Sorry anav - my bad! Also, apologies for the delay in replying - been away working on another project.
New config:.... and WG client config...
Code:
# 2025-03-11 19:18:14 by RouterOS 7.18
# software id = E75X-80RJ
#
# model = RB1100Dx4
# serial number = <<hidden>>
/interface bridge
add arp=proxy-arp ingress-filtering=no name=bridge1 port-cost-mode=short \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge-5
set [ find default-name=ether1 ] name=WAN1-WF900
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name="WAN3 - not in use"
set [ find default-name=ether4 ] name=WAN4-Future
set [ find default-name=ether6 ] comment=TRNK-REC-18
set [ find default-name=ether7 ] comment=TRNK-REC-21
set [ find default-name=ether8 ] comment=TRNK-REC-34
set [ find default-name=ether9 ] comment=TRNK-SPARE
set [ find default-name=ether10 ] comment=TRNK-REC-SWITCH
set [ find default-name=ether11 ] name=ether11-StaffMGMT
set [ find default-name=ether12 ] name=ether12-StaffMGMT
set [ find default-name=ether13 ] comment=\
    "Legacy Interface for Lower Park far end M5 Link. VLAN20." name=\
    ether13-Guest
/interface l2tp-server
add name=l2tp-in-VPN user=squibby
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge1 name=vlan10_MGMT vlan-id=10
add interface=bridge1 name=vlan20_Guest vlan-id=20
add interface=bridge1 name=vlan30_Staff vlan-id=30
add interface=bridge1 name=vlan40_CCTV vlan-id=40
add comment="WAN3 - WF 300/300 Fibre Connection" interface=bridge1 name=\
    vlan90_WAN3 vlan-id=90
/caps-man datapath
add bridge=bridge1 name=datapath_MGMT vlan-id=10 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Staff vlan-id=30 vlan-mode=use-tag
/interface pppoe-client
add disabled=no interface=WAN2 name=WAN2GradwellSoGEA use-peer-dns=yes user=\
    oldmill-Gradwell@surfdsluk
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Staff
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Guest
add authentication-types=wpa2-psk encryption=aes-ccm name=security_MGMT
add authentication-types=wpa2-psk encryption=aes-ccm name=security_OMHP
/caps-man configuration
add country="united kingdom" datapath=datapath_Guest \
    datapath.client-to-client-forwarding=no .vlan-id=20 .vlan-mode=use-tag \
    installation=indoor mode=ap name=cfg_GuestWifi security=security_Guest \
    ssid=OldMill_GuestWiFi
add country="united kingdom" datapath=datapath_Staff datapath.bridge=bridge1 \
    installation=indoor mode=ap name=cfg_Staff security=security_Staff ssid=\
    OldMill_Staff
add country="united kingdom" datapath=datapath_MGMT datapath.bridge=bridge1 \
    hide-ssid=yes installation=indoor mode=ap name=cfg_MGMT security=\
    security_MGMT ssid=OldMill_MGMT
add country="united kingdom" datapath=datapath_Staff datapath.bridge=bridge1 \
    installation=indoor mode=ap name=cfg_OMHP security=security_OMHP ssid=\
    OMHP
/disk
add parent=sata1 partition-number=1 partition-offset=512 partition-size=\
    "55 021 510 144" slot=disk1 type=partition
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_MGMT ranges=10.10.100.1-10.10.100.254
add name=dhcp_Guest ranges=10.20.100.1-10.20.199.254
add name=dhcp_staff ranges=10.30.100.1-10.30.199.254
add name=dhcp_CCTV ranges=10.40.100.1-10.40.199.254
add name=dhcp_VPN ranges=10.10.200.1-10.10.200.254
/ip dhcp-server
add address-pool=dhcp_MGMT interface=vlan10_MGMT lease-time=4w2d name=\
    dhcpMGMT
add address-pool=dhcp_Guest interface=vlan20_Guest lease-time=1d name=\
    dhcpGuest
add address-pool=dhcp_staff interface=vlan30_Staff lease-time=4w2d10m name=\
    dhcpStaff
add address-pool=dhcp_staff interface=vlan40_CCTV lease-time=4w2d10m name=\
    dhcpCCTV
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *0 interface-list=LAN
add address-list=VPN bridge=bridge1 local-address=dhcp_MGMT name=SquibbyVPN \
    remote-address=dhcp_VPN
/queue type
add kind=pcq name=pcq-download-guest pcq-classifier=dst-address pcq-rate=10M
add kind=pcq name=pcq-upload-guest pcq-classifier=src-address pcq-rate=5M
/queue simple
add disabled=yes max-limit=900M/900M name=Global queue=\
    ethernet-default/ethernet-default target=\
    10.10.0.0/16,10.20.0.0/16,10.30.0.0/16,10.40.0.0/16
add limit-at=700M/500M max-limit=700M/500M name=Guest queue=\
    pcq-upload-guest/pcq-download-guest target=10.20.0.0/16
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=useWAN1
add fib name=useWAN2
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
add disabled=no interface=vlan10_MGMT
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_Staff name-format=\
    identity slave-configurations=cfg_GuestWifi,cfg_MGMT,cfg_OMHP
/dude
set data-directory=/dude/dude enabled=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether11-StaffMGMT internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge1 interface=ether12-StaffMGMT internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge1 interface=ether13-Guest internal-path-cost=10 path-cost=10 \
    pvid=20
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
    untagged=ether11-StaffMGMT,ether12-StaffMGMT,ether13-Guest vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
    vlan-ids=20,30,40
# vlan90_WAN3 not a bridge port
add bridge=bridge1 tagged=bridge1,ether6,vlan90_WAN3 vlan-ids=90
/interface l2tp-server server
