you cannot, the ICMP responses arrive to the comupter some other way than via router 1.

nagylzs · Sun Jan 16, 2022 11:23 am

This was given on both sides:

/ip settings
set rp-filter=strict

Changed to rp-filter=no but it still doesn't work.

nagylzs · Sun Jan 16, 2022 11:28 am

I think there are no overlapping ipsec policies. Here are the policies on router 1, public IPs replaced with dummy ones:

[gandalf@router.lacinet] /ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #      PEER  TUN SRC-ADDRESS                                    DST-ADDRESS                                    PROTOCOL   ACTION
 0 T  * ;;; For l2tp-server
                  ::/0                                           ::/0                                           all
 1   DA  l2t.. no  17.17.17.17/32                               1.2.3.4/32                              udp        encrypt
 2   DA  l2t.. no  17.17.17.17/32                               5.6.7.8/32                               all        encrypt
 3   DA  l2t.. no  17.17.17.17/32                               9.10.11.12/32                               udp        encrypt
 4   DA  l2t.. no  17.17.17.17/32                               13.14.15.16/32                                udp        encrypt
 5 T    ;;; office.not_telling3.com
                  192.168.14.0/24                                192.168.5.0/24                                 all
 6   DA  pee.. yes 192.168.14.0/24                                192.168.5.0/24                                 all        encrypt
 7 T    ;;; office.not_telling.com
                  192.168.14.0/24                                192.168.13.0/24                                all
 8   DA  pee.. yes 192.168.14.0/24                                192.168.13.0/24                                all        encrypt
 9 T    ;;; kavicsbanya.not_telling.com
                  192.168.14.0/24                                192.168.18.0/24                                all
10   DA  pee.. yes 192.168.14.0/24                                192.168.18.0/24                                all        encrypt
11 T    ;;; office.not_telling2.com
                  192.168.14.0/24                                192.168.19.0/24                                all
12   DA  pee.. yes 192.168.14.0/24                                192.168.19.0/24                                all        encrypt
13 T    ;;; office.not_telling2.com-vlan
                  192.168.14.0/24                                10.19.0.0/16                                   all
14   DA  pee.. yes 192.168.14.0/24                                10.19.0.0/16                                   all        encrypt

These are for router2:

[gandalf@r01.magnet] /ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #      PEER  TUN SRC-ADDRESS                                    DST-ADDRESS                                    PROTOCOL   ACTION
 0 T  * ;;; For l2tp-server
                  0.0.0.0/0                                      0.0.0.0/0                                      all
 1   A  lac.. yes 192.168.19.0/24                                192.168.14.0/24                                all        encrypt
 2   A  lac.. yes 10.19.0.0/16                                   192.168.14.0/24                                all        encrypt

nagylzs · Sun Jan 16, 2022 11:42 am

I did this on router 1:

/ip firewall mangle add src-address=192.168.19.254 dst-address=192.168.19.254 protocol=icmp action=passthrough comment=x chain=prerouting place-before=1
/ip firewall mangle print stats interval=1s

Then I started to ping 192.168.19.254 from 192.168.19.106 and this happened on router one:

[gandalf@router.lacinet] /ip firewall mangle>  /ip firewall mangle print stats interval=1s where comment=x
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                                                ACTION                            BYTES         PACKETS
 0    ;;; x
      prerouting                                                           passthrough                           0               0

I was socked when I saw this on the computer:

Microsoft Windows [Version 10.0.19042.1466]
(c) Microsoft Corporation. Minden jog fenntartva.

C:\Users\nagyl>ping 192.168.19.254

Pinging 192.168.19.254 with 32 bytes of data:
Reply from 192.168.19.254: bytes=32 time=25ms TTL=63
Request timed out.
Reply from 192.168.19.254: bytes=32 time=143ms TTL=63
Reply from 192.168.19.254: bytes=32 time=28ms TTL=63

Ping statistics for 192.168.19.254:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 143ms, Average = 65ms

It was the first time I could catch that this is an intermittent problem. Usually it either works for an hour, then doesn't work for half a day.

> If you can see the rule to count, it means the sniffing is broken; if you cannot, the ICMP responses arrive to the comupter some other way than via router 1.

Now that it totally impossible. Both routers connect to a local ISP. They have the whole internet between them. Even if a packet could leak out to the ISP's router, it would be impossible to route it. Moreover, I have some guardians to prevent leaking:

/ip route
add comment="EKKE Telekom Mobil/LTE" distance=2 gateway=10.14.100.1
add comment="Prevent package leak RFC1918 class A" distance=1 dst-address=10.0.0.0/8 type=unreachable
add comment="VPN to magnet-vlan" distance=1 dst-address=10.19.0.0/16 gateway=ipsec pref-src=192.168.14.254
add comment="Prevent package leak RFC1918 class B" distance=1 dst-address=172.16.0.0/12 type=unreachable
add comment="Prevent package leak RFC1918 class C" distance=1 dst-address=192.168.0.0/16 type=unreachable
add comment="VPN to visznet" distance=1 dst-address=192.168.5.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to sznet" distance=1 dst-address=192.168.13.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to kavicsnet" distance=1 dst-address=192.168.18.0/24 gateway=ipsec pref-src=192.168.14.254
add comment="VPN to magnet-base" distance=1 dst-address=192.168.19.0/24 gateway=ipsec pref-src=192.168.14.254

The very first rule belongs to an alternate ISP connection, but it is not used. (The default route is added by dhcp-client with distance=1.) There are rules called "Prevent package leak...". Just to be sure, I have disabled that rule and here is the full actual list, with public IPs changed:

 /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          17.17.255.254            1
 1 X S  ;;; EKKE Telekom Mobil/LTE
        0.0.0.0/0                          10.14.100.1               2
 2 A SU ;;; Prevent package leak RFC1918 class A
        10.0.0.0/8                                                   1
 3 ADC  10.14.10.0/24      10.14.10.1      BLUE_VLAN                 0
 4 ADC  10.14.20.0/24      10.14.20.1      GREEN_VLAN                0
 5 ADC  10.14.30.0/24      10.14.30.1      RED_VLAN                  0
 6 ADC  10.14.40.0/24      10.14.40.1      CYAN_VLAN                 0
 7 ADC  10.14.100.0/24     10.14.100.2     ether4-lte                0
 8 ADC  10.14.200.0/24     10.14.200.1     HALL_VLAN                 0
 9 ADC  10.14.200.105/32   10.14.200.1     <l2tp-kardirex>           0
10 ADC  10.14.200.106/32   10.14.200.1     <l2tp-szek>               0
11 ADC  10.14.200.113/32   10.14.200.1     <l2tp-backupmes...        0
12 A S  ;;; VPN to magnet-vlan
        10.19.0.0/16       192.168.14.254  ipsec                     1
13 ADC  17.17.240.0/20    17.17.249.35   ether5-wan                0
14 A SU ;;; Prevent package leak RFC1918 class B
        172.16.0.0/12                                                1
15 A SU ;;; Prevent package leak RFC1918 class C
        192.168.0.0/16                                               1
16 A S  ;;; VPN to visznet
        192.168.5.0/24     192.168.14.254  ipsec                     1
17 A S  ;;; VPN to sznet
        192.168.13.0/24    192.168.14.254  ipsec                     1
18 ADC  192.168.14.0/24    192.168.14.254  BASE_VLAN                 0
19 A S  ;;; VPN to kavicsnet
        192.168.18.0/24    192.168.14.254  ipsec                     1
20 A S  ;;; VPN to magnet-base
        192.168.19.0/24    192.168.14.254  ipsec                     1

sindy · Sun Jan 16, 2022 11:52 am

Any rules in /ip firewall raw? Use print, not export.

nagylzs · Sun Jan 16, 2022 11:55 am

Also tried traceroute from the computer:

C:\Users\nagyl>tracert 192.168.19.254

Tracing route to r01.magnet [192.168.19.254]
over a maximum of 30 hops:

  1     3 ms    <1 ms    <1 ms  router.lacinet [192.168.14.254]
  2    30 ms    34 ms    20 ms  r01.magnet [192.168.19.254]

Trace complete.

I think it is next to impossible that this went through on anything but the ipsec tunnel.

It also works for the remote VLAN 10.19.10.0/24

C:\Users\nagyl>tracert 10.19.10.101

Tracing route to 10.19.10.101 over a maximum of 30 hops

  1     2 ms     4 ms    <1 ms  router.lacinet [192.168.14.254]
  2    15 ms    14 ms    20 ms  r01.magnet [192.168.19.254]
  3    16 ms    15 ms    29 ms  10.19.10.101

Trace complete.

Notice how the hostname was found for r01.magnet in the above trace, but not for 10.19.10.101 (nas.magnet). It also shows the intermittency of this problem. Some DNS requests go through, but some don't.

If I try to ping the same IPs from router1, then I see this:


[gandalf@router.lacinet] /ip settings> /ping 10.19.10.101
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 10.19.10.101                               56  63 19ms
    1 10.19.10.101                               56  63 17ms
    sent=2 received=2 packet-loss=0% min-rtt=17ms avg-rtt=18ms max-rtt=19ms

[gandalf@router.lacinet] /ip settings> /ping 192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                                          timeout
    1 192.168.19.254                                          timeout
    2 192.168.19.254                                          timeout
    sent=3 received=0 packet-loss=100%

But again, SOMETIMES both work correctly.

nagylzs · Sun Jan 16, 2022 12:00 pm

I think your mangle rule was mistype, if I use this:

chain=prerouting action=passthrough protocol=icmp src-address=192.168.19.254 dst-address=192.168.14.0/24

then I see counters increasing. They are also increasing when I try to ping router2 from router1. First I reset counters, then I do this:

[gandalf@router.lacinet] /ip route> /ping 192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                                          timeout
    1 192.168.19.254                                          timeout
    2 192.168.19.254                                          timeout
    3 192.168.19.254                                          timeout
    4 192.168.19.254                                          timeout
    5 192.168.19.254                                          timeout
    6 192.168.19.254                                          timeout
    7 192.168.19.254                                          timeout

And the counters changed to:

[gandalf@router.lacinet] /ip firewall mangle> /ip firewall mangle print stats interval=1s where comment=x
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                                                ACTION                            BYTES         PACKETS
 0    ;;; x
      prerouting                                                           passthrough                         448               8

All ICMP responses arrived back (sent=8, received=8). But then they are lost somehow. (?)

nagylzs · Sun Jan 16, 2022 12:02 pm

/ip firewall raw is totally empty on both sides.

sindy · Sun Jan 16, 2022 12:22 pm

Yes, same src-address and dst-address in the passthrough rule were a copy-paste error.

