Using a wireguard VPN, access servers that are in a vlan.
Posted: Fri Mar 15, 2024 2:19 am
Hello everyone, first I would like to make it clear that I am new to Mikrotik, I don't speak English, I use Google Translate. I apologize for any errors in translation. I have a smart home system, with several IoT devices, cameras, servers, home WiFi, guest WiFi, 2 internet links, 1 with public IP and the other CGNAT.
I decided to invest in something better for my network, safe and reliable, I opted for: 01 - HapAX3, 02 - CAP-ac, 01-managed switch TP-LINK
So after some time learning Mikrotik, I started putting things to work (everything working perfectly, with wireguard and recursive route), and then it was time for the second step. I want to segment my network into 04 vlans, example: vlan-10(home wifi) vlan-20(guest wifi), vlan-30(iot devices), vlan-40(servers).
At the moment I have the following problem, using my cell phone connected via wireguard, I cannot access my services/servers that are in a vlan. I've struggled with several firewall rules, but I still haven't been able to understand which access bars.
The scenario is this:
OBSERVATION. Despite having 1 public IP, I use a CHR running in the cloud to allow the recursive route of the second link (LTE 5G).
(smartphones outside the network, connected wireguard) -------> (CHR V7.14 running on Oracle - Wireguard Server) < -------- (HapAx3 from my house - connected to Wireguard Server on Oracle )
If anyone understands this and can help me I would be very grateful.
I decided to invest in something better for my network, safe and reliable, I opted for: 01 - HapAX3, 02 - CAP-ac, 01-managed switch TP-LINK
So after some time learning Mikrotik, I started putting things to work (everything working perfectly, with wireguard and recursive route), and then it was time for the second step. I want to segment my network into 04 vlans, example: vlan-10(home wifi) vlan-20(guest wifi), vlan-30(iot devices), vlan-40(servers).
At the moment I have the following problem, using my cell phone connected via wireguard, I cannot access my services/servers that are in a vlan. I've struggled with several firewall rules, but I still haven't been able to understand which access bars.
The scenario is this:
OBSERVATION. Despite having 1 public IP, I use a CHR running in the cloud to allow the recursive route of the second link (LTE 5G).
(smartphones outside the network, connected wireguard) -------> (CHR V7.14 running on Oracle - Wireguard Server) < -------- (HapAx3 from my house - connected to Wireguard Server on Oracle )
If anyone understands this and can help me I would be very grateful.
Code: Select all
# 2024-03-08 10:04:35 by RouterOS 7.14
# software id = **ELIDED**
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge \
port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="LINK 1" name=ether1-LINK-1-VIA
set [ find default-name=ether2 ] comment="LINK 2" name=ether2-LINK-2-TIM-4G
set [ find default-name=ether5 ] name=ether5-SWITCH-TPLINK
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard2
/interface vlan
add interface=bridge name=vlan1-starlink-10 vlan-id=10
add interface=bridge name=vlan2-cft-20 vlan-id=20
add interface=bridge name=vlan3-iot-30 vlan-id=30
add interface=bridge name=vlan4-gerencia-50 vlan-id=50
add interface=bridge name=vlan5-servers-80 vlan-id=80
add interface=bridge name=vlan6-wifi-visitantes-100 vlan-id=100
/interface pppoe-client
add allow=chap,mschap1,mschap2 dial-on-demand=yes disabled=no interface=\
ether1-LINK-1-VIA name=pppoe-VIA user=**ELIDED**
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="LINKS INTERNET" name=WAN-LINKS
add name=Interfaces-Seguras
add name=VLAN-30
/interface wifi channel
add band=5ghz-ax disabled=no name=ch-5-ax skip-dfs-channels=all width=\
20/40/80mhz
add band=5ghz-ac disabled=no name=ch-5-ac skip-dfs-channels=all width=\
20/40mhz
add band=2ghz-n disabled=no name=ch-2-n width=20mhz
add band=2ghz-ax disabled=no name=ch-2-ax width=20mhz
/interface wifi datapath
add bridge=bridge disabled=no name=data-starlink
add client-isolation=yes disabled=no name=data-visitantes vlan-id=100
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
name=starlink
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
name=starlink-visitantes
