
Remember you had problems making the tunnel?
You had set everything up correctly and everything was working, except that
you had to remove "out. interface" in Firewall -> NAT. That's it.


Working configs of the devices:

Server - 192.168.70.0/1

# oct/17/2019 00:21:00 by RouterOS 6.45.6
# software id = B9PQ-JM1N
#
# model = RB750r2
# serial number = 8B380A4071DA
#
# --- Site "JT": server side of the OpenVPN site-to-site bridge, LAN 192.168.70.0/24 ---
# NOTE(review): this export contains the device serial number and, further down,
# plaintext PPP secrets; treat the whole file as sensitive.
/interface bridge
add admin-mac=74:4D:28:24:CE:01 auto-mac=no comment=defconf name=bridge
# Same advertise list on all five ports (default-config style).
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# WAN/LAN interface lists; membership is assigned under /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# DHCP pool for the local LAN; .1 is the router itself (see /ip address).
/ip pool
add name=dhcp ranges=192.168.70.10-192.168.70.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# PPP profiles used by the OpenVPN server:
#  - "openvpn": fixed tunnel endpoints, 192.168.200.20 on this side and
#    192.168.200.10 for the peer; the tunnel is placed into "bridge", TCP MSS
#    clamping is on and encryption is required.
#  - "VPN_DHCP": endpoint addresses come from DHCP; this is the server's
#    default-profile (see /interface ovpn-server server).
/ppp profile
add bridge=bridge change-tcp-mss=yes local-address=192.168.200.20 name=\
    openvpn remote-address=192.168.200.10 use-compression=no use-encryption=\
    required
add bridge=bridge local-address=dhcp name=VPN_DHCP remote-address=dhcp
# ether2-5 are bridged LAN ports; ether1 is kept out of the bridge as the WAN port.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# OpenVPN server in layer-2 mode (mode=ethernet), so the remote site is bridged
# rather than routed. Clients get the VPN_DHCP profile unless their /ppp secret
# names another one.
# NOTE(review): the cipher list still offers blowfish128, a 64-bit block cipher.
# The only client in this file negotiates aes256, so the blowfish128 entry can
# probably be removed — verify that no other peer depends on it first.
/interface ovpn-server server
set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=VPN_DHCP enabled=yes mode=ethernet
/ip address
add address=192.168.70.1/24 comment=defconf interface=ether2 network=\
    192.168.70.0
# WAN address is obtained by DHCP on ether1.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.70.0/24 comment=defconf gateway=192.168.70.1 netmask=24
# The router answers DNS queries; which interfaces may reach it is governed by
# the input-chain filter rules.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.70.1 name=router.lan
# "kot" = management hosts allowed to reach WinBox (see the input filter rule).
# The entries are host names, which the router resolves itself, so the list is
# only as trustworthy as the DNS answers it receives.
/ip firewall address-list
add address=srv.auu.ge list=kot
add address=work.auu.ge list=kot
add address=deamed.auu.ge list=kot
add address=dolidze.auu.ge list=kot
add address=eliava.auu.ge list=kot
add address=work2.auu.ge list=kot
# Input chain (traffic addressed to the router itself). Rules are matched
# top-down, so the two site-specific accepts sit in front of the default-config
# accept/drop set.
/ip firewall filter
# WinBox (8291/tcp) only from the "kot" address-list.
add action=accept chain=input comment="ALLOW REMOTE WINBOX" dst-port=8291 \
    protocol=tcp src-address-list=kot
# NOTE(review): OpenVPN (1194/tcp) is accepted from any source on any interface.
# If only the one client site is expected, consider adding in-interface-list=WAN
# and, where the client's public address is stable, a src-address or
# src-address-list match, so the service is not reachable from everywhere.
add action=accept chain=input comment="ALLOW OPENVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Everything else to the router is dropped unless it arrives on a LAN-list interface.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: unchanged default-config set. fasttrack-connection marks
# established/related connections for the FastTrack path.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections from WAN are only forwarded when a dst-nat rule matched them.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Masquerade has no out-interface match — this is the change referred to in the
# note at the top of the file — so it applies to all srcnat traffic whatever the
# egress interface.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
# Port-forward, first hop: 5445/tcp reaching this router is sent to the tunnel
# peer 192.168.200.10; the client site forwards it on to the DVR (192.168.88.2).
# NOTE(review): there is no dst-address or in-interface-list match, so the rule
# also catches 5445/tcp originating on the LAN side, and nothing restricts the
# source addresses that may reach the DVR from the Internet.
add action=dst-nat chain=dstnat dst-port=5445 protocol=tcp to-addresses=\
    192.168.200.10 to-ports=5445
# Remote site's LAN is reached via the peer's tunnel address.
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.200.10
# NOTE(review): PPP secrets are exported in plaintext and both accounts share the
# same password; the same value is also embedded in the client's ovpn-client
# entry for user "jt-bridge". Rotate it if this file has been shared.
# "jt-bridge" uses the fixed-address "openvpn" profile; "midlerO" uses VPN_DHCP.
/ppp secret
add name=midlerO password=E30bae74 profile=VPN_DHCP service=ovpn
add name=jt-bridge password=E30bae74 profile=openvpn service=ovpn
/system clock
set time-zone-name=Asia/Tbilisi
# Identity "JT" is also what the IPPost scheduler reports in its URL.
/system identity
set name=JT
/system ntp client
set enabled=yes primary-ntp=129.6.15.30 secondary-ntp=52.166.120.77
# Every 5 minutes the router fetches an HTTPS URL at all.auu.ge carrying its
# identity (presumably so the operator can learn its current WAN address).
# NOTE(review): the script policy includes password, sensitive, policy, reboot
# and write, which looks like more than a single /tool fetch requires — consider
# trimming it to the minimum that still works on this RouterOS version.
/system scheduler
add interval=5m name=IPPost on-event=\
    "/tool fetch url=\"https://all.auu.ge/mikrotik/getip/\?device=JT\"" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/15/2019 start-time=17:22:48
# MAC-server and MAC-WinBox are reachable only from LAN-list interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN









