The firewall allows everything for this test. The public addresses have been changed; everything else is from the working router, on which the client 10.50.0.12 can open only the Google search engine — all other sites are not accessible.
Code:
# mar/03/2024 16:06:57 by RouterOS 6.49.10
# software id = UH1D-IK15
#
# model = CCR1016-12G
# serial number = D6450EB884C9
#
# Review notes: this export was pasted with its line breaks collapsed; the
# breaks are restored below without changing any command or value. Lines
# marked NOTE(review) are observations to confirm on the live device, not
# changes that have been applied.
/interface bridge
# NOTE(review): arp=reply-only means the bridge answers ARP but does not learn
# neighbours dynamically, so LAN hosts need static ARP entries (e.g. DHCP
# leases with add-arp) -- confirm this is intended.
add arp=reply-only name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] name=ether7
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
/interface vlan
add interface=ether1-WAN name=vlan1 vlan-id=1
/interface list
add name=Lan
add name=WAN
add name=discover
# NOTE(review): no "/interface list member" entries appear in this export, so
# the Lan and WAN lists may be empty; that matters for the srcnat rule using
# out-interface-list=WAN and for mac-winbox allowed-interface-list=Lan below.
/ip ipsec mode-config
# Hands the IKEv2 client 10.50.0.12/22 and points it at this router
# (172.16.0.1) for DNS, so the client's name resolution depends on /ip dns.
add address=10.50.0.12 address-prefix-length=22 name=IKEv2-Server static-dns=\
    172.16.0.1 system-dns=no
/ip ipsec policy group
add name=ipsec
add name=IKEv2-Server
/ip ipsec profile
# NOTE(review): 3des and modp1024 are legacy/weak choices; since this side is
# the responder, removing them only breaks clients that still require them.
add enc-algorithm=aes-256,aes-192,aes-128,3des name=ipsec-profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
    aes-256,aes-192,aes-128,3des hash-algorithm=sha256 name=IKEv2-Server
/ip ipsec peer
# Responder only (passive=yes) on the WAN address.
add exchange-mode=ike2 local-address=123.45.67.89 name=IKEv2-Server passive=\
    yes profile=IKEv2-Server
/ip ipsec proposal
# NOTE(review): pfs-group=none on both proposals disables perfect forward
# secrecy for phase 2; 3des and sha1 are legacy -- same caveat as the profile.
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=\
    ipsec-proposal pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    lifetime=8h name=IKEv2-Server pfs-group=none
/ip pool
add name=pool4 ranges=172.16.4.1-172.16.4.254
add name=pool3 next-pool=pool4 ranges=172.16.3.1-172.16.3.254
add name=pool2 next-pool=pool3 ranges=172.16.2.1-172.16.2.254
add name=pool1 next-pool=pool2 ranges=172.16.1.1-172.16.1.254
/ppp profile
add change-tcp-mss=yes name=l2tp-remote-client-to-site only-one=no \
    use-compression=yes use-encryption=yes
/snmp community
set [ find default=yes ] disabled=yes
# NOTE(review): addresses=0.0.0.0/0 accepts this community from any source,
# and SNMP v2c sends the community string in cleartext; with the accept-all
# input chain below it is reachable from the WAN. Restrict addresses= to the
# monitoring host(s).
add addresses=0.0.0.0/0 name=snmp_public
/system logging action
set 1 disk-file-count=10
# Remote syslog (BSD syslog, cleartext) to a LAN host.
set 3 bsd-syslog=yes remote=172.16.1.135 syslog-facility=syslog
add name=ipsec target=memory
add name=l2tp target=memory
/interface bridge port
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 interface=vlan1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-remote-client-to-site \