/interface wifi configuration
add channel=ch-2-ax comment=CONF-STARLINK country=Brazil datapath=\
data-starlink disabled=no mode=ap name=cfg-2-starlink-ax security=\
starlink ssid=STARLINK
add channel=ch-2-ax comment=CONF-VISITANTES country=Brazil datapath=\
data-visitantes disabled=no mode=ap name=cfg-2-visitantes-ax security=\
starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-5-ax comment=CONF-STARLINK country=Brazil datapath=\
data-starlink disabled=no mode=ap name=cfg-5-starlink-ax security=\
starlink ssid=STARLINK
add channel=ch-5-ax comment=CONF-VISITANTES country=Brazil datapath=\
data-visitantes disabled=no mode=ap name=cfg-5-visitantes-ax security=\
starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-5-ac comment=CONF-VISITANTES country=Brazil datapath=\
data-visitantes disabled=no mode=ap name=cfg-5-visitantes-ac security=\
starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-5-ac comment=CONF-STARLINK country=Brazil datapath=\
data-starlink disabled=no mode=ap name=cfg-5-starlink-ac security=\
starlink ssid=STARLINK
add channel=ch-2-n comment=CONF-VISITANTES country=Brazil datapath=\
data-visitantes disabled=no mode=ap name=cfg-2-visitantes-n security=\
starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-2-n comment=CONF-STARLINK country=Brazil datapath=\
data-starlink disabled=no mode=ap name=cfg-2-starlink-n security=starlink \
ssid=STARLINK
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration=cfg-5-starlink-ax configuration.manager=local .mode=ap \
disabled=no
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
configuration=cfg-2-starlink-ax configuration.manager=local .mode=ap \
disabled=no
/ip firewall layer7-protocol
add name=YouTube regexp="^.+(youtube.com).*\$"
add comment=Facebook name=Facebook regexp="^.+(facebook.com).*\$"
/ip kid-control
add disabled=yes fri=0s-1d mon=5h-22h name=Pedro rate-limit=100M sat=0s-1d \
sun=5h-22h thu=5h-22h tue=5h-22h wed=5h-22h
add disabled=yes fri=7h-12h5m name=Marcio rate-limit=100M thu=7h-9h27m
add disabled=yes fri=0s-1d mon=5h-22h name="TV - Pedro" rate-limit=100M sat=\
0s-1d sun=5h-22h thu=5h-22h tue=5h-22h wed=5h-22h
add disabled=yes fri=0s-1d mon=4h-22h name=DELL rate-limit=100m sat=0s-1d \
sun=4h-22h thu=4h-22h tue=4h-22h wed=4h-22h
add disabled=yes fri=0s-1d mon=5h-22h name="Notebook - Pedro" rate-limit=100M \
sat=0s-1d sun=5h-22h thu=5h-22h tue=5h-22h wed=5h-22h
/ip pool
add name=dhcp-bridge-local ranges=192.168.88.2-192.168.88.254
add name=WireGuard-VPN ranges=10.50.0.0/24
add name=dhcp_pool-vlan-gerencia ranges=50.50.50.2-50.50.50.6
add name=dhcp_pool13 ranges=20.20.20.2-20.20.20.14
add name=dhcp_pool14 ranges=30.30.30.2-30.30.30.14
add name=dhcp_pool15 ranges=80.80.80.2-80.80.80.14
add name=dhcp_pool16 ranges=100.100.100.2-100.100.100.14
add name=dhcp_pool17 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp-bridge-local interface=bridge lease-time=\
10m name=defconf
add address-pool=dhcp_pool-vlan-gerencia interface=vlan4-gerencia-50 name=\
dhcp-vlan-gerencia-50
add address-pool=dhcp_pool13 interface=vlan2-cft-20 name=dhcp1
add address-pool=dhcp_pool14 interface=vlan3-iot-30 name=dhcp2
add address-pool=dhcp_pool15 interface=vlan5-servers-80 name=dhcp3
add address-pool=dhcp_pool16 interface=vlan6-wifi-visitantes-100 name=dhcp4
add address-pool=dhcp_pool17 interface=vlan1-starlink-10 name=dhcp5
/queue simple
add max-limit=20M/20M name=Controle-Banda-Wifi-Visitante target=10.10.10.0/26
add disabled=yes max-limit=1M/1M name=Controle-Banda-VPN target=""
add dst=ether2-LINK-2-TIM-4G max-limit=1k/1k name=\
"Limita o tr\E1fego do YOUTUBE" packet-marks=mc_youtube target=""
add comment="CONTROLE DE BANDA" disabled=yes max-limit=100M/200M name=\
Controle-Banda-VIA-100M queue=pcq-upload-default/pcq-download-default \
target=""
/interface bridge port
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=ether5-SWITCH-TPLINK \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
path-cost=10
add bridge=bridge disabled=yes interface=*10 pvid=100
add bridge=bridge disabled=yes interface=*11 pvid=100
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!WAN-LINKS
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="-------------- VLAN WIFI HOME --------------" \
tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=10
