 
AnzUl
just joined
Topic Author
Posts: 3
Joined: Tue Apr 02, 2024 2:48 pm

Wireguard EOIP and VLAN

Tue Apr 02, 2024 3:23 pm

Hello!
I have a routing problem across multiple MikroTiks.
All MikroTiks are connected into one network with WireGuard. On the main MikroTik I have EoIP tunnels to all the other MikroTiks and a DHCP server for management VLAN 200. All MikroTiks get an IP from DHCP and I can ping them from the main router, but the problem appears when I ping from a computer. The MikroTik the computer is connected to and the main MikroTik always answer, but only one other MikroTik answers ping when I add the management network to the allowed networks in WireGuard. Only the MikroTik that was changed last answers; the others stop answering. I can connect to all of them by their basic IP (different for each), but not through the management VLAN. What did I forget to do?
 
AnzUl
just joined
Topic Author
Posts: 3
Joined: Tue Apr 02, 2024 2:48 pm

Re: Wireguard EOIP and VLAN

Tue Apr 02, 2024 5:56 pm

Configuration of main router:

# 2024-04-02 17:28:35 by RouterOS 7.14.2
# software id = **ELIDED**
#
# model = CCR1036-12G-4S
# Four bridges are defined. Only VLAN_Bridge has vlan-filtering=yes; the other
# three carry no VLAN filtering setting in this export.
/interface bridge
add admin-mac=64:D1:55:7A:B5:E4 auto-mac=no comment="For server management" \
    name=BridgeMGM port-cost-mode=short
add admin-mac=64:D1:55:7A:B5:E0 auto-mac=no comment="For Public Access" name=\
    BridgePublic port-cost-mode=short
add admin-mac=64:D1:55:7A:B5:E3 auto-mac=no comment="SM LocalNet and EoIP" \
    name=Bridge_STM_LocalNet port-cost-mode=short
add admin-mac=64:D1:55:7A:B5:E1 auto-mac=no comment="Main VLAN Bridge" name=\
    VLAN_Bridge vlan-filtering=yes
# Physical port renames only. ether11 is the single port labelled as public
# (Eth11-WAN1); sfp1-sfp3 are labelled as server management ports.
/interface ethernet
set [ find default-name=ether1 ] comment=SRV0_2 name=Eth1-SRV0_Lan2
set [ find default-name=ether2 ] comment=SRV0_3 name=Eth2-SRV0_Lan3
set [ find default-name=ether3 ] comment=SRV0_4 name=Eth3-SRV0_Lan4
set [ find default-name=ether4 ] comment=SRV1_1 name=Eth4-SRV1_Lan1
set [ find default-name=ether5 ] comment=SRV1_2 name=Eth5-SRV1_Lan2
set [ find default-name=ether6 ] comment=SRV1_3 name=Eth6-SRV1_Lan3
set [ find default-name=ether7 ] comment=SRV1_4 name=Eth7-SRV1_Lan4
set [ find default-name=ether8 ] comment=SRV2_1 name=Eth8-SRV2_Lan1
set [ find default-name=ether9 ] comment=SRV2_2 name=Eth9-SRV2_Lan2
set [ find default-name=ether10 ] comment=SRV2_3 name=Eth10-SRV2_Lan3
set [ find default-name=ether11 ] comment="Public_1 network" name=Eth11-WAN1
set [ find default-name=ether12 ] comment=SRV2_4 name=Eth12-SRV2_Lan4
set [ find default-name=sfp1 ] comment="SRV0 Server Management" name=\
    sfp1-MGM_SRV0
set [ find default-name=sfp2 ] comment="SRV1 Server Management" name=\
    sfp2-MGM_SRV1
set [ find default-name=sfp3 ] comment="SRV2 Server Management" name=\
    sfp3-MGM_SRV2
set [ find default-name=sfp4 ] comment=SRV0_1 name=sfp4-SRV0_Lan1