    enabled=yes one-session-per-host=yes use-ipsec=required
/interface pptp-server server
# No enabled=yes is exported here, so PPTP appears to be off; keep it off
# (PPTP with MS-CHAPv2 is not considered secure).
set authentication=mschap2 default-profile=pptp
/ip address
add address=172.16.0.1/22 interface=bridge1 network=172.16.0.0
# NOTE(review): network=123.45.67.89 is not the base of a /29; most likely an
# artefact of the address anonymisation -- verify on the live router.
add address=123.45.67.89/29 interface=\
    ether1-WAN network=123.45.67.89
/ip dhcp-server network
add address=172.16.0.0/22 dns-server=172.16.0.1 gateway=172.16.0.1 \
    ntp-server=172.16.0.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes this router a resolver for
# anyone who can reach it; with the accept-all input chain it is an open
# resolver on the WAN. Once the filter is restored, drop DNS (53/udp and tcp)
# arriving on ether1-WAN except from the VPN client.
set allow-remote-requests=yes cache-max-ttl=1d cache-size=10240KiB servers=\
    8.8.8.8,1.1.1.1
/ip firewall filter
# Accept-all in every chain (test configuration per the post): nothing on this
# router is protected by the filter in this state.
add action=accept chain=forward
add action=accept chain=output
add action=accept chain=input
/ip firewall mangle
# Clamps TCP MSS to 1360 on SYNs in both directions for the IKEv2 client's
# IPsec-encapsulated traffic. NOTE(review): these rules match TCP SYNs in the
# forward chain only; if the "only Google works" symptom is MTU-related, that
# cannot be confirmed from this export alone -- test with a lower new-mss and
# check that ICMP fragmentation-needed is not being dropped upstream.
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp src-address=10.50.0.12 tcp-flags=syn \
    tcp-mss=!0-1360
add action=change-mss chain=forward dst-address=10.50.0.12 ipsec-policy=\
    out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn \
    tcp-mss=!0-1360
/ip firewall nat
# The client rule has no out-interface, so it also masquerades traffic from
# the VPN client toward the LAN (bridge1).
add action=masquerade chain=srcnat src-address=10.50.0.12
add action=masquerade chain=srcnat src-address=172.16.0.0/22 out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# Certificate-authenticated identity pinned to one client certificate;
# generate-policy=port-strict builds the client's policy from the
# IKEv2-Server template below.
add auth-method=digital-signature certificate=vpn.ike2 generate-policy=\
    port-strict match-by=certificate mode-config=IKEv2-Server peer=\
    IKEv2-Server policy-template-group=IKEv2-Server remote-certificate=\
    ra@vpn.ike2 remote-id=user-fqdn:ra@vpn.ike2
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ipsec proposal=ipsec-proposal src-address=\
    0.0.0.0/0 template=yes
# Template for the IKEv2 client's generated policy; 10.50.0.12 (assigned by
# mode-config above) falls inside 10.50.0.0/24.
add dst-address=10.50.0.0/24 group=IKEv2-Server proposal=IKEv2-Server \
    src-address=0.0.0.0/0 template=yes
/ip route
# Default route (dst-address omitted = 0.0.0.0/0) via the upstream gateway.
add check-gateway=ping distance=1 gateway=11.12.34.56
/ip route rule
# NOTE(review): every packet sourced from 123.45.67.89 (the router's own WAN
# address) is looked up only in table WAN, yet no route with routing-mark=WAN
# appears in this export (possibly trimmed). Since the VPN does come up, the
# table presumably exists; confirm with "/ip route print detail" that it also
# carries the router's own DNS forwarding to 8.8.8.8/1.1.1.1.
add action=lookup-only-in-table src-address=123.45.67.89/32 table=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
# NOTE(review): winbox stays enabled on a custom port with no address=
# restriction; with the accept-all input chain it is reachable from the WAN.
set winbox port=28291
set api-ssl disabled=yes
/snmp
set enabled=yes trap-community=snmp_public trap-interfaces=\
    ether7 trap-version=2
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+01:00 dst-end="oct/28/2019 00:00:00" dst-start=\
    "mar/31/2019 00:00:00" time-zone=+02:00
/system identity
set name=mtk-ccr1016
/system leds
add leds=fault-led type=fan-fault
add leds=user-led type=flash-access
/system package update
set channel=long-term
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Lan
/tool mac-server ping
set enabled=no
Statistics: Posted by anis — Mon Mar 04, 2024 12:18 pm