add bridge=bridge comment="-------------- VLAN GERENCIA -------------" \
tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=50
add bridge=bridge comment="-------------- VLAN VISITANTES -------------" \
tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=100
add bridge=bridge comment="-------------- VLAN IOT -------------" tagged=\
bridge,ether5-SWITCH-TPLINK vlan-ids=30
add bridge=bridge comment="-------------- VLAN SERVERS -------------" tagged=\
bridge,ether5-SWITCH-TPLINK vlan-ids=80
add bridge=bridge comment="-------------- VLAN CFTV -------------" tagged=\
bridge,ether5-SWITCH-TPLINK vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-LINK-1-VIA list=WAN
add comment=defconf interface=ether1-LINK-1-VIA list=WAN-LINKS
add interface=pppoe-VIA list=WAN-LINKS
add interface=ether2-LINK-2-TIM-4G list=WAN-LINKS
add interface=pppoe-VIA list=WAN
add interface=bridge list=Interfaces-Seguras
add interface=*A list=LAN
add interface=wireguard2 list=LAN
add interface=*10 list=VLAN-30
add interface=*11 list=VLAN-30
add interface=vlan3-iot-30 list=VLAN-30
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=\
cfg-5-visitantes-ac slave-configurations=cfg-2-starlink-n \
supported-bands=5ghz-ac
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Mikrotik-CHR-V7-Oracle -" \
endpoint-address=XX.XX.XX.XX endpoint-port=13232 interface=wireguard2 \
persistent-keepalive=20s public-key=\
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.100.2/24 interface=wireguard2 network=192.168.100.0
add address=100.100.100.1/28 interface=vlan6-wifi-visitantes-100 network=\
100.100.100.0
add address=192.168.0.2 interface=ether2-LINK-2-TIM-4G network=192.168.0.1
add address=50.50.50.1/29 interface=vlan4-gerencia-50 network=50.50.50.0
add address=10.10.10.1/24 interface=vlan1-starlink-10 network=10.10.10.0
add address=30.30.30.1/28 interface=vlan3-iot-30 network=30.30.30.0
add address=20.20.20.1/28 interface=vlan2-cft-20 network=20.20.20.0
add address=80.80.80.1/28 interface=vlan5-servers-80 network=80.80.80.0
/ip arp
add address=192.168.88.6 comment="//// Poco - Marcio ////" interface=bridge \
mac-address=88:52:EB:77:5D:C8
add address=192.168.88.12 comment="//// Poco - Pedro ////" interface=bridge \
mac-address=A4:55:90:DA:1F:26
add address=192.168.88.66 interface=bridge mac-address=5A:00:XX:BC:FE:C7
add address=192.168.88.11 comment="//// Notebook - Pedro ////" interface=\
bridge mac-address=0A:D1:6F:9B:DD:62
add address=192.168.88.91 comment="//// OPI-02(HA - Node-red) ////" \
interface=bridge mac-address=6E:6E:F6:D3:58:0B
add address=192.168.88.90 comment="//// OPI-01- (Esp-Home - Frigate ) ////" \
interface=bridge mac-address=2E:2B:1A:EC:47:AF
add address=192.168.88.92 comment="//// OPI-03 - (Traccar) ////" interface=\
bridge mac-address=86:2C:1A:E7:F8:63
add address=192.168.88.51 comment="//// TV - Casal ////" disabled=yes \
interface=bridge mac-address=E8:F2:E2:3B:B6:3E
add address=192.168.88.47 comment=XBOX interface=bridge mac-address=\
28:18:78:82:F6:99
add address=192.168.88.15 comment="//// Redmi - Christiane ////" interface=\
bridge mac-address=1C:CC:D6:0A:13:3A
add address=192.168.88.93 interface=bridge mac-address=02:03:92:53:F7:8F
add address=192.168.88.68 comment=ESP-Garagem interface=bridge mac-address=\
C4:5B:BE:65:6E:37
add address=192.168.88.13 comment=Amazon interface=bridge mac-address=\
44:D5:CC:ED:9B:49
add address=192.168.88.33 comment="//// Alexa Quarto do Pedro ////" \
interface=bridge mac-address=2C:71:FF:F9:1B:C9
add address=192.168.88.249 comment="//// Camera Xiaov ////" interface=bridge \
mac-address=B4:FB:E3:28:77:CA
add address=192.168.88.247 comment="//// Camera Xiaov ////" interface=bridge \
mac-address=B4:FB:E3:28:65:B4
add address=192.168.88.3 comment=ESP32-C3-Bat interface=bridge mac-address=\
7C:DF:A1:B6:4B:E0
add address=192.168.88.199 comment=T-Relay interface=bridge mac-address=\
44:17:93:4B:27:74
add address=192.168.88.67 comment=KC868-A4-Garagem interface=bridge \
mac-address=C4:DD:57:C7:78:F4
add address=192.168.88.188 interface=bridge mac-address=2E:2B:1A:EC:47:AF
add address=192.168.88.88 comment=OpenSuse-HA interface=bridge mac-address=\
64:1C:67:A0:43:8B
add address=192.168.88.50 comment="//// Fire Stik ////" interface=bridge \