Another reason why sniffing doesn't show the responses may be that you have hw=yes on the /interface bridge port row for the port to which the PC is connected, or maybe even the WAN port is a member port of a bridge? It makes no logical sense as the packets in question are sent to the port from the CPU so hardware-assisted L2 forwarding is not involved, but that's how it behaves.

Again, all these questions and assumptions would be unnecessary if you posted the complete configurations.

When packets are dropped by rp-filter or IPsec policy matching, I hazily remember they are dropped between prerouting and the filter chains (because that's where routing takes place). So keep the passthrough rule in mangle/prerouting, remove dst-address from it, add the same rule as the first static one to chain input of filter, and try pinging from Router 1 itself again, watching for the rules to count.

nagylzs · Sun Jan 16, 2022 1:59 pm

Again, all these questions and assumptions would be unnecessary if you posted the complete configurations.

Here goes the complete configuration. I was recultant to send it all, because it is quite long, and I'm not sure if I could replace all sensitive information.

router 1:

# jan/16/2022 12:46:02 by RouterOS 6.48.5
# software id = R847-LG5N
#
# model = RBD52G-5HacD2HnD
# serial number = *************
/caps-man channel
add band=2ghz-onlyn extension-channel=XX frequency="" name=channels-2.4 \
    secondary-frequency="" tx-power=-10
add band=5ghz-onlyac extension-channel=XXXX frequency="" name=channels-5 \
    secondary-frequency="" skip-dfs-channels=yes tx-power=15
add band=2ghz-onlyn extension-channel=XX frequency=2412 name=c24-1 tx-power=\
    -10
add band=2ghz-onlyn extension-channel=XX frequency=2437 name=c24-6 tx-power=\
    -10
add band=2ghz-onlyn extension-channel=XX frequency=2462 name=c24-11 tx-power=\
    -10
/caps-man datapath
add local-forwarding=yes name=datapath-blue vlan-id=10 vlan-mode=use-tag
add local-forwarding=yes name=datapath-green vlan-id=20 vlan-mode=use-tag
add local-forwarding=yes name=datapath-red vlan-id=30 vlan-mode=use-tag
add local-forwarding=yes name=datapath-cyan vlan-id=40 vlan-mode=use-tag
add local-forwarding=yes name=datapath-base vlan-id=99 vlan-mode=use-tag
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=BR1 \
    vlan-filtering=yes
add name=ipsec protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] name=ether2-gray
set [ find default-name=ether3 ] name=ether3-gray
set [ find default-name=ether4 ] name=ether4-lte
set [ find default-name=ether5 ] name=ether5-wan
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-Ce/gn(-13dBm), SSID: base, local forwarding
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    amsdu-limit=4096 band=2ghz-onlyn basic-rates-a/g=12Mbps basic-rates-b="" \
    country=hungary disabled=no distance=indoors frequency=2437 mode=\
    ap-bridge rate-set=configured ssid=lacinet_24 station-roaming=enabled \
    supported-rates-a/g=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    supported-rates-b="" tx-power-mode=all-rates-fixed wireless-protocol=\
    802.11 wps-mode=disabled
# managed by CAPsMAN
# channel: 5300/20-eeCe/ac/DP(12dBm), SSID: base, local forwarding
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    amsdu-limit=4096 band=5ghz-onlyac basic-rates-a/g=12Mbps,36Mbps,48Mbps \
    channel-width=20/40mhz-Ce country=hungary disabled=no distance=indoors \
    mode=ap-bridge ssid=lacinet_5 station-roaming=enabled \
    supported-rates-a/g=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11 wps-mode=disabled
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=CYAN_VLAN vlan-id=40
add interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=HALL_VLAN vlan-id=200
add interface=BR1 name=RED_VLAN vlan-id=30
/caps-man rates
add basic=12Mbps name=rates-2.4 supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic=12Mbps name=rates-5 supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-blue
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-green
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-cyan
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-red
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-base
/caps-man configuration
add channel=channels-5 country=hungary datapath=datapath-blue installation=\
    any name=caps-blue-5 rates=rates-5 security=security-blue ssid=blue
add channel=channels-2.4 country=hungary datapath=datapath-blue installation=\
    any name=caps-blue-2.4 rates=rates-2.4 security=security-blue ssid=blue
add channel=channels-2.4 country=hungary datapath=datapath-green \
    installation=any name=caps-green-2.4 rates=rates-2.4 security=\
    security-green ssid=green
add channel=channels-5 country=hungary datapath=datapath-green installation=\
    any name=caps-green-5 rates=rates-5 security=security-green ssid=green
add channel=channels-5 country=hungary datapath=datapath-red installation=any \
    name=caps-red-5 rates=rates-5 security=security-red ssid=red
add channel=channels-2.4 country=hungary datapath=datapath-red installation=\
    any name=caps-red-2.4 rates=rates-2.4 security=security-red ssid=red
add channel=channels-2.4 country=hungary datapath=datapath-cyan installation=\
    any name=caps-cyan-2.4 rates=rates-2.4 security=security-cyan ssid=cyan
add channel=channels-5 country=hungary datapath=datapath-cyan installation=\
    any name=caps-cyan-5 rates=rates-5 security=security-cyan ssid=cyan
add channel=channels-2.4 country=hungary datapath=datapath-base hide-ssid=yes \
    installation=any name=caps-base-2.4 rates=rates-2.4 security=\
    security-base ssid=base
add channel=channels-5 country=hungary datapath=datapath-base hide-ssid=yes \
    installation=any name=caps-base-5 rates=rates-5 security=security-base \
    ssid=base
/caps-man interface
add channel=c24-11 configuration=caps-base-2.4 disabled=no l2mtu=2026 \
    mac-address=48:8F:5A:A1:AB:30 master-interface=none name=orange.lacinet-1 \
    radio-mac=48:8F:5A:A1:AB:30 radio-name=488F5AA1AB30
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:30 master-interface=orange.lacinet-1 name=\
    orange.lacinet-1-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB30
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:31 master-interface=orange.lacinet-1 name=\
    orange.lacinet-1-2 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB31
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:32 master-interface=orange.lacinet-1 name=\
    orange.lacinet-1-3 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB32
add configuration=caps-cyan-2.4 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:33 master-interface=orange.lacinet-1 name=\
    orange.lacinet-1-4 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB33
add channel.extension-channel=XXXX channel.frequency=5200 comment=ch40 \
    configuration=caps-base-5 disabled=no l2mtu=1600 mac-address=\
    48:8F:5A:A1:AB:31 master-interface=none name=orange.lacinet-2 radio-mac=\
    48:8F:5A:A1:AB:31 radio-name=488F5AA1AB31
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:34 master-interface=orange.lacinet-2 name=\
    orange.lacinet-2-1 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB34
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:35 master-interface=orange.lacinet-2 name=\
    orange.lacinet-2-2 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB35
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:36 master-interface=orange.lacinet-2 name=\
    orange.lacinet-2-3 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB36
add configuration=caps-cyan-5 disabled=no l2mtu=1600 mac-address=\
    4A:8F:5A:A1:AB:37 master-interface=orange.lacinet-2 name=\
    orange.lacinet-2-4 radio-mac=00:00:00:00:00:00 radio-name=4A8F5AA1AB37
add channel=c24-6 configuration=caps-base-2.4 disabled=no l2mtu=1600 \
    mac-address=B8:69:F4:09:BE:FA master-interface=none name=router.lacinet-1 \
    radio-mac=B8:69:F4:09:BE:FA radio-name=B869F409BEFA
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FA master-interface=router.lacinet-1 name=\
    router.lacinet-1-1 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFA
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FB master-interface=router.lacinet-1 name=\
    router.lacinet-1-2 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFB
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FC master-interface=router.lacinet-1 name=\
    router.lacinet-1-3 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFC
add configuration=caps-cyan-2.4 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FD master-interface=router.lacinet-1 name=\
    router.lacinet-1-4 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFD
add channel=channels-5 channel.extension-channel=XXXX channel.frequency=5300 \
    comment=ch40 configuration=caps-base-5 disabled=no l2mtu=1600 \
    mac-address=B8:69:F4:09:BE:FB master-interface=none name=router.lacinet-2 \
    radio-mac=B8:69:F4:09:BE:FB radio-name=B869F409BEFB
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FE master-interface=router.lacinet-2 name=\
    router.lacinet-2-1 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFE
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BE:FF master-interface=router.lacinet-2 name=\
    router.lacinet-2-2 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BEFF
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BF:00 master-interface=router.lacinet-2 name=\
    router.lacinet-2-3 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BF00
add configuration=caps-cyan-5 disabled=no l2mtu=1600 mac-address=\
    BA:69:F4:09:BF:01 master-interface=router.lacinet-2 name=\
    router.lacinet-2-4 radio-mac=00:00:00:00:00:00 radio-name=BA69F409BF01
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip dhcp-server option
add code=119 name=domain-search-option value="'lacinet.'"
/ip ipsec policy group
add name=group-viszfuvar
add name=group-kavicsbanya
add name=group-office
add name=group-magzatom
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 name=\
    profile_l2tp
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name=profile-s2s-ros proposal-check=strict
/ip ipsec peer
add comment="IKE2 default" exchange-mode=ike2 name=peer_ike2 passive=yes \
    profile=profile-s2s-ros send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 comment=\
    "For l2tp-server" enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal-s2s-ros \
    pfs-group=modp2048
/ip pool
add name=BLUE_POOL ranges=10.14.10.100-10.14.10.200
add name=GREEN_POOL ranges=10.14.20.100-10.14.20.200
