Channel: MikroTik
General • Re: Wireguard and IPSec help needed

For some reason, I couldn't post the code twice, so here is the remote router config:

Country B Config (Remote):
Code:
[admin@XXXXXX] > export hide-sensitive
# 2024-03-01 08:42:08 by RouterOS 7.14
# software id = XXXXX
#
# model = RB5009UG+S+
# serial number = XXXXXX
/interface bridge
add name=br-VPN port-cost-mode=short
add name=br_PBR port-cost-mode=short
add admin-mac=XXXXXX auto-mac=no comment=defconf name=bridge port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-WG-LAN
set [ find default-name=ether4 ] name=ether4-VOIP
set [ find default-name=ether5 ] name="ether5-IPTV STB"
/interface l2tp-client
add connect-to=addressXXXXXXX disabled=no name=l2tp-out1 use-ipsec=yes user=\
    l2tp
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.98.10-192.168.98.254
add name=dhcp_pool2 ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=br_PBR lease-time=10m name=dhcp2
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
set *FFFFFFFE bridge=br-VPN use-compression=yes use-encryption=default use-ipv6=default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=wg
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-LAN \
    internal-path-cost=10 path-cost=10
add bridge=br_PBR comment=defconf ingress-filtering=no interface=ether3-WG-LAN \
    internal-path-cost=10 path-cost=10
add bridge=br_PBR comment=defconf ingress-filtering=no interface=ether4-VOIP \
    internal-path-cost=10 path-cost=10
add bridge=br-VPN comment=defconf ingress-filtering=no interface="ether5-IPTV STB" \
    internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes ingress-filtering=no interface=ether1-WAN \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=wg1 list=LAN
add comment=defconf interface=br_PBR list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address="0.0.0.0/0,192.168.50.0/24,192.168.88.0/24,172.16.0.0/16,172.26.0.0/1\
    6,XXXXX/28,XXXXXX/28" endpoint-address=addressXXXXXX \
    endpoint-port=13231 interface=wg1 persistent-keepalive=25s public-key=\
    "XXXXXXXX"
/ip address
add address=192.168.98.1/24 comment=defconf interface=bridge network=192.168.98.0
add address=10.0.0.2/24 disabled=yes interface=ether1-WAN network=10.0.0.0
add address=192.168.50.2/24 interface=wg1 network=192.168.50.0
add address=192.168.99.1/24 interface=br_PBR network=192.168.99.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1-WAN
add add-default-route=no interface=br-VPN
/ip dhcp-server lease
add address=192.168.99.7 client-id=XXX mac-address=XXX \
    server=dhcp2
add address=192.168.99.183 client-id=XXX mac-address=XXX \
    server=dhcp2
add address=192.168.99.151 client-id=XXXX mac-address=XXX \
    server=dhcp2
add address=192.168.99.155 client-id=XXX mac-address=XXX \
    server=dhcp2
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=192.168.98.1 gateway=192.168.98.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.98.0/24 list=local
add address=192.168.50.0/24 list=Trusted
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related \
    disabled=yes hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=input dst-port=8291 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input src-address-list=Trusted
add action=accept chain=input comment="Accept IGMP" in-interface=wg1 protocol=igmp
add action=accept chain=forward comment="Forward IGMP" in-interface=wg1 protocol=udp
add action=accept chain=input in-interface=ether1-WAN protocol=gre
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-esp
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-ah
add action=accept chain=input dst-port=500 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input dst-port=4500 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
    out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=wg1 passthrough=\
    yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=1380 passthrough=yes protocol=\
    tcp tcp-flags=syn tcp-mss=1381-65535
add action=mark-routing chain=prerouting disabled=yes in-interface=br-VPN log=yes \
    new-routing-mark=wg passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=lo
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=br_PBR
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wg1 routing-table=main \
    scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src="" routing-table=\
    wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=172.16.0.0/16 gateway=wg1 pref-src="" \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=172.26.0.0/16 gateway=wg1 pref-src="" \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=XXXX/28 gateway=wg1 pref-src="" \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=XXXX/28 gateway=wg1 pref-src="" \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=8.8.4.4/32 gateway=wg1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes dst-address=0.0.0.0/0 gateway=br_PBR routing-table=wg \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/mpls ldp
add disabled=no lsr-id=192.168.12.2 transport-addresses=192.168.12.2
/mpls ldp interface
add disabled=no interface="ether5-IPTV STB"
add disabled=no interface=lo
/ppp profile
add bridge=*E name=SITE-TO-SITE-L2VPN
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets="172.16.0.0/16,172.26.0.0/16,XXXX16,XXXXX/28,XXXX\
    XXXXX/28,XXXXX/28,0.0.0.0/0" disabled=yes interface=wg1 upstream=yes
add disabled=yes interface="ether5-IPTV STB"
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.99.101/32 table=main
add action=lookup comment="XXXXXX (Enable to bypass WG)" disabled=\
    no src-address=192.168.99.183/32 table=main
add action=lookup src-address=192.168.99.155/32 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.99.0/24 src-address=\
    192.168.99.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.99.0/24 table=wg
/system clock
set time-zone-name=America/XXXXX
/system identity
set name=XXXXXX
/system note
set show-at-login=no
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool sniffer
set filter-direction=tx filter-interface="ether5-IPTV STB" filter-stream=yes \
    only-headers=yes streaming-enabled=yes streaming-server=XXXXX
[admin@XXXXXX] >

Statistics: Posted by sk0003 — Fri Mar 01, 2024 7:14 pm
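When reviewing an export like the one above, the first question for the input chain is which accept rules a packet arriving on the WAN port can reach before the defconf "drop all not coming from LAN" rule ends evaluation. The script below is an added example, not code from the post or from MikroTik: it undoes the export's backslash line wrapping, parses each `add`/`set` command into key=value pairs, and walks `/ip firewall filter` in rule order to list the input-chain accepts that match WAN traffic. The embedded sample is the address-list and filter section copied from the export above (constructed for the example, with the poster's redactions left as they are); the WAN interface and list names (`ether1-WAN`, `WAN`) are taken from that export, and every function name here is the example's own. It also reports the 500/4500 rules that are not `protocol=udp`, since IKE and NAT-T run over UDP, a detail worth confirming when IPsec will not come up.

```python
import shlex

# Constructed sample: the address-list and filter sections of the export posted
# above, redactions ("XXX") left as the poster wrote them.
SAMPLE_EXPORT = r"""
/ip firewall address-list
add address=192.168.98.0/24 list=local
add address=192.168.50.0/24 list=Trusted
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related \
    disabled=yes hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=input dst-port=8291 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input src-address-list=Trusted
add action=accept chain=input comment="Accept IGMP" in-interface=wg1 protocol=igmp
add action=accept chain=forward comment="Forward IGMP" in-interface=wg1 protocol=udp
add action=accept chain=input in-interface=ether1-WAN protocol=gre
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-esp
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-ah
add action=accept chain=input dst-port=500 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input dst-port=4500 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
"""

# Matchers that narrow a rule to particular sources or connection states; a rule
# with none of these and no interface selector also sees WAN traffic.
SOURCE_KEYS = ("src-address", "src-address-list", "dst-address", "connection-state")
# Matchers that narrow a rule to a service; a drop without any of these is a catch-all.
SERVICE_KEYS = ("protocol", "dst-port", "src-port")


def join_continuations(text):
    """Undo RouterOS export wrapping: a trailing backslash continues the command
    on the next line, which the export indents by four spaces."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw[4:] if buf and raw.startswith("    ") else raw
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Turn an export into a list of dicts: section, verb and the key=value
    arguments of each add/set command, in the order they appear."""
    section, rules = None, []
    for line in join_continuations(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()
            continue
        tokens = shlex.split(line)  # keeps comment="..." as one token
        if not tokens or tokens[0] not in ("add", "set"):
            continue
        rule = {"section": section, "verb": tokens[0]}
        for arg in tokens[1:]:
            if "=" in arg:
                key, value = arg.split("=", 1)
                rule[key] = value
        rules.append(rule)
    return rules


def matches_wan(rule, wan_interfaces, wan_lists):
    """True if traffic arriving on a WAN interface can match this rule."""
    iface, ilist = rule.get("in-interface"), rule.get("in-interface-list")
    if iface is not None:
        return iface in wan_interfaces
    if ilist is not None:
        if ilist.startswith("!"):          # "!LAN" still covers WAN
            return ilist[1:] not in wan_lists
        return ilist in wan_lists
    return not any(k in rule for k in SOURCE_KEYS)


def wan_input_accepts(rules, wan_interfaces=("ether1-WAN",), wan_lists=("WAN",)):
    """Input-chain accepts reachable from WAN, in evaluation order, up to the
    first catch-all drop (nothing after it is reachable from WAN)."""
    findings = []
    for r in rules:
        if r["section"] != "/ip firewall filter" or r.get("chain") != "input":
            continue
        if r.get("disabled") == "yes" or not matches_wan(r, wan_interfaces, wan_lists):
            continue
        if r.get("action") == "accept":
            findings.append({"protocol": r.get("protocol", "any"),
                             "dst-port": r.get("dst-port"),
                             "comment": r.get("comment", "")})
        elif r.get("action") == "drop" and not any(
                k in r for k in SOURCE_KEYS + SERVICE_KEYS):
            break
    return findings


def non_udp_ike_ports(findings):
    """Ports 500/4500 accepted with a protocol other than UDP (IKE/NAT-T are UDP)."""
    return [f["dst-port"] for f in findings
            if f["dst-port"] in ("500", "4500") and f["protocol"] != "udp"]


if __name__ == "__main__":
    found = wan_input_accepts(parse_export(SAMPLE_EXPORT))
    for f in found:
        print(f"accept from WAN: {f['protocol']} {f['dst-port'] or '-'} {f['comment']}")
    print("IKE ports not accepted over UDP:", non_udp_ike_ports(found))
```

Run against the sample, it lists TCP 8291, GRE, ESP, AH, TCP 500, TCP 4500 and ICMP as reachable from the WAN side, and flags 500 and 4500 as not being UDP rules; each entry is something the operator should be able to say is intentional, and the WinBox port in particular is usually kept off the WAN interface and reached over the VPN instead.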