# EoIP (layer-2 over GRE) tunnels to the remote routers. Every remote-address
# is in 10.40.0.0/24, the subnet assigned to MiraWireGuard under /ip address,
# so the tunnels are carried inside the WireGuard links.
# NOTE(review): no ipsec-secret is set on any tunnel, so the bridged traffic
# is protected only by the WireGuard underlay. Keep remote-address on the
# 10.40.0.x tunnel addresses; pointing one at a public address would send
# this L2 traffic as plain GRE.
# NOTE(review): mtu=1510 sits on top of a WireGuard interface with mtu=1420,
# so full-size frames presumably get fragmented inside the tunnel - confirm.
# NOTE(review): 1-3 has no arp=proxy-arp, and only 1-4 and 1-5 set
# local-address; confirm these differences between tunnels are intended.
/interface eoip
add allow-fast-path=no arp=proxy-arp mac-address=02:4E:94:90:C8:53 mtu=1510 \
    name=1-1 remote-address=10.40.0.2 tunnel-id=96
add allow-fast-path=no arp=proxy-arp mac-address=02:4E:AD:97:F5:70 mtu=1510 \
    name=1-2 remote-address=10.40.0.4 tunnel-id=2
add allow-fast-path=no mac-address=02:3E:62:EC:FC:A3 mtu=1510 name=\
    1-3 remote-address=10.40.0.9 tunnel-id=3
add allow-fast-path=no arp=proxy-arp local-address=10.40.0.1 mac-address=\
    02:56:AA:78:C8:EA mtu=1510 name=1-4 remote-address=10.40.0.3 \
    tunnel-id=66
add allow-fast-path=no arp=proxy-arp local-address=10.40.0.1 mac-address=\
    02:1F:42:0C:67:B4 mtu=1510 name=1-5 remote-address=10.40.0.6 \
    tunnel-id=55
# WireGuard hub interface listening on UDP 51820. No private-key value
# appears in this export.
/interface wireguard
add listen-port=51820 mtu=1420 name=MiraWireGuard
# VLAN interfaces on top of VLAN_Bridge. pub.188 and sm_loc.35 are later added
# as ports of BridgePublic and Bridge_STM_LocalNet under /interface bridge port.
/interface vlan
add comment="Esxi managenent" interface=VLAN_Bridge name=esxi.12 vlan-id=12
add comment="Management VLAN" interface=VLAN_Bridge name=mgm.200 vlan-id=200
add comment="Public access" interface=VLAN_Bridge name=pub.188 vlan-id=188
add comment="RM Local network" interface=VLAN_Bridge name=rm_loc.5 vlan-id=5
add comment="SM Local network" interface=VLAN_Bridge name=sm_loc.35 vlan-id=\
    35
add comment="Esxi vMotion" interface=VLAN_Bridge name=vmot.100 vlan-id=100
# LACP bond over the four SRV0 ports; disabled=yes, and the same four ports
# are individual members of VLAN_Bridge.
/interface bonding
add comment="SRV0 Bonding" disabled=yes mode=802.3ad name=SRV0_lag1 slaves=\
    sfp4-SRV0_Lan1,Eth1-SRV0_Lan2,Eth2-SRV0_Lan3,Eth3-SRV0_Lan4 \
    transmit-hash-policy=layer-2-and-3
# Address pools. dhcp_pool_Management (10.5.200.2-254) is the pool handed out
# on management VLAN 200.
/ip pool
add name=dhcp_pool_MGM0 ranges=10.1.1.100-10.1.1.200
add name=dhcp_pool_ESXI0 ranges=10.1.2.100-10.1.2.200
add name=ovpn_pool_ovpn ranges=10.70.0.100-10.70.0.199
add name=dhcp_pool_vmotion ranges=10.1.3.2-10.1.3.254
add name=dhcp_pool_Management ranges=10.5.200.2-10.5.200.254
# DHCP servers. dhcp_Management runs on mgm.200, so every device that is
# bridged into VLAN 200 over EoIP gets its lease from this router.
/ip dhcp-server
add address-pool=dhcp_pool_MGM0 interface=BridgeMGM lease-time=12h name=\
    dhcp_MGM
add address-pool=dhcp_pool_ESXI0 interface=esxi.12 lease-time=12h name=\
    dhcp_ESXI
add address-pool=dhcp_pool_vmotion interface=vmot.100 name=dhcp_vMotion
add address-pool=dhcp_pool_Management interface=mgm.200 name=dhcp_Management
# The default SMB user is disabled.
/ip smb users
set [ find default=yes ] disabled=yes
# Serial port names only.
/port
set 0 name=serial0
set 1 name=serial1