add name=RED_POOL ranges=10.14.30.100-10.14.30.200
add name=BASE_POOL ranges=192.168.14.100-192.168.14.200
add name=CYAN_POOL ranges=10.14.40.100-10.14.40.200
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN lease-script=\
    onDhcpLease name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=CYAN_POOL disabled=no interface=CYAN_VLAN name=CYAN_DHCP
/ppp profile
add dns-server=10.14.200.1,1.1.1.3 local-address=10.14.200.1 name=l2tp_vpn
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
    suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=BASE_VLAN
/caps-man provisioning
add action=create-enabled hw-supported-modes=ac master-configuration=\
    caps-base-5 name-format=identity slave-configurations=\
    caps-blue-5,caps-green-5,caps-red-5,caps-cyan-5
add action=create-enabled master-configuration=caps-base-2.4 name-format=\
    identity slave-configurations=\
    caps-blue-2.4,caps-green-2.4,caps-red-2.4,caps-cyan-2.4
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1-trunk
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2-gray pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3-gray pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 comment=Base tagged=BR1,ether1-trunk untagged=\
    ether2-gray,ether3-gray vlan-ids=99
add bridge=BR1 comment=Cyan/IOT tagged=BR1,ether1-trunk vlan-ids=40
add bridge=BR1 comment=Blue tagged=BR1,ether1-trunk vlan-ids=10
add bridge=BR1 comment=Green/Guest tagged=BR1,ether1-trunk vlan-ids=20
add bridge=BR1 comment=Red tagged=BR1,ether1-trunk vlan-ids=30
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_vpn enabled=yes use-ipsec=\
    required
/interface list member
add interface=ether5-wan list=WAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=CYAN_VLAN list=VLAN
add interface=ether4-lte list=WAN
/interface wireless cap
# 
set bridge=BR1 certificate=request discovery-interfaces=BASE_VLAN enabled=yes \
    interfaces=wlan1,wlan2
/ip address
add address=192.168.14.254/24 interface=BASE_VLAN network=192.168.14.0
add address=10.14.10.1/24 interface=BLUE_VLAN network=10.14.10.0
add address=10.14.20.1/24 interface=GREEN_VLAN network=10.14.20.0
add address=10.14.30.1/24 interface=RED_VLAN network=10.14.30.0
add address=10.14.40.1/24 interface=CYAN_VLAN network=10.14.40.0
add address=10.14.200.1/24 interface=HALL_VLAN network=10.14.200.0
add address=10.14.100.2/24 interface=ether4-lte network=10.14.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=2m
/ip dhcp-client
add disabled=no interface=ether5-wan
/ip dhcp-server lease
add address=10.14.10.105 client-id=1:80:e8:2c:e:ef:d2 mac-address=\
    80:E8:2C:0E:EF:D2 server=BLUE_DHCP
add address=10.14.10.10 client-id=1:ac:12:3:3c:c:c6 mac-address=\
    AC:12:03:3C:0C:C6 server=BLUE_DHCP
add address=192.168.14.101 comment=brocade mac-address=00:27:F8:98:F7:60 \
    server=BASE_DHCP
add address=192.168.14.100 client-id=1:4:d9:f5:f7:79:a7 mac-address=\
    04:D9:F5:F7:79:A7 server=BASE_DHCP
add address=192.168.14.201 client-id=\
    ff:e2:34:3f:3e:0:2:0:0:ab:11:81:6e:af:75:4d:19:27:61 mac-address=\
    08:00:27:30:C8:89 server=BASE_DHCP
add address=192.168.14.202 client-id=\
    ff:e2:34:3f:3e:0:2:0:0:ab:11:f9:f8:2a:df:10:8c:52:0 mac-address=\
    08:00:27:CB:B4:BE server=BASE_DHCP
add address=192.168.14.203 client-id=\
    ff:e2:34:3f:3e:0:2:0:0:ab:11:4:79:e:30:c2:fc:ea:75 mac-address=\
    08:00:27:7B:36:DB server=BASE_DHCP
add address=192.168.14.205 client-id=\
    ff:e2:34:3f:3e:0:2:0:0:ab:11:ea:d4:c5:c8:e3:a4:72:73 mac-address=\
    08:00:27:48:6E:15 server=BASE_DHCP
add address=192.168.14.204 client-id=\
    ff:e2:34:3f:3e:0:2:0:0:ab:11:de:60:b5:f7:9c:52:91:67 mac-address=\
    08:00:27:C6:DA:2E server=BASE_DHCP
/ip dhcp-server network
add address=10.14.10.0/24 dns-server=192.168.14.254 domain=lacinet. gateway=\
    10.14.10.1
add address=10.14.20.0/24 dns-server=192.168.14.254 domain=pubnet. gateway=\
    10.14.20.1
add address=10.14.30.0/24 dns-server=192.168.14.254 gateway=10.14.30.1
add address=10.14.40.0/24 dns-server=192.168.14.254 gateway=10.14.40.1
add address=192.168.14.0/24 dns-server=192.168.14.254 gateway=192.168.14.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2
/ip dns static
add address=192.168.14.254 name=router.lacinet
add address=192.168.14.253 name=poe-switch.lacinet
add address=192.168.14.252 name=orange.lacinet
add address=10.14.100.1 name=lte.lacinet
add forward-to=192.168.5.254 regexp=".*\\.visznet" type=FWD
add comment=visznet forward-to=192.168.5.254 regexp=\
    ".*\\.5\\.168\\.192.\\in-addr\\.arpa" type=FWD
add forward-to=192.168.18.254 regexp=".*\\.kavicsnet" type=FWD
add comment=kavicsbanya-base forward-to=192.168.18.254 regexp=\
    ".*\\.18\\.168\\.192.\\in-addr\\.arpa" type=FWD
add forward-to=192.168.13.254 regexp=".*\\.sznet" type=FWD
add comment=sznet-base forward-to=192.168.13.254 regexp=\
    ".*\\.13\\.168\\.192.\\in-addr\\.arpa" type=FWD
add forward-to=192.168.19.254 regexp=".*\\.magnet" type=FWD
add comment=magzatom-base forward-to=192.168.19.254 regexp=\
    ".*\\.19\\.168\\.192.\\in-addr\\.arpa" type=FWD
add comment=magzatom-vlan forward-to=192.168.19.254 regexp=\
    ".*\\.19\\.10.\\in-addr\\.arpa" type=FWD
add address=10.14.200.101 name=forgach.lacinet
add address=10.14.200.102 name=erika.lacinet
add address=10.14.200.103 name=tony-i7.lacinet
add address=10.14.200.1 name=hall.lacinet
add address=10.14.10.105 name=htpc.lacinet
add address=10.14.200.105 name=kardirex.lacinet
add address=10.14.200.106 name=szek.lacinet
add address=10.14.200.107 name=stonemining.lacinet
add address=10.14.200.108 name=edit.lacinet
add address=10.14.200.109 name=szucsnorbi.lacinet
add address=10.14.200.111 name=nyergesati.lacinet
add address=10.14.200.110 name=ghbackup.lacinet
add address=192.168.14.101 name=brocade.lacinet
add address=192.168.14.100 name=laci-ryzen9.lacinet
add address=10.14.200.113 comment=bukkszenterzsebet name=backup.lacinet
add address=192.168.14.201 name=coc01.lacinet
add address=192.168.14.202 name=coc02.lacinet
add address=192.168.14.203 name=coc03.lacinet
add address=192.168.14.204 name=coc04.lacinet
add address=192.168.14.205 name=coc05.lacinet
add address=192.168.14.104 name=gw.lacinet
add address=10.14.200.112 name=silyegabi.lacinet
add address=10.14.10.105 comment=#DHCP name=htpc.lacinet. ttl=10m
add address=10.14.10.124 comment=#DHCP name=M2101K6G.lacinet. ttl=10m
/ip firewall filter
add action=accept chain=input comment=\
    "Allow IKEv2 500, IKEv2 NAT-T 4500, L2TP 1701" port=500,4500,1701 \
    protocol=udp
add action=accept chain=input comment=\
    "Allow IPSEC/ESP (also used below L2TP/UDP)" protocol=ipsec-esp
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Input from BASE mgmt" \
    in-interface-list=BASE
add action=jump chain=input comment="SSH input, with brute force protection" \
    dst-port=22 in-interface=!RED_VLAN jump-target=input_ssh protocol=tcp
add action=jump chain=input comment="Input from VLAN" in-interface-list=VLAN \
    jump-target=input_from_vlan
add action=jump chain=input jump-target=input_from_l2tp src-address=\
    10.14.200.0/24
add action=accept chain=input comment="Required by CAPsMAN" dst-address-type=\
    local src-address-type=local
add action=drop chain=input comment=Drop
add action=drop chain=input_ssh comment="drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input_ssh connection-state=new \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input_ssh connection-state=new
add action=accept chain=input_from_vlan comment="Local DNS UDP" dst-port=53 \
    protocol=udp
add action=accept chain=input_from_vlan comment="Local DNS TCP" dst-port=53 \
    protocol=tcp
add action=accept chain=input_from_vlan comment="Local NTP UDP" dst-port=123 \
    protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 67 UDP" dst-port=67 \
    protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 68 UDP" dst-port=68 \
    protocol=udp
add action=reject chain=input_from_vlan in-interface=RED_VLAN reject-with=\
    icmp-admin-prohibited
add action=drop chain=input_from_vlan comment=Drop
add action=accept chain=forward comment=\
    "Accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=jump chain=forward jump-target=from_htpc src-address=10.14.10.105
add action=reject chain=from_htpc comment=\
    "Reject HTPC->Any when we are on LTE" out-interface=ether4-lte \
    reject-with=icmp-admin-prohibited
add action=accept chain=from_htpc comment="kalihomok slave/vnc htpc->forgach" \
    dst-address=10.14.200.101 dst-port=5432,5900 protocol=tcp
add action=accept chain=from_htpc comment=\
    "kavicsbanya slave/vnc htpc->borika-pc" dst-address=192.168.18.199 \
    dst-port=5432,5900 protocol=tcp
add action=accept chain=from_htpc comment="htpc->visznet full access" \
    dst-address=192.168.5.0/24
add action=accept chain=from_htpc comment=\
    "stonemining slave/vnc htpc->stonemining" dst-address=10.14.200.107 \
    dst-port=5432,5900 protocol=tcp
add action=accept chain=forward comment="l2tp laci-vivobook -> any" \
    src-address=10.14.200.104
add action=reject chain=forward comment="Commonly hacked ports" \
    connection-state=new dst-port=21,23,25,110,135,1433 protocol=tcp \
    reject-with=icmp-admin-prohibited
add action=reject chain=forward comment="Reject RED->Internet" \
    connection-state=new in-interface=RED_VLAN out-interface-list=WAN \
    reject-with=icmp-admin-prohibited
add action=accept chain=forward comment="Allow VLAN->Internet" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE->Internet" \
    connection-state=new in-interface-list=BASE out-interface-list=WAN
add action=accept chain=forward comment="BASE->VLAN src-nated" \
    connection-state=new in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment=\
    "BASE->10.14.x.x includes BASE->L2TP and BASE->LTE" connection-state=new \
    dst-address=10.14.0.0/16 in-interface-list=BASE
add action=reject chain=forward comment=\
    "After accept rules - net-unreach when ipsec is down" out-interface=ipsec \
    reject-with=icmp-network-unreachable
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=accept chain=input_ssh
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (tcp)" \
    dst-port=53 protocol=tcp
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (udp)" \
    dst-port=53 protocol=udp
add action=accept chain=input_from_l2tp comment="NTP from l2tp client (udp)" \
    dst-port=123 protocol=udp
add action=reject chain=input_from_l2tp reject-with=icmp-admin-prohibited
add action=return chain=from_htpc
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS for in,ipsec" ipsec-policy=in,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS for out,ipsec" ipsec-policy=out,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=passthrough chain=prerouting comment=x dst-address=192.168.14.0/24 \
    protocol=icmp src-address=192.168.19.254
/ip firewall nat
add action=jump chain=srcnat comment="Src-Nat l2tp laci-vivobook-> any" \
    jump-target=srcnat_laci_l2tp src-address=10.14.200.104
add action=src-nat chain=srcnat comment="Src-Nat BASE->BLUE" out-interface=\
    BLUE_VLAN src-address=192.168.14.0/24 to-addresses=10.14.10.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->RED" out-interface=\
    RED_VLAN src-address=192.168.14.0/24 to-addresses=10.14.30.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->CYAN" out-interface=\
    CYAN_VLAN src-address=192.168.14.0/24 to-addresses=10.14.40.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->HALL" dst-address=\
    10.14.200.0/24 src-address=192.168.14.0/24 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="Src-Nat BASE->LTE-mgmt" \
    out-interface=ether4-lte src-address=192.168.14.0/24 to-addresses=\
    10.14.100.2
add action=src-nat chain=srcnat_laci_l2tp comment=\
    "Src-Nat l2tp laci-vivbook->ipsec" out-interface=ipsec to-addresses=\
    192.168.14.254
add action=src-nat chain=srcnat_laci_l2tp comment=\
    "Src-Nat l2tp laci-vivobook->l2tp (inter-l2tp)" dst-address=\
    10.14.200.0/24 to-addresses=10.14.200.1
add action=dst-nat chain=dstnat comment=\
    "postgres kali-homok slave backup.router1.test.com->lacinet->forgach-vpn" \
    dst-port=54321 in-interface=ether5-wan protocol=tcp src-address=\
    1.2.3.4 to-addresses=10.14.10.105 to-ports=5432
add action=src-nat chain=srcnat comment=\
    "stonemining slave/vnc htpc->stonemining" dst-address=10.14.200.107 \
    dst-port=5432,5900 protocol=tcp src-address=10.14.10.105 to-addresses=\
    10.14.200.1
add action=src-nat chain=srcnat comment="kalihomok slave/vnc htpc->forgach" \
    dst-address=10.14.200.101 dst-port=5432,5900 protocol=tcp src-address=\
    10.14.10.105 to-addresses=10.14.200.1
add action=src-nat chain=srcnat comment="kavicsbanya slave htpc->borika-pc" \
    dst-address=192.168.18.199 dst-port=5432,5900 protocol=tcp src-address=\
    10.14.10.105 to-addresses=192.168.14.254
add action=src-nat chain=srcnat comment="Src-Nat htpc->visznet all" \
    dst-address=192.168.5.0/24 src-address=10.14.10.105 to-addresses=\
    192.168.14.254
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=src-nat chain=srcnat_laci_l2tp comment=\
    "Src-Nat l2tp laci-vivobook->blue" dst-address=10.14.10.0/24 \
    to-addresses=10.14.10.1
/ip ipsec identity
add auth-method=digital-signature certificate=laci.router1.test.com comment=\
    office.partner1.test.com generate-policy=port-strict match-by=certificate \
    my-id=fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=\
    group-viszfuvar remote-certificate=office.partner1.test.com remote-id=\
    fqdn:office.partner1.test.com
add auth-method=digital-signature certificate=laci.router1.test.com comment=\
    office.router1.test.com generate-policy=port-strict match-by=certificate my-id=\
    fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=group-office \
    remote-certificate=office.router1.test.com remote-id=fqdn:office.router1.test.com
add auth-method=digital-signature certificate=laci.router1.test.com comment=\
    kavicsbanya.partner2.test.com generate-policy=port-strict match-by=certificate \
    my-id=fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=\
    group-kavicsbanya remote-certificate=kavicsbanya.partner2.test.com remote-id=\
    fqdn:kavicsbanya.partner2.test.com
add auth-method=digital-signature certificate=laci.router1.test.com comment=\
    office.partner3.magnet.com generate-policy=port-strict match-by=certificate \
    my-id=fqdn:laci.router1.test.com peer=peer_ike2 policy-template-group=\
    group-magzatom remote-certificate=office.partner3.magnet.com remote-id=\
    fqdn:office.partner3.magnet.com
/ip ipsec policy
set 0 comment="For l2tp-server"
add comment=office.partner1.test.com dst-address=192.168.5.0/24 group=\
    group-viszfuvar proposal=proposal-s2s-ros src-address=192.168.14.0/24 \
    template=yes
add comment=office.router1.test.com dst-address=192.168.13.0/24 group=group-office \
    proposal=proposal-s2s-ros src-address=192.168.14.0/24 template=yes
add comment=kavicsbanya.router1.test.com dst-address=192.168.18.0/24 group=\
    group-kavicsbanya proposal=proposal-s2s-ros src-address=192.168.14.0/24 \
    template=yes
add comment=office.partner3.magnet.com dst-address=192.168.19.0/24 group=\
    group-magzatom proposal=proposal-s2s-ros src-address=192.168.14.0/24 \
    template=yes
add comment=office.partner3.magnet.com-vlan dst-address=10.19.0.0/16 group=\
    group-magzatom proposal=proposal-s2s-ros src-address=192.168.14.0/24 \
    template=yes
/ip route
add comment="EKKE Telekom Mobil/LTE" disabled=yes distance=2 gateway=\
    10.14.100.1
add comment="Prevent package leak RFC1918 class A" distance=1 dst-address=\
    10.0.0.0/8 type=unreachable
add comment="VPN to magnet-vlan" distance=1 dst-address=10.19.0.0/16 gateway=\
    ipsec pref-src=192.168.14.254
add comment="Prevent package leak RFC1918 class B" distance=1 dst-address=\
    172.16.0.0/12 type=unreachable
add comment="Prevent package leak RFC1918 class C" distance=1 dst-address=\
    192.168.0.0/16 type=unreachable
add comment="VPN to visznet" distance=1 dst-address=192.168.5.0/24 gateway=\
    ipsec pref-src=192.168.14.254
add comment="VPN to sznet" distance=1 dst-address=192.168.13.0/24 gateway=\
    ipsec pref-src=192.168.14.254
add comment="VPN to kavicsnet" distance=1 dst-address=192.168.18.0/24 \
    gateway=ipsec pref-src=192.168.14.254
add comment="VPN to magnet-base" distance=1 dst-address=192.168.19.0/24 \
    gateway=ipsec pref-src=192.168.14.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.14.0/24
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ppp secret
add name=forgach profile=l2tp_vpn remote-address=10.14.200.101 service=l2tp
add name=erika profile=l2tp_vpn remote-address=10.14.200.102 service=l2tp
add name=tony_i7 profile=l2tp_vpn remote-address=10.14.200.103 service=l2tp
add name=laci-vivobook profile=l2tp_vpn remote-address=10.14.200.104 service=\
    l2tp
add name=kardirex profile=l2tp_vpn remote-address=10.14.200.105 service=l2tp
add name=szek profile=l2tp_vpn remote-address=10.14.200.106 service=l2tp
add name=stonemining profile=l2tp_vpn remote-address=10.14.200.107 service=\
    l2tp
add name=edit profile=l2tp_vpn remote-address=10.14.200.108 service=l2tp
add name=szucsnorbi profile=l2tp_vpn remote-address=10.14.200.109 service=\
    l2tp
add name=ghbackup profile=l2tp_vpn remote-address=10.14.200.110
add name=nyergesati profile=l2tp_vpn remote-address=10.14.200.111
add name=silyegabi profile=l2tp_vpn remote-address=10.14.200.112
add name=backupmesshu profile=l2tp_vpn remote-address=10.14.200.113
/routing filter
add chain=dynamic-in set-check-gateway=ping
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=router.lacinet
/system logging
add topics=wireless
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org
/system package update
set channel=long-term
/system scheduler
add interval=1d name=e-mail-backup on-event=e-mail-backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=20:00:00
/system script
add dont-require-permissions=no name=onDhcpLease owner=gandalf policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n\
    \n\
    \n:local DHCPtag\
    \n:set DHCPtag \"#DHCP\"\
    \n\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \n\
    \n:if ( \$leaseBound = 1 ) do=\\\
    \n{\
    \n  :local ttl\
    \n  :local domain\
    \n  :local hostname\
    \n  :local fqdn\
    \n  :local leaseId\
    \n  :local comment\
    \n\
    \n  /ip dhcp-server\
    \n  :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\
    \n  network \
    \n  :set domain [ get [ find \$leaseActIP in address ] domain ]\
    \n  \
    \n  .. lease\
    \n  :set leaseId [ find address=\$leaseActIP ]\
    \n\
    \n# Check for multiple active leases for the same IP address. It's weird a\
    nd it shouldn't be, but just in case.\
    \n\
    \n  :if ( [ :len \$leaseId ] != 1) do=\\\
    \n  {\
    \n   :log info \"DHCP2DNS: not registering domain name for address \$lease\
    ActIP because of multiple active leases for \$leaseActIP\"\
    \n   :error \"multiple active leases for \$leaseActIP\"\
    \n  }  \
    \n\
    \n  :set hostname [ get \$leaseId host-name ]\
    \n  :set comment [ get \$leaseId comment ]\
    \n  /\
    \n\
    \n  :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\
    \n\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty lease host-name or comment\"\
    \n    :error \"empty lease host-name or comment\"\
    \n  }\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty network domain name\"\
    \n    :error \"empty network domain name\"\
    \n  }\
    \n\
    \n  :set fqdn \"\$hostname.\$domain\"\
    \n  \
    \n  /ip dns static\
    \n  :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
    no ] ] = 0 ) do=\\\
    \n  {\
    \n    :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
    ess \$leaseActIP with ttl \$ttl\"\
    \n    add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
    abled=no\
    \n  } else=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
    s \$leaseActIP because of existing active static DNS entry with this name \
    or address\" \
    \n  }\
    \n  /\
    \n} \\\
    \nelse=\\\
    \n{\
    \n  /ip dns static\
    \n  :local dnsDhcpId \
    \n  :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\
    \n\
    \n  :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\
    \n  {\
    \n    :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
    easeActIP\"\
    \n    remove \$dnsDhcpId\
    \n  }\
    \n  /\
    \n}\
    \n\
    \n"
add dont-require-permissions=no name=e-mail-backup owner=gandalf policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system backup save encryption=aes-sha256 name=\"email.backup\" password=\"\
    ********\";/tool e-mail send to=\"gandalf@router1.test.com\" subject=([/system id\
    entity get name].\" (system=\".[/system package get system value-name=vers\
    ion].\") backup\") file=email.backup;:log info \"Backup e-mail sent.\";  "
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=mail.router1.test.com from=\
    "MikroTik Hontalan router.lacinet <mikrotik@router1.test.com>" port=465 start-tls=\
    tls-only user=mikrotik@router1.test.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-ip-protocol=icmp