mac-address=90:39:5F:A3:A3:E7
add address=192.168.88.45 comment="//// Hub Tuya ////" interface=bridge \
mac-address=50:8A:06:3C:12:DF
add address=192.168.88.186 comment="//// Adaptador Wifi Epson ////" \
interface=bridge mac-address=2A:1F:E4:2C:25:EF
add address=192.168.88.161 comment=\
"//// notebook - starlink 2.4 - epson ////" interface=bridge mac-address=\
58:00:E3:BC:71:C7
add address=192.168.88.164 comment="//// Dell - Ethernet ////" interface=\
bridge mac-address=84:7B:EB:FD:CF:CD
add address=192.168.88.177 comment="//// EspHome - Mini - APC220 ////" \
interface=bridge mac-address=98:CD:AC:30:47:04
add address=192.168.88.179 comment=ESP32-C3 interface=bridge mac-address=\
D2:BF:75:94:3A:8B
add address=192.168.88.34 comment="//// Alexa 4 - Sala ////" interface=bridge \
mac-address=90:39:5F:EF:91:D3
add address=192.168.88.78 interface=bridge mac-address=00:80:92:D0:F2:24
add address=192.168.88.180 comment=ESP32-Lora-Lilygo interface=bridge \
mac-address=E8:6B:EA:25:20:88
add address=192.168.88.7 comment="//// E1 Pro - Garagem - WIFI - 5Ghz ////" \
interface=bridge mac-address=38:C8:04:46:AD:E0
add address=192.168.88.74 comment="//// Reolink -Lado Direito ////" \
interface=bridge mac-address=EC:71:DB:A3:51:74
add address=192.168.88.89 comment=RPI3-01 interface=bridge mac-address=\
B8:27:EB:DB:37:B1
add address=192.168.88.233 interface=bridge mac-address=28:C2:DD:3B:DD:85
add address=192.168.88.100 comment="//// Router INTELBRAS ////" interface=\
bridge mac-address=80:8F:E8:9E:44:E2
add address=192.168.88.75 comment="//// Reolink - Lado Esquerdo ////" \
interface=bridge mac-address=EC:71:DB:8E:AC:86
add address=192.168.88.8 interface=bridge mac-address=EC:71:DB:95:FF:5A
add address=50.50.50.3 interface=vlan4-gerencia-50 mac-address=\
48:8F:5A:0A:74:60
/ip dhcp-client
add comment=defconf interface=ether1-LINK-1-VIA
/ip dhcp-server lease
add address=192.168.88.67 comment="//// kc868-a4 - EPS32 ////" mac-address=\
58:00:E3:BC:71:C7 server=defconf use-src-mac=yes
add address=192.168.88.247 client-id=1:b4:fb:e3:28:65:b4 mac-address=\
B4:FB:E3:28:65:B4 server=defconf
add address=192.168.88.249 client-id=1:b4:fb:e3:28:77:ca mac-address=\
B4:FB:E3:28:77:CA server=defconf
add address=192.168.88.51 client-id=1:e8:f2:e2:3b:b6:3e comment=\
"//// TV - Casal ////" mac-address=E8:F2:E2:3B:B6:3E server=defconf \
use-src-mac=yes
add address=192.168.88.52 client-id=1:40:2f:86:31:30:e0 comment=\
"//// TV LG - Pedro ////" mac-address=40:2F:86:31:30:E0 server=defconf \
use-src-mac=yes
add address=192.168.88.47 client-id=1:28:18:78:82:f6:99 comment=XBOX \
mac-address=28:18:78:82:F6:99 server=defconf
add address=192.168.88.10 client-id=1:b8:27:eb:97:aa:21 mac-address=\
B8:27:EB:97:AA:21 server=defconf
add address=192.168.88.69 client-id=1:14:de:39:81:b9:9e comment=\
"//// Huawei - Router ////" mac-address=14:DE:39:81:B9:9E server=defconf
add address=192.168.88.12 client-id=1:56:d3:de:79:f4:63 comment=\
"//// Poco PHST ////" mac-address=56:D3:DE:79:F4:63 server=defconf \
use-src-mac=yes
add address=192.168.88.15 client-id=1:1c:cc:d6:a:13:3a comment=\
"//// Redmi - Christiane ////" mac-address=1C:CC:D6:0A:13:3A server=\
defconf
add address=192.168.88.65 comment="//// Tuya Smart Inc. ////" mac-address=\
50:8A:06:3C:12:DF server=defconf
add address=192.168.88.222 comment="//// Alexa - Sala ////" mac-address=\
90:A8:22:0D:76:EE server=defconf
add address=192.168.88.30 comment="//// Tuya Smart Inc. ////" mac-address=\
84:E3:42:B8:13:4C server=defconf
add address=192.168.88.31 comment="//// Tuya Smart Inc. ////" mac-address=\
84:E3:42:B8:B9:72 server=defconf
add address=192.168.88.28 comment=" ////Tuya Smart Inc. ////" mac-address=\
84:E3:42:BE:17:D7 server=defconf
add address=192.168.88.5 comment="////Alexa - Casal ////" mac-address=\
34:AF:B3:16:53:97 server=defconf
add address=192.168.88.3 client-id=1:7c:df:a1:b6:4b:e0 comment=ESP32-C3-Bat \
mac-address=7C:DF:A1:B6:4B:E0 server=defconf
add address=192.168.88.13 comment="//// Alexa Cozinha ////" mac-address=\
44:D5:CC:ED:9B:49 server=defconf
add address=192.168.88.78 client-id=1:0:80:92:d0:f2:24 comment=\
"//// Silex Technology, Inc. ////" mac-address=00:80:92:D0:F2:24 server=\
defconf
add address=192.168.88.6 comment="//// Poco - Marcio ////" mac-address=\
