Ive set up ikev2 + letsencrypt certificate and radius however in order to get certificate I had to turn firewall off. When certificate was generated Ive turn firewall on again. Now, when certificate will try to renew probably it will be blocked by firewall. What kind of rule should I add to my firewall to get it done? Below is my configuration.
Code: Select all
/interface bridge
add admin-mac=DC:2C:6E:11:1A:CF arp=proxy-arp auto-mac=no comment=defconf \
name=BridgeLAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ISP
/interface vlan
add interface=ISP name=vlan1 vlan-id=35
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
use-peer-dns=yes user=xxx
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi security
add authentication-types=wpa2-psk disabled=no encryption="" name=sec1
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Poland .mode=ap .ssid=\
Mikrotik disabled=no security=sec1 security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] configuration.country=Poland .mode=ap .ssid=\
Mikrotik disabled=no security=sec1 security.authentication-types=wpa2-psk
/interface wifi configuration
add country=Poland disabled=no mode=ap name=cfg5ghz security=sec1 ssid=\
Mikrotik
add country=Poland disabled=no mode=ap name=cfg2ghz security=sec1 ssid=\
Mikrotik
/interface wifi
add configuration=cfg2ghz disabled=no name=cap-wifi1 radio-mac=\
48:A9:8A:CC:3F:16
add configuration=cfg2ghz disabled=no name=cap-wifi4 radio-mac=\
48:A9:8A:E5:BE:FB
/ip ipsec policy group
add name=ikev2-group
/ip ipsec profile
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=ikev2-peer passive=yes profile=ikev2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=\
ikev2-proposal pfs-group=none
/ip pool
add name=dhcp ranges=192.168.30.20-192.168.30.59
add name=ikev2 ranges=192.168.2.10-192.168.2.20
/ip dhcp-server
add address-pool=dhcp interface=BridgeLAN lease-time=10m name=defconf
/ip ipsec mode-config
add address-pool=ikev2 address-prefix-length=32 name=ikev2-config \
split-include=0.0.0.0/0
/ip smb users
set [ find default=yes ] disabled=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user-manager user
add name=filip
/interface bridge port
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=wifi1 \
internal-path-cost=10 path-cost=10
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=wifi2 \
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=BridgeLAN list=LAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wifi cap
set caps-man-addresses=192.168.30.1 discovery-interfaces=BridgeLAN
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=BridgeLAN package-path="" \
require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg5ghz \
slave-configurations="" supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=cfg2ghz \
supported-bands=2ghz-ax
/ip address
add address=192.168.30.1/24 comment=defconf interface=BridgeLAN network=\
192.168.30.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ISP
/ip dhcp-server lease
add address=192.168.30.2 client-id=1:48:a9:8a:e5:be:f8 comment=cAP \
mac-address=48:A9:8A:E5:BE:F8 server=defconf
add address=192.168.30.3 client-id=1:48:a9:8a:cc:3f:10 comment=hAP \
mac-address=48:A9:8A:CC:3F:10 server=defconf
add address=192.168.30.100 client-id=1:ac:b9:2f:21:73:3f comment=NVR \
mac-address=AC:B9:2F:21:73:3F server=defconf
add address=192.168.30.104 client-id=1:24:32:ae:d8:29:64 comment=Cam4 \
mac-address=24:32:AE:D8:29:64 server=defconf
add address=192.168.30.103 client-id=1:24:32:ae:d8:24:f2 comment=Cam3 \
mac-address=24:32:AE:D8:24:F2 server=defconf
add address=192.168.30.102 client-id=1:24:32:ae:d8:27:51 comment=Cam2 \
mac-address=24:32:AE:D8:27:51 server=defconf
add address=192.168.30.101 client-id=1:24:32:ae:d8:25:1a comment=Cam1 \
mac-address=24:32:AE:D8:25:1A server=defconf
add address=192.168.30.60 client-id=1:e0:70:ea:45:83:1 comment=Drukarka \
mac-address=E0:70:EA:45:83:01 server=defconf
/ip dhcp-server network
add address=192.168.30.0/24 comment=defconf gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.30.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.30.2-192.168.30.254 list=allowed_to_router
add address=192.168.2.10-192.168.2.20 comment=ikev2 list=allowed_to_router
add address=192.168.30.10/31 list=allowed_to_modem
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=CAPsMAN port=5246,5247 protocol=udp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="DNS queries-TCP" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="l2tp VPN" dst-port=500,4500 protocol=\
udp
add action=drop chain=input comment="drop other input"
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else" log=yes log-prefix=\
"Drop fwall"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.30.0/24 src-address=\
192.168.30.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.30.0/24 \
dst-address-type=local dst-port=8000 protocol=tcp to-addresses=\
192.168.30.100
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.2.0/24
/ip ipsec identity
add auth-method=eap-radius certificate=\
letsencrypt-autogen_2024-04-20T20:58:51Z generate-policy=port-strict \
mode-config=ikev2-config peer=ikev2-peer policy-template-group=\
ikev2-group
/ip ipsec policy
add dst-address=192.168.2.0/24 group=ikev2-group proposal=ikev2-proposal \
src-address=0.0.0.0/0 template=yes
/ip service
set www-ssl certificate=letsencrypt-autogen_2024-04-20T20:58:51Z disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/radius
add address=127.0.0.1 service=ipsec
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="MikroTik Filip"
/system leds
set 0 interface=*1 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user-manager
set certificate=letsencrypt-autogen_2024-04-20T20:58:51Z enabled=yes
/user-manager router
add address=127.0.0.1 name=localhostIve been searching his forum and found the solution in post:
viewtopic.php?t=194400#p989477
Is it good solution?