router 2:

# jan/16/2022 12:47:40 by RouterOS 6.48.5
# software id = BGJQ-V2CF
#
# model = RBD52G-5HacD2HnD
# serial number = *************
/caps-man channel
add band=2ghz-onlyn extension-channel=XX frequency="" name=channels-2.4 \
    secondary-frequency="" tx-power=-10
add band=5ghz-onlyac extension-channel=XXXX frequency="" name=channels-5 \
    secondary-frequency="" skip-dfs-channels=yes
/caps-man datapath
add local-forwarding=yes name=datapath-blue vlan-id=10 vlan-mode=use-tag
add local-forwarding=yes name=datapath-green vlan-id=20 vlan-mode=use-tag
add local-forwarding=yes name=datapath-red vlan-id=30 vlan-mode=use-tag
add local-forwarding=yes name=datapath-base vlan-id=99 vlan-mode=use-tag
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=BR1 \
    vlan-filtering=yes
add name=ipsec protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-sw01
set [ find default-name=ether2 ] name=ether2-lte
set [ find default-name=ether3 ] name=ether3-blue
set [ find default-name=ether4 ] name=ether4-blue
set [ find default-name=ether5 ] name=ether5-wan
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(-13dBm), SSID: magzatom_base, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: magzatom_base, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=HALL_VLAN vlan-id=200
add interface=BR1 name=RED_VLAN vlan-id=30
/caps-man rates
add basic=12Mbps name=rates-2.4 supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic=12Mbps name=rates-5 supported=\
    12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-blue
add authentication-types=wpa2-psk encryption=aes-ccm name=security-green
add authentication-types=wpa2-psk encryption=aes-ccm name=security-red
add authentication-types=wpa2-psk encryption=aes-ccm name=security-base
/caps-man configuration
add channel=channels-5 country=hungary datapath=datapath-blue installation=\
    any name=caps-blue-5 rates=rates-5 security=security-blue ssid=\
    magzatom-privat
add channel=channels-2.4 country=hungary datapath=datapath-blue installation=\
    any name=caps-blue-2.4 rates=rates-2.4 security=security-blue ssid=\
    magzatom-privat
add channel=channels-2.4 country=hungary datapath=datapath-green \
    installation=any name=caps-green-2.4 rates=rates-2.4 security=\
    security-green ssid=magzatom-vendeg
add channel=channels-5 country=hungary datapath=datapath-green installation=\
    any name=caps-green-5 rates=rates-5 security=security-green ssid=\
    magzatom-vendeg
add channel=channels-2.4 country=hungary datapath=datapath-base hide-ssid=yes \
    installation=any name=caps-base-2.4 rates=rates-2.4 security=\
    security-base ssid=magzatom_base
add channel=channels-5 country=hungary datapath=datapath-base hide-ssid=yes \
    installation=any name=caps-base-5 rates=rates-5 security=security-base \
    ssid=magzatom_base
add channel=channels-2.4 country=hungary datapath=datapath-red hide-ssid=yes \
    installation=any name=caps-red-2.4 rates=rates-2.4 security=security-red \
    ssid=magzatom_red
add channel=channels-5 country=hungary datapath=datapath-red hide-ssid=yes \
    installation=any name=caps-red-5 rates=rates-5 security=security-red \
    ssid=magzatom_red
/caps-man interface
add configuration=caps-base-2.4 disabled=no l2mtu=1600 mac-address=\
    08:55:31:E7:F3:6C master-interface=none name=r01.magnet-1 radio-mac=\
    08:55:31:E7:F3:6C radio-name=085531E7F36C
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:6C master-interface=r01.magnet-1 name=r01.magnet-1-1 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36C
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:6D master-interface=r01.magnet-1 name=r01.magnet-1-2 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36D
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:6E master-interface=r01.magnet-1 name=r01.magnet-1-3 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36E
add configuration=caps-base-5 disabled=no l2mtu=1600 mac-address=\
    08:55:31:E7:F3:6D master-interface=none name=r01.magnet-2 radio-mac=\
    08:55:31:E7:F3:6D radio-name=085531E7F36D
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:6F master-interface=r01.magnet-2 name=r01.magnet-2-1 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F36F
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:70 master-interface=r01.magnet-2 name=r01.magnet-2-2 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F370
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:F3:71 master-interface=r01.magnet-2 name=r01.magnet-2-3 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7F371
add configuration=caps-base-2.4 disabled=no l2mtu=1600 mac-address=\
    08:55:31:E7:E1:93 master-interface=none name=r02.magnet-1 radio-mac=\
    08:55:31:E7:E1:93 radio-name=085531E7E193
add configuration=caps-blue-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:93 master-interface=r02.magnet-1 name=r02.magnet-1-1 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E193
add configuration=caps-green-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:94 master-interface=r02.magnet-1 name=r02.magnet-1-2 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E194
add configuration=caps-red-2.4 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:95 master-interface=r02.magnet-1 name=r02.magnet-1-3 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E195
add configuration=caps-base-5 disabled=no l2mtu=1600 mac-address=\
    08:55:31:E7:E1:94 master-interface=none name=r02.magnet-2 radio-mac=\
    08:55:31:E7:E1:94 radio-name=085531E7E194
add configuration=caps-blue-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:96 master-interface=r02.magnet-2 name=r02.magnet-2-1 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E196
add configuration=caps-green-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:97 master-interface=r02.magnet-2 name=r02.magnet-2-2 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E197
add configuration=caps-red-5 disabled=no l2mtu=1600 mac-address=\
    0A:55:31:E7:E1:98 master-interface=r02.magnet-2 name=r02.magnet-2-3 \
    radio-mac=00:00:00:00:00:00 radio-name=0A5531E7E198
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=119 name=domain-search-option value="'magnet.'"
/ip ipsec policy group
add name=group-lacinet
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 name=\
    profile_l2tp
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    profile-s2s-ros proposal-check=strict
/ip ipsec peer
add address=92f20943ba88.sn.mynetname.net exchange-mode=ike2 name=\
    laci.router1.test.com profile=profile-s2s-ros
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 comment=\
    "For l2tp-server" enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=4h name=\
    proposal-s2s-ros pfs-group=modp2048
/ip pool
add name=BLUE_POOL ranges=10.19.10.100-10.19.10.200
add name=GREEN_POOL ranges=10.19.20.100-10.19.20.200
add name=RED_POOL ranges=10.19.30.100-10.19.30.200
add name=BASE_POOL ranges=192.168.19.100-192.168.19.200
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN lease-script=\
    onDhcpLease name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/ppp profile
add dns-server=10.19.200.1,1.1.1.3 local-address=10.19.200.1 name=l2tp_vpn
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
    suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=BASE_VLAN
/caps-man provisioning
add action=create-enabled hw-supported-modes=ac master-configuration=\
    caps-base-5 name-format=identity slave-configurations=\
    caps-blue-5,caps-green-5,caps-red-5
add action=create-enabled master-configuration=caps-base-2.4 name-format=\
    identity slave-configurations=caps-blue-2.4,caps-green-2.4,caps-red-2.4
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether1-sw01
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3-blue pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4-blue pvid=10
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1-sw01 untagged=ether3-blue,ether4-blue \
    vlan-ids=10
add bridge=BR1 tagged=BR1,ether1-sw01 vlan-ids=20
add bridge=BR1 tagged=BR1,ether1-sw01 vlan-ids=30
add bridge=BR1 tagged=BR1,ether1-sw01 vlan-ids=99
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_vpn enabled=yes use-ipsec=\
    required
/interface list member
add interface=ether5-wan list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=ether2-lte list=WAN
/interface wireless cap
# 
set bridge=BR1 certificate=request discovery-interfaces=BASE_VLAN enabled=yes \
    interfaces=wlan1,wlan2
/ip address
add address=192.168.19.254/24 interface=BASE_VLAN network=192.168.19.0
add address=10.19.10.1/24 interface=BLUE_VLAN network=10.19.10.0
add address=10.19.20.1/24 interface=GREEN_VLAN network=10.19.20.0
add address=10.19.30.1/24 interface=RED_VLAN network=10.19.30.0
add address=10.19.200.1/24 interface=HALL_VLAN network=10.19.200.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=2m
/ip dhcp-client
add disabled=no interface=ether5-wan use-peer-dns=no
add default-route-distance=2 disabled=no interface=ether2-lte use-peer-dns=no
/ip dhcp-server lease
add address=10.19.10.198 client-id=1:74:fe:48:57:68:ae comment=\
    "Nyugati Samsung Ultrahang, +smb share" mac-address=74:FE:48:57:68:AE \
    server=BLUE_DHCP
add address=10.19.10.194 client-id=1:40:b0:76:5b:be:f8 comment=\
    "Keleti vizsgalo desktop gep" mac-address=40:B0:76:5B:BE:F8 server=\
    BLUE_DHCP
add address=10.19.30.10 client-id=1:ec:c8:9c:b9:9c:e5 comment="HkVision NVR" \
    mac-address=EC:C8:9C:B9:9C:E5 server=RED_DHCP
add address=10.19.10.192 client-id=1:dc:a6:32:c8:1c:e6 comment=Babyscreen \
    mac-address=DC:A6:32:C8:1C:E6 server=BLUE_DHCP
add address=10.19.10.190 client-id=1:0:17:c8:a6:90:55 comment=\
    "KyoceraP6230CDN lezer" mac-address=00:17:C8:A6:90:55 server=BLUE_DHCP
add address=10.19.10.101 client-id=\
    ff:b6:22:f:eb:0:2:0:0:ab:11:13:66:88:18:da:5e:fe:33 mac-address=\
    98:90:96:CE:6F:92 server=BLUE_DHCP
add address=10.19.30.101 client-id=1:2c:a5:9c:fa:c4:5c mac-address=\
    2C:A5:9C:FA:C4:5C server=RED_DHCP
add address=10.19.30.102 client-id=1:4c:f5:dc:5e:ff:37 mac-address=\
    4C:F5:DC:5E:FF:37 server=RED_DHCP
/ip dhcp-server network
add address=10.19.10.0/24 dns-server=192.168.19.254 domain=magnet. gateway=\
    10.19.10.1
add address=10.19.20.0/24 dns-server=192.168.19.254 gateway=10.19.20.1
add address=10.19.30.0/24 dns-server=192.168.19.254 gateway=10.19.30.1
add address=192.168.19.0/24 dns-server=192.168.19.254 gateway=192.168.19.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3
/ip dns static
add address=192.168.19.254 name=r01.magnet
add address=192.168.19.253 name=r02.magnet
add address=192.168.19.252 name=r03.magnet
add address=192.168.19.244 name=sw01.magnet
add address=192.168.19.243 name=sw02.magnet
add address=192.168.19.242 name=sw03.magnet
add address=192.168.19.241 name=sw04.magnet