88:52:EB:77:5D:C8 server=defconf use-src-mac=yes
add address=192.168.88.11 comment="//// Notebook - Pedro ////" mac-address=\
00:D7:6D:9B:F7:62 server=defconf use-src-mac=yes
add address=192.168.88.90 comment=OPI-01 mac-address=2E:2B:1A:EC:47:AF \
server=defconf use-src-mac=yes
add address=192.168.88.92 mac-address=86:2C:1A:E7:F8:63 server=defconf \
use-src-mac=yes
add address=192.168.88.93 comment=TANIX-TX6 mac-address=02:03:92:53:F7:8F \
server=defconf use-src-mac=yes
add address=192.168.88.68 comment=ESP-Garagem mac-address=C4:5B:BE:65:6E:37 \
server=defconf use-src-mac=yes
add address=192.168.88.188 mac-address=2E:2B:1A:EC:47:AF server=defconf
add address=192.168.88.91 comment="//// OPI-02 (HA - Node-red) ////" \
mac-address=6E:6E:F6:D3:58:0B server=defconf
add address=192.168.88.88 comment=TKC-01 mac-address=64:1C:67:A0:43:8B \
server=defconf
add address=192.168.88.50 comment="//// Fire Stick ////" mac-address=\
90:39:5F:A3:A3:E7 server=defconf
add address=192.168.88.168 comment="//// Adaptador wifi Epson ////" \
mac-address=2A:1F:E4:2C:25:EF server=defconf
add address=192.168.88.161 comment="//// Notebook- starlink 2.4 - epson ////" \
mac-address=58:00:E3:BC:71:C7 server=defconf
add address=192.168.88.164 comment="//// Dell - Ehernet ////" mac-address=\
84:7B:EB:FD:CF:CD server=defconf
add address=192.168.88.177 comment="//// EspHome - Mini - APC220 ////" \
mac-address=98:CD:AC:30:47:04 server=defconf
add address=192.168.88.179 comment=ESP32-C3 mac-address=D2:BF:75:94:3A:8B \
server=defconf
add address=192.168.88.34 comment="//// Alexa 4 - Sala ////" mac-address=\
90:39:5F:EF:91:D3 server=defconf
add address=192.168.88.180 comment=ESP32-Lora-Lilygo mac-address=\
E8:6B:EA:25:20:88 server=defconf
add address=192.168.88.74 client-id=1:ec:71:db:a3:51:74 comment=\
"//// Reolink - Lado Direito ////" mac-address=EC:71:DB:A3:51:74 server=\
defconf
add address=192.168.88.89 comment=RPI3-01 mac-address=B8:27:EB:DB:37:B1 \
server=defconf
add address=192.168.88.233 mac-address=28:C2:DD:3B:DD:85 server=defconf
add address=192.168.88.100 comment="//// Router INTELBRAS ////" mac-address=\
80:8F:E8:9E:44:E2 server=defconf use-src-mac=yes
add address=192.168.88.75 comment="//// Reolink - Lado Esquerdo ////" \
mac-address=EC:71:DB:8E:AC:86 server=defconf
add address=192.168.88.33 comment="//// Alexa Quarto Pedro ////" mac-address=\
2C:71:FF:F9:1B:C9 server=defconf
add address=192.168.88.8 client-id=1:ec:71:db:95:ff:5a mac-address=\
EC:71:DB:95:FF:5A server=defconf
add address=192.168.88.16 client-id=1:50:91:e3:d9:48:6c mac-address=\
50:91:E3:D9:48:6C server=defconf
add address=192.168.88.14 client-id=1:38:c8:4:29:f2:a9 mac-address=\
38:C8:04:29:F2:A9 server=defconf
add address=192.168.88.7 client-id=1:38:c8:4:46:ad:e0 comment=\
"E1-PRO - GARAGEM" mac-address=38:C8:04:46:AD:E0 server=defconf
add address=50.50.50.3 client-id=1:48:8f:5a:a:74:60 comment=\
"----------------------------- CAP-ac-01 -----------------------------" \
mac-address=48:8F:5A:0A:74:60 server=dhcp-vlan-gerencia-50
/ip dhcp-server network
add address=10.1.0.0/29 gateway=10.1.0.0
add address=10.10.10.0/26 gateway=10.10.10.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.20.20.0/28 gateway=10.20.20.0
add address=10.30.30.0/26 gateway=10.30.30.0
add address=10.50.50.0/28 gateway=10.50.50.0
add address=10.90.90.0/29 dns-server=8.8.4.4 gateway=10.90.90.0
add address=10.90.90.0/28 dns-server=192.168.88.91 gateway=10.90.90.1
add address=20.20.20.0/28 dns-server=20.20.20.1 gateway=20.20.20.1
add address=30.30.30.0/28 dns-server=30.30.30.1 gateway=30.30.30.1
add address=50.50.50.0/29 dns-server=50.50.50.1 gateway=50.50.50.1
add address=80.80.80.0/28 dns-server=80.80.80.1 gateway=80.80.80.1
add address=100.100.100.0/28 dns-server=100.100.100.1 gateway=100.100.100.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
add address=192.168.90.0/28 dns-server=192.168.88.91 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.88.91,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.91 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.161 list=" (SUPORTE-WINBOX)"
add address=50.50.50.4 list=" (SUPORTE-WINBOX)"
add list=PORTSCAN
add address=50.50.50.3 list=" (SUPORTE-WINBOX)"
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=add-dst-to-address-list address-list=SITES-BLOQUEADOS-LINK2-TIM \
