Abdelhadi
just joined
Topic Author
Posts: 20
Joined: Thu Aug 25, 2022 2:47 pm

IKEv2 IPsec / Windows VPN not working

Thu Jan 02, 2025 5:35 pm

/interface bridge
add name=LAN10_Bridge
/interface ethernet
set [ find default-name=sfp-sfpplus11 ] auto-negotiation=no comment="AP1-Local D" speed=1Gbps
set [ find default-name=sfp-sfpplus12 ] auto-negotiation=no comment="ISP Modem" speed=1Gbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus12 name=Fibre_IAM user=DSTMFO
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec policy group
add name=ike2-group
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=IPSec_to_DSTI
add enc-algorithm=aes-256,3des hash-algorithm=sha256 name=ike2
/ip ipsec peer
add address=xx.xx.xx.100/32 name=IPsecToDSTI_Peer profile=IPSec_to_DSTI
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=IPSec-DSTI-Proposal pfs-group=modp2048
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=ike2-proposal pfs-group=none
/ip pool
add name=IKEv2-Pool ranges=192.168.10.50-192.168.10.59
/ip ipsec mode-config
add address-pool=IKEv2-Pool address-prefix-length=32 name=ike2
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name="TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name="TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name="TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" up-port=1700
/port
set 0 name=serial0
set 1 name=serial1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=LAN10_Bridge interface=sfp-sfpplus1
add bridge=LAN10_Bridge interface=sfp-sfpplus2
add bridge=LAN10_Bridge interface=sfp-sfpplus3
add bridge=LAN10_Bridge interface=sfp-sfpplus4
add bridge=LAN10_Bridge interface=sfp-sfpplus5
add bridge=LAN10_Bridge interface=sfp-sfpplus6
add bridge=LAN10_Bridge interface=sfp-sfpplus7
add bridge=LAN10_Bridge interface=sfp-sfpplus8
add bridge=LAN10_Bridge interface=sfp-sfpplus9
add bridge=LAN10_Bridge interface=sfp-sfpplus10
add bridge=LAN10_Bridge interface=sfp-sfpplus11
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface list member
add comment="[DEFAULT]" interface=LAN10_Bridge list=LAN
add interface=Fibre_IAM list=WAN
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.10.1/24 interface=LAN10_Bridge network=192.168.10.0
add address=192.168.3.1 interface=ether1 network=255.255.255.0
/ip cloud
set update-time=no
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.2-192.168.10.254 list=Allowed_to_router
add address=0.0.0.0/8 comment=BOGONS list=not_in_internet
add address=10.0.0.0/8 comment=BOGONS list=not_in_internet
add address=100.64.0.0/10 comment=BOGONS list=not_in_internet
add address=127.0.0.0/8 comment=BOGONS list=not_in_internet
add address=169.254.0.0/16 comment=BOGONS list=not_in_internet
add address=172.16.0.0/12 comment=BOGONS list=not_in_internet
add address=192.0.0.0/24 comment=BOGONS list=not_in_internet
add address=192.0.2.0/24 comment=BOGONS list=not_in_internet
add address=192.88.99.0/24 comment=BOGONS list=not_in_internet
add address=192.168.0.0/16 comment=BOGONS list=not_in_internet
add address=198.18.0.0/15 comment=BOGONS list=not_in_internet
add address=198.51.100.0/24 comment=BOGONS list=not_in_internet
add address=203.0.113.0/24 comment=BOGONS list=not_in_internet
add address=224.0.0.0/4 comment=BOGONS list=not_in_internet
add address=240.0.0.0/4 comment=BOGONS list=not_in_internet
add address=255.255.255.255 comment=BOGONS list=not_in_internet
add address=233.252.0.0/24 comment=BOGONS list=not_in_internet
add address=203.0.112.0/24 comment=BOGONS list=not_in_internet
add address=127.0.0.0/8 comment="DEFAULT_CONF: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="DEFAULT_CONF: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="DEFAULT_CONF: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="DEFAULT_CONF: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="DEFAULT_CONF: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="DEFAULT_CONF: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="DEFAULT_CONF: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="DEFAULT_CONF: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="DEFAULT_CONF: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="DEFAULT_CONF: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="DEFAULT_CONF: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="DEFAULT_CONF: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="DEFAULT_CONF: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="DEFAULT_CONF: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="DEFAULT_CONF: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="DEFAULT_CONF: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="DEFAULT_CONF: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="DEFAULT_CONF: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="DEFAULT_CONF: RFC6890" list=bad_dst_ipv4
add address=192.168.10.81 list=BANNED
add address=192.168.10.71 list=BANNED
add address=192.168.10.72 list=BANNED
add address=192.168.10.73 list=BANNED
add address=192.168.10.74 list=BANNED
add address=192.168.10.75 list=BANNED
add address=192.168.10.76 list=BANNED
add address=192.168.10.77 list=BANNED
add address=192.168.10.78 list=BANNED
add address=192.168.10.79 list=BANNED
add address=192.168.10.80 list=BANNED
add address=192.168.10.82 list=BANNED
add address=192.168.10.83 list=BANNED
add address=192.168.10.84 list=BANNED
add address=192.168.10.85 list=BANNED
add address=192.168.10.86 list=BANNED
add address=192.168.10.87 list=BANNED
add address=192.168.10.88 list=BANNED
add address=192.168.10.89 list=BANNED
add address=192.168.10.90 list=BANNED
add address=192.168.10.91 list=BANNED
add address=192.168.10.92 list=BANNED
add address=192.168.10.93 list=BANNED
add address=192.168.10.94 list=BANNED
add address=192.168.10.95 list=BANNED
add address=192.168.10.96 list=BANNED
add address=192.168.10.97 list=BANNED
add address=192.168.10.98 list=BANNED
add address=192.168.10.99 list=BANNED
add address=192.168.10.71 list=Machine_List
/ip firewall filter
add action=drop chain=input src-address-list=BANNED
add action=drop chain=icmp src-address-list=Machine_List src-mac-address=!12:A5:1D:09:57:7C
add action=accept chain=input comment="[DEFAULT] accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="[DEFAULT] drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="[DEFAULT] accept ICMP" protocol=icmp
add action=accept chain=input comment="[DEFAULT] accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="[DEFAULT] drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="[DEFAULT] accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="[DEFAULT] accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="[DEFAULT] fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="[DEFAULT] accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="[DEFAULT] drop invalid" connection-state=invalid
add action=drop chain=forward comment="[DEFAULT] drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="DEFAULT-Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN out-interface-list=!LAN
add action=drop chain=forward comment="DEFAULT-Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="DEFAULT-Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="DEFAULT-Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address=!192.168.10.0/24
add action=accept chain=icmp comment="DEFAULT-echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="DEFAULT-net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="DEFAULT-host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="DEFAULT-host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="DEFAULT-allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="DEFAULT-allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="DEFAULT-allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="DEFAULT-deny all other types"
add action=accept chain=input dst-address=192.168.10.11 dst-port=500 protocol=udp src-port=500
add action=accept chain=input dst-address=192.168.10.11 dst-port=4500 protocol=udp src-port=4500
add action=accept chain=input dst-address=192.168.10.11 dst-port=1701 protocol=udp src-port=1701
/ip firewall nat
add action=accept chain=srcnat comment="Tunnel VPN DSTM-DSTI" dst-address=192.168.173.0/24 src-address=192.168.10.0/24
add action=accept chain=srcnat dst-address=192.168.11.0/24 src-address=192.168.10.0/24
add action=accept chain=srcnat dst-address=192.168.81.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="DEFAULT_CONF.: masquerade" dst-address-list=!BANNED out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.194 dst-port=500 protocol=udp to-addresses=192.168.10.11 to-ports=500
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.194 dst-port=4500 protocol=udp to-addresses=192.168.10.11 to-ports=4500
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.194 dst-port=1701 protocol=udp to-addresses=192.168.10.11 to-ports=1701
/ip ipsec identity
add peer=IPsecToDSTI_Peer
add auth-method=digital-signature certificate=VPN_IKE2_SERVER generate-policy=port-strict match-by=certificate mode-config=ike2 peer=ike2-peer policy-template-group=ike2-group remote-certificate=VPN_IKE2_CLIENT remote-id=ignore
/ip ipsec policy
add dst-address=192.168.173.0/24 peer=IPsecToDSTI_Peer proposal=IPSec-DSTI-Proposal src-address=192.168.10.0/24 tunnel=yes
add dst-address=192.168.81.0/24 peer=IPsecToDSTI_Peer proposal=IPSec-DSTI-Proposal src-address=192.168.10.0/24 tunnel=yes
add dst-address=192.168.11.0/24 peer=IPsecToDSTI_Peer proposal=IPSec-DSTI-Proposal src-address=192.168.10.0/24 tunnel=yes
set 3 group=ike2-group proposal=ike2-proposal
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="DEFAULT-unspecified address" list=bad_ipv6
add address=::1/128 comment="DEFAULT-loopback address" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="DEFAULT-IPv4-mapped addresses" list=bad_ipv6
add address=::/96 comment="DEFAULT-IPv4-compatible addresses" list=bad_ipv6
add address=100::/64 comment=DEFAULT list=bad_ipv6
add address=2001:10::/28 comment=DEFAULT list=bad_ipv6
add address=2001:db8::/32 comment=DEFAULT list=bad_ipv6
add address=fc00::/7 comment=DEFAULT list=bad_ipv6
add address=fe80::/10 comment=DEFAULT list=bad_ipv6
add address=fec0::/10 comment=DEFAULT list=bad_ipv6
add address=ff00::/8 comment=DEFAULT list=bad_ipv6
add address=2002::/24 comment=DEFAULT list=bad_ipv6
add address=2002:a00::/24 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:7f00::/24 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:a9fe::/32 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:ac10::/28 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:c000::/40 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:c000:200::/40 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:c0a8::/32 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:c612::/31 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:c633:6400::/40 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:cb00:7100::/40 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:e000::/20 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:f000::/20 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2002:ffff:ffff::/48 comment="DEFAULT-false 6to4 packets" list=bad_ipv6
add address=2001::/40 comment=DEFAULT list=bad_ipv6
add address=2001:0:a00::/40 comment=DEFAULT list=bad_ipv6
add address=2001:0:7f00::/40 comment=DEFAULT list=bad_ipv6
add address=2001:0:a9fe::/48 comment=DEFAULT list=bad_ipv6
add address=2001:0:ac10::/44 comment=DEFAULT list=bad_ipv6
add address=2001:0:c000::/56 comment=DEFAULT list=bad_ipv6
add address=2001:0:c000:200::/56 comment=DEFAULT list=bad_ipv6
add address=2001:0:c0a8::/48 comment=DEFAULT list=bad_ipv6
add address=2001:0:c612::/47 comment=DEFAULT list=bad_ipv6
add address=2001:0:c633:6400::/56 comment=DEFAULT list=bad_ipv6
add address=2001:0:cb00:7100::/56 comment=DEFAULT list=bad_ipv6
add address=2001:0:e000::/36 comment=DEFAULT list=bad_ipv6
add address=2001:0:f000::/36 comment=DEFAULT list=bad_ipv6
add address=2001:0:ffff:ffff::/64 comment=DEFAULT- list=bad_ipv6
add address=3ffe::/16 comment="[DEFAULT]-6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="[DEFAULT] other" list=bad_ipv6
add address=::127.0.0.0/104 comment="[DEFAULT] other" list=bad_ipv6
add address=::/104 comment="[DEFAULT] other" list=bad_ipv6
add address=::255.0.0.0/104 comment="[DEFAULT] other" list=bad_ipv6
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="[DEFAULT] accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="[DEFAULT] drop invalid" connection-state=invalid
add action=accept chain=input comment="[DEFAULT] accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="[DEFAULT] accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="[DEFAULT] accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="[DEFAULT] accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="[DEFAULT] accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="[DEFAULT] accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="[DEFAULT] accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="[DEFAULT] drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="[DEFAULT] accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="[DEFAULT] drop invalid" connection-state=invalid
add action=drop chain=forward comment="[DEFAULT] drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="[DEFAULT] drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="[DEFAULT] rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="[DEFAULT] accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="[DEFAULT] accept HIP" protocol=139
add action=accept chain=forward comment="[DEFAULT] accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="[DEFAULT] accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="[DEFAULT] accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="[DEFAULT] accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="[DEFAULT] drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="DEFAULT-allow established and related" connection-state=established,related
add action=accept chain=input comment="DEFAULT-accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="DEFAULT-accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="DEFAULT-accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="DEFAULT-allow allowed addresses" src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment="DEFAULT-Protect the LAN devices-established,related" connection-state=established,related
add action=drop chain=forward comment="DEFAULT-Protect the LAN devices-invalid" connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="DEFAULT-Protect the LAN devices" log-prefix=IPV6
/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=icmpv6
/system clock
set time-zone-name=Africa/Casablanca
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes
/system ntp client servers
add address=196.200.131.160
add address=41.175.36.40
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add disabled=yes interface=sfp-sfpplus12 name=Download_50Mo on-event=":local CurDate [/system clock get date]\r\
\n:local CurTime [/system clock get time]\r\
\n\r\
\n#Log\r\
\n:log info \"Download speed is more than 50M\"\r\
\n\r\
\n#SendTelegram\r\
\n/tool fetch url=\"https://api.telegram.org/bot6477343083: ... ourMessage\"" threshold=50000000 traffic=received
add disabled=yes interface=sfp-sfpplus12 name=Upload_50Mo on-event=":local CurDate [/system clock get date]\r\
\n:local CurTime [/system clock get time]\r\
\n\r\
\n#Log\r\
\n:log info \"Download speed is more than 50M\"\r\
\n\r\
\n#SendTelegram\r\
\n/tool fetch url=\"https://api.telegram.org/bot<TOKEN>/sen ... ourMessage\"" threshold=50000000
[ITAdmin@MikroTik] >
Last edited by Abdelhadi on Thu Jan 02, 2025 6:26 pm, edited 2 times in total.
 
TheCat12
Member
Posts: 455
Joined: Fri Dec 31, 2021 9:13 pm

Re: IKEv2 IPsec / Windows VPN not working

Thu Jan 02, 2025 6:00 pm

Could you surround the config with code blocks, pretty please? You select the config and press the </> button. That way it will be more readable.
 
TheCat12
Member
Posts: 455
Joined: Fri Dec 31, 2021 9:13 pm

Re: IKEv2 IPsec / Windows VPN not working

Thu Jan 02, 2025 6:13 pm

add action=dst-nat chain=dstnat dst-address=Public-IP-2 dst-port=500 \
protocol=udp to-addresses=192.168.10.11 to-ports=500
add action=dst-nat chain=dstnat dst-address=Public-IP-2 dst-port=4500 \
protocol=udp to-addresses=192.168.10.11 to-ports=4500
add action=dst-nat chain=dstnat dst-address=Public-IP-2 dst-port=1701 \
protocol=udp to-addresses=192.168.10.11 to-ports=1701
I don't see the need for these address translations, nor for the dst-addresses and src-ports in:
add action=accept chain=input dst-address=192.168.10.11 dst-port=500 \
protocol=udp src-port=500
add action=accept chain=input dst-address=192.168.10.11 dst-port=4500 \
protocol=udp src-port=4500
add action=accept chain=input dst-address=192.168.10.11 dst-port=1701 \
protocol=udp src-port=1701
Also, I suggest moving them somewhere before:

add action=drop chain=input comment="[DEFAULT] drop all not coming from LAN" \
in-interface-list=!LAN


and adding one more:

add action=accept chain=input protocol=ipsec-esp

Further, check whether the level of encryption in the IPsec tunnel policies is set to unique so as to avoid conflicts between them.
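Putting the above suggestion into concrete commands, as an added example that is not text from this thread or from MikroTik: the IKE and ESP accept rules for a responder running on the router itself, plus the decrypted-traffic accept that the posted IPv6 rules already have, moved in front of the default drop. The rule comments are placeholders chosen here so that `move` can find them.

```routeros
# Added example: input-chain rules for an IKEv2 responder on the router itself,
# ordered above the default "drop all not coming from LAN" rule.
/ip firewall filter
add action=accept chain=input comment="accept IKEv2 from WAN" \
    in-interface-list=WAN protocol=udp dst-port=500,4500
add action=accept chain=input comment="accept IPsec ESP from WAN" \
    in-interface-list=WAN protocol=ipsec-esp
# Decrypted packets from the clients are still "not coming from LAN" as far as
# in-interface-list is concerned, so match them on the IPsec policy instead.
add action=accept chain=input comment="accept decrypted IPsec traffic" \
    ipsec-policy=in,ipsec
# New rules are appended at the end of the chain, i.e. after the default drop,
# so move each one in front of it.
move [find comment="accept IKEv2 from WAN"] \
    [find comment="[DEFAULT] drop all not coming from LAN"]
move [find comment="accept IPsec ESP from WAN"] \
    [find comment="[DEFAULT] drop all not coming from LAN"]
move [find comment="accept decrypted IPsec traffic"] \
    [find comment="[DEFAULT] drop all not coming from LAN"]
# Check the order: the three accepts must be listed before the drop rule.
print where chain=input
```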
 
sindy
Forum Guru
Posts: 11228
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 IPsec / Windows VPN not working

Thu Jan 02, 2025 7:24 pm

By default, the native Windows VPN client does not like the IPsec server to run on a private address behind a NAT.

But before suggesting the possible solutions for that - you've got an IPsec peer on the Mikrotik itself and presumably another one running at 192.168.10.11. Can you elaborate on the topology? Do you use one public address for the Mikrotik-local responder and another one for the one in LAN? If yes, to which one of the two the Windows clients fail to connect?
 
Abdelhadi
just joined
Topic Author
Posts: 20
Joined: Thu Aug 25, 2022 2:47 pm

Re: IKEv2 IPsec / Windows VPN not working

Thu Jan 02, 2025 7:25 pm

Hi,
Thanks for your reply.
I deleted rules/ports you mentioned (I was deploying a different VPN in the past, and forgot to delete them).
I also added the rule you suggested.
Now I'm getting this error: Invalid certificate type.
I'm googling to see if I can figure out why I'm getting this error. If you have any suggestion, I will be thankful.
Many thanks.
 
Abdelhadi
just joined
Topic Author
Posts: 20
Joined: Thu Aug 25, 2022 2:47 pm

Re: IKEv2 IPsec / Windows VPN not working

Thu Jan 02, 2025 7:28 pm

sindy wrote:
By default, the native Windows VPN client does not like the IPsec server to run on a private address behind a NAT.

But before suggesting the possible solutions for that - you've got an IPsec peer on the Mikrotik itself and presumably another one running at 192.168.10.11. Can you elaborate on the topology? Do you use one public address for the Mikrotik-local responder and another one for the one in LAN? If yes, to which one of the two the Windows clients fail to connect?
Hi,
there are 2 VPN tunnels.
The first one is a site-to-site and it's functional.
The second one is a Client-to-site that I'm trying to deploy.
Thanks.
 
sindy
Forum Guru
Posts: 11228
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 IPsec / Windows VPN not working

Thu Jan 02, 2025 7:31 pm

@TheCat12 already suggested removing those dst-nat rules before me, so the [SOLVED] mark should have gone to his post, not mine.

Regarding the certificate - Windows needs the same type of encryption to be used in the certificate and in the Phase 1/Phase 2 proposals, either both must be RSA or both must be EC. But I'm not sure whether that is the actual reason for that error message - also the certificate purpose may be wrong, it must contain the tls-server bit at least in order that the Windows embedded client would accept it, and if I am not mistaken, the domain name must be in the Subject-Alt-Names list, many IPsec initiators do not look for it in the Common Name field. Where does the certificate come from?
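The certificate properties listed above (matching key type, tls-server purpose, DNS name in Subject Alt Name) are easiest to get right when the certificates are generated on the router. As an added example, not code from this thread or from MikroTik, the following RouterOS commands build a CA, a server certificate and a client certificate using the certificate names from the posted config; the CA name IKE2_CA, vpn.example.com, client1 and the export passphrase are placeholders.

```routeros
# Added example: certificate set for an IKEv2 responder on the router itself.
# VPN_IKE2_SERVER / VPN_IKE2_CLIENT are the names used in the posted identity;
# IKE2_CA, vpn.example.com, client1 and CHANGE_ME are placeholders.
/certificate
# Local CA. RSA 2048 throughout, so the certificate key type agrees with the
# RSA-based IKE authentication the Windows client expects.
add name=IKE2_CA common-name=IKE2_CA key-size=2048 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
sign IKE2_CA name=IKE2_CA
# Server certificate: tls-server purpose, and the DNS name the client dials
# placed in Subject Alt Name rather than only in the Common Name.
add name=VPN_IKE2_SERVER common-name=vpn.example.com \
    subject-alt-name=DNS:vpn.example.com key-size=2048 days-valid=365 \
    key-usage=digital-signature,key-encipherment,tls-server
sign VPN_IKE2_SERVER ca=IKE2_CA name=VPN_IKE2_SERVER
# Client certificate, exported with its private key as PKCS#12 for import
# on the Windows machine; the CA is exported as a plain PEM certificate.
add name=VPN_IKE2_CLIENT common-name=client1 key-size=2048 days-valid=365 \
    key-usage=tls-client
sign VPN_IKE2_CLIENT ca=IKE2_CA name=VPN_IKE2_CLIENT
export-certificate VPN_IKE2_CLIENT type=pkcs12 export-passphrase=CHANGE_ME
export-certificate IKE2_CA
# Verify: key-usage must list tls-server, subject-alt-name the DNS entry,
# and trusted=yes for a certificate issued by the local CA.
print detail where name=VPN_IKE2_SERVER
```

On the Windows side the exported CA goes into the machine's Trusted Root Certification Authorities store and the PKCS#12 into the machine's Personal store, since the built-in IKEv2 client authenticates with machine certificates.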
 
TheCat12
Member
Posts: 455
Joined: Fri Dec 31, 2021 9:13 pm

Re: IKEv2 IPsec / Windows VPN not working

Thu Jan 02, 2025 7:39 pm

If it's the unacceptable credentials error, you can try this:

viewtopic.php?t=178377