add address=10.19.30.10 name=nvr.magnet
add address=10.19.100.254 name=lte.magnet
add address=10.19.200.101 comment="L2TP Brigi Laptop" name=brigi.magnet
add address=10.19.200.103 comment="L2TP Brigi-oled laptop" name=\
    brigi-oled.magnet
add address=10.19.200.102 comment="L2TP ViktorNAS" name=viktornas.magnet
add address=10.19.200.1 comment="L2TP hall" name=hall.magnet
add address=10.19.30.101 name=cam-folyoso.magnet
add address=10.19.30.102 name=cam-varo.magnet
add address=10.19.10.194 comment=#DHCP name=keleti-vizsgalo.magnet. ttl=10m
add address=10.19.10.106 comment=#DHCP name=DESKTOP-V210M8R.magnet. ttl=10m
add address=10.19.10.101 comment=#DHCP name=nas.magnet. ttl=10m
/ip firewall filter
add action=accept chain=input comment=\
    "Allow UDP 500,4500,1701 for IKE, IPSEC/ESP and L2TP" port=1701,500,4500 \
    protocol=udp
add action=accept chain=input comment="Allow IPSEC/ESP" protocol=ipsec-esp
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN and CAP" dst-address-type=\
    local src-address-type=local
add action=accept chain=input comment="Input from BASE mgmt" \
    in-interface-list=BASE
add action=jump chain=input comment="SSH input, with brute force protection" \
    dst-port=22 jump-target=input_ssh protocol=tcp
add action=jump chain=input comment="Input from VLAN" in-interface-list=VLAN \
    jump-target=input_from_vlan
add action=jump chain=input comment="Input from L2TP client" jump-target=\
    input_from_l2tp src-address=10.19.200.0/24
add action=accept chain=input comment="DNS from lacinet udp" dst-port=53 \
    protocol=udp src-address=192.168.14.0/24
add action=accept chain=input comment="DNS from lacinet tcp" dst-port=53 \
    protocol=tcp src-address=192.168.14.0/24
add action=drop chain=input comment=Drop
add action=drop chain=input_ssh comment="drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input_ssh connection-state=new \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input_ssh connection-state=new
add action=accept chain=input_ssh comment="allow ssh from anywhere"
add action=drop chain=input_ssh comment=Drop
add action=accept chain=input_from_vlan comment="Local DNS UDP" dst-port=53 \
    protocol=udp
add action=accept chain=input_from_vlan comment="Local DNS TCP" dst-port=53 \
    protocol=tcp
add action=accept chain=input_from_vlan comment="Local NTP UDP" dst-port=123 \
    protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 67 UDP" dst-port=67 \
    protocol=udp
add action=accept chain=input_from_vlan comment="DHCP 68 UDP" dst-port=68 \
    protocol=udp
add action=drop chain=input_from_vlan comment=Drop
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "Accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=reject chain=forward comment=\
    "Reply with network-unreachable when IPSEC tunnel is down" out-interface=\
    ipsec reject-with=icmp-network-unreachable
add action=accept chain=forward comment="Allow VLAN->Internet" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE->Internet" \
    connection-state=new in-interface-list=BASE out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE->VLAN" connection-state=\
    new in-interface-list=BASE out-interface-list=VLAN
add action=accept chain=forward comment="l2tp brigi-laptop->any" src-address=\
    10.19.200.101
add action=accept chain=forward comment="l2tp brigi-oled->any" src-address=\
    10.19.200.103
add action=accept chain=forward comment=\
    "l2tp viktornas.magnet->nas.magnet syncthing" dst-address=10.19.10.101 \
    dst-port=22000,22 protocol=tcp src-address=10.19.200.102
add action=accept chain=forward comment=\
    "l2tp nas.magnet->viktornas.magnet syncthing" dst-address=10.19.200.102 \
    dst-port=22000,22 protocol=tcp src-address=10.19.10.101
add action=accept chain=forward comment="ICMP between VLANs and HALL" \
    disabled=yes dst-address=10.19.0.0/16 protocol=icmp src-address=\
    10.19.0.0/16
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=drop chain=input_ssh comment="drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input_ssh connection-state=new \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input_ssh connection-state=new \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input_ssh connection-state=new
add action=accept chain=input_ssh comment="allow ssh from anywhere"
add action=drop chain=input_ssh comment=Drop
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (tcp)" \
    dst-port=53 protocol=tcp
add action=accept chain=input_from_l2tp comment="DNS from l2tp client (udp)" \
    dst-port=53 protocol=udp
add action=accept chain=input_from_l2tp comment="NTP from l2tp client (udp)" \
    dst-port=123 protocol=udp
add action=reject chain=input_from_l2tp reject-with=icmp-admin-prohibited
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS for in,ipsec" ipsec-policy=in,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS for out,ipsec" ipsec-policy=out,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="scr-nat lacinet->RED" out-interface=\
    RED_VLAN src-address=192.168.14.0/24 to-addresses=10.19.30.1
add action=src-nat chain=srcnat comment="Src-Nat base-lacinet->base-magnet" \
    out-interface=BASE_VLAN src-address=192.168.14.0/24 to-addresses=\
    192.168.19.254
add action=src-nat chain=srcnat comment="Src-Nat base-lacinet->hall-magnet" \
    dst-address=10.19.200.0/24 src-address=192.168.14.0/24 to-addresses=\
    10.19.200.1
add action=src-nat chain=srcnat comment="l2tp brigi-oled->magnet-blue" \
    dst-address=10.19.10.0/24 src-address=10.19.200.103 to-addresses=\
    10.19.10.1
add action=src-nat chain=srcnat comment="Src-Nat l2tp viktornas->nas" \
    dst-address=10.19.10.101 src-address=10.19.200.102 to-addresses=\
    10.19.200.1
/ip ipsec identity
add auth-method=digital-signature certificate=office.partner3.magnet.com my-id=\
    fqdn:office.partner3.magnet.com peer=laci.router1.test.com policy-template-group=\
    group-lacinet remote-id=fqdn:laci.router1.test.com
/ip ipsec policy
set 0 comment="For l2tp-server" dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.14.0/24 peer=laci.router1.test.com proposal=proposal-s2s-ros \
    src-address=192.168.19.0/24 tunnel=yes
add dst-address=192.168.14.0/24 peer=laci.router1.test.com proposal=proposal-s2s-ros \
    src-address=10.19.0.0/16 tunnel=yes
/ip route
add comment="Prevent package leak RFC1918 class A" distance=1 dst-address=\
    10.0.0.0/8 type=unreachable
add comment="Prevent package leak RFC1918 class B" distance=1 dst-address=\
    172.16.0.0/12 type=unreachable
add comment="Prevent package leak RFC1918 class C" distance=1 dst-address=\
    192.168.0.0/16 type=unreachable
add comment="VPN to lacinet" distance=1 dst-address=192.168.14.0/24 gateway=\
    ipsec pref-src=192.168.19.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox address=192.168.19.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=brigi profile=l2tp_vpn remote-address=10.19.200.101 service=l2tp
add name=viktornas profile=l2tp_vpn remote-address=10.19.200.102 service=l2tp
add name=brigi-oled profile=l2tp_vpn remote-address=10.19.200.103 service=\
    l2tp
/routing filter
add chain=dynamic-in set-check-gateway=ping
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=r01.magnet
/system logging
add topics=l2tp
add topics=ipsec
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org
/system package update
set channel=long-term
/system scheduler
add interval=1d name=e-mail-backup on-event=e-mail-backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=20:00:00
/system script
add dont-require-permissions=no name=onDhcpLease owner=gandalf policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n\
    \n\
    \n:local DHCPtag\
    \n:set DHCPtag \"#DHCP\"\
    \n\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \n\
    \n:if ( \$leaseBound = 1 ) do=\\\
    \n{\
    \n  :local ttl\
    \n  :local domain\
    \n  :local hostname\
    \n  :local fqdn\
    \n  :local leaseId\
    \n  :local comment\
    \n\
    \n  /ip dhcp-server\
    \n  :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\
    \n  network \
    \n  :set domain [ get [ find \$leaseActIP in address ] domain ]\
    \n  \
    \n  .. lease\
    \n  :set leaseId [ find address=\$leaseActIP ]\
    \n\
    \n# Check for multiple active leases for the same IP address. It's weird a\
    nd it shouldn't be, but just in case.\
    \n\
    \n  :if ( [ :len \$leaseId ] != 1) do=\\\
    \n  {\
    \n   :log info \"DHCP2DNS: not registering domain name for address \$lease\
    ActIP because of multiple active leases for \$leaseActIP\"\
    \n   :error \"multiple active leases for \$leaseActIP\"\
    \n  }  \
    \n\
    \n  :set hostname [ get \$leaseId host-name ]\
    \n  :set comment [ get \$leaseId comment ]\
    \n  /\
    \n\
    \n  :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\
    \n\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty lease host-name or comment\"\
    \n    :error \"empty lease host-name or comment\"\
    \n  }\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty network domain name\"\
    \n    :error \"empty network domain name\"\
    \n  }\
    \n\
    \n  :set fqdn \"\$hostname.\$domain\"\
    \n  \
    \n  /ip dns static\
    \n  :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
    no ] ] = 0 ) do=\\\
    \n  {\
    \n    :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
    ess \$leaseActIP with ttl \$ttl\"\
    \n    add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
    abled=no\
    \n  } else=\\\
    \n  {\
    \n    :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
    s \$leaseActIP because of existing active static DNS entry with this name \
    or address\" \
    \n  }\
    \n  /\
    \n} \\\
    \nelse=\\\
    \n{\
    \n  /ip dns static\
    \n  :local dnsDhcpId \
    \n  :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\
    \n\
    \n  :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\
    \n  {\
    \n    :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
    easeActIP\"\
    \n    remove \$dnsDhcpId\
    \n  }\
    \n  /\
    \n}\
    \n\
    \n"
add dont-require-permissions=no name=e-mail-backup owner=gandalf policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    system backup save encryption=aes-sha256 name=\"email.backup\" password=\"\
    ***********\";/tool e-mail send to=\"gandalf@router1.test.com\" subject=([/system id\
    entity get name].\" (system=\".[/system package get system value-name=vers\
    ion].\") backup\") file=email.backup;:log info \"Backup e-mail sent.\";  "
/tool bandwidth-server
set enabled=no
/tool e-mail
set address=mail.router1.test.com from="Mikrotik r01.magnet <mikrotik@router1.test.com>" port=\
    465 start-tls=tls-only user=mikrotik@router1.test.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-ip-protocol=udp filter-port=dns