Client - 192.168.88.0/1

# oct/17/2019 00:22:05 by RouterOS 6.45.6
# software id = CAX1-8P0S
#
# model = RBwAPR-2nD
# serial number = AE850AE91B9B
#
# --- Site "JT-S": client side of the site-to-site bridge, LAN 192.168.88.0/24,
# uplink over LTE ---
# NOTE(review): this export contains the device serial number, the OpenVPN
# password and the WiFi pre-shared key in plaintext; treat it as sensitive.
/interface lte
set [ find ] mac-address=AC:FF:FF:00:00:00 name=lte1
/interface bridge
add admin-mac=74:4D:28:ED:D9:B7 auto-mac=no comment=defconf name=bridge
# 2.4 GHz access point, bridged into the LAN (see /interface bridge port).
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=georgia disabled=no distance=indoors frequency=auto installation=\
    outdoor mode=ap-bridge ssid="JT III Floor" wireless-protocol=802.11
# OpenVPN client for the site-to-site bridge: layer-2 (mode=ethernet), aes256,
# client certificate, user "jt-bridge" (matches the /ppp secret on the server,
# which maps it to the fixed-address "openvpn" profile).
# NOTE(review): the PPP password is stored and exported in plaintext here.
/interface ovpn-client
add certificate=cert_export_CLIENT1.crt_0 cipher=aes256 connect-to=jt.auu.ge \
    mac-address=02:14:2F:47:33:00 mode=ethernet name=OVPN-BRIDGE password=\
    E30bae74 user=jt-bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=3g.ge
# NOTE(review): the WPA/WPA2 PSK is exported in plaintext (same value for both
# modes); rotate it if this file has been shared.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=592125665 \
    wpa2-pre-shared-key=592125665
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# DHCP pool for the local LAN; the static leases below sit outside this range.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# ether1 and wlan1 are bridged; lte1 is the WAN.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0
# Static leases for the CCTV equipment. 192.168.88.2 (DVR) is the target of the
# 5445/tcp port-forward under /ip firewall nat.
/ip dhcp-server lease
add address=192.168.88.2 comment=DVR mac-address=00:02:69:0B:D7:7B server=\
    defconf
add address=192.168.88.3 comment=NVR mac-address=00:18:AE:7D:CF:4E server=\
    defconf
add address=192.168.88.7 comment="IPCAM 4" mac-address=00:18:AE:7E:A6:DB \
    server=defconf
add address=192.168.88.6 comment="IPCAM 3" mac-address=00:18:AE:7E:A6:E1 \
    server=defconf
add address=192.168.88.4 comment="IPCAM 1" mac-address=00:18:AE:7E:A6:D9 \
    server=defconf
add address=192.168.88.5 comment="IPCAM 2" mac-address=00:18:AE:7E:A6:DE \
    server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# The router answers DNS queries; reachability is governed by the input filter rules.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Unchanged default-config filter. No inbound OpenVPN accept is needed on this
# side: this router initiates the tunnel as a client.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything else to the router is dropped unless it arrives on a LAN-list interface.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: fasttrack-connection marks established/related connections for
# the FastTrack path; new connections from WAN are only forwarded when dst-nat
# matched them.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Masquerade without an out-interface match, as on the server side (see the note
# at the top of the file).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
# Port-forward, second hop: 5445/tcp addressed to this router's tunnel address
# 192.168.200.10 is sent on to the DVR at 192.168.88.2 (static lease above).
# The server's matching dst-nat rule accepts this port from any source, so the
# DVR is reachable from the Internet without a source restriction.
add action=dst-nat chain=dstnat dst-address=192.168.200.10 dst-port=5445 \
    protocol=tcp to-addresses=192.168.88.2 to-ports=5445
# Connection-tracking helpers for ftp/tftp/pptp are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set pptp disabled=yes
# The server site's LAN is reached via the server's tunnel address (192.168.200.20).
/ip route
add distance=1 dst-address=192.168.70.0/24 gateway=192.168.200.20
/system clock
set time-zone-name=Asia/Tbilisi
/system identity
set name=JT-S
# MAC-server and MAC-WinBox are reachable only from LAN-list interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN