Using a WireGuard VPN, access servers that are in a VLAN (2024)

Hello everyone. First I would like to make it clear that I am new to MikroTik; I don't speak English and I use Google Translate, so I apologize for any errors in translation. I have a smart home system with several IoT devices, cameras, servers, home WiFi, guest WiFi and 2 internet links, 1 with a public IP and the other behind CGNAT.
I decided to invest in something better for my network, safe and reliable. I opted for: 1 hAP ax3, 2 cAP ac, 1 TP-Link managed switch.
So after some time learning MikroTik, I started putting things to work (everything working perfectly, with WireGuard and recursive routing), and then it was time for the second step. I want to segment my network into 4 VLANs, for example: vlan-10 (home WiFi), vlan-20 (guest WiFi), vlan-30 (IoT devices), vlan-40 (servers).
At the moment I have the following problem: using my cell phone connected via WireGuard, I cannot access my services/servers that are in a VLAN. I've struggled with several firewall rules, but I still haven't been able to understand which one blocks the access.

The scenario is this:

NOTE: Despite having 1 public IP, I use a CHR running in the cloud to allow the recursive route of the second link (LTE 5G).

(smartphones outside the network, connected via WireGuard) -------> (CHR v7.14 running on Oracle - WireGuard server) <-------- (hAP ax3 at my house - connected to the WireGuard server on Oracle)

If anyone understands this and can help me I would be very grateful.

Code:

# 2024-03-08 10:04:35 by RouterOS 7.14
# software id = **ELIDED**
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = **ELIDED**
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="LINK 1" name=ether1-LINK-1-VIA
set [ find default-name=ether2 ] comment="LINK 2" name=ether2-LINK-2-TIM-4G
set [ find default-name=ether5 ] name=ether5-SWITCH-TPLINK
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard2
/interface vlan
add interface=bridge name=vlan1-starlink-10 vlan-id=10
add interface=bridge name=vlan2-cft-20 vlan-id=20
add interface=bridge name=vlan3-iot-30 vlan-id=30
add interface=bridge name=vlan4-gerencia-50 vlan-id=50
add interface=bridge name=vlan5-servers-80 vlan-id=80
add interface=bridge name=vlan6-wifi-visitantes-100 vlan-id=100
/interface pppoe-client
add allow=chap,mschap1,mschap2 dial-on-demand=yes disabled=no interface=ether1-LINK-1-VIA name=pppoe-VIA user=**ELIDED**
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="LINKS INTERNET" name=WAN-LINKS
add name=Interfaces-Seguras
add name=VLAN-30
/interface wifi channel
add band=5ghz-ax disabled=no name=ch-5-ax skip-dfs-channels=all width=20/40/80mhz
add band=5ghz-ac disabled=no name=ch-5-ac skip-dfs-channels=all width=20/40mhz
add band=2ghz-n disabled=no name=ch-2-n width=20mhz
add band=2ghz-ax disabled=no name=ch-2-ax width=20mhz
/interface wifi datapath
add bridge=bridge disabled=no name=data-starlink
add client-isolation=yes disabled=no name=data-visitantes vlan-id=100
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=starlink
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=starlink-visitantes
/interface wifi configuration
add channel=ch-2-ax comment=CONF-STARLINK country=Brazil datapath=data-starlink disabled=no mode=ap name=cfg-2-starlink-ax security=starlink ssid=STARLINK
add channel=ch-2-ax comment=CONF-VISITANTES country=Brazil datapath=data-visitantes disabled=no mode=ap name=cfg-2-visitantes-ax security=starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-5-ax comment=CONF-STARLINK country=Brazil datapath=data-starlink disabled=no mode=ap name=cfg-5-starlink-ax security=starlink ssid=STARLINK
add channel=ch-5-ax comment=CONF-VISITANTES country=Brazil datapath=data-visitantes disabled=no mode=ap name=cfg-5-visitantes-ax security=starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-5-ac comment=CONF-VISITANTES country=Brazil datapath=data-visitantes disabled=no mode=ap name=cfg-5-visitantes-ac security=starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-5-ac comment=CONF-STARLINK country=Brazil datapath=data-starlink disabled=no mode=ap name=cfg-5-starlink-ac security=starlink ssid=STARLINK
add channel=ch-2-n comment=CONF-VISITANTES country=Brazil datapath=data-visitantes disabled=no mode=ap name=cfg-2-visitantes-n security=starlink-visitantes ssid=STARLINK_VISITANTES
add channel=ch-2-n comment=CONF-STARLINK country=Brazil datapath=data-starlink disabled=no mode=ap name=cfg-2-starlink-n security=starlink ssid=STARLINK
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration=cfg-5-starlink-ax configuration.manager=local .mode=ap disabled=no
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration=cfg-2-starlink-ax configuration.manager=local .mode=ap disabled=no
/ip firewall layer7-protocol
add name=YouTube regexp="^.+(youtube.com).*\$"
add comment=Facebook name=Facebook regexp="^.+(facebook.com).*\$"
/ip kid-control
add disabled=yes fri=0s-1d mon=5h-22h name=Pedro rate-limit=100M sat=0s-1d sun=5h-22h thu=5h-22h tue=5h-22h wed=5h-22h
add disabled=yes fri=7h-12h5m name=Marcio rate-limit=100M thu=7h-9h27m
add disabled=yes fri=0s-1d mon=5h-22h name="TV - Pedro" rate-limit=100M sat=0s-1d sun=5h-22h thu=5h-22h tue=5h-22h wed=5h-22h
add disabled=yes fri=0s-1d mon=4h-22h name=DELL rate-limit=100m sat=0s-1d sun=4h-22h thu=4h-22h tue=4h-22h wed=4h-22h
add disabled=yes fri=0s-1d mon=5h-22h name="Notebook - Pedro" rate-limit=100M sat=0s-1d sun=5h-22h thu=5h-22h tue=5h-22h wed=5h-22h
/ip pool
add name=dhcp-bridge-local ranges=192.168.88.2-192.168.88.254
add name=WireGuard-VPN ranges=10.50.0.0/24
add name=dhcp_pool-vlan-gerencia ranges=50.50.50.2-50.50.50.6
add name=dhcp_pool13 ranges=20.20.20.2-20.20.20.14
add name=dhcp_pool14 ranges=30.30.30.2-30.30.30.14
add name=dhcp_pool15 ranges=80.80.80.2-80.80.80.14
add name=dhcp_pool16 ranges=100.100.100.2-100.100.100.14
add name=dhcp_pool17 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp-bridge-local interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool-vlan-gerencia interface=vlan4-gerencia-50 name=dhcp-vlan-gerencia-50
add address-pool=dhcp_pool13 interface=vlan2-cft-20 name=dhcp1
add address-pool=dhcp_pool14 interface=vlan3-iot-30 name=dhcp2
add address-pool=dhcp_pool15 interface=vlan5-servers-80 name=dhcp3
add address-pool=dhcp_pool16 interface=vlan6-wifi-visitantes-100 name=dhcp4
add address-pool=dhcp_pool17 interface=vlan1-starlink-10 name=dhcp5
/queue simple
add max-limit=20M/20M name=Controle-Banda-Wifi-Visitante target=10.10.10.0/26
add disabled=yes max-limit=1M/1M name=Controle-Banda-VPN target=""
add dst=ether2-LINK-2-TIM-4G max-limit=1k/1k name="Limita o tr\E1fego do YOUTUBE" packet-marks=mc_youtube target=""
add comment="CONTROLE DE BANDA" disabled=yes max-limit=100M/200M name=Controle-Banda-VIA-100M queue=pcq-upload-default/pcq-download-default target=""
/interface bridge port
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5-SWITCH-TPLINK internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes interface=*10 pvid=100
add bridge=bridge disabled=yes interface=*11 pvid=100
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!WAN-LINKS
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="-------------- VLAN WIFI HOME --------------" tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=10
add bridge=bridge comment="-------------- VLAN GERENCIA -------------" tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=50
add bridge=bridge comment="-------------- VLAN VISITANTES -------------" tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=100
add bridge=bridge comment="-------------- VLAN IOT -------------" tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=30
add bridge=bridge comment="-------------- VLAN SERVERS -------------" tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=80
add bridge=bridge comment="-------------- VLAN CFTV -------------" tagged=bridge,ether5-SWITCH-TPLINK vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-LINK-1-VIA list=WAN
add comment=defconf interface=ether1-LINK-1-VIA list=WAN-LINKS
add interface=pppoe-VIA list=WAN-LINKS
add interface=ether2-LINK-2-TIM-4G list=WAN-LINKS
add interface=pppoe-VIA list=WAN
add interface=bridge list=Interfaces-Seguras
add interface=*A list=LAN
add interface=wireguard2 list=LAN
add interface=*10 list=VLAN-30
add interface=*11 list=VLAN-30
add interface=vlan3-iot-30 list=VLAN-30
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=cfg-5-visitantes-ac slave-configurations=cfg-2-starlink-n supported-bands=5ghz-ac
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Mikrotik-CHR-V7-Oracle -" endpoint-address=XX.XX.XX.XX endpoint-port=13232 interface=wireguard2 persistent-keepalive=20s public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.100.2/24 interface=wireguard2 network=192.168.100.0
add address=100.100.100.1/28 interface=vlan6-wifi-visitantes-100 network=100.100.100.0
add address=192.168.0.2 interface=ether2-LINK-2-TIM-4G network=192.168.0.1
add address=50.50.50.1/29 interface=vlan4-gerencia-50 network=50.50.50.0
add address=10.10.10.1/24 interface=vlan1-starlink-10 network=10.10.10.0
add address=30.30.30.1/28 interface=vlan3-iot-30 network=30.30.30.0
add address=20.20.20.1/28 interface=vlan2-cft-20 network=20.20.20.0
add address=80.80.80.1/28 interface=vlan5-servers-80 network=80.80.80.0
/ip arp
add address=192.168.88.6 comment="//// Poco - Marcio ////" interface=bridge mac-address=88:52:EB:77:5D:C8
add address=192.168.88.12 comment="//// Poco - Pedro ////" interface=bridge mac-address=A4:55:90:DA:1F:26
add address=192.168.88.66 interface=bridge mac-address=5A:00:XX:BC:FE:C7
add address=192.168.88.11 comment="//// Notebook - Pedro ////" interface=bridge mac-address=0A:D1:6F:9B:DD:62
add address=192.168.88.91 comment="//// OPI-02(HA - Node-red) ////" interface=bridge mac-address=6E:6E:F6:D3:58:0B
add address=192.168.88.90 comment="//// OPI-01- (Esp-Home - Frigate ) ////" interface=bridge mac-address=2E:2B:1A:EC:47:AF
add address=192.168.88.92 comment="//// OPI-03 - (Traccar) ////" interface=bridge mac-address=86:2C:1A:E7:F8:63
add address=192.168.88.51 comment="//// TV - Casal ////" disabled=yes interface=bridge mac-address=E8:F2:E2:3B:B6:3E
add address=192.168.88.47 comment=XBOX interface=bridge mac-address=28:18:78:82:F6:99
add address=192.168.88.15 comment="//// Redmi - Christiane ////" interface=bridge mac-address=1C:CC:D6:0A:13:3A
add address=192.168.88.93 interface=bridge mac-address=02:03:92:53:F7:8F
add address=192.168.88.68 comment=ESP-Garagem interface=bridge mac-address=C4:5B:BE:65:6E:37
add address=192.168.88.13 comment=Amazon interface=bridge mac-address=44:D5:CC:ED:9B:49
add address=192.168.88.33 comment="//// Alexa Quarto do Pedro ////" interface=bridge mac-address=2C:71:FF:F9:1B:C9
add address=192.168.88.249 comment="//// Camera Xiaov ////" interface=bridge mac-address=B4:FB:E3:28:77:CA
add address=192.168.88.247 comment="//// Camera Xiaov ////" interface=bridge mac-address=B4:FB:E3:28:65:B4
add address=192.168.88.3 comment=ESP32-C3-Bat interface=bridge mac-address=7C:DF:A1:B6:4B:E0
add address=192.168.88.199 comment=T-Relay interface=bridge mac-address=44:17:93:4B:27:74
add address=192.168.88.67 comment=KC868-A4-Garagem interface=bridge mac-address=C4:DD:57:C7:78:F4
add address=192.168.88.188 interface=bridge mac-address=2E:2B:1A:EC:47:AF
add address=192.168.88.88 comment=OpenSuse-HA interface=bridge mac-address=64:1C:67:A0:43:8B
add address=192.168.88.50 comment="//// Fire Stik ////" interface=bridge mac-address=90:39:5F:A3:A3:E7
add address=192.168.88.45 comment="//// Hub Tuya ////" interface=bridge mac-address=50:8A:06:3C:12:DF
add address=192.168.88.186 comment="//// Adaptador Wifi Epson ////" interface=bridge mac-address=2A:1F:E4:2C:25:EF
add address=192.168.88.161 comment="//// notebook - starlink 2.4 - epson ////" interface=bridge mac-address=58:00:E3:BC:71:C7
add address=192.168.88.164 comment="//// Dell - Ethernet ////" interface=bridge mac-address=84:7B:EB:FD:CF:CD
add address=192.168.88.177 comment="//// EspHome - Mini - APC220 ////" interface=bridge mac-address=98:CD:AC:30:47:04
add address=192.168.88.179 comment=ESP32-C3 interface=bridge mac-address=D2:BF:75:94:3A:8B
add address=192.168.88.34 comment="//// Alexa 4 - Sala ////" interface=bridge mac-address=90:39:5F:EF:91:D3
add address=192.168.88.78 interface=bridge mac-address=00:80:92:D0:F2:24
add address=192.168.88.180 comment=ESP32-Lora-Lilygo interface=bridge mac-address=E8:6B:EA:25:20:88
add address=192.168.88.7 comment="//// E1 Pro - Garagem - WIFI - 5Ghz ////" interface=bridge mac-address=38:C8:04:46:AD:E0
add address=192.168.88.74 comment="//// Reolink -Lado Direito ////" interface=bridge mac-address=EC:71:DB:A3:51:74
add address=192.168.88.89 comment=RPI3-01 interface=bridge mac-address=B8:27:EB:DB:37:B1
add address=192.168.88.233 interface=bridge mac-address=28:C2:DD:3B:DD:85
add address=192.168.88.100 comment="//// Router INTELBRAS ////" interface=bridge mac-address=80:8F:E8:9E:44:E2
add address=192.168.88.75 comment="//// Reolink - Lado Esquerdo ////" interface=bridge mac-address=EC:71:DB:8E:AC:86
add address=192.168.88.8 interface=bridge mac-address=EC:71:DB:95:FF:5A
add address=50.50.50.3 interface=vlan4-gerencia-50 mac-address=48:8F:5A:0A:74:60
/ip dhcp-client
add comment=defconf interface=ether1-LINK-1-VIA
/ip dhcp-server lease
add address=192.168.88.67 comment="//// kc868-a4 - EPS32 ////" mac-address=58:00:E3:BC:71:C7 server=defconf use-src-mac=yes
add address=192.168.88.247 client-id=1:b4:fb:e3:28:65:b4 mac-address=B4:FB:E3:28:65:B4 server=defconf
add address=192.168.88.249 client-id=1:b4:fb:e3:28:77:ca mac-address=B4:FB:E3:28:77:CA server=defconf
add address=192.168.88.51 client-id=1:e8:f2:e2:3b:b6:3e comment="//// TV - Casal ////" mac-address=E8:F2:E2:3B:B6:3E server=defconf use-src-mac=yes
add address=192.168.88.52 client-id=1:40:2f:86:31:30:e0 comment="//// TV LG - Pedro ////" mac-address=40:2F:86:31:30:E0 server=defconf use-src-mac=yes
add address=192.168.88.47 client-id=1:28:18:78:82:f6:99 comment=XBOX mac-address=28:18:78:82:F6:99 server=defconf
add address=192.168.88.10 client-id=1:b8:27:eb:97:aa:21 mac-address=B8:27:EB:97:AA:21 server=defconf
add address=192.168.88.69 client-id=1:14:de:39:81:b9:9e comment="//// Huawei - Router ////" mac-address=14:DE:39:81:B9:9E server=defconf
add address=192.168.88.12 client-id=1:56:d3:de:79:f4:63 comment="//// Poco PHST ////" mac-address=56:D3:DE:79:F4:63 server=defconf use-src-mac=yes
add address=192.168.88.15 client-id=1:1c:cc:d6:a:13:3a comment="//// Redmi - Christiane ////" mac-address=1C:CC:D6:0A:13:3A server=defconf
add address=192.168.88.65 comment="//// Tuya Smart Inc. ////" mac-address=50:8A:06:3C:12:DF server=defconf
add address=192.168.88.222 comment="//// Alexa - Sala ////" mac-address=90:A8:22:0D:76:EE server=defconf
add address=192.168.88.30 comment="//// Tuya Smart Inc. ////" mac-address=84:E3:42:B8:13:4C server=defconf
add address=192.168.88.31 comment="//// Tuya Smart Inc. ////" mac-address=84:E3:42:B8:B9:72 server=defconf
add address=192.168.88.28 comment=" ////Tuya Smart Inc. ////" mac-address=84:E3:42:BE:17:D7 server=defconf
add address=192.168.88.5 comment="////Alexa - Casal ////" mac-address=34:AF:B3:16:53:97 server=defconf
add address=192.168.88.3 client-id=1:7c:df:a1:b6:4b:e0 comment=ESP32-C3-Bat mac-address=7C:DF:A1:B6:4B:E0 server=defconf
add address=192.168.88.13 comment="//// Alexa Cozinha ////" mac-address=44:D5:CC:ED:9B:49 server=defconf
add address=192.168.88.78 client-id=1:0:80:92:d0:f2:24 comment="//// Silex Technology, Inc. ////" mac-address=00:80:92:D0:F2:24 server=defconf
add address=192.168.88.6 comment="//// Poco - Marcio ////" mac-address=88:52:EB:77:5D:C8 server=defconf use-src-mac=yes
add address=192.168.88.11 comment="//// Notebook - Pedro ////" mac-address=00:D7:6D:9B:F7:62 server=defconf use-src-mac=yes
add address=192.168.88.90 comment=OPI-01 mac-address=2E:2B:1A:EC:47:AF server=defconf use-src-mac=yes
add address=192.168.88.92 mac-address=86:2C:1A:E7:F8:63 server=defconf use-src-mac=yes
add address=192.168.88.93 comment=TANIX-TX6 mac-address=02:03:92:53:F7:8F server=defconf use-src-mac=yes
add address=192.168.88.68 comment=ESP-Garagem mac-address=C4:5B:BE:65:6E:37 server=defconf use-src-mac=yes
add address=192.168.88.188 mac-address=2E:2B:1A:EC:47:AF server=defconf
add address=192.168.88.91 comment="//// OPI-02 (HA - Node-red) ////" mac-address=6E:6E:F6:D3:58:0B server=defconf
add address=192.168.88.88 comment=TKC-01 mac-address=64:1C:67:A0:43:8B server=defconf
add address=192.168.88.50 comment="//// Fire Stick ////" mac-address=90:39:5F:A3:A3:E7 server=defconf
add address=192.168.88.168 comment="//// Adaptador wifi Epson ////" mac-address=2A:1F:E4:2C:25:EF server=defconf
add address=192.168.88.161 comment="//// Notebook- starlink 2.4 - epson ////" mac-address=58:00:E3:BC:71:C7 server=defconf
add address=192.168.88.164 comment="//// Dell - Ehernet ////" mac-address=84:7B:EB:FD:CF:CD server=defconf
add address=192.168.88.177 comment="//// EspHome - Mini - APC220 ////" mac-address=98:CD:AC:30:47:04 server=defconf
add address=192.168.88.179 comment=ESP32-C3 mac-address=D2:BF:75:94:3A:8B server=defconf
add address=192.168.88.34 comment="//// Alexa 4 - Sala ////" mac-address=90:39:5F:EF:91:D3 server=defconf
add address=192.168.88.180 comment=ESP32-Lora-Lilygo mac-address=E8:6B:EA:25:20:88 server=defconf
add address=192.168.88.74 client-id=1:ec:71:db:a3:51:74 comment="//// Reolink - Lado Direito ////" mac-address=EC:71:DB:A3:51:74 server=defconf
add address=192.168.88.89 comment=RPI3-01 mac-address=B8:27:EB:DB:37:B1 server=defconf
add address=192.168.88.233 mac-address=28:C2:DD:3B:DD:85 server=defconf
add address=192.168.88.100 comment="//// Router INTELBRAS ////" mac-address=80:8F:E8:9E:44:E2 server=defconf use-src-mac=yes
add address=192.168.88.75 comment="//// Reolink - Lado Esquerdo ////" mac-address=EC:71:DB:8E:AC:86 server=defconf
add address=192.168.88.33 comment="//// Alexa Quarto Pedro ////" mac-address=2C:71:FF:F9:1B:C9 server=defconf
add address=192.168.88.8 client-id=1:ec:71:db:95:ff:5a mac-address=EC:71:DB:95:FF:5A server=defconf
add address=192.168.88.16 client-id=1:50:91:e3:d9:48:6c mac-address=50:91:E3:D9:48:6C server=defconf
add address=192.168.88.14 client-id=1:38:c8:4:29:f2:a9 mac-address=38:C8:04:29:F2:A9 server=defconf
add address=192.168.88.7 client-id=1:38:c8:4:46:ad:e0 comment="E1-PRO - GARAGEM" mac-address=38:C8:04:46:AD:E0 server=defconf
add address=50.50.50.3 client-id=1:48:8f:5a:a:74:60 comment="----------------------------- CAP-ac-01 -----------------------------" mac-address=48:8F:5A:0A:74:60 server=dhcp-vlan-gerencia-50
/ip dhcp-server network
add address=10.1.0.0/29 gateway=10.1.0.0
add address=10.10.10.0/26 gateway=10.10.10.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.20.20.0/28 gateway=10.20.20.0
add address=10.30.30.0/26 gateway=10.30.30.0
add address=10.50.50.0/28 gateway=10.50.50.0
add address=10.90.90.0/29 dns-server=8.8.4.4 gateway=10.90.90.0
add address=10.90.90.0/28 dns-server=192.168.88.91 gateway=10.90.90.1
add address=20.20.20.0/28 dns-server=20.20.20.1 gateway=20.20.20.1
add address=30.30.30.0/28 dns-server=30.30.30.1 gateway=30.30.30.1
add address=50.50.50.0/29 dns-server=50.50.50.1 gateway=50.50.50.1
add address=80.80.80.0/28 dns-server=80.80.80.1 gateway=80.80.80.1
add address=100.100.100.0/28 dns-server=100.100.100.1 gateway=100.100.100.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.90.0/28 dns-server=192.168.88.91 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.88.91,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.91 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.161 list=" (SUPORTE-WINBOX)"
add address=50.50.50.4 list=" (SUPORTE-WINBOX)"
add list=PORTSCAN
add address=50.50.50.3 list=" (SUPORTE-WINBOX)"
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
add action=add-dst-to-address-list address-list=SITES-BLOQUEADOS-LINK2-TIM address-list-timeout=5m chain=forward comment="Adiciona ips do facebook no link 2 em uma blacklist " disabled=yes log=yes protocol=tcp tls-host=*facebook*
add action=drop chain=forward comment="Drop no youtube pelo link 2 (TIM)" dst-address-list=SITES-BLOQUEADOS-LINK2-TIM
add action=drop chain=forward comment="DROP YOUTUBE LINK-2" disabled=yes layer7-protocol=YouTube log=yes log-prefix="TOUTUBE BLOQUEADO NO LINK 2"
add action=accept chain=forward comment="LIBERA YOUTUBE LINK-1" layer7-protocol=YouTube out-interface=pppoe-VIA
add action=fasttrack-connection chain=forward comment="**************************** HABILITA O FASTTRACKER ****************************" disabled=yes hw-offload=yes in-interface=pppoe-VIA out-interface=bridge
add action=add-src-to-address-list address-list=PORTSCAN address-list-timeout=1w chain=input comment="PEGA MALANDRO - PORTSCAN" dst-port=23,25,80,110,1723,53,44,1883 in-interface-list=WAN-LINKS protocol=tcp
add action=add-src-to-address-list address-list=PORTSCAN address-list-timeout=1w chain=input comment="DETECTA - PORTSCAN" in-interface-list=WAN-LINKS protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="-------------------------- CONEXOES INVALIDAS - DROP --------------------------" connection-state=invalid log-prefix="Conexoes Invalidas"
add action=accept chain=input comment="ACEITA CONEXOES: estabelecidas,relacionadas" connection-state=established,related
add action=jump chain=input comment="ICMP - Passe pelo Controle - Chain ICMP" in-interface-list=WAN-LINKS jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="ACEITA: ICMP - Echo Reply " icmp-options=0:0-255 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Destination Unreachable" icmp-options=3:0-255 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Time Exceeded" icmp-options=11:0-255 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="ACEITA: ICMP - Echo Request" icmp-options=8:0-255 limit=10,5:packet protocol=icmp
add action=drop chain=ICMP comment="ICMP - ALL - DROP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=tarpit chain=input in-interface-list=WAN-LINKS log=yes protocol=tcp psd=21,3s,3,1
add action=accept chain=input comment="(LIBERA ACESSO AO WINBOX)" log=yes src-address-list=" (SUPORTE-WINBOX)"
add action=accept chain=input comment="(LIBERA ACESSO AO WINBOX - IPS LIBERADOS)" dst-port=25476 in-interface-list=WAN-LINKS protocol=tcp src-address-list=IPs-liberados
add action=accept chain=input comment="-----------------------LIBERA PORTA DO WIREGUARD-------------------------" dst-port=13231 protocol=udp
add action=accept chain=input comment="-----------------------LIBERA PORTA DO WIREGUARD2-------------------------" dst-port=13232 protocol=udp
add action=accept chain=input comment="-------------- LIBERA COM. WIREGUARD ----------------" dst-address=192.168.88.0/24 src-address=192.168.100.0/24
add action=accept chain=input comment="-------------- LIBERA COM. WIREGUARD ----------------" dst-address=192.168.100.0/24 src-address=192.168.88.0/24
add action=add-src-to-address-list address-list=PORTA-1 address-list-timeout=5s chain=input comment="PORTKNOCKING - PORTA-1" dst-port=35621 in-interface-list=WAN-LINKS log=yes protocol=tcp
add action=add-src-to-address-list address-list=PORTA-2 address-list-timeout=5s chain=input comment="PORTKNOCKING - PORTA-2" dst-port=24987 in-interface-list=WAN-LINKS log=yes protocol=tcp src-address-list=PORTA-1
add action=add-src-to-address-list address-list=IPs-liberados address-list-timeout=10m chain=input comment="PORTKNOCKING - IP-LIBERADO" dst-port=41687 in-interface-list=WAN-LINKS log=yes protocol=tcp src-address-list=PORTA-2
add action=add-src-to-address-list address-list="######## TENTATIVA LOGIN - 1 ########" address-list-timeout=1m chain=input comment="TENTATIVA LOGIN -1" connection-state=new dst-port=1701,8728 in-interface-list=WAN-LINKS log=yes protocol=udp
add action=add-src-to-address-list address-list="######## TENTATIVA LOGIN - 1 ########" address-list-timeout=1m chain=input comment="TENTATIVA LOGIN - 1 - TCP" connection-state=new dst-port=25476 in-interface-list=WAN-LINKS log=yes protocol=tcp
add action=add-src-to-address-list address-list="######## TENTATIVA LOGIN - 2 ########" address-list-timeout=1m chain=input comment="TEMTATIVA LOGIN - 2" connection-state=new dst-port=1701,8728 in-interface-list=WAN-LINKS log=yes protocol=udp src-address-list="TENTATIVA LOGIN - 1"
add action=add-src-to-address-list address-list="######## TENTATIVA LOGIN - 2 ########" address-list-timeout=1m chain=input comment="TEMTATIVA LOGIN - 2 - TCP" connection-state=new dst-port=25476 in-interface-list=WAN-LINKS log=yes protocol=tcp src-address-list="TENTATIVA LOGIN - 1"
add action=add-src-to-address-list address-list="######## TENTATIVA LOGIN - BLOQUEADO ########" address-list-timeout=1h chain=input comment="TENTATIVA LOGIN - BLOQUEADA" connection-state=new dst-port=1701,8728 in-interface-list=WAN-LINKS log=yes log-prefix="TENTATIVA DE LOGIN - BLOQUEADA" protocol=udp src-address-list="TENTATIVA LOGIN - 2"
add action=add-src-to-address-list address-list="######## TENTATIVA LOGIN - BLOQUEADO ########" address-list-timeout=1h chain=input comment="TENTATIVA LOGIN - BLOQUEADA - TCP" connection-state=new dst-port=25476 in-interface-list=WAN-LINKS log=yes log-prefix="TENTATIVA DE LOGIN - BLOQUEADA - TCP" protocol=tcp src-address-list="TENTATIVA LOGIN - 2"
add action=drop chain=input comment="######## TENTATIVA DE LOGIN - DROP ########" log=yes log-prefix="DROP - TENTATIVA DE LOGIN" src-address-list="TENTATIVA LOGIN - BLOQUEADO"
add action=drop chain=input comment="######## TUDO QUE N\C3O VENHA DA LAN: DROP ########" in-interface-list=!LAN log-prefix="Nao vem da LAN"
add action=drop chain=forward comment="######## ISOLA REDE VIVISITANTE/LAN ########" connection-state="" disabled=yes dst-address=192.168.88.0/24 log=yes log-prefix="Isola rede visitantes" out-interface-list=!LAN src-address=10.10.10.0/26
add action=fasttrack-connection chain=forward comment="######## defconf: fasttrack ########" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="######## defconf: accept established,related, untracked ########" connection-state=established,related
add action=reject chain=forward comment="TESTE LAN" disabled=yes dst-address=100.100.100.12 reject-with=icmp-network-unreachable src-address=30.30.30.2
add action=drop chain=forward comment="######## defconf: drop all from WAN not DSTNATed ########" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN-LINKS
add action=drop chain=input comment="######## DROP - GERAL - LIKS 1, 2 ########" in-interface-list=WAN-LINKS log=yes log-prefix="drop geral links 1, 2"
/ip firewall mangle
add action=mark-packet chain=forward comment="########Marcar paquetes de YouTube ########" connection-mark=mc_youtube new-packet-mark=mc_youtube passthrough=no
add action=mark-connection chain=forward comment="######## Marcar conexiones de YouTube ########" connection-mark=no-mark layer7-protocol=YouTube new-connection-mark=mc_youtube passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="######## MASQ. - TRAFEGO - LINKS - WAN ########" ipsec-policy=out,none out-interface-list=WAN-LINKS
add action=masquerade chain=srcnat comment="######## MASQ. - TRAFEGO WIREGUARD ########" ipsec-policy=out,none out-interface=wireguard2
add action=dst-nat chain=dstnat comment="######## PORT KNOCKING ########" dst-port=59272 in-interface-list=WAN-LINKS protocol=tcp src-address-list=IPs-liberados to-addresses=192.168.88.1 to-ports=25476
add action=dst-nat chain=dstnat comment="######## Porta - 1883 - MQTT ########" dst-port=1883 in-interface-list=WAN-LINKS protocol=tcp src-address=204.216.162.246 to-addresses=192.168.88.88 to-ports=1883
add action=dst-nat chain=dstnat comment="######## Porta - 5055 - SATVIX ########" disabled=yes dst-port=5055 in-interface-list=WAN-LINKS log=yes log-prefix="NAT - Porta 5055" protocol=tcp to-addresses=192.168.88.92
add action=dst-nat chain=dstnat comment="######## Porta - 5013 - SATVIX ########" disabled=yes dst-port=5013 in-interface-list=WAN-LINKS log=yes log-prefix="NAT - Porta 5013 - Xing" protocol=tcp to-addresses=192.168.88.92
add action=dst-nat chain=dstnat comment="######## Porta - 5027 - SATVIX - Teltonika ########" disabled=yes dst-port=5027 in-interface-list=WAN-LINKS log=yes log-prefix="NAT - Porta 5027 - Teltonika" protocol=tcp to-addresses=192.168.88.92
add action=dst-nat chain=dstnat comment="######## Direciona para o OPI-01 ########" disabled=yes dst-port=80 in-interface=pppoe-VIA log=yes log-prefix="NAT - Direciona para o OPI-01" protocol=tcp to-addresses=192.168.88.90
add action=dst-nat chain=dstnat comment="######## Direciona para o Winbox ########" disabled=yes dst-port=9272 in-interface=pppoe-VIA log=yes log-prefix="NAT - Porta Winbox2" protocol=tcp src-address-list=IPs-liberados to-addresses=192.168.88.1 to-ports=25476
add action=masquerade chain=srcnat comment="######## Masquerade LTE ########" disabled=yes out-interface=wireguard2
add action=masquerade chain=srcnat disabled=yes out-interface-list=VLAN-30
/ip kid-control device
add mac-address=58:00:E3:BC:71:C7 name=DELL user=DELL
add mac-address=40:2F:86:31:30:E0 name="LG - PHST" user=Pedro
add mac-address=88:52:EB:77:5D:C8 name="MAC - real - Poco Marcio " user=Marcio
add mac-address=A4:55:90:DA:1F:26 name="MAC - real - Poco PHST" user=Pedro
/ip route
add comment="monitora 8.8.8.8 via link 1 - VIA" disabled=no distance=1 dst-address=8.8.8.8/32 gateway=pppoe-VIA pref-src="" routing-table=main scope=10 suppress-hw-offload=no
add comment="monitora 1.1.1.1 via link 2 - TIM" disabled=no distance=1 dst-address=1.1.1.1/32 gateway=192.168.0.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Rota principal - VIA" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="Rota Secund\E1ria" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=11
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api port=25576
set winbox port=25476
set api-ssl disabled=yes
/ipv6 address
add address=::cafe from-pool=pda-ipv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-VIA pool-name=pda-ipv6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
add action=add-dst-to-address-list address-list=SITES-BLOQUEADOS-LINK2-TIM-IPV6 address-list-timeout=4w2d chain=forward comment="Bloqueia o youtube no link 2 TIM" 
disabled=yes protocol=tcp \ tls-host=*youtube*add action=drop chain=forward comment="Drop no youtube pelo link 2 (TIM)" \ disabled=yes dst-address-list="SITES-BLOQUEADOS-LINK-2-TIM-(IPV6)"add action=accept chain=input comment="Libera porta Wireguard" disabled=yes \ dst-port=13231 protocol=udpadd action=drop chain=forward connection-state=new in-interface-list=\ WAN-LINKS log=yes log-prefix=IPV6-Dropadd action=drop chain=input connection-state=new in-interface-list=WAN-LINKS \ log=yes log-prefix=drop-ipv6-input/ipv6 firewall natadd action=masquerade chain=srcnat disabled=yes out-interface-list=WAN-LINKS/routing bfd configurationadd disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5/system clockset time-zone-autodetect=no time-zone-name=America/Sao_Paulo/system identityset name=hAP-AX3/system noteset show-at-login=no/system ntp clientset enabled=yes/system ntp client serversadd address=a.ntp.bradd address=b.ntp.br/system scriptadd dont-require-permissions=no name=backup-email owner=Turbovix-Mk policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\ global nome [/system identity get name]\r\ \n:global data [/system clock get date]\r\ \n:global hora [/system clock get time]\r\ \n/system backup save name=HapX3;\r\ \n/tool e-mail send to=\"mkmt.es@gmail.com\" subject=\"Backup Mikrotik - H\ apX3\" file=HapX3.backup body=\"Segue em anexo o arquivo de backup da \$no\ me realizado em \$data as \$hora\";\r\ \n:log info \"Backup e-mail sent.\94;"add dont-require-permissions=no name=envia-backup-gmail owner=Turbovix-Mk \ policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \ source=":global nome [/system identity get name]\r\ \n:global data [/system clock get date]\r\ \n:global hora [/system clock get time]\r\ \n/export file=HapX3.rsc;\r\ \n/tool e-mail send to=\"mkmt.es@gmail.com\" subject=\"Backup HapX3\" file\ =HapX3.rsc body=\"Segue anexo o backup da \$nome realizado em \$data as \$\ hora\";\r\ \n:log info 
\"Backup e-mail sent.\";"/tool e-mailset from="<**** MIKROTIK-HapX3 ****>" port=587 server=smtp.gmail.com tls=\ starttls user=mkmt.es@gmail.com/tool mac-serverset allowed-interface-list=LAN/tool mac-server mac-winboxset allowed-interface-list=LAN/tool netwatch **ELIDED**/tool romonset id=XXXXXXXXXXXXXXXX/tool romon portset [ find default=yes ] forbid=yesadd disabled=no interface=ether5-SWITCH-TPLINK 

Last edited by tangent on Fri Mar 15, 2024 7:22 am, edited 1 time in total.
Reason: elided PII, API keys, PSKs…
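The post's traffic path is phone -> CHR (WireGuard server) -> hAP ax3 -> VLAN, and a packet on that path can be discarded at three points: the peer's allowed-address (WireGuard also uses it as a source filter), the route for the VLAN subnet, and the forward chain on the hAP. The RouterOS CLI below is an added example, not the poster's configuration or a MikroTik default: interface names wireguard2 and vlan5-servers-80 come from the posted export, while the CHR interface name wg-hub, the tunnel subnet 10.200.0.0/24, the hAP tunnel address 10.200.0.2 and the servers VLAN subnet 10.80.0.0/24 are assumed placeholders.

```routeros
# ===== CHR (WireGuard hub) - assumed interface name wg-hub =====
# Assumed: tunnel subnet 10.200.0.0/24, hAP ax3 peer = 10.200.0.2,
# servers VLAN (vlan-id 80) = 10.80.0.0/24. Replace with the real values.
/interface wireguard peers
# allowed-address is also a source filter: a reply from 10.80.0.x arriving
# through the hAP tunnel is dropped unless that subnet is listed for the peer.
set [ find comment="hAP-ax3" ] allowed-address=10.200.0.2/32,10.80.0.0/24
/ip route
# RouterOS does not derive routes from allowed-address; add one explicitly.
add dst-address=10.80.0.0/24 gateway=wg-hub comment="servers VLAN via hAP ax3"
/ip firewall filter
# Phone and hAP both sit on wg-hub, so forwarding is tunnel-in, tunnel-out.
add chain=forward action=accept in-interface=wg-hub out-interface=wg-hub \
    dst-address=10.80.0.0/24 comment="WG clients -> servers VLAN" \
    place-before=0

# ===== hAP ax3 - interface names from the posted export =====
/interface wireguard peers
# The CHR peer must be allowed to source the phone's tunnel address;
# 0.0.0.0/0 covers it (assumes wireguard2 has a single peer, the CHR).
set [ find interface=wireguard2 ] allowed-address=0.0.0.0/0
/ip route
# Return traffic to the phone must leave via wireguard2, not the WAN links
# (skip if wireguard2 already carries an address inside this subnet).
add dst-address=10.200.0.0/24 gateway=wireguard2 comment="WG clients via CHR"
/ip firewall filter
# Least privilege: only the servers VLAN is reachable from the tunnel.
# Both rules go to the top of the chain so no earlier drop rule catches them.
add chain=forward action=accept in-interface=wireguard2 \
    out-interface=vlan5-servers-80 comment="WireGuard -> servers VLAN" \
    place-before=0
add chain=forward action=drop in-interface=wireguard2 \
    comment="WireGuard -> everything else" place-before=1
```

If the phone still cannot connect, `/ip firewall filter print stats` and `/interface wireguard peers print` (last-handshake and rx/tx counters) show which of the three points is dropping the traffic.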
