HGU Movistar 1 Cable

Hola
He Montado un hAP ac3 conectado a un HGU de Movistar
He creado 2 Bridges
1 IPTV-Bridge, con el puerto 1 conectado al HGU y el puerto 2, donde tengo el deco
2 LAN-Bridge con los puertos 3, 4, 5 para una red local en casa
He creado un túnel WireGuard con 3 peers; sobre uno de ellos he creado una interfaz EoIP que he metido en el IPTV-Bridge
Todo parece funcionar correctamente, pudiendo conectar un deco externo sobre la interface EoIP y todos los peers estan conectados
A la interface wireguard le he asignado la IP 192.168.255.1 Y a los peers la .2 .3 y la .4
Desde el router puedo hacer ping a los 3 peers, pero desde la LAN solo puedo hacer ping a la .3 y la .4; la .2 no me responde (tanto el peer como la interfaz EoIP asociada están conectados y en los contadores hay tráfico, tanto de entrada como de salida)
He intentado logear todas las reglas del firewall pero no veo donde se queda
¿Que estoy haciendo mal?
Os pongo la configuración por si podéis ayudarme
Gracias

He intentado subir el código en un archivo, pero no veo la forma de hacerlo

Código:
# may/04/2022 17:27:33 by RouterOS 7.2.1
# software id = DHAN-V48W
#
# model = RB962UiGS-5HacT2HnT
# serial number = CC4F0D50D6B5
# NOTE(review): this export was posted with sensitive values visible (the
# WireGuard private key and the IPsec identity secret further down, plus the
# serial number above). Treat both secrets as compromised and rotate them;
# share exports with sensitive values hidden.
#
# Two bridges, both with IGMP snooping and an IGMP querier enabled and with
# spanning tree turned off (protocol-mode=none).
# NOTE(review): with STP off nothing breaks a layer-2 loop; IPTV-Bridge also
# carries EoIP tunnels, so confirm no second L2 path exists between the sites.
/interface bridge
add fast-forward=no igmp-snooping=yes multicast-querier=yes multicast-router=\
    permanent name=IPTV-Bridge protocol-mode=none
add fast-forward=no igmp-snooping=yes multicast-querier=yes multicast-router=\
    permanent name=LAN-Bridge protocol-mode=none
# Rename the physical ports: ether1 becomes WAN-e1, ether2-5 become LAN-e2..e5.
/interface ethernet
set [ find default-name=ether2 ] name=LAN-e2
set [ find default-name=ether3 ] name=LAN-e3
set [ find default-name=ether4 ] name=LAN-e4
set [ find default-name=ether5 ] name=LAN-e5
set [ find default-name=ether1 ] name=WAN-e1
# Both radios run as access points.
# NOTE(review): neither radio names a security profile, and the default profile
# in this export sets only supplicant-identity (no authentication type or key
# is shown even though other secrets are). If that reflects the device, both
# SSIDs are open and bridged into LAN-Bridge -- verify and enable WPA2/WPA3.
/interface wireless
set [ find default-name=wlan1 ] country=spain disabled=no frequency=2447 \
    installation=indoor mode=ap-bridge multicast-helper=full ssid=InfoAstur
set [ find default-name=wlan2 ] country=spain disabled=no frequency=5540 \
    installation=indoor mode=ap-bridge multicast-helper=full ssid=InfoAstur5G
# Two EoIP tunnels. The first runs between the WireGuard addresses
# 192.168.255.1 and .2; the second is disabled and uses the 172.16.1.3/.4 pair
# that also appears in /ppp secret.
# NOTE(review): both tunnels share the same mac-address; if the second is ever
# enabled in the same bridge the duplicate MAC will conflict.
# NOTE(review): mtu=1500 on EoIP over a WireGuard interface with mtu=1420 means
# full-size frames must be fragmented inside the tunnel -- confirm this is
# acceptable for the IPTV stream.
/interface eoip
add allow-fast-path=no !keepalive local-address=192.168.255.1 mac-address=\
    02:A2:AC:3D:C8:92 mtu=1500 name=GarciaConde remote-address=192.168.255.2 \
    tunnel-id=11
add allow-fast-path=no disabled=yes !keepalive local-address=172.16.1.3 \
    mac-address=02:A2:AC:3D:C8:92 mtu=1500 name=InfoAsturViajes \
    remote-address=172.16.1.4 tunnel-id=12
# WireGuard interface listening on UDP 12346.
# NOTE(review): the private key below is published in clear text. Anyone
# holding it can impersonate this router to its peers; generate a new key pair
# and distribute the new public key to every peer.
/interface wireguard
add listen-port=12346 mtu=1420 name=wireguard-sts private-key=\
    "oGZv5iLURoYiZcXMc1ge3o5OT7Ov3DOA9r3+5rDfmU4="
# Interface lists referenced by the firewall and by mac-winbox.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default wireless security profile: only the supplicant identity is set here.
# NOTE(review): no authentication-types or pre-shared key appears in this
# export; confirm the radios that use this profile are not running open.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IKEv2 mode-config handing out /32 addresses with a 0.0.0.0/0 split-include.
/ip ipsec mode-config
add address-prefix-length=32 name=ike2-config split-include=0.0.0.0/0
/ip ipsec policy group
add name=ike2-group
# Phase 1 profiles: AES-256 with SHA-256/modp2048, and AES-256 with
# SHA-512/ecp384. Only ike2-profile is referenced by the peers in this export.
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    ike2-profile prf-algorithm=sha256
add dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    IKEv2-ArceMedia
# One initiator peer (ServetTalavera, resolved by DNS name) and one passive
# responder with no address restriction.
# NOTE(review): the passive peer accepts IKEv2 from any source, yet the only
# identity in this export belongs to ServetTalavera. If nothing uses the
# responder, remove or disable it.
/ip ipsec peer
add address=servettalavera.dyndns.org exchange-mode=ike2 name=ServetTalavera \
    profile=ike2-profile
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2-profile
# Phase 2 proposals.
# NOTE(review): lifetime=0s on the default proposal -- confirm how this
# RouterOS version treats a zero lifetime and that SA rekeying still happens.
/ip ipsec proposal
set [ find default=yes ] lifetime=0s
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2-proposal \
    pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm name=IKEv2-ArceMedia \
    pfs-group=modp2048
# Address pool 192.168.15.2-126. Despite the "IPTV" name it is the pool used by
# the DHCP server on LAN-Bridge below.
/ip pool
add comment="Pool for LAN-Bridge subnet, common hosts (192.168.15.2-126)" \
    name=IPTV-subnet-pool ranges=192.168.15.2-192.168.15.126
/ip dhcp-server
add address-pool=IPTV-subnet-pool interface=LAN-Bridge name=LAN-dhcp-server
# A RIP instance is enabled.
# NOTE(review): no RIP interface or neighbour configuration appears in this
# export; if RIP is unused, disable the instance.
/routing rip instance
add afi=ipv4 disabled=no name=rip
# Bridge membership. LAN-Bridge holds LAN-e2..e5 and both radios; IPTV-Bridge
# holds WAN-e1 (towards the HGU) and the two EoIP tunnels.
# NOTE(review): the post says port 2 carries the set-top box on the IPTV
# bridge, but here LAN-e2 is a LAN-Bridge port and WAN-e1 is the only physical
# port in IPTV-Bridge -- confirm which is intended.
# NOTE(review): bridging WAN-e1 with an EoIP tunnel extends the HGU's layer-2
# segment to the remote site, so remote hosts share that broadcast domain.
/interface bridge port
add bridge=LAN-Bridge interface=LAN-e2 multicast-router=disabled
add bridge=LAN-Bridge interface=LAN-e3 multicast-router=disabled
add bridge=LAN-Bridge interface=LAN-e4 multicast-router=disabled
add bridge=LAN-Bridge interface=wlan1 multicast-router=disabled
add bridge=LAN-Bridge interface=wlan2
add bridge=IPTV-Bridge interface=GarciaConde multicast-router=disabled \
    priority=0x10
add bridge=LAN-Bridge interface=LAN-e5 multicast-router=disabled
add bridge=IPTV-Bridge interface=InfoAsturViajes multicast-router=disabled
add bridge=IPTV-Bridge interface=WAN-e1
# NOTE(review): neighbour discovery is enabled on every interface, including
# the WAN-side bridge and the tunnels, so the router announces itself there.
# Restricting discover-interface-list to LAN is the usual hardening.
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set tcp-syncookies=yes
# IPTV-Bridge is treated as WAN and LAN-Bridge as LAN by the firewall rules.
# wireguard-sts belongs to neither list.
/interface list member
add interface=IPTV-Bridge list=WAN
add interface=LAN-Bridge list=LAN
# SSTP server enabled with MS-CHAPv2 authentication.
# NOTE(review): no certificate setting appears here, and the input chain
# accepts TCP 443 without a source restriction. Verify that a server
# certificate is configured and that every PPP secret has a strong password,
# or disable the server if it is unused.
/interface sstp-server server
set authentication=mschap2 default-profile=default-encryption enabled=yes
# WireGuard peers. allowed-address lists the tunnel address of each peer plus
# the remote subnets reachable through it.
# NOTE(review): 192.168.87.0/24 is allowed for the first peer, but /ip route
# has a route only for 192.168.77.0/24 through 192.168.255.2.
# NOTE(review): for LAN hosts (192.168.15.0/24) to reach a peer, that peer must
# list 192.168.15.0/24 in its allowed-address for this router and have a route
# back. Traffic from LAN to the tunnel is not masqueraded here, so it arrives
# with its 192.168.15.x source. Presumably peers .3 and .4 have this and .2
# does not -- check the remote configuration.
/interface wireguard peers
add allowed-address=192.168.255.2/32,192.168.87.0/24,192.168.77.0/24 comment=\
    "Garc\EDa Conde" endpoint-address=ae850b228735.sn.mynetname.net \
    endpoint-port=12346 interface=wireguard-sts public-key=\
    "b4/rZeXl/8uzdVgstq/edfClAd3xPlzB2q8xSgEDEgE="
add allowed-address=192.168.255.3/32,192.168.4.0/22 comment=Antracita \
    endpoint-address=firewall.imop.es endpoint-port=51820 interface=\
    wireguard-sts public-key="/2DXXceWZXoyP6X/7DhgJUxaEzRlptpUG3Mt44hl3F4="
add allowed-address=192.168.255.4/32,192.168.8.0/24 comment=Barcelona \
    endpoint-address=barcelona.imop.es endpoint-port=51820 interface=\
    wireguard-sts public-key="p+9xRiNMWQfdfMYh5mDOEW9+wh3foYLsJzx+hj2t40w="