address-list-timeout=5m chain=forward comment=\
"Adiciona ips do facebook no link 2 em uma blacklist " disabled=yes log=\
yes protocol=tcp tls-host=*facebook*
add action=drop chain=forward comment="Drop no youtube pelo link 2 (TIM)" \
dst-address-list=SITES-BLOQUEADOS-LINK2-TIM
add action=drop chain=forward comment="DROP YOUTUBE LINK-2" disabled=yes \
layer7-protocol=YouTube log=yes log-prefix="TOUTUBE BLOQUEADO NO LINK 2"
add action=accept chain=forward comment="LIBERA YOUTUBE LINK-1" \
layer7-protocol=YouTube out-interface=pppoe-VIA
add action=fasttrack-connection chain=forward comment="***********************\
***** HABILITA O FASTTRACKER ****************************" disabled=yes \
hw-offload=yes in-interface=pppoe-VIA out-interface=bridge
add action=add-src-to-address-list address-list=PORTSCAN \
address-list-timeout=1w chain=input comment="PEGA MALANDRO - PORTSCAN" \
dst-port=23,25,80,110,1723,53,44,1883 in-interface-list=WAN-LINKS \
protocol=tcp
add action=add-src-to-address-list address-list=PORTSCAN \
address-list-timeout=1w chain=input comment="DETECTA - PORTSCAN" \
in-interface-list=WAN-LINKS protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="-------------------------- CONEXOES INVAL\
IDAS - DROP --------------------------" connection-state=invalid \
log-prefix="Conexoes Invalidas"
add action=accept chain=input comment=\
"ACEITA CONEXOES: estabelecidas,relacionadas" connection-state=\
established,related
add action=jump chain=input comment="ICMP - Passe pelo Controle - Chain ICMP" \
in-interface-list=WAN-LINKS jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="ACEITA: ICMP - Echo Reply " \
icmp-options=0:0-255 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Destination Unreachable" \
icmp-options=3:0-255 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Time Exceeded" icmp-options=\
11:0-255 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="ACEITA: ICMP - Echo Request" \
icmp-options=8:0-255 limit=10,5:packet protocol=icmp
add action=drop chain=ICMP comment="ICMP - ALL - DROP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=tarpit chain=input in-interface-list=WAN-LINKS log=yes protocol=\
tcp psd=21,3s,3,1
add action=accept chain=input comment="(LIBERA ACESSO AO WINBOX)" log=yes \
src-address-list=" (SUPORTE-WINBOX)"
add action=accept chain=input comment=\
"(LIBERA ACESSO AO WINBOX - IPS LIBERADOS)" dst-port=25476 \
in-interface-list=WAN-LINKS protocol=tcp src-address-list=IPs-liberados
add action=accept chain=input comment="-----------------------LIBERA PORTA DO \
WIREGUARD-------------------------" dst-port=13231 protocol=udp
add action=accept chain=input comment="-----------------------LIBERA PORTA DO \
WIREGUARD2-------------------------" dst-port=13232 protocol=udp
add action=accept chain=input comment=\
"-------------- LIBERA COM. WIREGUARD ----------------" dst-address=\
192.168.88.0/24 src-address=192.168.100.0/24
add action=accept chain=input comment=\
"-------------- LIBERA COM. WIREGUARD ----------------" dst-address=\
192.168.100.0/24 src-address=192.168.88.0/24
add action=add-src-to-address-list address-list=PORTA-1 address-list-timeout=\
5s chain=input comment="PORTKNOCKING - PORTA-1" dst-port=35621 \
in-interface-list=WAN-LINKS log=yes protocol=tcp
add action=add-src-to-address-list address-list=PORTA-2 address-list-timeout=\
5s chain=input comment="PORTKNOCKING - PORTA-2" dst-port=24987 \
in-interface-list=WAN-LINKS log=yes protocol=tcp src-address-list=PORTA-1
add action=add-src-to-address-list address-list=IPs-liberados \
address-list-timeout=10m chain=input comment="PORTKNOCKING - IP-LIBERADO" \
dst-port=41687 in-interface-list=WAN-LINKS log=yes protocol=tcp \
src-address-list=PORTA-2
add action=add-src-to-address-list address-list=\
"######## TENTATIVA LOGIN - 1 ########" address-list-timeout=1m chain=\
input comment="TENTATIVA LOGIN -1" connection-state=new dst-port=\
1701,8728 in-interface-list=WAN-LINKS log=yes protocol=udp
add action=add-src-to-address-list address-list=\
"######## TENTATIVA LOGIN - 1 ########" address-list-timeout=1m chain=\
input comment="TENTATIVA LOGIN - 1 - TCP" connection-state=new dst-port=\
25476 in-interface-list=WAN-LINKS log=yes protocol=tcp
