I have a problem setting up port forwarding on my MikroTik devices to a Raspberry Pi running PiVPN (I also tried with an ASUS router that supports WireGuard, and the result was the same).
The MikroTik network devices were provided, and the initial setup done, by my ISP. I think I configured everything in line with the information I found on the Internet, but the VPN doesn't work. Additionally, the packet counters in RouterOS for both the filter rule I set up and the NAT rule stay at "0", so I assume something is wrong with the MikroTik config. As a side note, I have a static IP.
Any help will be appreciated. According to the PiVPN tutorials, the goal is to forward traffic arriving on port 51820 to the Raspberry Pi (192.168.88.86) on port 51820.
[user@MikroTik] > export hide-sensitive
# jan/30/2024 10:33:19 by RouterOS 6.45.9
# software id = IFC3-I6DH
#
# model = RBD52G-5HacD2HnD
# serial number = D7160CCDD84D
# Review: the lines below marked "Review" / "NOTE(review)" are comments only; they
# change nothing the export applies. The two findings to act on are the missing
# chain=input rules (see /ip firewall filter) and the unscoped dst-nat rule
# (see /ip firewall nat); the rest are verification hints.
/caps-man channel
add band=2ghz-g/n extension-channel=XX frequency=2437 name=2ghz
add band=5ghz-n/ac extension-channel=XXXX frequency=5180 name=5ghz
/interface bridge
add admin-mac=48:8F:5A:F0:49:F3 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
# WAN uplink: PPPoE session over ether1. pppoe-out1 is also added to the WAN
# interface list further down (/interface list member), as is ether1 itself.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=my_street_address
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-eC/gn(27dBm), SSID: MyWifiSSID, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-F049F7 \
wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: MyWifiSSID, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-F049F8 \
wireless-protocol=802.11
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man security
# NOTE(review): authentication-types still includes legacy wpa-psk next to wpa2-psk.
# Unless a specific client needs WPA1, wpa2-psk alone is the stronger setting.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=security1
/caps-man configuration
add channel=2ghz datapath=datapath1 datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes mode=ap name=2ghz security=security1 ssid=MyWifiSSID
add channel=5ghz channel.band=5ghz-a/n/ac country=germany datapath=datapath1 datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes mode=ap name=5ghz security=security1 \
ssid=MyWifiSSID
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=2ghz
add action=create-dynamic-enabled hw-supported-modes=an,ac master-configuration=5ghz
/interface bridge port
# ether2-ether5 and both wlan interfaces are bridge ports; note that ether2 also
# carries the router's LAN IP address below (/ip address).
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
# WAN list = ether1 + pppoe-out1; LAN list = bridge. The firewall rules below match
# on these lists, so the lists decide which traffic counts as "from WAN".
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireless cap
#
# Local CAP pointing at this router's own CAPsMAN (192.168.88.1 is the address in
# /ip address below).
set bridge=bridge caps-man-addresses=192.168.88.1 enabled=yes interfaces=wlan2,wlan1
/ip address
# NOTE(review): this address is bound to ether2, which is itself a bridge port (see
# /interface bridge port); the defconf places it on the bridge instead. Check
# "/ip address print" for an invalid (I) flag on this entry before debugging NAT,
# and if flagged, move it to interface=bridge.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
# NOTE(review): a DHCP client and the PPPoE client both sit on ether1, and both are
# in the WAN list. If the upstream ISP device hands out a lease, the router may end
# up with two default routes — confirm with "/ip route print".
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
# Static lease for the Raspberry Pi (192.168.88.86), the dst-nat target below.
add address=192.168.88.86 client-id=1:b8:27:eb:88:35:80 mac-address=B8:27:EB:88:35:80 server=defconf
add address=192.168.88.75 client-id=1:c8:7f:54:3f:c4:0 mac-address=C8:7F:54:3F:C4:00 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The resolver answers remote queries; with no chain=input rules (see below) this
# is reachable from WAN as well.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Review: this export contains no chain=input rules at all, so nothing limits who
# can reach the router's own services (management, DNS, CAPsMAN) from WAN. The
# RouterOS 6.4x defconf baseline for chain=input is: accept
# connection-state=established,related,untracked; drop connection-state=invalid;
# accept protocol=icmp; drop in-interface-list=!LAN. Restoring it is the first fix.
#
# Review: every defconf chain=forward rule below is disabled=yes, so the forward
# chain currently accepts everything and the udp/51820 accept rule at the end has
# no effect until "drop all from WAN not DSTNATed" is enabled again.
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
# This rule has no other matchers, so a packet counter of 0 here means no UDP/51820
# packet arrived on ether1 or pppoe-out1 at all — that points to the path upstream
# of this router (ISP device / PPPoE side) rather than to the NAT rule. Treat this
# as a lead to verify, not a conclusion.
add action=accept chain=forward dst-port=51820 in-interface-list=WAN protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): unlike the masquerade rule (out-interface-list=WAN), this dst-nat
# rule is not scoped to an interface, so it also rewrites LAN-originated traffic to
# any destination on UDP/51820. Add in-interface-list=WAN (or dst-address=<your WAN
# IP>) so only inbound WAN traffic is redirected to the Pi.
add action=dst-nat chain=dstnat dst-port=51820 protocol=udp to-addresses=192.168.88.86 to-ports=51820
/system clock
set time-zone-name=Europe/Berlin