# Router addresses: 192.168.15.1/24 on LAN-Bridge (the comment says "IPTV
# subnet", but the interface is the LAN bridge), 192.168.255.1/24 on the
# WireGuard interface and 192.168.1.3/24 on IPTV-Bridge.
/ip address
add address=192.168.15.1/24 comment="IPTV subnet" interface=LAN-Bridge \
    network=192.168.15.0
add address=192.168.255.1/24 interface=wireguard-sts network=192.168.255.0
add address=192.168.1.3/24 interface=IPTV-Bridge network=192.168.1.0
# MikroTik cloud DDNS enabled, updating every minute.
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
# NOTE(review): IPTV-Bridge also has the static address 192.168.1.3/24, so it
# may end up with two addresses in the HGU's subnet -- confirm both are wanted.
/ip dhcp-client
add interface=IPTV-Bridge
/ip dhcp-server config
set store-leases-disk=never
# Static DHCP leases on LAN-dhcp-server.
# NOTE(review): the leases at .202, .204 and .206 fall outside both the pool
# (192.168.15.2-126) and the 192.168.15.0/25 network entry below.
/ip dhcp-server lease
add address=192.168.15.3 client-id=1:b4:2e:99:1c:85:58 mac-address=\
    B4:2E:99:1C:85:58 server=LAN-dhcp-server
add address=192.168.15.7 client-id=1:b0:c:d1:39:cd:68 mac-address=\
    B0:0C:D1:39:CD:68 server=LAN-dhcp-server
add address=192.168.15.6 client-id=1:0:15:65:6b:ca:68 mac-address=\
    00:15:65:6B:CA:68 server=LAN-dhcp-server
add address=192.168.15.2 client-id=1:50:e5:49:3e:fa:67 mac-address=\
    50:E5:49:3E:FA:67 server=LAN-dhcp-server
add address=192.168.15.206 client-id="48:55:4d:41:58:5f:50:54:54:31:30:30:30:5\
    f:45:53:5f:30:43:30:38:42:34:46:45:33:36:36:43" mac-address=\
    0C:08:B4:FE:36:6C server=LAN-dhcp-server
add address=192.168.15.204 client-id="41:52:52:49:53:5f:56:49:50:35:32:34:32:5\
    f:46:43:41:45:33:34:34:38:35:43:36:33" mac-address=FC:AE:34:48:5C:63 \
    server=LAN-dhcp-server
add address=192.168.15.5 client-id=1:c4:ad:34:83:92:48 mac-address=\
    C4:AD:34:83:92:48 server=LAN-dhcp-server
add address=192.168.15.202 client-id="76:65:73:74:65:6c:5f:49:44:54:56:4d:39:3\
    6:54:2d:30:2e:30:5f:32:38:35:34:30:30:31:32:36:39:30:31:5f" mac-address=\
    00:09:DF:CF:26:67 server=LAN-dhcp-server
# Options handed to DHCP clients: router and DNS are both 192.168.15.1.
# NOTE(review): the network entry is a /25 while netmask=24 is pushed to
# clients and the interface address is a /24 -- confirm the mismatch is
# deliberate.
/ip dhcp-server network
add address=192.168.15.0/25 comment=\
    "LAN-Bridge common hosts subnet (192.168.15.2-126)" dns-server=\
    192.168.15.1 domain=lan gateway=192.168.15.1 netmask=24
# The router acts as a DNS resolver for clients.
# NOTE(review): allow-remote-requests=yes answers on every interface; queries
# from the WAN side are kept out only by the final "drop all not coming from
# LAN" input rule, so that rule must stay in place.
/ip dns