add action=add-src-to-address-list address-list=\
"######## TENTATIVA LOGIN - 2 ########" address-list-timeout=1m chain=\
input comment="TEMTATIVA LOGIN - 2" connection-state=new dst-port=\
1701,8728 in-interface-list=WAN-LINKS log=yes protocol=udp \
src-address-list="TENTATIVA LOGIN - 1"
add action=add-src-to-address-list address-list=\
"######## TENTATIVA LOGIN - 2 ########" address-list-timeout=1m chain=\
input comment="TEMTATIVA LOGIN - 2 - TCP" connection-state=new dst-port=\
25476 in-interface-list=WAN-LINKS log=yes protocol=tcp src-address-list=\
"TENTATIVA LOGIN - 1"
add action=add-src-to-address-list address-list=\
"######## TENTATIVA LOGIN - BLOQUEADO ########" address-list-timeout=1h \
chain=input comment="TENTATIVA LOGIN - BLOQUEADA" connection-state=new \
dst-port=1701,8728 in-interface-list=WAN-LINKS log=yes log-prefix=\
"TENTATIVA DE LOGIN - BLOQUEADA" protocol=udp src-address-list=\
"TENTATIVA LOGIN - 2"
add action=add-src-to-address-list address-list=\
"######## TENTATIVA LOGIN - BLOQUEADO ########" address-list-timeout=1h \
chain=input comment="TENTATIVA LOGIN - BLOQUEADA - TCP" connection-state=\
new dst-port=25476 in-interface-list=WAN-LINKS log=yes log-prefix=\
"TENTATIVA DE LOGIN - BLOQUEADA - TCP" protocol=tcp src-address-list=\
"TENTATIVA LOGIN - 2"
add action=drop chain=input comment=\
"######## TENTATIVA DE LOGIN - DROP ########" log=yes log-prefix=\
"DROP - TENTATIVA DE LOGIN" src-address-list=\
"TENTATIVA LOGIN - BLOQUEADO"
add action=drop chain=input comment=\
"######## TUDO QUE N\C3O VENHA DA LAN: DROP ########" in-interface-list=\
!LAN log-prefix="Nao vem da LAN"
add action=drop chain=forward comment=\
"######## ISOLA REDE VIVISITANTE/LAN ########" connection-state="" \
disabled=yes dst-address=192.168.88.0/24 log=yes log-prefix=\
"Isola rede visitantes" out-interface-list=!LAN src-address=10.10.10.0/26
add action=fasttrack-connection chain=forward comment=\
"######## defconf: fasttrack ########" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"######## defconf: accept established,related, untracked ########" \
connection-state=established,related
add action=reject chain=forward comment="TESTE LAN" disabled=yes dst-address=\
100.100.100.12 reject-with=icmp-network-unreachable src-address=\
30.30.30.2
add action=drop chain=forward comment=\
"######## defconf: drop all from WAN not DSTNATed ########" \
connection-nat-state=!dstnat connection-state=new in-interface-list=\
WAN-LINKS
add action=drop chain=input comment=\
"######## DROP - GERAL - LIKS 1, 2 ########" in-interface-list=WAN-LINKS \
log=yes log-prefix="drop geral links 1, 2"
/ip firewall mangle
add action=mark-packet chain=forward comment=\
"########Marcar paquetes de YouTube ########" connection-mark=mc_youtube \
new-packet-mark=mc_youtube passthrough=no
add action=mark-connection chain=forward comment=\
"######## Marcar conexiones de YouTube ########" connection-mark=no-mark \
layer7-protocol=YouTube new-connection-mark=mc_youtube passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=\
"######## MASQ. - TRAFEGO - LINKS - WAN ########" ipsec-policy=out,none \
out-interface-list=WAN-LINKS
add action=masquerade chain=srcnat comment=\
"######## MASQ. - TRAFEGO WIREGUARD ########" ipsec-policy=out,none \
out-interface=wireguard2
add action=dst-nat chain=dstnat comment="######## PORT KNOCKING ########" \
dst-port=59272 in-interface-list=WAN-LINKS protocol=tcp src-address-list=\
IPs-liberados to-addresses=192.168.88.1 to-ports=25476
add action=dst-nat chain=dstnat comment=\
"######## Porta - 1883 - MQTT ########" dst-port=1883 in-interface-list=\
WAN-LINKS protocol=tcp src-address=204.216.162.246 to-addresses=\
192.168.88.88 to-ports=1883
add action=dst-nat chain=dstnat comment=\
"######## Porta - 5055 - SATVIX ########" disabled=yes dst-port=5055 \
in-interface-list=WAN-LINKS log=yes log-prefix="NAT - Porta 5055" \
protocol=tcp to-addresses=192.168.88.92
add action=dst-nat chain=dstnat comment=\
"######## Porta - 5013 - SATVIX ########" disabled=yes dst-port=5013 \
in-interface-list=WAN-LINKS log=yes log-prefix="NAT - Porta 5013 - Xing" \
protocol=tcp to-addresses=192.168.88.92
add action=dst-nat chain=dstnat comment=\
"######## Porta - 5027 - SATVIX - Teltonika ########" disabled=yes \
dst-port=5027 in-interface-list=WAN-LINKS log=yes log-prefix=\