# Bridge membership.
# NOTE(review): pub.188 and sm_loc.35 are VLAN interfaces of VLAN_Bridge that
# are bridged into BridgePublic and Bridge_STM_LocalNet. VLAN 188 on the
# server ports is therefore in the same L2 segment as Eth11-WAN1, the public
# port; confirm that exposure is intended.
# NOTE(review): EoIP tunnel 1-5 is a port of Bridge_STM_LocalNet, not of
# VLAN_Bridge, yet it is listed as a tagged member of VLAN 200 on VLAN_Bridge
# under /interface bridge vlan. That entry presumably has no effect for 1-5,
# so the router behind 1-5 would not receive the management VLAN - confirm.
# NOTE(review): no pvid or frame-types value is set on any VLAN_Bridge port;
# untagged frames are presumably admitted into the default PVID - confirm
# against the running defaults.
/interface bridge port
add bridge=BridgePublic ingress-filtering=no interface=Eth11-WAN1 \
    internal-path-cost=10 path-cost=10
add bridge=Bridge_STM_LocalNet interface=1-5 internal-path-cost=10 \
    path-cost=10
add bridge=BridgeMGM interface=sfp1-MGM_SRV0
add bridge=BridgeMGM interface=sfp2-MGM_SRV1
add bridge=BridgeMGM interface=sfp3-MGM_SRV2
add bridge=BridgePublic interface=pub.188
add bridge=Bridge_STM_LocalNet interface=sm_loc.35
add bridge=VLAN_Bridge interface=sfp4-SRV0_Lan1
add bridge=VLAN_Bridge interface=Eth1-SRV0_Lan2
add bridge=VLAN_Bridge interface=Eth2-SRV0_Lan3
add bridge=VLAN_Bridge interface=Eth3-SRV0_Lan4
add bridge=VLAN_Bridge interface=Eth4-SRV1_Lan1
add bridge=VLAN_Bridge interface=Eth5-SRV1_Lan2
add bridge=VLAN_Bridge interface=Eth6-SRV1_Lan3
add bridge=VLAN_Bridge interface=Eth7-SRV1_Lan4
add bridge=VLAN_Bridge interface=Eth8-SRV2_Lan1
add bridge=VLAN_Bridge interface=Eth9-SRV2_Lan2
add bridge=VLAN_Bridge interface=Eth10-SRV2_Lan3
add bridge=VLAN_Bridge interface=Eth12-SRV2_Lan4
add bridge=VLAN_Bridge interface=1-4
add bridge=VLAN_Bridge interface=1-2
add bridge=VLAN_Bridge interface=1-1
add bridge=VLAN_Bridge interface=1-3
# UDP connection-tracking timeout set to 10s.
/ip firewall connection tracking
set udp-timeout=10s
# IPv6 is disabled on this router.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# VLAN table of VLAN_Bridge. VLANs 12, 5, 188, 35 and 100 are tagged on the