set allow-remote-requests=yes servers=8.26.56.26,8.20.247.20
/ip dns static
add address=192.168.15.1 name=router.lan
# NOTE(review): this address list is defined but no firewall rule in this
# export references it.
/ip firewall address-list
add address=garciaconde9.dyndns.org list=GarciaConde
# Filter rules are evaluated top to bottom within each chain; order matters.
/ip firewall filter
# Input: ICMP to the router is accepted from any interface.
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=\
    "ping - " protocol=icmp
# Input: UDP 500/4500 (IKE, NAT-T) and 12346 (the WireGuard listen port) are
# accepted from any source.
add action=accept chain=input comment=IPSEC dst-port=500,4500,12346 \
    log-prefix="IPSEC - " protocol=udp
add action=accept chain=input protocol=ipsec-esp
# NOTE(review): TCP 1196 is opened for OpenVPN, but no OVPN server settings
# appear in this export; close the port if the service is not in use.
add action=accept chain=input comment="OPEN VPN" dst-port=1196 log=yes \
    log-prefix="OVPN - " protocol=tcp
# Input: anything that arrived through an IPsec policy may reach the router.
add action=accept chain=input comment="allow HQ access to router" \
    ipsec-policy=in,ipsec
# NOTE(review): TCP 1723, 4430 and 443 are accepted with an empty
# src-address-list, which presumably applies no source restriction -- confirm.
# Only the SSTP server is shown enabled in this export; PPTP is a weak
# protocol, so drop 1723 (and the GRE rule below) if PPTP is not used, and
# limit 443 to known sources, for example the GarciaConde address list.
add action=accept chain=input comment="PPTP y SSTP Server" dst-port=\
    1723,4430,443 log-prefix="pptp Server - " protocol=tcp src-address-list=\
    ""
add action=accept chain=input log-prefix="gre - " protocol=gre
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Forward chain: IPsec traffic and established/related flows are accepted and
# invalid packets are dropped.
# NOTE(review): there is no final drop rule in forward, so every new
# connection is forwarded, including ones entering from the WAN-side bridge or
# the tunnels. This also means the filter is not what blocks LAN pings to
# 192.168.255.2; look at the peer's allowed-address and return route. Consider
# adding a default drop for new connections from WAN that are not dst-natted.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec log-prefix="IPSEC in - "
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec log-prefix="IPSEC - out"
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# NOTE(review): the next two input rules repeat the established/invalid pair
# that already appears above, so they never match anything new.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Final input rule: drop everything not arriving on a LAN-list interface.