"NAT - Porta 5027 - Teltonika" protocol=tcp to-addresses=192.168.88.92
add action=dst-nat chain=dstnat comment=\
"######## Direciona para o OPI-01 ########" disabled=yes dst-port=80 \
in-interface=pppoe-VIA log=yes log-prefix="NAT - Direciona para o OPI-01" \
protocol=tcp to-addresses=192.168.88.90
add action=dst-nat chain=dstnat comment=\
"######## Direciona para o Winbox ########" disabled=yes dst-port=9272 \
in-interface=pppoe-VIA log=yes log-prefix="NAT - Porta Winbox2" protocol=\
tcp src-address-list=IPs-liberados to-addresses=192.168.88.1 to-ports=\
25476
add action=masquerade chain=srcnat comment=\
"######## Masquerade LTE ########" disabled=yes out-interface=wireguard2
add action=masquerade chain=srcnat disabled=yes out-interface-list=VLAN-30
/ip kid-control device
add mac-address=58:00:E3:BC:71:C7 name=DELL user=DELL
add mac-address=40:2F:86:31:30:E0 name="LG - PHST" user=Pedro
add mac-address=88:52:EB:77:5D:C8 name="MAC - real - Poco Marcio " user=\
Marcio
add mac-address=A4:55:90:DA:1F:26 name="MAC - real - Poco PHST" user=Pedro
/ip route
add comment="monitora 8.8.8.8 via link 1 - VIA" disabled=no distance=1 \
dst-address=8.8.8.8/32 gateway=pppoe-VIA pref-src="" routing-table=main \
scope=10 suppress-hw-offload=no
add comment="monitora 1.1.1.1 via link 2 - TIM" disabled=no distance=1 \
dst-address=1.1.1.1/32 gateway=192.168.0.1 pref-src="" routing-table=main \
scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Rota principal - VIA" disabled=no distance=1 \
dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Rota Secund\E1ria" disabled=no distance=2 \
dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=11
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api port=25576
set winbox port=25476
set api-ssl disabled=yes
/ipv6 address
add address=::cafe from-pool=pda-ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-VIA pool-name=pda-ipv6 request=\
prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=add-dst-to-address-list address-list=\
SITES-BLOQUEADOS-LINK2-TIM-IPV6 address-list-timeout=4w2d chain=forward \
comment="Bloqueia o youtube no link 2 TIM" disabled=yes protocol=tcp \
tls-host=*youtube*
add action=drop chain=forward comment="Drop no youtube pelo link 2 (TIM)" \
disabled=yes dst-address-list="SITES-BLOQUEADOS-LINK-2-TIM-(IPV6)"
add action=accept chain=input comment="Libera porta Wireguard" disabled=yes \
dst-port=13231 protocol=udp
add action=drop chain=forward connection-state=new in-interface-list=\
WAN-LINKS log=yes log-prefix=IPV6-Drop
add action=drop chain=input connection-state=new in-interface-list=WAN-LINKS \
log=yes log-prefix=drop-ipv6-input
/ipv6 firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN-LINKS
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=America/Sao_Paulo
/system identity
set name=hAP-AX3
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=a.ntp.br
add address=b.ntp.br
/system script
add dont-require-permissions=no name=backup-email owner=Turbovix-Mk policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global nome [/system identity get name]\r\
\n:global data [/system clock get date]\r\
\n:global hora [/system clock get time]\r\
\n/system backup save name=HapX3;\r\
\n/tool e-mail send to=\"mkmt.es@gmail.com\" subject=\"Backup Mikrotik - H\
apX3\" file=HapX3.backup body=\"Segue em anexo o arquivo de backup da \$no\
me realizado em \$data as \$hora\";\r\
\n:log info \"Backup e-mail sent.\94;"
add dont-require-permissions=no name=envia-backup-gmail owner=Turbovix-Mk \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source=":global nome [/system identity get name]\r\
\n:global data [/system clock get date]\r\
\n:global hora [/system clock get time]\r\
\n/export file=HapX3.rsc;\r\
\n/tool e-mail send to=\"mkmt.es@gmail.com\" subject=\"Backup HapX3\" file\
=HapX3.rsc body=\"Segue anexo o backup da \$nome realizado em \$data as \$\
hora\";\r\
\n:log info \"Backup e-mail sent.\";"
/tool e-mail
set from="<**** MIKROTIK-HapX3 ****>" port=587 server=smtp.gmail.com tls=\
starttls user=mkmt.es@gmail.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch **ELIDED**
/tool romon
set id=XXXXXXXXXXXXXXXX
/tool romon port
set [ find default=yes ] forbid=yes
add disabled=no interface=ether5-SWITCH-TPLINK