nagylzs · Sun Jan 16, 2022 2:02 pm

Another reason why sniffing doesn't show the responses may be that you have hw=yes on the /interface bridge port row for the port to which the PC is connected, or maybe even the WAN port is a member port of a bridge? It makes no logical sense as the packets in question are sent to the port from the CPU so hardware-assisted L2

WAN ports are not ports of any bridge on either side. I do have hw=yes on the bridges on both sides, but they only contain wlan interfaces (dynamically added by CAPsMAN) local ethernet ports, and vlan interfaces.

nagylzs · Sun Jan 16, 2022 2:12 pm

When packets are dropped by rp-filter or IPsec policy matching, I hazily remember they are dropped between prerouting and the filter chains (because that's where routing takes place). So keep the passthrough rule in mangle/prerouting, remove dst-address from it, add the same rule as the first static one to chain input of filter, and try pinging from Router 1 itself again, watching for the rules to count.

All right, this is how input filter chain begins on router1:

 /ip firewall filter> print chain=input
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; x
      chain=input action=passthrough protocol=icmp src-address=192.168.19.254

 1    ;;; Allow IKEv2 500, IKEv2 NAT-T 4500, L2TP 1701
      chain=input action=accept protocol=udp port=500,4500,1701

This is how mangle starts:

 /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; x
      chain=prerouting action=passthrough protocol=icmp src-address=192.168.19.254

Then I reset counters, and send 5 ping packets:

 /ping  192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                                          timeout
    1 192.168.19.254                                          timeout
    2 192.168.19.254                                          timeout
    3 192.168.19.254                                          timeout
    4 192.168.19.254                                          timeout
    sent=5 received=0 packet-loss=100%

Counters:

 /ip firewall mangle> print stats interval=1s where comment=x
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                                                ACTION                            BYTES         PACKETS
 0    ;;; x
      prerouting                                                           passthrough                         336               6

 /ip firewall filter> print stats interval=1s where comment=x
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                                                ACTION                            BYTES         PACKETS
 0    ;;; x
      input                                                                passthrough                         336               6

sindy · Sun Jan 16, 2022 2:33 pm

I'm out of ideas. Since the input filter can see the packets, and there is no drop rule between the passthrough one and the "accept established,related,untracked" one, I can see no reason why the router should ignore the ICMP echo replies unless their ID is different than expected; however, a bug in this would only explain the ICMP issue but not the DNS one.

nagylzs · Sun Jan 16, 2022 2:50 pm

Yes, DNS is also wrong. This is from 192.168.14.106 computer:

C:\Users\nagyl>nslookup nas.magnet 192.168.14.254
Server:  router.lacinet
Address:  192.168.14.254

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to router.lacinet timed-out

C:\Users\nagyl>nslookup nas.magnet 192.168.19.254
Server:  r01.magnet
Address:  192.168.19.254

Non-authoritative answer:
Name:    nas.magnet
Address:  10.19.10.101

The lookup succeeds if I query the DNS server on router2 directly. But if I use router1, then the FWD record is processed by router1 (I think) and then it cannot reach router 2. I just checked and SSH is also bad, but only from router1 ( /system ssh address=192.168.19.254 -> no response ). This is a problem for me because I have multiple partners connected via IPSEC/IKEv2, and the only place where I can add FWD records is my main DNS server router1.

What is even more interesting is that sometimes it works (for a couple of minutes every day). I also tried to disable and re-enable the ipsec identity to re-establish the connection, but it does not help. You can also see in the config that I have almost identical ipsec tunnels to other networks: 192.168.5.0/24, 192.168.18.0/24,192.168.13.0/24,
and they don't have this problem. I cannot see any difference between them (except the network address and the certificates).

Well, I'm still very grateful that you tried to help. Thank you!

nagylzs · Sun Feb 20, 2022 7:31 pm

I have uploaded a demonstration video here: https://www.youtube.com/watch?v=dWtVSEqPvDs

Even if I change action=accept and move it to position zero, the ping command times out. Most probably this is not a routing problem, and also not a firewall problem. The accept rule counter counts, so the ICMP response packet is accepted. Nevertheless, it times out.

How is this possible?

sindy · Sun Feb 20, 2022 8:09 pm

Did you try to sniff the received traffic at both ends of the tunnel, to check that the ping responses match the requests?

nagylzs · Sun Feb 20, 2022 10:07 pm

Hi Sindy! I did this on both sides:

/tool sniffer
set filter-ip-address=192.168.14.254/32,192.168.19.254/32 filter-ip-protocol=icmp
start

Then I did this on router1:

[gandalf@router.lacinet] > /ping 192.168.19.254 count=1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                                          timeout
    sent=1 received=0 packet-loss=100%

This is what I see on the remote router:

[gandalf@r01.magnet] /tool sniffer packet> print detail
 0 time=8.053 num=1 direction=rx src-mac=00:01:5C:AB:A6:45 dst-mac=08:55:31:E7:F3:6B interface=ether5-wan
   src-address=192.168.14.254 dst-address=192.168.19.254 protocol=ip ip-protocol=icmp size=70 cpu=0 fp=no ip-packet-size=56
   ip-header-size=20 dscp=0 identification=24888 fragment-offset=0 ttl=255

And this is what I see on the local router


[gandalf@router.lacinet] /tool sniffer packet> print detail
 0 time=3.748 num=1 direction=rx src-mac=00:01:5C:AB:A6:45 dst-mac=B8:69:F4:09:BE:F9 interface=ether5-wan
   src-address=192.168.19.254 dst-address=192.168.14.254 protocol=ip ip-protocol=icmp size=70 cpu=0 fp=no ip-packet-size=56
   ip-header-size=20 dscp=0 identification=16598 fragment-offset=0 ttl=64

The identification number is different. I guess this is not normal?

I still don't understand why don't I see the tx packets?

sindy · Sun Feb 20, 2022 10:17 pm

The identification number is different. I guess this is not normal?

It's the IP ID, which is used to match together IP fragments. The ICMP echo ID is not shown here - you have to sniff into files and open them using Wireshark, or read the hex dump of the packets (/tool sniffer packet print raw if i remember well).

I still don't understand why don't I see the tx packets?

Because the sniffer only shows payload packets extracted from the IPsec transport ones, but not payload packets going to be encrypted into the IPsec transport ones.

nagylzs · Sun Feb 20, 2022 11:36 pm

All right, here is another test with raw packets:

[gandalf@router.lacinet] /tool sniffer packet> print detail
 0 time=2.074 num=1 direction=rx src-mac=00:01:5C:AB:A6:45 dst-mac=B8:69:F4:09:BE:F9 interface=ether5-wan
   src-address=192.168.19.254 dst-address=192.168.14.254 protocol=ip ip-protocol=icmp size=70 cpu=0 fp=no ip-packet-size=56
   ip-header-size=20 dscp=0 identification=16584 fragment-offset=0 ttl=64
[gandalf@router.lacinet] /tool sniffer packet> print raw
 0 time=2.074 interface=ether5-wan direction=rx data=
     0000: b8 69 f4 09 be f9 00 01  5c ab a6 45 08 00 45 00  .i...... \..E..E.
     0010: 00 38 40 c8 00 00 40 01  95 b0 c0 a8 13 fe c0 a8  .8@...@. ........
     0020: 0e fe 00 00 d8 11 98 00  2d 05 ad dd af aa 03 8c  ........ -.......
     0030: 8d 5a 31 90 19 e8 a6 c2  a9 01 a7 69 6c ab fd 11  .Z1..... ...il...
     0040: d6 17 09 10 e8 ed

And

[gandalf@r01.magnet] /tool sniffer packet> print detail
 0 time=4.663 num=1 direction=rx src-mac=00:01:5C:AB:A6:45 dst-mac=08:55:31:E7:F3:6B interface=ether5-wan
   src-address=192.168.14.254 dst-address=192.168.19.254 protocol=ip ip-protocol=icmp size=70 cpu=0 fp=no ip-packet-size=56
   ip-header-size=20 dscp=0 identification=24890 fragment-offset=0 ttl=255
[gandalf@r01.magnet] /tool sniffer packet> print raw
 0 time=4.663 interface=ether5-wan direction=rx data=
     0000: 08 55 31 e7 f3 6b 00 01  5c ab a6 45 08 00 45 00  .U1..k.. \..E..E.
     0010: 00 38 61 3a 00 00 ff 01  b6 3d c0 a8 0e fe c0 a8  .8a:.... .=......
     0020: 13 fe 08 00 d0 11 98 00  2d 05 ad dd af aa 03 8c  ........ -.......
     0030: 8d 5a 31 90 19 e8 a6 c2  a9 01 a7 69 6c ab fd 11  .Z1..... ...il...
     0040: d6 17 09 10 e8 ed                                 ......
[gandalf@r01.magnet] /tool sniffer packet>

Unfortunately, I cannot use wireshark, especially on the remote site. (I have no physical access to that site right now, port mirroring is not an option).

I do not know enough to interpret these packets in hex form, it is possible to paste them for example here: https://hpd.gasmi.net/

Hex codes extracted:

b8 69 f4 09 be f9 00 01  5c ab a6 45 08 00 45 00  
00 38 40 c8 00 00 40 01  95 b0 c0 a8 13 fe c0 a8  
0e fe 00 00 d8 11 98 00  2d 05 ad dd af aa 03 8c  
8d 5a 31 90 19 e8 a6 c2  a9 01 a7 69 6c ab fd 11  
d6 17 09 10 e8 ed

And

08 55 31 e7 f3 6b 00 01  5c ab a6 45 08 00 45 00  
00 38 61 3a 00 00 ff 01  b6 3d c0 a8 0e fe c0 a8  
13 fe 08 00 d0 11 98 00  2d 05 ad dd af aa 03 8c  
8d 5a 31 90 19 e8 a6 c2  a9 01 a7 69 6c ab fd 11  
d6 17 09 10 e8 ed

sindy · Mon Feb 21, 2022 9:46 am

Wireshark can import hex dumps, the result is as follows:

Request:

(frame header, Ethernet header - not important)
Internet Protocol Version 4, Src: 192.168.14.254, Dst: 192.168.19.254
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 56
    Identification: 0x613a (24890)
    Flags: 0x00
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 255
    Protocol: ICMP (1)
    Header Checksum: 0xb63d [correct]
    [Header checksum status: Good]
    [Calculated Checksum: 0xb63d]
    Source Address: 192.168.14.254
    Destination Address: 192.168.19.254
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0xd011 [correct]
    [Checksum Status: Good]
    Identifier (BE): 38912 (0x9800)
    Identifier (LE): 152 (0x0098)
    Sequence Number (BE): 11525 (0x2d05)
    Sequence Number (LE): 1325 (0x052d)
    [Response frame: 2]
    Data (28 bytes)

Response:

(frame header, Ethernet header - not important)
Internet Protocol Version 4, Src: 192.168.19.254, Dst: 192.168.14.254
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 56
    Identification: 0x40c8 (16584)
    Flags: 0x00
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: ICMP (1)
    Header Checksum: 0x95b0 [correct]
    [Header checksum status: Good]
    [Calculated Checksum: 0x95b0]
    Source Address: 192.168.19.254
    Destination Address: 192.168.14.254
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0
    Checksum: 0xd811 [correct]
    [Checksum Status: Good]
    Identifier (BE): 38912 (0x9800)
    Identifier (LE): 152 (0x0098)
    Sequence Number (BE): 11525 (0x2d05)
    Sequence Number (LE): 1325 (0x052d)
    [Request frame: 1]
    [Response time: 0,001 ms]
    Data (28 bytes)

ICMP identifiers match, ICMP Sequence Numbers match. The Salim Gasmi's online decoder would have shown you the same.