# bridge itself and on all twelve server ports (VLAN 5 also on EoIP 1-4).
# VLAN 200 (management) is tagged only on the bridge and on the EoIP tunnels,
# so it is not present on any physical port of this router.
# The Bridge_STM_LocalNet and BridgePublic entries are disabled.
/interface bridge vlan
add bridge=VLAN_Bridge comment="Esxi Vlan" tagged="VLAN_Bridge,sfp4-\
    SRV0_Lan1,Eth1-SRV0_Lan2,Eth2-SRV0_Lan3,Eth3-SRV0_Lan4,Eth4-SRV1_Lan1,Eth5\
    -SRV1_Lan2,Eth6-SRV1_Lan3,Eth7-SRV1_Lan4,Eth8-SRV2_Lan1,Eth9-SRV2_Lan2,Eth\
    10-SRV2_Lan3,Eth12-SRV2_Lan4" vlan-ids=12
add bridge=VLAN_Bridge comment="RM_Local Vlan" tagged="VLAN_Bridge,s\
    fp4-SRV0_Lan1,Eth1-SRV0_Lan2,Eth2-SRV0_Lan3,Eth3-SRV0_Lan4,Eth4-SRV1_Lan1,\
    Eth5-SRV1_Lan2,Eth6-SRV1_Lan3,Eth7-SRV1_Lan4,Eth8-SRV2_Lan1,Eth9-SRV2_Lan2\
    ,Eth10-SRV2_Lan3,Eth12-SRV2_Lan4,1-4" vlan-ids=5
add bridge=VLAN_Bridge comment="Public Vlan" tagged="VLAN_Bridge,sfp\
    4-SRV0_Lan1,Eth1-SRV0_Lan2,Eth2-SRV0_Lan3,Eth3-SRV0_Lan4,Eth4-SRV1_Lan1,Et\
    h5-SRV1_Lan2,Eth6-SRV1_Lan3,Eth7-SRV1_Lan4,Eth8-SRV2_Lan1,Eth9-SRV2_Lan2,E\
    th10-SRV2_Lan3,Eth12-SRV2_Lan4" vlan-ids=188
add bridge=VLAN_Bridge comment="SM_Local Vlan" tagged="VLAN_Bridge,s\
    fp4-SRV0_Lan1,Eth1-SRV0_Lan2,Eth2-SRV0_Lan3,Eth3-SRV0_Lan4,Eth4-SRV1_Lan1,\
    Eth5-SRV1_Lan2,Eth6-SRV1_Lan3,Eth7-SRV1_Lan4,Eth8-SRV2_Lan1,Eth9-SRV2_Lan2\
    ,Eth10-SRV2_Lan3,Eth12-SRV2_Lan4" vlan-ids=35
add bridge=VLAN_Bridge comment="vMotion Vlan" tagged="VLAN_Bridge,sf\
    p4-SRV0_Lan1,Eth1-SRV0_Lan2,Eth2-SRV0_Lan3,Eth3-SRV0_Lan4,Eth4-SRV1_Lan1,E\
    th5-SRV1_Lan2,Eth6-SRV1_Lan3,Eth7-SRV1_Lan4,Eth8-SRV2_Lan1,Eth9-SRV2_Lan2,\
    Eth10-SRV2_Lan3,Eth12-SRV2_Lan4" vlan-ids=100
add bridge=Bridge_STM_LocalNet disabled=yes tagged=\
    Bridge_STM_LocalNet,1-5,sm_loc.35 vlan-ids=35
add bridge=BridgePublic disabled=yes tagged=BridgePublic,Eth11-WAN1,pub.188 \
    vlan-ids=188
# NOTE(review): 1-5 is listed here but is a port of Bridge_STM_LocalNet under
# /interface bridge port, not of VLAN_Bridge - confirm which bridge it
# should belong to.
add bridge=VLAN_Bridge comment="Management Vlan" tagged=\
    VLAN_Bridge,1-4,1-2,1-1,1-5,1-3 \
    vlan-ids=200
# NOTE(review): detect-internet is enabled on every interface, tunnels
# included; confirm it is needed at all on this router.
/interface detect-internet
set detect-interface-list=all
# Peers of the hub interface MiraWireGuard. For each peer, allowed-address is
# both the outbound selector (which peer a destination is sent to) and the
# inbound filter (which source addresses are accepted from that peer).
# The public-key values look like placeholders substituted before posting.
# NOTE(review): the same prefix is listed on several peers of this interface:
#   10.5.200.0/24  on KHNW, "1" (10.40.0.4) and 12 (10.40.0.9)
#   10.40.0.101/32 on KHNW, 1 (10.40.0.6) and 5
#   10.40.0.111/32 on KHNW and 11
# A prefix can map to only one peer per interface, so presumably only one of
# these peers ends up owning each duplicated prefix. That would match the
# reported symptom that only the last-changed router answers on the
# management network - confirm on the running router.
