MANUAL: Mikrotik, the freeloading friend [roaming IPTV]

In that case, a single bridge, since that is where you have the physical port that links you to the HGU. The EoIP tunnels would be "virtual" ethernet ports, all connected to each other on the same bridge.

Regards!
 
These would be the exports from Pepe2 and Paco; I'm not posting Pepe1, since it works without problems.

Pepe2

Code:
# nov/18/2022 04:53:21 by RouterOS 7.6
# software id = B7XX-Y1Q3
#
# model = RB750Gr3
# serial number = CCxxxxxxxxxx
/interface bridge
add admin-mac=DC:2C:6E:EA:2E:6A auto-mac=no comment=defconf name=bridge
add igmp-snooping=yes name=bridge-iptv
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=adslppp@telefonicanetpa
/interface eoip
add local-address=172.17.0.5 mac-address=FE:C3:18:3E:AE:27 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
add listen-port=54322 mtu=1420 name=wg-sts-iptv
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge-iptv comment=defconf interface=ether5
add bridge=bridge-iptv interface=eoip-iptv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=gorron-iptv endpoint-address=\
    ccxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv \
    public-key="tYq8f8UPdfo0LFsyxxxxxxxxxxxxxxxsbQXwPH9nw="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.17.0.5/30 interface=wg-sts-iptv network=172.17.0.4
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="vpn: allow wireguard gorron" dst-port=\
    54321 protocol=udp
add action=accept chain=input comment="iptv: allow gre for eoip" \
    in-interface=wg-sts-iptv protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Pepe2
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Paco

Code:
# nov/18/2022 19:21:27 by RouterOS 7.6
# software id = ZZ3W-Y97Z
#
# model = RB750Gr3
# serial number = CCxxxxxxxxxx
/interface bridge
add igmp-snooping=yes name=bridge-iptv
add admin-mac=DC:2C:6E:E1:FB:92 auto-mac=no name=bridge-lo
/interface eoip
add local-address=172.17.0.2 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
    eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
add listen-port=11117 mtu=1420 name=wg-sts-iptv
add listen-port=11118 mtu=1420 name=wg-sts-iptv-2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-lo ranges=192.168.79.2-192.168.79.254
/ip dhcp-server
add address-pool=pool-lo interface=bridge-lo name=dhcp-lo
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-lo interface=ether2
add bridge=bridge-iptv interface=ether1
add bridge=bridge-iptv interface=eoip-iptv
add bridge=bridge-iptv interface=eoip-iptv-2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=gorron1 endpoint-address=\
    ccxxxxxxxxxx.sn.mynetname.net endpoint-port=54321 interface=wg-sts-iptv \
    persistent-keepalive=25s public-key=\
    "SuByaNs5y1wbgYmpgxxxxxxxxxxxxxeuYauIfKsyenA="
add allowed-address=0.0.0.0/0 comment=gorron2 endpoint-address=\
    ccxxxxxxxxxx.sn.mynetname.net endpoint-port=54322 interface=wg-sts-iptv-2 \
    persistent-keepalive=25s public-key=\
    "X42MtXG4xsFqV1xxxxxxxxxxxxxxx13xM4+uIaERVN252c="
/ip address
add address=192.168.79.1/24 interface=bridge-lo network=192.168.79.0
add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
add address=192.168.1.200/24 disabled=yes interface=ether2 network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=bridge-iptv
/ip dhcp-server network
add address=192.168.79.0/24 gateway=192.168.79.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add dst-address=192.168.88.0/24 gateway=172.17.0.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Paco

It's possible that, in my eagerness to fix something, I've made it even worse.
Thanks for your help; I've had physical problems (torn ligaments and a broken radius) and it's like starting over.
Regards ;)
 
Hi, here's what I've seen at a glance.

You've got quite a mess in Pepe2's configuration:

- The addressing is wrong. You've put 172.17.0.5 on both ends; if you put 172.17.0.5 on Paco, Pepe2 should be 172.17.0.6, and be careful to set the remote IPs correctly.

- The ports aren't right. If you have 54321 between Paco-Pepe1 and 54322 between Paco-Pepe2, respect that on both ends. I see that you've configured 11117 and 11118 on Paco's WireGuard interfaces; correct that so they listen on the right ports.

- Correct the firewall: the port you need to open is 54322, and you've opened 54321, which is Pepe1's.

On Paco:

- You have interface lists created; review the initial config in @pokoyo's manual and you'll see that none are created there. That can cause you problems too.

- The peers and the WireGuard interface should have the same ports as their other end.

- And check that the WireGuard ports are open on the HGU for the MikroTik's IP.

Here's an idea of how you should have it:

1668801831853.png

Regards.
 
Hats off to @diamuxin and his famous drawing, very explanatory.

@ZZii00, you lack fluency, and that only comes with practice. Don't despair, but don't settle for copying and pasting commands. First plan, make a diagram (on paper, a little drawing like our colleague's, whatever is simplest for you), put all the data in it (even ask about it beforehand) and, once you've understood it, implement it.

Regards.
 
Hi everyone.
I've got everything ready now; before going off to test the configuration, I want to post it here to avoid moving around on crutches, which is a pain.
I'm attaching the modified picture of how I have everything.
Dibujo.png

And these are the exports from both, router Paco and Pepe2

Paco:
Code:
# nov/20/2022 15:43:42 by RouterOS 7.6
# software id = ZZ3W-Y97Z
#
# model = RB750Gr3
# serial number = CCxxxxxxxxxxxxxx
/interface bridge
add igmp-snooping=yes name=bridge-iptv
add admin-mac=DC:2C:6E:E1:FB:92 auto-mac=no name=bridge-lo
/interface eoip
add local-address=172.17.0.2 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
    eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
add listen-port=11117 mtu=1420 name=wg-sts-iptv
add listen-port=11118 mtu=1420 name=wg-sts-iptv-2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-lo ranges=192.168.79.2-192.168.79.254
/ip dhcp-server
add address-pool=pool-lo interface=bridge-lo name=dhcp-lo
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-lo interface=ether2
add bridge=bridge-iptv interface=ether1
add bridge=bridge-iptv interface=eoip-iptv
add bridge=bridge-iptv interface=eoip-iptv-2
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=gorron1 endpoint-address=\
    ccxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11117 interface=wg-sts-iptv \
    persistent-keepalive=25s public-key=\
    "SuByaNs5y1wbgYmpg7IF2XG301hHNJeuYauIfKsyenA="
add allowed-address=0.0.0.0/0 comment=gorron2 endpoint-address=\
    ccxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv-2 \
    persistent-keepalive=25s public-key=\
    "X42MtXG4xsFqV1cKrYxNTwjpDU13xM4+uIaERVN252c="
/ip address
add address=192.168.79.1/24 interface=bridge-lo network=192.168.79.0
add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
add address=192.168.1.200/24 disabled=yes interface=ether2 network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add interface=bridge-iptv
/ip dhcp-server network
add address=192.168.79.0/24 gateway=192.168.79.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add dst-address=192.168.88.0/24 gateway=172.17.0.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Paco

Pepe2

Code:
# nov/20/2022 15:51:23 by RouterOS 7.6
# software id = B7XX-Y1Q3
#
# model = RB750Gr3
# serial number = CCxxxxxxxxxxxx
/interface bridge
add admin-mac=DC:2C:6E:EA:2E:6A auto-mac=no comment=defconf name=bridge
add igmp-snooping=yes name=bridge-iptv
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes \
    user=adslppp@telefonicanetpa
/interface eoip
add local-address=172.17.0.6 mac-address=FE:C3:18:3E:AE:27 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.5 tunnel-id=1
/interface wireguard
add listen-port=11118 mtu=1420 name=wg-sts-iptv
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.80.10-192.168.80.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge-iptv comment=defconf interface=ether5
add bridge=bridge-iptv interface=eoip-iptv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=172.17.0.5/32 comment=gorron-iptv endpoint-address=\
    ccxxxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv \
    public-key="tYq8f8UPdfo0LFsy0DTFW32uDNvy1UbTRsbQXwPH9nw="
/ip address
add address=192.168.80.1/24 comment=defconf interface=bridge network=\
    192.168.80.0
add address=172.17.0.6/30 interface=wg-sts-iptv network=172.17.0.4
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.80.0/24 comment=defconf dns-server=192.168.80.1 gateway=\
    192.168.80.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.80.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="vpn: allow wireguard gorron" dst-port=\
    11118 protocol=udp
add action=accept chain=input comment="iptv: allow gre for eoip" \
    in-interface=wg-sts-iptv protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Pepe2
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Today, on opening a terminal on Paco, I got this message:
dhcp,critical,error dhcp-client on bridge-iptv lost IP address 192.168.1.200 - received NAK from dhcp server 192.168.1.1
I don't know whether it's important or not, but the words critical error sound awful.
Pepe1 keeps working fine, without problems.
Thanks a lot for your advice; today I made all the changes from WinBox, no overwriting code, following the instructions.
Regards ;)
 
On Paco, be careful: you've duplicated the EoIP with the same MAC address. When you create it (the EoIP interface), don't specify the MAC, and let the router create it itself. Otherwise, you'll cause an L2 conflict.

Apart from that, it apparently looks good.

Regards!
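
Added example, not part of any post in this thread: the cross-checks from the review of Pepe2 (same /30 address on both ends, firewall opening a different UDP port than the one WireGuard listens on) and from the duplicate-MAC note just above, run mechanically over two RouterOS exports. The function names are hypothetical, and the sample fragments are trimmed from the exports posted above (Paco, and Pepe2 before and after the corrections).

```python
import re
from collections import Counter

def parse_export(text):
    """Parse a RouterOS export into {menu: [{key: value}, ...]} ('add' lines only)."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines split with a trailing backslash
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus.setdefault(menu, []).append({k: v.strip('"') for k, v in pairs})
    return menus

def check_router(name, cfg):
    """Checks that need only one router's export."""
    issues = []
    macs = Counter(e["mac-address"] for e in cfg.get("/interface eoip", [])
                   if "mac-address" in e)
    issues += [f"{name}: {n} EoIP interfaces share MAC {mac}"
               for mac, n in macs.items() if n > 1]
    rules = cfg.get("/ip firewall filter", [])
    if rules:  # a router with no filter rules at all drops nothing on input
        opened = {p for r in rules
                  if (r.get("chain"), r.get("action"), r.get("protocol"))
                  == ("input", "accept", "udp")
                  for p in r.get("dst-port", "").split(",") if p}
        for wg in cfg.get("/interface wireguard", []):
            if wg["listen-port"] not in opened:  # port ranges are not expanded here
                issues.append(f"{name}: {wg['name']} listens on udp/{wg['listen-port']}"
                              f" but the input chain opens udp/{','.join(sorted(opened))}")
    return issues

def check_pair(a_name, a, b_name, b):
    """Checks that compare both ends of a tunnel (EoIP matched by tunnel-id)."""
    issues = []
    b_eoip = {e["tunnel-id"]: e for e in b.get("/interface eoip", [])}
    for ea in a.get("/interface eoip", []):
        eb = b_eoip.get(ea["tunnel-id"])  # None: that tunnel ends on another router
        if eb and (ea["local-address"], ea["remote-address"]) != (
                eb["remote-address"], eb["local-address"]):
            issues.append(f"tunnel-id {ea['tunnel-id']}: {a_name} local/remote "
                          f"{ea['local-address']}/{ea['remote-address']} is not mirrored "
                          f"by {b_name} {eb['local-address']}/{eb['remote-address']}")
    a_ips = {x["address"] for x in a.get("/ip address", [])}
    issues += [f"{x['address']} is assigned on both {a_name} and {b_name}"
               for x in b.get("/ip address", []) if x["address"] in a_ips]
    return issues

def audit(a_name, a_text, b_name, b_text):
    """Return every issue found for one pair of exports."""
    a, b = parse_export(a_text), parse_export(b_text)
    return check_router(a_name, a) + check_router(b_name, b) + check_pair(a_name, a, b_name, b)

# Sample input: fragments trimmed from the exports posted in the thread.
PACO = r"""/interface eoip
add local-address=172.17.0.2 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
    eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1
/ip address
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4"""

PEPE2_BEFORE = r"""/interface eoip
add local-address=172.17.0.5 mac-address=FE:C3:18:3E:AE:27 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
add listen-port=54322 mtu=1420 name=wg-sts-iptv
/ip address
add address=172.17.0.5/30 interface=wg-sts-iptv network=172.17.0.4
/ip firewall filter
add action=accept chain=input comment="vpn: allow wireguard gorron" dst-port=\
    54321 protocol=udp"""

PEPE2_AFTER = r"""/interface eoip
add local-address=172.17.0.6 mac-address=FE:C3:18:3E:AE:27 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.5 tunnel-id=1
/interface wireguard
add listen-port=11118 mtu=1420 name=wg-sts-iptv
/ip address
add address=172.17.0.6/30 interface=wg-sts-iptv network=172.17.0.4
/ip firewall filter
add action=accept chain=input comment="vpn: allow wireguard gorron" dst-port=\
    11118 protocol=udp"""

if __name__ == "__main__":
    for label, pepe2 in (("before", PEPE2_BEFORE), ("after", PEPE2_AFTER)):
        for issue in audit("Paco", PACO, "Pepe2", pepe2):
            print(f"[{label}] {issue}")
```
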
 
Run this on Paco
Code:
/interface eoip
remove [find]
add local-address=172.17.0.2 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mtu=1500 name=\
    eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1

Regards!
 
The S (Slave) has disappeared and it shows as blank.
Pepe1 has also gone down, but I imagine I have to reboot Paco, is that right?
Regards ;)
 
Hello everyone.
I now have everything ready; before I go to test the configuration, I want to post it here to avoid having to get around on crutches, which is a pain.
I'm attaching the updated picture of how I have everything set up.
View attachment 101358
And these are the exports of both, router Paco and Pepe2

Paco:
Code:
# nov/20/2022 15:43:42 by RouterOS 7.6
# software id = ZZ3W-Y97Z
#
# model = RB750Gr3
# serial number = CCxxxxxxxxxxxxxx
/interface bridge
add igmp-snooping=yes name=bridge-iptv
add admin-mac=DC:2C:6E:E1:FB:92 auto-mac=no name=bridge-lo
/interface eoip
add local-address=172.17.0.2 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
    eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
add listen-port=11117 mtu=1420 name=wg-sts-iptv
add listen-port=11118 mtu=1420 name=wg-sts-iptv-2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-lo ranges=192.168.79.2-192.168.79.254
/ip dhcp-server
add address-pool=pool-lo interface=bridge-lo name=dhcp-lo
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-lo interface=ether2
add bridge=bridge-iptv interface=ether1
add bridge=bridge-iptv interface=eoip-iptv
add bridge=bridge-iptv interface=eoip-iptv-2
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=gorron1 endpoint-address=\
    ccxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11117 interface=wg-sts-iptv \
    persistent-keepalive=25s public-key=\
    "SuByaNs5y1wbgYmpg7IF2XG301hHNJeuYauIfKsyenA="
add allowed-address=0.0.0.0/0 comment=gorron2 endpoint-address=\
    ccxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv-2 \
    persistent-keepalive=25s public-key=\
    "X42MtXG4xsFqV1cKrYxNTwjpDU13xM4+uIaERVN252c="
/ip address
add address=192.168.79.1/24 interface=bridge-lo network=192.168.79.0
add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
add address=192.168.1.200/24 disabled=yes interface=ether2 network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add interface=bridge-iptv
/ip dhcp-server network
add address=192.168.79.0/24 gateway=192.168.79.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add dst-address=192.168.88.0/24 gateway=172.17.0.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Paco

Pepe2

Code:
# nov/20/2022 15:51:23 by RouterOS 7.6
# software id = B7XX-Y1Q3
#
# model = RB750Gr3
# serial number = CCxxxxxxxxxxxx
/interface bridge
add admin-mac=DC:2C:6E:EA:2E:6A auto-mac=no comment=defconf name=bridge
add igmp-snooping=yes name=bridge-iptv
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes \
    user=adslppp@telefonicanetpa
/interface eoip
add local-address=172.17.0.6 mac-address=FE:C3:18:3E:AE:27 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.5 tunnel-id=1
/interface wireguard
add listen-port=11118 mtu=1420 name=wg-sts-iptv
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.80.10-192.168.80.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge-iptv comment=defconf interface=ether5
add bridge=bridge-iptv interface=eoip-iptv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=172.17.0.5/32 comment=gorron-iptv endpoint-address=\
    ccxxxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv \
    public-key="tYq8f8UPdfo0LFsy0DTFW32uDNvy1UbTRsbQXwPH9nw="
/ip address
add address=192.168.80.1/24 comment=defconf interface=bridge network=\
    192.168.80.0
add address=172.17.0.6/30 interface=wg-sts-iptv network=172.17.0.4
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.80.0/24 comment=defconf dns-server=192.168.80.1 gateway=\
    192.168.80.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.80.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="vpn: allow wireguard gorron" dst-port=\
    11118 protocol=udp
add action=accept chain=input comment="iptv: allow gre for eoip" \
    in-interface=wg-sts-iptv protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Pepe2
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Today, when I opened a terminal on Paco, I got this message:
dhcp,critical,error dhcp-client on bridge-iptv lost IP address 192.168.1.200 - received NAK from dhcp server 192.168.1.1
I don't know whether it is important or not, but the words critical error sound awful.
Pepe1 is still working fine, no problems.
Many thanks for your advice; today I made all the changes from WinBox, no overwriting code, following the instructions.
Regards ;)
Heh, almost, almost... but you still have quite a few mistakes.

Let's see, this is what I can see:

Paco

- As @pokoyo says, you have set the same MAC addresses on the EoIP interfaces
- Remove the WAN and LAN interface lists, you don't need them.
- Wrong IP addressing on the wireguard interface: the IP 172.17.0.5 belongs to network 172.17.0.0 and you have put .0.4.
- You have assigned a manual IP (192.168.1.200) to ether2; that is not correct, since this is the management port and its IP is given by the DHCP server you created with the 192.168.79.0 range

Pepe2

- Here you have also repeated the same mistake: the correct network is 172.17.0.0 and not .0.4
- One more thing, I take it the dhcp-client connects to the internet fine, right?

Regards.
 
pokoyo and I posted our replies at the same time; I hope that doesn't confuse you.
What our colleague did was recreate the EoIP interfaces so that they are created with their automatic MACs

Regards.
 
Paco

- As @pokoyo says, you have set the same MAC addresses on the EoIP interfaces
Fixed with the code from pokoyo
- Remove the WAN and LAN interface lists, you don't need them.
Removed
- Wrong IP addressing on the wireguard interface: the IP 172.17.0.5 belongs to network 172.17.0.0 and you have put .0.4.
Changed
- You have assigned a manual IP (192.168.1.200) to ether2; that is not correct, since this is the management port and its IP is given by the DHCP server you created with the 192.168.79.0 range
Removed the IP address from ether2
Pepe2

- Here you have also repeated the same mistake: the correct network is 172.17.0.0 and not .0.4
It won't let me
- One more thing, I take it the dhcp-client connects to the internet fine, right?
Yes, it connects without problems on my network.

Regards ;)
 
Wrong IP addressing on the wireguard interface: the IP 172.17.0.5 belongs to network 172.17.0.0 and you have put .0.4.
When I try to change it, WinBox automatically sets it to 127.17.0.4, both on Paco and on Pepe2 172.17.0.6.
Regards ;)
 
It is possible that, after deleting those EoIP interfaces, you will have to remove those ports from bridge-iptv and add them again (in addition to everything our colleague has told you, who has read your config much more carefully than I have)

Regards!
 
@pokoyo can correct me if I'm wrong, but perhaps you need a different subnet for each wireguard interface (that is how I currently have it). No harm in trying.

For example:

site 1: 172.17.0.2 <-----> 172.17.0.1
site 2: 172.17.10.2 <------> 172.17.10.1 (instead of 172.17.0.5 <----->172.17.0.6)

TIP: I think the best thing is to start the manual again and follow it to the letter, and post your questions here; I think that with what has been discussed so far you already have more or less the idea of how it should work.

Regards
 
Paco
Code:
# nov/20/2022 21:10:52 by RouterOS 7.6
# software id = ZZ3W-Y97Z
#
# model = RB750Gr3
# serial number = CCXXXXXXXXXX
/interface bridge
add igmp-snooping=yes name=bridge-iptv
add admin-mac=DC:2C:6E:E1:FB:92 auto-mac=no name=bridge-lo
/interface eoip
add local-address=172.17.0.2 mac-address=FE:A5:F9:A8:CA:CF mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mac-address=FE:1E:BE:B7:37:65 mtu=1500 name=\
    eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
add listen-port=11117 mtu=1420 name=wg-sts-iptv
add listen-port=11118 mtu=1420 name=wg-sts-iptv-2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-lo ranges=192.168.79.2-192.168.79.254
/ip dhcp-server
add address-pool=pool-lo interface=bridge-lo name=dhcp-lo
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-lo interface=ether2
add bridge=bridge-iptv interface=ether1
add bridge=bridge-iptv interface=eoip-iptv
add bridge=bridge-iptv interface=eoip-iptv-2
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=gorron1 endpoint-address=\
    ccxxxxxxxxxx.sn.mynetname.net endpoint-port=11117 interface=wg-sts-iptv \
    persistent-keepalive=25s public-key=\
    "SuByaNs5y1wbgYmpg7IF2XG301hHNJeuYauIfKsyenA="
add allowed-address=0.0.0.0/0 comment=gorron2 endpoint-address=\
    ccxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv-2 \
    persistent-keepalive=25s public-key=\
    "X42MtXG4xsFqV1cKrYxNTwjpDU13xM4+uIaERVN252c="
/ip address
add address=192.168.79.1/24 interface=bridge-lo network=192.168.79.0
add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add interface=bridge-iptv
/ip dhcp-server network
add address=192.168.79.0/24 gateway=192.168.79.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add dst-address=192.168.88.0/24 gateway=172.17.0.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Paco

This line:
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
on both Paco (172.17.0.5/30) and Pepe2 (172.17.0.6/30) I get an error when editing them if I put 172.17.0.0; they change automatically to 172.17.0.4
Many thanks to you both for your time.
Regards ;)
 
That is because of the limitation of the /30 mask --> change it on both ends to /29, for example, and it will let you set it to 0.0

Regards.


Regards
 
The addressing was fine, guys. A /24 subnet can be split into 64 subnets of type /30, each with two usable IPs plus the network and broadcast addresses. The only thing our colleague had "wrong" (this is just me being picky, you can set it up however you like) is that, for one of the Pepes (the first one), Paco took the first of the usable IPs of that /30 subnet, while for the second one it took the last (.6 on Paco and .5 on Pepe, instead of the other way round).

Here is an example of how the 172.17.0.0/24 subnet is split into 64 smaller /30 subnets, all of them independent of each other
(the 256 IPs in the large 172.17.0.0/24 subnet, at 4 addresses per /30 subnet = 64 possible subnets)

| Subnet | Subnet CIDR | Network IP | First usable IP | Second usable IP | Broadcast IP |
| --- | --- | --- | --- | --- | --- |
| 0 | 172.17.0.0/30 | 172.17.0.0 | 172.17.0.1 | 172.17.0.2 | 172.17.0.3 |
| 1 | 172.17.0.4/30 | 172.17.0.4 | 172.17.0.5 | 172.17.0.6 | 172.17.0.7 |
| 2 | 172.17.0.8/30 | 172.17.0.8 | 172.17.0.9 | 172.17.0.10 | 172.17.0.11 |
| 3 | 172.17.0.12/30 | 172.17.0.12 | 172.17.0.13 | 172.17.0.14 | 172.17.0.15 |
| ... | | | | | |
| 63 | 172.17.0.252/30 | 172.17.0.252 | 172.17.0.253 | 172.17.0.254 | 172.17.0.255 |

That way no segments are wasted. What I think @diamuxin was suggesting is to configure them all as /24, so you would have, for example
172.17.0.1/24 = Paco -> Pepe1 = 172.17.0.2/24
172.17.1.1/24 = Paco -> Pepe2 = 172.17.1.2/24

Which is another option, just as valid, if you find it clearer. So, when this happened
This line:
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
on both Paco (172.17.0.5/30) and Pepe2 (172.17.0.6/30) I get an error when editing them if I put 172.17.0.0; they change automatically to 172.17.0.4
Many thanks to you both for your time.
It was completely normal, since the network address of the IP 172.17.0.5/30 is 172.17.0.4, as you can check in the table, not 172.17.0.0. Nevertheless, if you understand it better with /24 networks, which are the ones we are used to handling, do it that way; it works just the same.

Regards!
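
The two checks this thread turns on, as an added example that is not part of the original posts: a small Python linter that reads a RouterOS export, flags EoIP interfaces sharing a MAC address, and recomputes the `network=` value each `/ip address` entry must carry. The sample export is constructed from the Paco export quoted in the thread, with the second `network=` set to the value RouterOS rejected; all function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: trimmed from the Paco export in this thread. The second
# /ip address line carries network=172.17.0.0, the value RouterOS rejected.
SAMPLE_EXPORT = r"""
/interface eoip
add local-address=172.17.0.2 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
    eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1
/ip address
add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.0
"""

PROP_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Map each menu path (e.g. '/ip address') to the properties of its 'add' lines."""
    joined = re.sub(r"\\\n\s*", "", text)  # undo the export's backslash line wraps
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in joined.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections[current].append(
                {key: value.strip('"') for key, value in PROP_RE.findall(line)})
    return sections


def duplicate_eoip_macs(sections):
    """Group EoIP interface names by MAC; a MAC used more than once is an L2 conflict."""
    by_mac = defaultdict(list)
    for tunnel in sections.get("/interface eoip", []):
        if "mac-address" in tunnel:
            by_mac[tunnel["mac-address"].upper()].append(tunnel["name"])
    return {mac: names for mac, names in by_mac.items() if len(names) > 1}


def network_mismatches(sections):
    """Return (address, declared network, computed network) where the two differ."""
    wrong = []
    for entry in sections.get("/ip address", []):
        computed = str(ipaddress.ip_interface(entry["address"]).network.network_address)
        if entry.get("network", computed) != computed:
            wrong.append((entry["address"], entry["network"], computed))
    return wrong


def eoip_endpoints_off_link(sections):
    """Tunnels whose local and remote address do not share a configured subnet.
    Assumes this thread's design: EoIP runs over a directly connected WireGuard link."""
    nets = [ipaddress.ip_interface(e["address"]).network
            for e in sections.get("/ip address", [])]
    return [t["name"] for t in sections.get("/interface eoip", [])
            if not any(ipaddress.ip_address(t["local-address"]) in n
                       and ipaddress.ip_address(t["remote-address"]) in n for n in nets)]


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    print("duplicate EoIP MACs:", duplicate_eoip_macs(cfg))
    print("network= mismatches:", network_mismatches(cfg))
    print("EoIP endpoints off-link:", eoip_endpoints_off_link(cfg))
```

With a /29 mask the same address does compute to network 172.17.0.0, which is why widening the mask made the edit go through.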
 
Hi!

First of all, thank you very much for everything; the amount of info you share is incredible. I wanted to tell you that I have a Paco and a Pepe set up without problems and running flat out :)

The thing is that I have tried to add a new peer to Paco so that I can manage it from anywhere, both Paco and the operator's router if needed, and not have to go to Pepe or Paco in person.

Apart from adding the peer, do I have to do anything else on Paco?

Thanks!!
 