All in all, I'd recommend to open a ticket at Mikrotik support with a brief description, supout.rif from both routers, and a link to this topic.

nagylzs · Mon Feb 21, 2022 10:16 am

SUP-75097 created, thank you for your help!

nagylzs · Tue Feb 22, 2022 5:30 pm

I got an answer within a day, but I think they did not understand the problem.

Hello,

I suspect the issue is with routing/bridging configuration. Your current setup is kind of a mess. I would suggest removing the gateway=ipsec routes which are not valid in the first place. And if you require the traffic to be sent directly out of the router, NAT should be used instead to change the source address. There are a lot of things to go wrong in your current configuration.

Emīls Z.

First of all, the ipsec routes are not only valid, but they are required for ipsec to work. Then there is the sentence about "if you require the traffic to be send directy out of the router" - I'm not sure why he thinks that this is what I want? I want (and already achieved) the exact opposite. I'm affraid they do not have the time to examine this case.

sindy · Tue Feb 22, 2022 5:40 pm

I'm affraid they do not have the time to examine this case.

With the neverending stream of RouterOS 7.x is issues pouring in, you may well be right that this niche case may get less attention right now.

It would likely need to replicate the configuration and reduce it to the bare bone, so that nothing distracts attention when reading the configuration, and maybe use other routes towards the private subnets for the same reason. I feel it makes little sense to replicate that on a pair of CHRs (in terms that it will probably work there), but if you can do that, please try, using the same private subnets.

tamagochi · Mon Feb 28, 2022 1:10 am

My idea is active connection tracking. Conntrack not see original packets addresses on router output chain (eg. ping echo request source, destination), only encoded IPSEC ESP addresses.
Packets twice run on over prerouting chain, on first replied encrypted ESP data , on second phase decrypted reply packet. Here listen connection tracking to matching.traffic.
After second phase, conntrack not known who requested this packet, only just see an answer and cant match source destination address pairs for connection state established.
Tip is connection state invalid and packet dropped.
Try disable conntrack on RAW prerouting chain with ipsec policy filter ipsec-in,ipsec action notrack, and RAW output chain ipsec-out ipsec action notrack.

nagylzs · Mon Feb 28, 2022 7:26 pm

Tip is connection state invalid and packet dropped.
Try disable conntrack on RAW prerouting chain with ipsec policy filter ipsec-in,ipsec action notrack, and RAW output chain ipsec-out ipsec action notrack.

In my last tests, "/ip firewall raw" was empty, and my input chain started like this:

 /ip firewall filter> print chain=input
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; x
      chain=input action=accept protocol=icmp src-address=192.168.19.254

 1    ;;; Allow IKEv2 500, IKEv2 NAT-T 4500, L2TP 1701
      chain=input action=accept protocol=udp port=500,4500,1701

 2    ;;; Allow IPSEC/ESP (also used below L2TP/UDP)
      chain=input action=accept protocol=ipsec-esp

 3    ;;; Accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 4    ;;; Drop invalid
      chain=input action=drop connection-state=invalid

The ICMP accept rule and the ipsec accept rule precedes the "drop connection-state=invalid" rule. In theory, even invalid-state packets should have gone through.

But at this point, I'm open to any suggestion, so I tried anyway.

/ip firewall raw add chain=prerouting action=notrack ipsec-policy=in,ipsec
/ip firewall raw add chain=output action=notrack ipsec-policy=out,ipsec
/ping 192.168.19.254
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.19.254                                          timeout
    1 192.168.19.254                                          timeout
    sent=2 received=0 packet-loss=100%

It has no effect

nagylzs · Mon Feb 28, 2022 7:29 pm

I'm thinking about buying a RB5009 router and replace router1 in this setup with that. It is also arm based (like HAP AC2), but it has routeros 7 installed.

Do you think that might fix this problem?

I'm a bit affraid of that device because ROS v7.0 is not really stable. I know, it is said to be stable, but I have heard that there are still many problems with v7.0.

sindy · Mon Feb 28, 2022 7:44 pm

After second phase, conntrack not known who requested this packet, only just see an answer and cant match source destination address pairs for connection state established.

In order to be dropped by the action=drop connection-state=invalid rule, the packet would have to be a TCP one (where session state can be tracked) or a GRE one (because there is currently a bug in connection tracking that marks some GRE packets with connection-state=invalid).

Connection tracking handles received packets still before routing, so if @nagylzs had some sort of assigning a routing-mark based on connection-mark, the response packet could be misrouted due to some error in this, but since the destination address of the ICMP echo response extracted from the IPsec transport packet is an address of the router itself, this is also not a plausible reason.

tamagochi · Thu Mar 03, 2022 10:53 am

Thanks sindy and nagyizs for analyzing and try my faulting tip.
I will a second try.
The two ipaddress (192.168.19.254, 192.168.14.254) and IP endpoints of the tunnel sit on a vlan 99 tagged interface named BASE_VLAN so you are practically trying to transfer a L2 vlan through the L3 tunnel.
Which seems to work pretty much but in fact return response packets can't arrive with a VLAN ethernet header.
The packets appear in the firewall on the input chain but are dropped by the VLAN interface.
What makes it work sometimes? Maybe if L2TP VPN clients on both sides is connected, the routing will change. But the config is very complicated and I didn’t try to analyze it further.
How can the router is using another router DNS service?
Maybe a new loopback bridge with a new ipaddress or ipaddress on interface which not sit on vlan and a route into the tunnel could work on both sides, DNS resolver listen all interface.

sindy · Thu Mar 03, 2022 11:54 am

The two ipaddress (192.168.19.254, 192.168.14.254) and IP endpoints of the tunnel sit on a vlan 99 tagged interface named BASE_VLAN so you are practically trying to transfer a L2 vlan through the L3 tunnel.

That's not how it works. If a packet for an own IP address arrives to the router, the router handles it no matter whether it came through the particular interface to which that address is assigned or through another one. And IPsec policies match and intercept IP traffic solely by IP addresses, IP protocol (UDP, TCP, ...) and, where applicable, protocol ports.

tamagochi · Thu Mar 03, 2022 1:58 pm

Ahh.. It must have be lan communication the l2...
I knew in mikrotik router OS Ipsec determines which packets should or should not be tunneled after a sort of packet-switched policy match.
One question, needs adding policy matching for reply packet accept?

nagylzs · Thu Mar 03, 2022 10:30 pm

One question, needs adding policy matching for reply packet accept?

Short answer: you specify the policy for outgoing traffic, but it also works for incoming traffic.

When you create a policy, you always specify the outgoing direction (e.g. src-address is on the local side of the tunnel and dst-address is on the remote side). You do not need to specify the incoming part manually. When an ipsec tunnel is built, a pair of SAs is created. There is a separate encryption key for outgoing and incoming packets, and they are always in pairs. Otherwise two-way communication would be impossible. You can check this under /ip ipsec installed-sa menu, you will see that for every tunnel, there are two encryption keys created.

nagylzs · Sat Mar 05, 2022 11:01 pm

After almost two months, I have found a workaround! I figured out that the difference between this ipsec client (router02, "magzatom") and all the others is that only this client has vlans. So I guessed, if I create new addresses on both sides that do not belong to any vlan and bridge, then it might work.

On router1 (router.lacinet):

/ip address
add address=10.14.201.1/24 network=10.14.201.0 interface=ipsec comment=X
/ip route
add comment="VPN to magnet-X" distance=1 dst-address=10.19.201.0/24 gateway=ipsec pref-src=10.14.201.1
/ip ipsec policy
add comment=my.office.not.telling-X dst-address=10.19.0.0/16 group=group-magzatom proposal=proposal-s2s-ros src-address=\
    10.14.201.0/24 template=yes
/ip dns static
# These are the FWD rules to *.magnet , ".*\.19\.168\.192.\in-addr\.arpa" and ".*\.19\.10.\in-addr\.arpa"
set 7,8,9 forward-to=10.19.201.1

On router2 (r01.magnet):

add address=10.19.201.1/24 network=10.19.201.0 interface=ipsec comment=X
/ip route
add comment="VPN to lacinet-X" distance=1 dst-address=10.14.201.0/24 gateway=ipsec pref-src=10.19.201.1
/ip ipsec policy
add dst-address=10.14.201.0/24 peer=laci.my.office.not.telling proposal=proposal-s2s-ros src-address=10.19.0.0/16 tunnel=yes
/ip firewall filter
 add chain=input action=accept  protocol=udp dst-port=53 src-address=10.14.201.0/24 place-before=5 comment=X

And it works! For example, I can do a traceroute from a computer on lacinet LAN to another computer on magzatom LAN, and I can see all hostnames - it means that all reverse DNS lookups are working correctly:

C:\Users\nagyl>tracert nvr.magnet

Tracing route to nvr.magnet [10.19.30.10]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  router.lacinet [192.168.14.254]
  2    39 ms    38 ms    39 ms  r01.magnet [192.168.19.254]
  3    46 ms    49 ms    57 ms  nvr.magnet [10.19.30.10]

Trace complete.

So the workaround is to create a separate network and separate addresses on both sides, that are not part of any VLAN or bridge. Please note that it also works when the source address is on a (base/management) VLAN and the destination address is not on any VLAN (on the remote side).

I still don't understand why it does not work when both src and dst addresses are on VLANs.

But this workaround works!

nagylzs · Mon Mar 07, 2022 10:42 am

Surprise. It was working for more than a day. But suddenly, it stopped working. I see the same behaviour: the response packets come in, they hit the ACCEPT rule in the firewall, and then it acts like nothing happened: timeout.

nagylzs · Mon Mar 07, 2022 9:28 pm

Upgraded both sides to 7.1.3 and the same problem exists.

I think I'll replace IKEv2/IPSEC with wireguard now.

lorem · Wed Jun 19, 2024 4:22 am

Hello, I was wondering if after a couple of years anybody has found a solution to this. Seems the issue is still there, and even though ping is fine with the Pref. Source route, DNS queries won't get forwarded to the remote server albeit the FWD record.