# NOTE(review): VLAN 200 already reaches the remotes as layer 2 inside EoIP,
# whose endpoints are the 10.40.0.x/32 entries below. If a remote router
# replies from its 10.5.200.x address by routing over WireGuard instead of
# through the EoIP/VLAN path, the hub accepts that source only from the one
# peer that owns 10.5.200.0/24 - TODO confirm the return path on the remotes.
/interface wireguard peers
add allowed-address="10.40.0.2/32,10.96.0.0/16,10.40.0.100/32,10.5.200.0/24,10\
    .5.10.0/24,10.40.0.101/32,10.40.0.111/32,10.1.0.0/16" comment=KHNW \
    endpoint-address=11.22.33.44 endpoint-port=51820 interface=MiraWireGuard \
    persistent-keepalive=10s public-key=\
    "shjhjggfjhgfg"
add allowed-address=10.40.0.3/32 comment=4 interface=MiraWireGuard \
    persistent-keepalive=10s public-key=\
    "fghfdhfhf"
add allowed-address=10.40.0.4/32,10.5.200.0/24,10.50.2.0/24 comment=\
    "1" interface=MiraWireGuard persistent-keepalive=10s \
    public-key="sdfsdsfdfsd"
add allowed-address=10.40.0.5/32,10.50.1.0/24,192.168.9.0/24 comment=\
    "2" disabled=yes interface=MiraWireGuard \
    persistent-keepalive=10s public-key=\
    "sdfgsdfdsg"
add allowed-address=10.40.0.6/32,10.40.0.101/32 comment=1 interface=\
    MiraWireGuard persistent-keepalive=10s public-key=\
    "sdsdsffdsdhsh"
add allowed-address=10.40.0.7/32,10.22.1.0/24 comment=3 interface=\
    MiraWireGuard persistent-keepalive=10s public-key=\
    "sdsdsfdfggf"
add allowed-address=10.40.0.101/32 comment=5 interface=MiraWireGuard \
    persistent-keepalive=10s public-key=\
    "sdfsdfdfdhfd"
add allowed-address=10.40.0.23/32 comment=6 interface=\
    MiraWireGuard persistent-keepalive=10s public-key=\
    "dfsfdfdgdghddfhhhf"
add allowed-address=10.40.0.22/32 comment=7 \
    endpoint-address="" interface=MiraWireGuard persistent-keepalive=10s \
    public-key="sdgfdhdfhhfhh"
add allowed-address=10.40.0.201/32 comment=8 disabled=yes interface=\
    MiraWireGuard persistent-keepalive=10s public-key=\
    "sdfsdfgfdgfhf"
add allowed-address=10.40.0.8/32 comment=9 interface=MiraWireGuard \
    persistent-keepalive=10s public-key=\
    "zdsfsdfdfhdhfsf"
add allowed-address=10.40.0.102/32 comment=10 disabled=yes interface=\
    MiraWireGuard persistent-keepalive=10s public-key=\
    "sadfsdsfgdfdghgh"
# NOTE(review): 10.0.0.0/8 lets this single peer source traffic from any 10.x
# address that is not claimed by a more specific entry on another peer.
# Narrow it to the networks this peer actually serves.
add allowed-address=10.40.0.111/32,10.0.0.0/8 comment=11 interface=\
    MiraWireGuard persistent-keepalive=10s public-key=\
    "asddsfsgdhgffjj"
add allowed-address=10.40.0.9/32,10.50.3.0/24,10.5.200.0/24 comment=\
    12 interface=MiraWireGuard persistent-keepalive=10s \
    public-key="asdafgdhfgffjfj"
add allowed-address=10.40.0.103/32 comment=13 interface=MiraWireGuard \
    persistent-keepalive=10s public-key=\
    "asddgfdgjgkjkhk"