set default-profile=SquibbyVPN enabled=yes use-ipsec=yes
/interface list member
add interface=WAN1-WF900 list=WAN
add interface=vlan10_MGMT list=LAN
add interface=vlan20_Guest list=LAN
add interface=vlan30_Staff list=LAN
add interface=vlan40_CCTV list=LAN
add interface=vlan10_MGMT list=MGMT
add interface=OffBridge-5 list=MGMT
add interface=WAN2GradwellSoGEA list=WAN
add interface=vlan90_WAN3 list=WAN
add interface=l2tp-in-VPN list=LAN
add interface=l2tp-in-VPN list=MGMT
add interface=wireguard1 list=MGMT
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:2E:D3:C7:90:DE name=ovpn-server1
/interface pppoe-server server
add default-profile=SquibbyVPN disabled=no interface=<l2tp> service-name=\
    service1
/interface wireguard peers
add allowed-address=10.10.201.11/32 comment=SquibbyLaptop interface=\
    wireguard1 name=peer1 public-key=\
    "<<hidden>>"
add allowed-address=10.10.201.12/16 comment=peer2 interface=wireguard1 name=\
    peer8 public-key="<<hidden>>"
/ip address
add address=10.30.0.1/16 interface=vlan30_Staff network=10.30.0.0
add address=10.40.0.1/16 interface=vlan40_CCTV network=10.40.0.0
add address=10.10.0.1/16 interface=vlan10_MGMT network=10.10.0.0
add address=10.20.0.1/16 interface=vlan20_Guest network=10.20.0.0
add address=192.168.55.1/24 interface=OffBridge-5 network=192.168.55.0
add address=10.10.201.1/16 comment=WireguardServer interface=wireguard1 \
    network=10.10.0.0
/ip dhcp-client
add default-route-distance=2 interface=vlan90_WAN3 use-peer-dns=no
add interface=WAN1-WF900 use-peer-dns=no
/ip dhcp-server network
add address=10.10.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.0.1
add address=10.20.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.0.1
add address=10.30.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.0.1
add address=10.40.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.40.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.100.1-10.20.199.254 list=Guest
add address=10.10.100.0/24 list=local
add address=10.20.100.0/24 list=local
add address=10.30.100.0/24 list=local
add address=10.40.100.0/24 list=local
add address=10.10.0.1-10.10.199.254 list=localLAN
add address=10.10.200.1-10.10.200.254 list=VPN
/ip firewall filter
add action=accept chain=input comment="Allow establised, related, untracked" \
    connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    in-interface-list=WAN log=yes protocol=udp
add action=accept chain=input comment="WAN2 L2TP allow" in-interface=\
    WAN2GradwellSoGEA protocol=ipsec-esp
add action=accept chain=input comment="WAN2 L2TP allow" dst-port=\
    500,1701,4500 in-interface=WAN2GradwellSoGEA protocol=udp
add action=accept chain=input comment="Allow all VPN traffic" \
    src-address-list=VPN
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="accept PPP" in-interface=all-ppp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment=\
    "fasttrack - disabled to allow queue function" connection-state=\
    established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=related-establ-untracked \
    connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="MGMT to all vlans" \
    in-interface-list=MGMT out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-connection chain=forward comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN1 \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=forward comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=no-mark disabled=yes dst-address-type=!local \
    in-interface-list=LAN new-connection-mark=viaWAN2 \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=viaWAN1 disabled=yes new-routing-mark=useWAN1 \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Disabled as currently set for DUAL WAN not PCC Load Balancing" \
    connection-mark=viaWAN2 disabled=yes new-routing-mark=useWAN2 \
    passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=WAN2GradwellSoGEA
add comment="Disabled as not load balancing" disabled=yes dst-address=\
    0.0.0.0/0 gateway=192.168.2.1 routing-table=useWAN1
add comment="Disabled as not load balancing" disabled=yes dst-address=\
    0.0.0.0/0 gateway=WAN2GradwellSoGEA routing-table=useWAN2
/ip service
set telnet address=10.10.0.0/16
set www disabled=yes
set ssh disabled=yes
set api address=10.10.0.0/16
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
add name=squibby profile=SquibbyVPN
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB1100-Reception
/system note
set show-at-login=no
/tool graphing interface
add allow-address=10.10.0.0/16 interface=WAN1-WF900
add allow-address=10.10.0.0/16 interface=WAN2GradwellSoGEA
add allow-address=10.30.0.0/16 interface=WAN1-WF900
add allow-address=10.30.0.0/16 interface=WAN2GradwellSoGEA
add allow-address=10.10.0.0/16 interface=vlan90_WAN3
add allow-address=10.30.0.0/16 interface=vlan90_WAN3
/tool graphing queue
add allow-address=10.10.0.0/16 simple-queue=Guest
add allow-address=10.30.0.0/16 simple-queue=Guest
/tool graphing resource
add allow-address=10.10.0.0/16
add allow-address=10.30.0.0/16
/tool sniffer
set filter-ip-protocol=icmp
Code:
[Interface]
PrivateKey = <<hidden>>
Address = 10.10.201.11/32
DNS = 8.8.8.8
[Peer]
PublicKey = <<hidden>>
AllowedIPs = 10.10.0.0/0
Endpoint = <<hidden>>:13231
Statistics: Posted by NetworqAndy — Tue Mar 11, 2025 9:24 pm