# wireguard-sts is not in the LAN list, so new connections from tunnel peers
# to the router itself are dropped unless an earlier rule accepts them.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Source NAT: masquerade only non-IPsec traffic leaving through a WAN-list
# interface (IPTV-Bridge). Traffic towards wireguard-sts keeps its source.
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "defconf: masq. non  ipsec WAN traffic" ipsec-policy=out,none \
    out-interface-list=WAN
# IKEv2 identity for the ServetTalavera peer.
# NOTE(review): the pre-shared secret below is published in clear text; treat
# it as compromised and replace it on both ends of the tunnel.
/ip ipsec identity
add my-id=user-fqdn:mikrotik@infoastur.net peer=ServetTalavera \
    policy-template-group=ike2-group remote-id=\
    key-id:servettalavera@infoastur.net secret=\
    a0c7e6039999a0efc750929984ee8f32768686cad21c0b166b407619
# Tunnel-mode policy between 192.168.15.0/24 and 192.168.101.0/24.
/ip ipsec policy
add dst-address=192.168.101.0/24 peer=ServetTalavera proposal=ike2-proposal \
    src-address=192.168.15.0/24 tunnel=yes
# Static routes to the remote subnets behind each WireGuard peer.
/ip route
add disabled=no distance=1 dst-address=192.168.77.0/24 gateway=192.168.255.2 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.4.0/22 gateway=192.168.255.3 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.8.0/24 gateway=192.168.255.4 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# Management services: telnet, api and api-ssl are off; ftp, ssh and winbox
# are limited to 192.168.15.0/24.
# NOTE(review): FTP is clear-text; disable it if unused. www and www-ssl are
# not listed here, so they keep their defaults -- verify and restrict them the
# same way.
/ip service
set telnet disabled=yes
set ftp address=192.168.15.0/24
set ssh address=192.168.15.0/24
set api disabled=yes
set winbox address=192.168.15.0/24
set api-ssl disabled=yes
# NOTE(review): every UPnP interface, including the WAN-side IPTV-Bridge, is
# declared internal and there is no external one. No "/ip upnp set" line is
# shown, so UPnP is presumably disabled; remove these entries if so.
/ip upnp interfaces
add interface=IPTV-Bridge type=internal
add interface=LAN-e2 type=internal
add interface=LAN-e3 type=internal
add interface=LAN-e4 type=internal
add interface=LAN-e5 type=internal
# PPP accounts with fixed local/remote addresses.
# NOTE(review): no password is shown for either account although other secrets
# in this export are visible. If the passwords really are empty, these
# accounts are usable through the enabled SSTP server -- set strong passwords
# or remove the accounts.
/ppp secret
add local-address=172.16.1.1 name=InfoAstur profile=default-encryption \
    remote-address=172.16.1.2
add local-address=172.16.1.3 name=InfoAsturViajes profile=default-encryption \
    remote-address=172.16.1.4
# IGMP proxy with short query timers; IPTV-Bridge is its only interface and no
# upstream interface is marked in this export.
/routing igmp-proxy
set query-interval=15s query-response-interval=5s quick-leave=yes
/routing igmp-proxy interface
add interface=IPTV-Bridge
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=MK-Uria
/system logging
add disabled=yes topics=l2tp
# NOTE(review): the update channel is "testing" and RouterBOARD firmware
# auto-upgrade is on. A router exposing VPN services is usually kept on the
# stable channel.
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
# Runs the IPCloud script every 5 minutes, starting at boot.
/system scheduler
add interval=5m name=IPCloud on-event=IPCloud policy=read,write start-time=\
    startup
# The script only forces a cloud DDNS update.
# NOTE(review): dont-require-permissions=yes combined with a policy that
# includes password, sensitive, sniff and reboot is far more than this
# one-line script needs; trim it to least privilege (the scheduler already
# runs it with read,write).
/system script
add dont-require-permissions=yes name=IPCloud owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip cloud force-update"
# MAC telnet is disabled everywhere; MAC WinBox is limited to the LAN list.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 