# Router addresses. BridgePublic carries five addresses in 11.22.33.0/24
# (values as posted); 10.40.0.1/24 is the WireGuard hub address and
# 10.5.200.1/24 is the gateway of management VLAN 200.
# NOTE(review): the comment on 11.22.33.44 says it is used for RouterOS
# access. The filter rules in this export do not restrict management
# services on BridgePublic - see /ip firewall filter.
/ip address
add address=10.1.1.1/24 comment="Local management bridge" interface=BridgeMGM \
    network=10.1.1.0
add address=10.1.2.1/24 comment="Local ESXI bridge" interface=esxi.12 \
    network=10.1.2.0
add address=11.22.33.44/24 comment=\
    "For RouterOS access and Internet inside network" interface=BridgePublic \
    network=11.22.33.0
add address=10.35.100.254/24 comment="SM local network" interface=\
    Bridge_STM_LocalNet network=10.35.100.0
add address=10.5.10.1/24 comment="RM local network" interface=rm_loc.5 \
    network=10.5.10.0
add address=11.22.33.55/24 comment="For STM Access" interface=BridgePublic \
    network=11.22.33.0
add address=11.22.33.66/24 comment="Telephone and Internet RM access" \
    interface=BridgePublic network=11.22.33.0
add address=11.22.33.77/24 comment="For RM Remote Access" interface=\
    BridgePublic network=11.22.33.0
add address=11.22.33.88/24 comment="ERP External Access" interface=\
    BridgePublic network=11.22.33.0
add address=10.40.0.1/24 comment="WireGuard Server KHNW" interface=\
    MiraWireGuard network=10.40.0.0
add address=10.1.3.1/24 comment="vMotion network" interface=vmot.100 network=\
    10.1.3.0
add address=10.5.200.1/24 interface=mgm.200 network=10.5.200.0
# DHCP options per network; each network uses this router as gateway and DNS.
/ip dhcp-server network
add address=10.1.1.0/24 comment="For Local Management" dns-server=10.1.1.1 \
    gateway=10.1.1.1
add address=10.1.2.0/24 comment="For Local ESXI" dns-server=10.1.2.1 gateway=\
    10.1.2.1
add address=10.1.3.0/24 comment="For vMotion" dns-server=10.1.3.1 gateway=\
    10.1.3.1
add address=10.5.200.0/24 dns-server=10.5.200.1 gateway=10.5.200.1
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# on its addresses. The filter below drops only UDP/53 arriving on
# BridgePublic; TCP/53 from outside is not dropped by any rule shown.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Filter rules, evaluated top to bottom.
# NOTE(review): no final drop rule appears in the input or forward chain, and
# there is no rule on connection-state=established,related. A packet that
# matches nothing below is accepted, so the accept rules at the end (IKE,
# ESP, AH, GRE, WireGuard) change nothing, and every router service is
# reachable from BridgePublic apart from the specific drops listed here.
# A closing drop on input for traffic arriving on BridgePublic, preceded by an
# accept for established/related, is the usual baseline.
/ip firewall filter
# Drops DNS queries from the public side, UDP only; TCP/53 is not covered.
add action=drop chain=input comment="Block outside access dns" dst-port=53 \
    in-interface=BridgePublic protocol=udp
# FTP: sources on ftp_blacklist are dropped. The two output rules watch the
# router's own "530 Login incorrect" replies: the first accepts them within
# the dst-limit, the second adds the destination to ftp_blacklist for 3h.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
# SSH: staged address lists. The stage rules are ordered highest stage first,
# so one new connection advances a source by a single stage; a further new
# connection while the source is still on ssh_stage3 blacklists it for 1w3d.
# These rules are in chain=input, so they only count connections to the
# router itself.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
# NOTE(review): this forward drop relies on ssh_blacklist, which is filled
# only by the input rules above. Attempts against the SSH ports published by
# dst-nat pass through forward and never populate the list.
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=\
    22 protocol=tcp src-address-list=ssh_blacklist
# NOTE(review): the IKE/ESP/AH/GRE accepts have no in-interface or source
# restriction. The EoIP peers shown are all 10.40.0.x, so GRE could be
# limited to in-interface=MiraWireGuard once a default drop exists.
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=gre
add action=accept chain=input comment=WireGuard dst-port=51820 in-interface=\
    BridgePublic protocol=udp
# Adds 1 to the TTL of every packet whose destination is outside 10.0.0.0/8.
/ip firewall mangle
add action=change-ttl chain=prerouting dst-address=!10.0.0.0/8 new-ttl=\
    increment:1 passthrough=yes
# NAT. The two src-nat rules translate outbound traffic leaving BridgePublic:
# 10.5.0.0/16 goes out as 11.22.33.66, the rest of 10.0.0.0/8 as 11.22.33.44
# (the first matching rule wins, so order matters).
/ip firewall nat
add action=src-nat chain=srcnat comment="Masquarade" dst-address=\
    !10.0.0.0/8 out-interface=BridgePublic src-address=10.5.0.0/16 \
    to-addresses=11.22.33.66
add action=src-nat chain=srcnat comment=Masquerade dst-address=!10.0.0.0/8 \
    out-interface=BridgePublic src-address=10.0.0.0/8 to-addresses=\
    11.22.33.44
# Published services. None of the dst-nat rules has a src-address or
# src-address-list restriction, and the forward chain has no matching filter
# apart from the ssh_blacklist drop.
add action=dst-nat chain=dstnat comment="ERP http" dst-address=11.22.33.88 \
    dst-port=80 in-interface=BridgePublic protocol=tcp to-addresses=\
    10.5.10.60 to-ports=80
add action=dst-nat chain=dstnat comment="ERP https" dst-address=\
    11.22.33.88 dst-port=443 in-interface=BridgePublic protocol=tcp \
    to-addresses=10.5.10.60 to-ports=443
# NOTE(review): SSH of 10.5.10.60 and 10.5.10.65 is published to any source.
# Prefer reaching these hosts over WireGuard, or restrict the rules with a
# src-address-list of known administrators.
add action=dst-nat chain=dstnat comment="ERP SSH" dst-address=11.22.33.88 \
    dst-port=22 in-interface=BridgePublic protocol=tcp to-addresses=\
    10.5.10.60 to-ports=22
add action=dst-nat chain=dstnat dst-address=11.22.33.55 dst-port=80 \
    in-interface=BridgePublic protocol=tcp to-addresses=10.5.10.65 to-ports=\
    80
add action=dst-nat chain=dstnat dst-address=11.22.33.55 dst-port=443 \
    in-interface=BridgePublic protocol=tcp to-addresses=10.5.10.65 to-ports=\
    443
add action=dst-nat chain=dstnat dst-address=11.22.33.55 dst-port=22 \
    in-interface=BridgePublic protocol=tcp to-addresses=10.5.10.65 to-ports=\
    22
# NOTE(review): TCP 18966 is forwarded to port 3389 on 10.5.10.13, i.e. an
# RDP service published to any source on a non-standard port. The port change
# is not an access control; restrict the source or move this behind the VPN.
add action=dst-nat chain=dstnat dst-address=11.22.33.55 dst-port=18966 \
    in-interface=BridgePublic protocol=tcp to-addresses=10.5.10.13 to-ports=\
    3389
# Static routes. Remote LANs are reached through the WireGuard address of the
# router that owns them; each such destination also has to be present in that
# peer's allowed-address under /interface wireguard peers.
# No route for 10.5.200.0/24 is needed here: it is directly connected on
# mgm.200.
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=11.22.33.1
# NOTE(review): no interface address in 10.10.12.0/24 appears under
# /ip address, so this gateway is presumably unreachable - confirm.
add disabled=no dst-address=10.35.200.0/24 gateway=10.10.12.2
add check-gateway=ping disabled=no distance=1 dst-address=10.5.1.0/24 \
    gateway=10.5.10.2 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.22.1.0/24 \
    gateway=10.40.0.7 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
# NOTE(review): this route is enabled, but the peer holding 10.40.0.5 and
# 10.50.1.0/24 is disabled=yes under /interface wireguard peers.
add check-gateway=ping disabled=no distance=1 dst-address=10.50.1.0/24 \
    gateway=10.40.0.5 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=192.168.9.1/32 \
    gateway=10.40.0.5 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.8.0/24 gateway=10.40.0.9 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.10.1/32 gateway=10.40.0.3 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=10.50.2.0/24 gateway=10.40.0.4 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=10.96.0.0/16 gateway=10.40.0.2 routing-table=main \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.50.3.0/24 gateway=10.40.0.9 \
    pref-src="" routing-table=main suppress-hw-offload=no
Last edited by tangent on Wed Apr 03, 2024 12:48 am, edited 1 time in total.
Reason: elided PII; wrapped config in code tag
 
AnzUl
just joined
Topic Author
Posts: 3
Joined: Tue Apr 02, 2024 2:48 pm

Re: Wireguard EOIP and VLAN

Tue Apr 02, 2024 6:01 pm

Configuration on other routers:

# 2024-04-02 17:57:28 by RouterOS 7.14.2
# software id = **ELIDED**
#
# model = RB951Ui-2HnD
# Two bridges: MGM_Bridge (VLAN-aware, carries the management VLAN from the
# EoIP tunnel) and localBridge (LAN ports and wlan1).
/interface bridge
add name=MGM_Bridge vlan-filtering=yes
add name=localBridge port-cost-mode=short
# The LTE interface is the WAN of this router.
/interface lte
set [ find default-name=lte1 ] name=lte1_WAN
# WireGuard client interface; no private-key value appears in this export.
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard_MiraIn
# EoIP tunnel to the main router's WireGuard address (10.40.0.1), so it is
# carried inside WireGuard. No ipsec-secret is set.
# NOTE(review): mtu=1500 here, while the main router's tunnel with
# tunnel-id=2 (name 1-2) uses mtu=1510 - confirm both ends should match.
/interface eoip
add allow-fast-path=no arp=proxy-arp mac-address=02:CB:FD:47:11:5D mtu=1500 \
    name=modem2-mira remote-address=10.40.0.1 tunnel-id=2
# Management VLAN 200 interface on MGM_Bridge; it gets its address from the
# DHCP client configured under /ip dhcp-client.
/interface vlan
add interface=MGM_Bridge name=2_mgm.200 vlan-id=200
/ip pool
add name=dhcp_pool0 ranges=10.50.2.150-10.50.2.199
/ip dhcp-server
add address-pool=dhcp_pool0 interface=localBridge lease-time=23h name=dhcp1
# The default SMB user is disabled.
/ip smb users
set [ find default=yes ] disabled=yes
# LAN ports and wlan1 go to localBridge; the EoIP tunnel is the only port of
# MGM_Bridge.
/interface bridge port
add bridge=localBridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=localBridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=localBridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=localBridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=localBridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=localBridge interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=MGM_Bridge interface=modem2-mira
/ip firewall connection tracking
set udp-timeout=10s
# VLAN 200 is tagged on the bridge itself and on the EoIP port only.
/interface bridge vlan
add bridge=MGM_Bridge tagged=MGM_Bridge,modem2-mira vlan-ids=200
# NOTE(review): detect-internet is enabled on every interface, tunnels
# included; confirm it is needed at all on this router.
/interface detect-internet
set detect-interface-list=all
# Single peer: the main router (hub) at 11.22.33.44:51820.
# NOTE(review): allowed-address contains 0.0.0.0/0, which makes every other
# entry in the list redundant and accepts any source address arriving through
# the tunnel. If only the 10.x networks behind the hub are meant to be
# reachable, list just those prefixes.
# The public-key value looks like a placeholder substituted before posting.
/interface wireguard peers
add allowed-address="0.0.0.0/0,10.40.0.1/32,10.0.0.0/8,10.40.0.101/32,10.40.0.\
    100/32,10.40.0.102/32,10.40.0.111/32" endpoint-address=11.22.33.44 \
    endpoint-port=51820 interface=wireguard_MiraIn persistent-keepalive=10s \
    public-key="asddgdfdhgfd"
# Local LAN gateway and the WireGuard tunnel address of this router.
/ip address
add address=10.50.2.1/24 comment=1 interface=localBridge network=\
    10.50.2.0
add address=10.40.0.4/24 interface=wireguard_MiraIn network=10.40.0.0
# Management address is leased from the main router over VLAN 200.
# add-default-route=no means the lease installs no default route, so replies
# to sources outside 10.5.200.0/24 follow the other routes on this router.
/ip dhcp-client
add add-default-route=no interface=2_mgm.200
/ip dhcp-server network
add address=10.50.2.0/24 dns-server=10.50.2.1 gateway=10.50.2.1
# NOTE(review): allow-remote-requests=yes with no DNS drop rule in the filter
# below, so the resolver answers on every interface, lte1_WAN included.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# NOTE(review): this single accept is the whole filter. There is no drop rule
# in any chain, so all router services are reachable from lte1_WAN as far as
# the carrier lets inbound traffic through. Add an established/related accept
# and a closing drop on input for traffic arriving on lte1_WAN.
/ip firewall filter
add action=accept chain=input dst-port=51820 protocol=udp
# Adds 1 to the TTL of every packet whose destination is outside 10.0.0.0/8.
/ip firewall mangle
add action=change-ttl chain=prerouting dst-address=!10.0.0.0/8 new-ttl=\
    increment:1 passthrough=yes
# Outbound traffic leaving through LTE is masqueraded.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1_WAN
# Static routes to networks behind the hub and behind other sites, all via
# the hub's WireGuard address 10.40.0.1.
# NOTE(review): traffic this router sends along these routes from its
# management address (10.5.200.x) reaches the hub over WireGuard with that
# source; the hub accepts it only if 10.5.200.0/24 is in this router's
# allowed-address there - presumably the reason that prefix was added to
# several hub peers. Confirm the return path for management pings.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=10.5.10.0/24 \
    gateway=10.40.0.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.96.0.0/16 \
    gateway=10.40.0.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=10.50.1.0/24 \
    gateway=10.40.0.1 pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.50.3.0/24 gateway=10.40.0.1 \
    pref-src="" routing-table=main suppress-hw-offload=no
Last edited by tangent on Wed Apr 03, 2024 12:49 am, edited 2 times in total.
Reason: elided PII; wrapped config in code tag
