MANUAL: Mikrotik, OSPF over site-to-site WireGuard tunnels

Hi Pokoyo

I'm thinking about setting up OSPF with 4 nodes. It would be 3 connected houses (A, B, C) plus a map lite in switch mode in another house D (connected via EoIP for M+). My intention is for A and B to be able to reach D, but I don't intend to put any set-top box in C. Could I use OSPF in this case? If so, I had thought of something like this.


Regards!

EDIT: rereading the thread, it's not clear to me whether it would be better to set up OSPF between A-B-C and then leave two EoIP tunnels between A-D and B-D.
 

I would rather go with the second option you mentioned, since D doesn't take part in the route exchange. I would join A-B-C with sts tunnels + OSPF, and then set up two more tunnels between A-D and B-D; you choose whether WireGuard+EoIP or EoIP directly over IPsec.

Regards!
 
Hi Pokoyo,

That's how I've tried to do it. However, I think I've messed something up with some IP.

I took the router to site B and connected it. The router gets internet and can ping an IP perfectly (I tested with 1.1.1.1). However, I have no internet from the connected devices.

I don't know whether it comes from the DHCP part, the VLAN or the OSPF. Before adding OSPF I tested it at home and everything did work correctly...

Regards!

Code:
# jun/09/2022 20:43:06 by RouterOS 7.2.3
# software id = 7ZTN-XFC6
#
# model = RB750Gr3
# serial number = XXX
/interface bridge
add admin-mac=DC:2C:6E:AC:91:EB auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
add igmp-snooping=yes name=bridge-iptv
/interface ethernet
set [ find default-name=ether2 ] comment="EoIP Movistar"
set [ find default-name=ether5 ] comment=ULR
/interface eoip
add local-address=172.17.0.1 mac-address=FE:49:F3:94:84:CE mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.2 tunnel-id=0
/interface wireguard
add listen-port=49853 mtu=1420 name=wg-sts-a
add listen-port=49852 mtu=1420 name=wg-sts-f
add listen-port=54321 mtu=1420 name=wg-sts-iptv
add listen-port=49851 mtu=1420 name=wireguard-rw
/interface vlan
add interface=ether1 name=vlan3-telefono vlan-id=3
add interface=ether1 name=vlan6-internet vlan-id=6
add interface=bridge name=vlan10-IoT vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6-internet name=internet \
    user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.77.10-192.168.77.199
add name=pool-vlan10-IoT ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool-vlan10-IoT interface=vlan10-IoT name=dhcp-server-vlan10
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=v2 router-id=0.0.0.2
/routing ospf area
add disabled=no instance=v2 name=backbone
/routing rip instance
add afi=ipv4 disabled=no name=rip
/interface bridge port
add bridge=bridge-iptv comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge-iptv interface=eoip-iptv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=wg-sts-f list=LAN
/interface wireguard peers
add allowed-address=192.168.50.2/32 comment="PeerRW - XPS15" interface=\
    wireguard-rw public-key="RUtKdEGoH9oSI8wwFaY/vAVBpxcKLP1To1t3n0rg3XA="
add allowed-address=192.168.50.3/32 comment="PeerRW - iPhone SP" interface=\
    wireguard-rw public-key="wjHCAs0mQQTBrd/XoWiNvGGdkgvR0vibLoZaYaHKLGM="
add allowed-address=172.17.0.2/32 comment=b-iptv interface=wg-sts-iptv \
    public-key="8RxSVG5CINOKRZNhpjxsA0ssdKbVJ1nCSzrqBMVWbmg="
add allowed-address=172.16.0.1/32,192.168.88.0/24 endpoint-address=\
    f.myDDNS.com endpoint-port=49852 interface=wg-sts-f \
    public-key="cllaPYQPCaGs9usZEBOc8L15/OTRQISvP1mRRDEZ/hw="
add allowed-address=172.16.0.6/32,192.168.1.0/24 endpoint-address=\
    a.myDDNS.com endpoint-port=49853 interface=wg-sts-a \
    public-key="5wOksT47XlpsXkNCCR87xByUcrbIzxYiXgHHzkezIgQ="
/ip address
add address=192.168.77.1/24 comment=defconf interface=bridge network=\
    192.168.77.0
add address=192.168.50.1/24 interface=wireguard-rw network=192.168.50.0
add address=172.17.0.1/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.16.0.2/30 interface=wg-sts-f network=172.16.0.0
add address=192.168.10.1/24 interface=vlan10-IoT network=192.168.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
add add-default-route=no interface=vlan3-telefono use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.10.0/24 comment=vlan10 dns-server=1.1.1.1,1.0.0.1 \
    gateway=192.168.10.1
add address=192.168.77.0/24 comment=defconf dns-server=192.168.77.1 gateway=\
    192.168.77.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="voip: accept rip multicast traffic" \
    dst-address=224.0.0.9 dst-port=520 in-interface=vlan3-telefono protocol=\
    udp
add action=accept chain=input comment="vpn: allow wireguard-rw" dst-port=\
    49851 protocol=udp
add action=accept chain=input src-address=192.168.50.0/24
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49852 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49853 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard sts-iptv" \
    dst-port=54321 protocol=udp
add action=accept chain=input comment="iptv: allow gre for eoip" \
    in-interface=wg-sts-iptv protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=\
    vlan3-telefono
# internet not ready
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="voip: masq voip" out-interface=\
    vlan3-telefono
/ip route
add disabled=no dst-address=192.168.88.0/24 gateway=172.16.0.1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing ospf interface-template
add area=backbone disabled=no networks=172.16.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.77.0/24
/routing rip interface-template
add instance=rip interfaces=vlan3-telefono mode=passive
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=hEX
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
You are propagating OSPF inside your local network, which you shouldn't do unless you know what you're doing. You have the most common mistake: not marking your LAN as passive, so that it is simply announced. When you do:
Code:
/routing ospf interface-template
add area=backbone disabled=no networks=192.168.77.0/24
You're missing ticking the "passive" checkbox for all the subnets that are not part of OSPF but that you want announced in OSPF (in the ptp template it would be unchecked, and in this one checked). You could also add the 192.168.50.0/24 subnet here, so that when you connect to this router's WireGuard in road-warrior mode, you reach all the others, because they have that route installed.

On the other hand, you are summarizing a subnet 172.16.0.2/30 -> 172.16.0.0/24. Which is fine, but beware that the next link you set up must also be in 172.16.0.x for it to be picked up as part of that summarization. I understand that 172.17.0.1/30 is the IPTV one that we said was going to be kept apart from OSPF, right?

Regards!
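
The check described in the reply above, as an added example that is not part of the thread: a short Python audit of a RouterOS export that flags any address covered by a non-ptp OSPF interface-template lacking `passive` (such a template sends hellos and will form adjacencies with anything on that LAN) and lists subnets that no template announces. The function names and the sample excerpt are constructed for illustration, and it assumes, as the reply does, that only `type=ptp` templates are meant to form adjacencies.

```python
import ipaddress
import shlex

# Constructed sample: a trimmed excerpt in the shape of the export posted above.
SAMPLE_EXPORT = r"""
/ip address
add address=192.168.77.1/24 comment=defconf interface=bridge network=\
    192.168.77.0
add address=192.168.50.1/24 interface=wireguard-rw network=192.168.50.0
add address=172.17.0.1/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.16.0.2/30 interface=wg-sts-f network=172.16.0.0
/routing ospf interface-template
add area=backbone disabled=no networks=172.16.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.77.0/24
"""


def parse_export(text):
    """Parse the `add` lines of a RouterOS export into {menu: [{key: value}]}."""
    sections, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # the export wraps long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            item = {}
            for token in shlex.split(line[4:]):
                key, sep, value = token.partition("=")
                item[key] = value if sep else True   # bare word such as `passive`
            sections.setdefault(menu, []).append(item)
    return sections


def template_networks(template):
    """Networks matched by one interface-template (empty if it matches by interface)."""
    raw = template.get("networks", "")
    return [ipaddress.ip_network(n, strict=False) for n in raw.split(",") if n]


def audit_ospf(text):
    """Return (subnet, interface, finding) for every locally configured address.

    lan-not-passive: covered by a template that is neither type=ptp nor passive.
    not-announced:   covered by no enabled template at all (informational).
    """
    cfg = parse_export(text)
    templates = [t for t in cfg.get("/routing ospf interface-template", [])
                 if t.get("disabled") != "yes"]
    findings = []
    for addr in cfg.get("/ip address", []):
        net = ipaddress.ip_interface(addr["address"]).network
        covering = [t for t in templates
                    if any(n.version == net.version and net.subnet_of(n)
                           for n in template_networks(t))]
        if not covering:
            kind = "not-announced"
        elif any(t.get("type") != "ptp" and not t.get("passive") for t in covering):
            kind = "lan-not-passive"
        else:
            continue
        findings.append((str(net), addr["interface"], kind))
    return findings


if __name__ == "__main__":
    for finding in audit_ospf(SAMPLE_EXPORT):
        print(*finding)
```

A `not-announced` result is informational: in this thread the 172.17.0.0/30 IPTV link is kept out of OSPF on purpose.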
 
Yes, 172.17.0.1/30 is the IPTV one that goes without OSPF. The rest of the networks are in 172.16.0.0/24, if I haven't messed it up.

Later I'll go over the rest of the routers and apply the passive setting. Thanks!
 
Well, today I've been running tests. In B (with the configuration I posted above) I can access A without problems. However, today I put in the router that belonged in C and I have no access to either A or B.

Code:
# jun/12/2022 18:27:10 by RouterOS 7.2.3
# software id = 2PUP-W4I1
#
# model = RB760iGS
# serial number = XXX
/interface bridge
add admin-mac=B8:69:F4:D9:32:13 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] poe-out=forced-on
/interface wireguard
add listen-port=49859 mtu=1420 name=wg-rw
add listen-port=49854 mtu=1420 name=wg-sts-f
add listen-port=49853 mtu=1420 name=wg-sts-o
/interface vlan
add interface=ether1 name=vlan3-telefono vlan-id=3
add interface=ether1 name=vlan6-internet vlan-id=6
add interface=bridge name=vlan20-IoT vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6-internet name=internet \
    user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.199
add name=vpn-pool ranges=192.168.10.2-192.168.10.254
add name=pool-vlan20-IoT ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool-vlan20-IoT interface=vlan20-IoT name=\
    dhcp-server-vlan20-IoT
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.10.1 name=\
    vpn-profile remote-address=vpn-pool use-encryption=yes
/routing ospf instance
add disabled=no name=v2 router-id=0.0.0.3
/routing ospf area
add disabled=no instance=v2 name=backbone
/routing rip instance
add afi=ipv4 disabled=no name=rip
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=20
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes use-ipsec=\
    yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=wg-rw list=LAN
/interface wireguard peers
add allowed-address=172.16.0.6/32,192.168.77.0/24 endpoint-address=\
    o.MyDDNS.com endpoint-port=49853 interface=wg-sts-o \
    public-key="HZ15Sna+pNz0o+520TJQdmbPHKAhLF1Uxqk+CtFsC10="
add allowed-address=192.168.50.2/32 comment=XPS15 interface=wg-sts-o \
    public-key="JHJUYqG1Y5am2UmfzQqmBOlxx3BnYTwRVvbp2N3vEHM="
add allowed-address=172.16.0.9/32,192.168.88.0/24 endpoint-address=\
    f.MyDDNS.com endpoint-port=49854 interface=wg-sts-f \
    public-key="UP8sMmLN2ZlmnMfRSV9bcrrcT/v84h1KQ7wufZwqhWw="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.20.1/24 interface=vlan20-IoT network=192.168.20.0
add address=172.16.0.6/30 interface=wg-sts-o network=172.16.0.4
add address=192.168.50.1/24 interface=wg-rw network=192.168.50.0
add address=172.16.0.9/30 interface=wg-sts-f network=172.16.0.8
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
add add-default-route=no interface=vlan3-telefono use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.203 client-id=1:1c:1b:d:ee:61:ba comment=SERVIDOR \
    mac-address=1C:1B:0D:EE:61:BA server=defconf
add address=192.168.1.243 client-id=1:0:24:1d:13:7d:24 mac-address=\
    00:24:1D:13:7D:24 server=defconf
add address=192.168.1.197 client-id=1:44:d9:e7:a4:a5:7 comment=AP \
    mac-address=44:D9:E7:A4:A5:07 server=defconf
add address=192.168.1.244 client-id=1:54:a0:50:4f:c6:a1 mac-address=\
    54:A0:50:4F:C6:A1 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
add address=192.168.20.0/24 comment=vlan10 dns-server=1.1.1.1,1.0.0.1 \
    gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec" dst-port=4500,500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="voip: accept rip multicast traffic" \
    dst-address=224.0.0.9 dst-port=520 in-interface=vlan3-telefono protocol=\
    udp
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49853 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49854 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard-rw" dst-port=\
    49859 protocol=udp
add action=accept chain=input src-address=192.168.50.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=\
    vlan3-telefono
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="voip: masq voip" out-interface=\
    vlan3-telefono
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.10.0/24
/ip route
add disabled=no distance=111 dst-address=192.168.88.0/24 gateway=172.16.0.10 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn-a service=l2tp
/routing ospf interface-template
add area=backbone disabled=no networks=172.16.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.1.0/24 passive
/routing rip interface-template
add instance=rip interfaces=vlan3-telefono mode=passive
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=a
/system routerboard settings
set force-backup-booter=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

With how well the day had started... Everything can never work on the first try.
 
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn-a service=l2tp
/routing ospf interface-template
add area=backbone disabled=no networks=172.16.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.1.0/24 passive
/routing rip interface-template
add instance=rip interfaces=vlan3-telefono mode=passive
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=a
/system routerboard settings
set force-backup-booter=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

And the day had started so well... Nothing can ever work on the first try.
Why don't you put everything in a drawing, with the nodes interconnected and the IPs and subnets each one has? It's much easier to spot errors that way. Plan the network on paper first and, once you have it all crystal clear, go ahead and implement it.

Regards!
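The paper check suggested above (each node, its tunnel IPs and its subnets side by side) can also be run mechanically against a RouterOS export. The script below is an added example, not part of the thread or of any poster's configuration; the sample export, its addresses, host names and interface names are constructed, and it assumes that a WireGuard peer with an `endpoint-address` is a site-to-site peer.

```python
import ipaddress
import re
import shlex

# Constructed RouterOS export fragment (not taken from the thread).
SAMPLE_EXPORT = r"""
/interface wireguard peers
add allowed-address=10.255.0.2/32,192.168.20.0/24 endpoint-address=\
    x.example.net endpoint-port=51001 interface=wg-sts-x \
    public-key="<constructed-key-x>"
add allowed-address=10.255.0.6/32,192.168.30.0/24 endpoint-address=\
    y.example.net endpoint-port=51002 interface=wg-sts-y \
    public-key="<constructed-key-y>"
add allowed-address=10.255.0.9/32,192.168.40.0/24 endpoint-address=\
    z.example.net endpoint-port=51003 interface=wg-sts-z \
    public-key="<constructed-key-z>"
add allowed-address=10.254.0.2/32 endpoint-address=w.example.net \
    endpoint-port=51004 interface=wg-sts-w public-key="<constructed-key-w>"
add allowed-address=192.168.50.2/32 comment="road warrior" interface=wg-rw \
    public-key="<constructed-key-rw>"
/ip address
add address=10.255.0.1/30 interface=wg-sts-x network=10.255.0.0
add address=10.255.0.6/30 interface=wg-sts-y network=10.255.0.4
add address=10.254.0.1/30 interface=wg-sts-w network=10.254.0.0
add address=192.168.50.1/24 interface=wg-rw network=192.168.50.0
/routing ospf interface-template
add area=backbone disabled=no networks=10.255.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.10.0/24 passive
"""


def parse_export(text):
    """Return [(menu, {key: value})] for every 'add' line of an export."""
    # Exports wrap long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\n\s*", "", text)
    menu, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            props = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                props[key] = value  # bare flags such as 'passive' map to ""
            rows.append((menu, props))
    return rows


def audit_tunnels(export_text):
    """Cross-check site-to-site WireGuard peers against /ip address and OSPF."""
    rows = parse_export(export_text)
    local = {}
    for menu, p in rows:
        if menu == "/ip address":
            local.setdefault(p["interface"], []).append(
                ipaddress.ip_interface(p["address"]))
    # Networks on which OSPF actually forms adjacencies (non-passive templates).
    ospf_nets = [ipaddress.ip_network(n, strict=False)
                 for menu, p in rows
                 if menu == "/routing ospf interface-template"
                 and "passive" not in p
                 for n in p.get("networks", "").split(",") if n]
    findings = []
    for menu, p in rows:
        # Assumption: peers without an endpoint are road-warrior clients.
        if menu != "/interface wireguard peers" or "endpoint-address" not in p:
            continue
        ifname = p["interface"]
        addrs = local.get(ifname)
        if not addrs:
            findings.append((ifname, "no-local-address"))
            continue
        allowed = [ipaddress.ip_network(a, strict=False)
                   for a in p["allowed-address"].split(",")]
        peer_hosts = [n.network_address for n in allowed
                      if n.prefixlen == n.max_prefixlen]
        for a in addrs:
            if a.ip in peer_hosts:
                # The peer's tunnel IP was entered as our own address.
                findings.append((ifname, "peer-equals-local"))
            elif not any(h in a.network for h in peer_hosts):
                findings.append((ifname, "peer-outside-subnet"))
            if not any(a.network.subnet_of(n) for n in ospf_nets):
                findings.append((ifname, "tunnel-not-in-ospf"))
    return sorted(findings)


if __name__ == "__main__":
    for ifname, problem in audit_tunnels(SAMPLE_EXPORT):
        print(f"{ifname}: {problem}")
```
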
 
Here's everything.

Capture.PNG

Site A:

Code:
# jun/13/2022 09:53:18 by RouterOS 7.2.3
# software id = FCGY-6BV8
#
# model = RBD52G-5HacD2HnD
# serial number = XXXX
/interface bridge
add admin-mac=DC:2C:6E:61:52:4B auto-mac=no comment=defconf name=bridge
add igmp-snooping=yes name=bridge-iptv
/interface ethernet
set [ find default-name=ether2 ] comment=Salon
set [ find default-name=ether3 ] comment="Unifi AP"
set [ find default-name=ether4 ] comment=Despacho
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61524F wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-615250 wireless-protocol=802.11
/interface eoip
add local-address=172.17.10.1 mac-address=FE:E4:82:8A:C2:90 mtu=1500 name=\
    eoip-iptv remote-address=172.17.10.2 tunnel-id=0
/interface wireguard
add listen-port=49854 mtu=1420 name=wg-sts-a
add listen-port=54322 mtu=1420 name=wg-sts-iptv
add listen-port=49852 mtu=1420 name=wg-sts-o
add listen-port=49851 mtu=1420 name=wireguard-rw
/interface vlan
add interface=ether1 name=vlan6-internet vlan-id=6
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6-internet name=internet \
    user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.51.2-192.168.51.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.51.1 name=\
    vpn-profile remote-address=vpn-pool use-encryption=yes
/routing ospf instance
add disabled=no name=v2 router-id=0.0.0.1
/routing ospf area
add disabled=no instance=v2 name=backbone
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-iptv interface=eoip-iptv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes use-ipsec=\
    yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=ether1 list=WAN
add interface=wg-sts-o list=LAN
/interface wireguard peers
add allowed-address=192.168.50.2/32 comment="PeerRW - Iphone SP" interface=\
    wireguard-rw public-key="geEnSQZK6c0s0DBggA8Sn1XCoQPwVTLvTbeiapTRVyQ="
add allowed-address=192.168.50.3/32 comment="PeerRW - iPad SP" interface=\
    wireguard-rw public-key="ircJ7fOTVYrdoSSvBrgLa66ACbkGlTWL3B/DUFC+gVA="
add allowed-address=192.168.50.4/32 comment="PeerRW - XPS" interface=\
    wireguard-rw public-key="OGCf7chgKPx0GefVMtMULQfhyLtRGf02AJEOw41vVEA="
add allowed-address=192.168.50.5/32 comment="PeerRW - Iphone Raquel" \
    interface=wireguard-rw public-key=\
    "PuJ0YMwhYMnpNkwK9ZrUMJ0TR2GdYqxtWmcvT+xk5yk="
add allowed-address=172.16.0.2/32,192.168.77.0/24 endpoint-address=\
    o.MyDDNS endpoint-port=49852 interface=wg-sts-o \
    public-key="QA7Q0S0SvzE9lr78N7ilhaEJ+T5e2m+huYiWdtUKVWo="
add allowed-address=172.17.10.2/32 comment=bailen20-iptv interface=\
    wg-sts-iptv public-key="xnRWfqWe/1h9AwYABM5yaLOtYx8CcHxDAqhvDo2iyUA="
add allowed-address=172.16.0.10/32,192.168.1.0/24 endpoint-address=\
    a.MyDDNS endpoint-port=49854 interface=wg-sts-a \
    public-key="E9kYZxCC5b99OwDk1C5tagl/1AAyiWuIheR53Kgb1TI="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.50.1/24 interface=wireguard-rw network=192.168.50.0
add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
add address=172.17.10.1/30 interface=wg-sts-iptv network=172.17.10.0
add address=172.16.0.1/30 interface=wg-sts-o network=172.16.0.0
add address=172.16.0.10/30 interface=wg-sts-a network=172.16.0.8
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.200 client-id=1:0:e0:4c:78:fc:e7 comment=\
    "Raspberry Pi 0W2 eth0" mac-address=00:E0:4C:78:FC:E7 server=defconf
add address=192.168.88.201 client-id=1:e4:5f:1:75:96:89 comment=\
    "Raspberry Pi 0W2 wlan" mac-address=E4:5F:01:75:96:89 server=defconf
add address=192.168.88.202 client-id=1:ac:d5:64:83:96:2f comment=\
    "Brother Impresora" mac-address=AC:D5:64:83:96:2F server=defconf
add address=192.168.88.253 client-id=1:94:de:80:77:10:ab comment=unRAID \
    mac-address=94:DE:80:77:10:AB server=defconf
add address=192.168.88.210 client-id=1:d0:21:f9:67:62:a1 comment=\
    "Netgear GS308E Salon" mac-address=D0:21:F9:67:62:A1 server=defconf
add address=192.168.88.220 client-id=1:f8:b4:6a:1d:ae:f5 comment=XPS15 \
    mac-address=F8:B4:6A:1D:AE:F5 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    192.168.88.252,192.168.88.200 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=e5780fa48e02.sn.mynetname.net list=public-ip
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec" dst-port=4500,500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="vpn: allow wireguard-rw" dst-port=\
    49851 protocol=udp
add action=accept chain=input src-address=192.168.50.0/24
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49852 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard sts-iptv" \
    dst-port=54322 protocol=udp
add action=accept chain=input comment="iptv: allow gre for eoip" \
    in-interface=wg-sts-iptv protocol=gre
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49854 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin-nat dst-address=\
    192.168.88.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.51.0/24
add action=dst-nat chain=dstnat comment=Deluge dst-port=6881 in-interface=\
    internet protocol=tcp to-addresses=192.168.88.253 to-ports=6881
add action=dst-nat chain=dstnat comment=Transmission dst-port=51413 \
    in-interface=internet protocol=tcp to-addresses=192.168.88.253 to-ports=\
    51413
add action=dst-nat chain=dstnat comment="Transmission - mam" dst-port=51410 \
    in-interface=internet protocol=udp to-addresses=192.168.88.253 to-ports=\
    51410
add action=dst-nat chain=dstnat dst-port=51410 in-interface=internet \
    protocol=tcp to-addresses=192.168.88.253 to-ports=51410
add action=dst-nat chain=dstnat comment=SWAG dst-port=443 in-interface=\
    internet protocol=tcp to-addresses=192.168.88.253 to-ports=1443
add action=dst-nat chain=dstnat comment=hairpin-nextcloud dst-address-list=\
    public-ip dst-port=443 protocol=tcp to-addresses=192.168.88.253 to-ports=\
    1443
/ip route
add disabled=no dst-address=192.168.77.0/24 gateway=172.16.0.2 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn-f service=l2tp
/routing ospf interface-template
add area=backbone disabled=no networks=172.16.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.88.0/24,192.168.50.0/24 \
    passive
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=f
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Site B:

Code:
# jun/13/2022 09:50:07 by RouterOS 7.2.3
# software id = 7ZTN-XFC6
#
# model = RB750Gr3
# serial number = XXXX
/interface bridge
add admin-mac=DC:2C:6E:AC:91:EB auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
add igmp-snooping=yes name=bridge-iptv
/interface ethernet
set [ find default-name=ether2 ] comment="EoIP Movistar"
set [ find default-name=ether5 ] comment=ULR
/interface eoip
add local-address=172.17.0.1 mac-address=FE:49:F3:94:84:CE mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.2 tunnel-id=0
/interface wireguard
add listen-port=49853 mtu=1420 name=wg-sts-a
add listen-port=49852 mtu=1420 name=wg-sts-f
add listen-port=54321 mtu=1420 name=wg-sts-iptv
add listen-port=49851 mtu=1420 name=wireguard-rw
/interface vlan
add interface=ether1 name=vlan3-telefono vlan-id=3
add interface=ether1 name=vlan6-internet vlan-id=6
add interface=bridge name=vlan10-IoT vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6-internet name=internet \
    user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.77.10-192.168.77.199
add name=pool-vlan10-IoT ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool-vlan10-IoT interface=vlan10-IoT name=dhcp-server-vlan10
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=v2 router-id=0.0.0.2
/routing ospf area
add disabled=no instance=v2 name=backbone
/routing rip instance
add afi=ipv4 disabled=no name=rip
/interface bridge port
add bridge=bridge-iptv comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge-iptv interface=eoip-iptv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=wg-sts-f list=LAN
add interface=wg-sts-a list=LAN
/interface wireguard peers
add allowed-address=192.168.50.2/32 comment="PeerRW - XPS15" interface=\
    wireguard-rw public-key="RUtKdEGoH9oSI8wwFaY/vAVBpxcKLP1To1t3n0rg3XA="
add allowed-address=192.168.50.3/32 comment="PeerRW - iPhone SP" interface=\
    wireguard-rw public-key="wjHCAs0mQQTBrd/XoWiNvGGdkgvR0vibLoZaYaHKLGM="
add allowed-address=172.17.0.2/32 comment=bailen20-iptv interface=wg-sts-iptv \
    public-key="8RxSVG5CINOKRZNhpjxsA0ssdKbVJ1nCSzrqBMVWbmg="
add allowed-address=172.16.0.1/32,192.168.88.0/24 endpoint-address=\
    f.MyDDNS endpoint-port=49852 interface=wg-sts-f \
    public-key="cllaPYQPCaGs9usZEBOc8L15/OTRQISvP1mRRDEZ/hw="
add allowed-address=172.16.0.6/32,192.168.1.0/24 endpoint-address=\
    a.MyDDNS endpoint-port=49853 interface=wg-sts-a \
    public-key="5wOksT47XlpsXkNCCR87xByUcrbIzxYiXgHHzkezIgQ="
/ip address
add address=192.168.77.1/24 comment=defconf interface=bridge network=\
    192.168.77.0
add address=192.168.50.1/24 interface=wireguard-rw network=192.168.50.0
add address=172.17.0.1/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.16.0.2/30 interface=wg-sts-f network=172.16.0.0
add address=192.168.10.1/24 interface=vlan10-IoT network=192.168.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
add add-default-route=no interface=vlan3-telefono use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.77.210 client-id=1:0:80:92:b3:c0:14 comment=\
    Brother-2270DW mac-address=00:80:92:B3:C0:14 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=vlan10 dns-server=1.1.1.1,1.0.0.1 \
    gateway=192.168.10.1
add address=192.168.77.0/24 comment=defconf dns-server=\
    192.168.88.252,192.168.88.200 gateway=192.168.77.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="voip: accept rip multicast traffic" \
    dst-address=224.0.0.9 dst-port=520 in-interface=vlan3-telefono protocol=\
    udp
add action=accept chain=input comment="vpn: allow wireguard-rw" dst-port=\
    49851 protocol=udp
add action=accept chain=input src-address=192.168.50.0/24
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49852 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49853 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard sts-iptv" \
    dst-port=54321 protocol=udp
add action=accept chain=input comment="iptv: allow gre for eoip" \
    in-interface=wg-sts-iptv protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=\
    vlan3-telefono
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="voip: masq voip" out-interface=\
    vlan3-telefono
/ip route
add disabled=no dst-address=192.168.88.0/24 gateway=172.16.0.1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing ospf interface-template
add area=backbone disabled=no networks=172.16.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.77.0/24 passive
/routing rip interface-template
add instance=rip interfaces=vlan3-telefono mode=passive
/system clock
set time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Site C:

Code:
# jun/12/2022 18:27:10 by RouterOS 7.2.3
# software id = 2PUP-W4I1
#
# model = RB760iGS
# serial number = XXX
/interface bridge
add admin-mac=B8:69:F4:D9:32:13 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] poe-out=forced-on
/interface wireguard
add listen-port=49859 mtu=1420 name=wg-rw
add listen-port=49854 mtu=1420 name=wg-sts-f
add listen-port=49853 mtu=1420 name=wg-sts-o
/interface vlan
add interface=ether1 name=vlan3-telefono vlan-id=3
add interface=ether1 name=vlan6-internet vlan-id=6
add interface=bridge name=vlan20-IoT vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6-internet name=internet \
user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.199
add name=vpn-pool ranges=192.168.10.2-192.168.10.254
add name=pool-vlan20-IoT ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool-vlan20-IoT interface=vlan20-IoT name=\
dhcp-server-vlan20-IoT
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.10.1 name=\
vpn-profile remote-address=vpn-pool use-encryption=yes
/routing ospf instance
add disabled=no name=v2 router-id=0.0.0.3
/routing ospf area
add disabled=no instance=v2 name=backbone
/routing rip instance
add afi=ipv4 disabled=no name=rip
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=20
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes use-ipsec=\
yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=wg-rw list=LAN
/interface wireguard peers
add allowed-address=172.16.0.6/32,192.168.77.0/24 endpoint-address=\
o.MyDDNS.com endpoint-port=49853 interface=wg-sts-o \
public-key="HZ15Sna+pNz0o+520TJQdmbPHKAhLF1Uxqk+CtFsC10="
add allowed-address=192.168.50.2/32 comment=XPS15 interface=wg-sts-o \
public-key="JHJUYqG1Y5am2UmfzQqmBOlxx3BnYTwRVvbp2N3vEHM="
add allowed-address=172.16.0.9/32,192.168.88.0/24 endpoint-address=\
f.MyDDNS.com endpoint-port=49854 interface=wg-sts-f \
public-key="UP8sMmLN2ZlmnMfRSV9bcrrcT/v84h1KQ7wufZwqhWw="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=192.168.20.1/24 interface=vlan20-IoT network=192.168.20.0
add address=172.16.0.6/30 interface=wg-sts-o network=172.16.0.4
add address=192.168.50.1/24 interface=wg-rw network=192.168.50.0
add address=172.16.0.9/30 interface=wg-sts-f network=172.16.0.8
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
add add-default-route=no interface=vlan3-telefono use-peer-dns=no \
use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.203 client-id=1:1c:1b:d:ee:61:ba comment=SERVIDOR \
mac-address=1C:1B:0D:EE:61:BA server=defconf
add address=192.168.1.243 client-id=1:0:24:1d:13:7d:24 mac-address=\
00:24:1D:13:7D:24 server=defconf
add address=192.168.1.197 client-id=1:44:d9:e7:a4:a5:7 comment=AP \
mac-address=44:D9:E7:A4:A5:07 server=defconf
add address=192.168.1.244 client-id=1:54:a0:50:4f:c6:a1 mac-address=\
54:A0:50:4F:C6:A1 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
192.168.1.1
add address=192.168.20.0/24 comment=vlan10 dns-server=1.1.1.1,1.0.0.1 \
gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec" dst-port=4500,500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="voip: accept rip multicast traffic" \
dst-address=224.0.0.9 dst-port=520 in-interface=vlan3-telefono protocol=\
udp
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
49853 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
49854 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard-rw" dst-port=\
49859 protocol=udp
add action=accept chain=input src-address=192.168.50.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=\
vlan3-telefono
add action=set-priority chain=postrouting new-priority=1 out-interface=\
internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="voip: masq voip" out-interface=\
vlan3-telefono
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.10.0/24
/ip route
add disabled=no distance=111 dst-address=192.168.88.0/24 gateway=172.16.0.10 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=vpn-a service=l2tp
/routing ospf interface-template
add area=backbone disabled=no networks=172.16.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.1.0/24 passive
/routing rip interface-template
add instance=rip interfaces=vlan3-telefono mode=passive
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=a
/system routerboard settings
set force-backup-booter=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


More bonus points: the mAP at D for the IPTV

Code:
/interface bridge
add igmp-snooping=yes name=bridge-iptv
add admin-mac=DC:2C:6E:F0:B5:9E auto-mac=no name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface eoip
add local-address=172.17.0.2 mac-address=FE:55:FE:0B:A8:EE mtu=1500 name=\
eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.10.2 mac-address=FE:76:56:4A:0B:0C mtu=1500 name=\
eoip-iptv-f remote-address=172.17.10.1 tunnel-id=10
/interface wireguard
add listen-port=54321 mtu=1420 name=wg-sts-iptv
add listen-port=54322 mtu=1420 name=wg-sts-iptv-f
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-iptv interface=ether1
add bridge=bridge-iptv interface=eoip-iptv
add bridge=bridge-iptv interface=eoip-iptv-f
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=XXXX \
endpoint-port=54321 interface=wg-sts-iptv persistent-keepalive=25s \
public-key="XXXX="
add allowed-address=0.0.0.0/0 comment="Pending new public key" \
endpoint-address=XXXX endpoint-port=54322 interface=\
wg-sts-iptv-f persistent-keepalive=25s public-key=\
"XXXX="
/ip address
add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.17.10.2/30 interface=wg-sts-iptv-f network=172.17.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add interface=bridge-iptv
/ip dhcp-server network
add address=192.168.79.0/24 gateway=192.168.79.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=172.17.10.1 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/system clock
set time-zone-name=Europe/Madrid

Here is the situation:
- A-B access works in both directions.
- Access from RW-A to B works.
- C-A and C-B access does not work.
- The set-top boxes don't work either, although on A I periodically see a few bits of transfer that make me suspect the tunnel should be working.

I don't think I've left anything out. Regards!
 
For now let's focus on joining the three sites, and then we'll look at the other two tunnels for the IPTV, which involve nothing beyond what has already been explained.

Let's try to give the sites more descriptive names, so that the WireGuard interfaces are clear to us. I suggest three names that match the letters you have put next to the sites.

A) France
B) Oman
C) Argentina

To start with, I see you have the following WireGuard interfaces in France (A):
Code:
/interface wireguard
add listen-port=49854 mtu=1420 name=wg-sts-a
add listen-port=54322 mtu=1420 name=wg-sts-iptv
add listen-port=49852 mtu=1420 name=wg-sts-o
add listen-port=49851 mtu=1420 name=wireguard-rw

According to your drawing, "wg-sts-a" is in Oman (B), not in France (A). If you find it confusing, put the source and destination in the WireGuard interface names. That way, the WireGuard interface linking France with Oman would be "wg-sts-fo", while its counterpart in Oman on the other side would be "wg-sts-of".

According to your config, wg-sts-a has this as its addressing:
Code:
/ip address
add address=172.16.0.10/30 interface=wg-sts-a network=172.16.0.8
In other words, your drawing is wrong; it matches one that you have duplicated in your drawing, called wg-sts-f. That's why I say that, if you put the source and destination initials in the WireGuard interface names, you avoid having repeated interfaces with the same name. That being so, I would leave it like this:

Another screw-up is that you have the same subnet for the road warrior at every site. This is going to cause you problems, since you are going to publish that subnet as passive in OSPF but... which of the three? Below I've given you an example using consecutive subnets: .50 on one node, .51 on the next, .52 on the last (change them as you like).

Also remember that, for OSPF to propagate, the nodes need to exchange messages with each other. That is achieved by accepting that traffic in input on the firewalls, which is why we put the site-to-site interfaces in the LAN list (it's using a sledgehammer to crack a nut, but it's the simplest way to make it work automagically). If for whatever reason that doesn't suit you, create a new list called whatever you like, put the sts interfaces in it and, on each device's firewall, accept the traffic of type "ospf" arriving from that interface. Example:
Code:
/interface list
add name=OSPF
/interface list member
add list=OSPF interface=wg-sts-x

/ip firewall filter
add action=accept chain=input comment="routing: allow ospf from wg-sts interfaces" \
    in-interface-list=OSPF protocol=ospf place-before=[find comment="defconf: drop all not coming from LAN"]

I advise you to take a step back and first draw everything, and, as the last step, implement. I'm proposing a drawing, and if you want we can alter it or work from it.

Untitled Diagram.drawio-2.png

Once you have that, check the formation of neighbors in OSPF (Routing -> OSPF -> Neighbors); that is where you will see whether the protocol is working as it should. Each node must have two neighbors with the state at "Full" if everything is working. And in the LSA table you will see the three routers, with the 3 IDs you have chosen for each of them.

Regards!
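
An added example, not part of the post above and not any participant's configuration: a Python sketch that reads RouterOS `/export` text per site and reports the two problems the reply describes, a passive OSPF prefix announced by more than one site and tunnel interfaces whose OSPF packets the input chain would drop. The export fragments are constructed, and the list name `VPN`, the interface `wg-sts-af`, the tunnel addresses and all function names are assumptions.

```python
import ipaddress
import re
import shlex
from itertools import combinations


def parse_export(text):
    """Parse RouterOS /export text into {section: [{key: value}, ...]}."""
    text = re.sub(r"\\\n\s*", "", text)  # join lines split with a trailing "\"
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.partition(" ")[0] in ("add", "set"):
            entry = {}
            for tok in shlex.split(line)[1:]:
                key, sep, val = tok.partition("=")
                entry[key] = val if sep else True  # bare flag, e.g. "passive"
            current.append(entry)
    return sections


def template_networks(cfg, passive):
    """Prefixes of the enabled OSPF interface templates, passive or active."""
    return [ipaddress.ip_network(n)
            for t in cfg.get("/routing ospf interface-template", [])
            if (t.get("passive", "no") != "no") == passive and t.get("disabled") != "yes"
            for n in t["networks"].split(",")]


def overlapping_passive(sites):
    """(site_a, site_b, prefix_a, prefix_b) for passive prefixes two sites announce."""
    return [(a, b, str(na), str(nb))
            for (a, ca), (b, cb) in combinations(sorted(sites.items()), 2)
            for na in template_networks(ca, True)
            for nb in template_networks(cb, True)
            if na.overlaps(nb)]


def rule_matches_ospf(rule, iface, members):
    """True if a filter rule matches a new OSPF packet arriving on iface."""
    for key, val in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        negated, val = str(val).startswith("!"), str(val).lstrip("!")
        checks = {"protocol": val == "ospf",
                  "in-interface": val == iface,
                  "in-interface-list": iface in members.get(val, ()),
                  "connection-state": "new" in val.split(",")}
        if key not in checks or checks[key] == negated:
            return False  # unmodelled matchers are assumed not to match
    return True


def ospf_blocked_interfaces(cfg):
    """Interfaces under an active OSPF template whose OSPF input gets dropped."""
    members = {}
    for m in cfg.get("/interface list member", []):
        members.setdefault(m["list"], set()).add(m["interface"])
    active, blocked = template_networks(cfg, False), []
    for addr in cfg.get("/ip address", []):
        if not any(ipaddress.ip_interface(addr["address"]).ip in n for n in active):
            continue
        for rule in cfg.get("/ip firewall filter", []):
            if rule.get("chain") != "input" or rule.get("disabled") == "yes":
                continue
            if rule_matches_ospf(rule, addr["interface"], members):
                if rule["action"] == "drop":
                    blocked.append(addr["interface"])
                break  # the first matching rule decides
    return blocked


# Constructed export fragment (not a config from the thread), filled in per site.
TEMPLATE = """\
/interface list member
add interface=bridge list=LAN
add interface={iface} list={sts_list}
/ip address
add address={tunnel} interface={iface}
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
{ospf_rule}
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
/routing ospf interface-template
add area=backbone networks=172.16.0.0/24 type=ptp
add area=backbone networks={lan},{rw} passive
"""
OSPF_RULE = "add action=accept chain=input in-interface-list=OSPF protocol=ospf"
ROWS = [  # site, tunnel interface, its list, tunnel address, LAN, road-warrior subnet, extra rule
    ("france", "wg-sts-fo", "OSPF", "172.16.0.1/30", "192.168.88.0/24", "192.168.50.0/24", OSPF_RULE),
    ("oman", "wg-sts-of", "VPN", "172.16.0.2/30", "192.168.77.0/24", "192.168.50.0/24", ""),
    ("argentina", "wg-sts-af", "LAN", "172.16.0.6/30", "192.168.1.0/24", "192.168.52.0/24", ""),
]
SITES = {name: parse_export(TEMPLATE.format(iface=i, sts_list=l, tunnel=t, lan=n, rw=r, ospf_rule=o))
         for name, i, l, t, n, r, o in ROWS}
if __name__ == "__main__":
    print(overlapping_passive(SITES), {s: ospf_blocked_interfaces(c) for s, c in SITES.items()})
```

To run it against real routers, build `SITES` from `parse_export()` of each device's `/export` output. Rules that use matchers other than protocol, in-interface, in-interface-list and connection-state are treated as non-matching, so review those by hand.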
 
Hi Pokoyo,

Once again, a billion thanks for your help. You're a star!

I've been wrestling, without success, with what you told me. I've made the changes you suggested and gone over the /ip address entries so that they match your suggestion, but nothing. The connection over WireGuard still works, but nobody shows up in Neighbors. I don't know what else I could be doing wrong; I've checked everything 4 times...

Regards!

Site A: France
Code:
# jun/13/2022 23:18:30 by RouterOS 7.2.3
# software id = FCGY-6BV8
#
# model = RBD52G-5HacD2HnD
# serial number = XXXX
/interface bridge
add admin-mac=DC:2C:6E:61:52:4B auto-mac=no comment=defconf name=bridge
add igmp-snooping=yes name=bridge-iptv
/interface ethernet
set [ find default-name=ether2 ] comment=Salon
set [ find default-name=ether3 ] comment="Unifi AP"
set [ find default-name=ether4 ] comment=Despacho
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-61524F wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-615250 wireless-protocol=802.11
/interface eoip
add local-address=172.17.10.1 mac-address=FE:E4:82:8A:C2:90 mtu=1500 name=\
    eoip-iptv remote-address=172.17.10.2 tunnel-id=0
/interface wireguard
add listen-port=49854 mtu=1420 name=wg-sts-fa
add listen-port=49852 mtu=1420 name=wg-sts-fo
add listen-port=54322 mtu=1420 name=wg-sts-iptv
add listen-port=49851 mtu=1420 name=wireguard-rw
/interface vlan
add interface=ether1 name=vlan6-internet vlan-id=6
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6-internet name=internet \
    user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.51.2-192.168.51.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.51.1 name=\
    vpn-profile remote-address=vpn-pool use-encryption=yes
/routing ospf instance
add disabled=no name=v2 router-id=0.0.0.1
/routing ospf area
add disabled=no instance=v2 name=backbone
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-iptv interface=eoip-iptv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes use-ipsec=\
    yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=ether1 list=WAN
add interface=wg-sts-fo list=LAN
add interface=wg-sts-fa list=LAN
/interface wireguard peers
add allowed-address=192.168.50.2/32 comment="PeerRW - Iphone SP" interface=\
    wireguard-rw public-key="geEnSQZK6c0s0DBggA8Sn1XCoQPwVTLvTbeiapTRVyQ="
add allowed-address=192.168.50.3/32 comment="PeerRW - iPad SP" interface=\
    wireguard-rw public-key="ircJ7fOTVYrdoSSvBrgLa66ACbkGlTWL3B/DUFC+gVA="
add allowed-address=192.168.50.4/32 comment="PeerRW - XPS" interface=\
    wireguard-rw public-key="OGCf7chgKPx0GefVMtMULQfhyLtRGf02AJEOw41vVEA="
add allowed-address=192.168.50.5/32 comment="PeerRW - Iphone Raquel" \
    interface=wireguard-rw public-key=\
    "PuJ0YMwhYMnpNkwK9ZrUMJ0TR2GdYqxtWmcvT+xk5yk="
add allowed-address=172.16.0.2/32,192.168.77.0/24 endpoint-address=\
    o.MyDDNS.com endpoint-port=49852 interface=wg-sts-fo public-key=\
    "QA7Q0S0SvzE9lr78N7ilhaEJ+T5e2m+huYiWdtUKVWo="
add allowed-address=172.17.10.2/32 comment=bailen20-iptv interface=\
    wg-sts-iptv public-key="xnRWfqWe/1h9AwYABM5yaLOtYx8CcHxDAqhvDo2iyUA="
add allowed-address=172.16.0.10/32,192.168.1.0/24 endpoint-address=\
    a.MyDDNS.com endpoint-port=49854 interface=wg-sts-fa public-key=\
    "E9kYZxCC5b99OwDk1C5tagl/1AAyiWuIheR53Kgb1TI="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.50.1/24 interface=wireguard-rw network=192.168.50.0
add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
add address=172.17.10.1/30 interface=wg-sts-iptv network=172.17.10.0
add address=172.16.0.1/30 interface=wg-sts-fo network=172.16.0.0
add address=172.16.0.10/30 interface=wg-sts-fa network=172.16.0.8
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.200 client-id=1:0:e0:4c:78:fc:e7 comment=\
    "Raspberry Pi 0W2 eth0" mac-address=00:E0:4C:78:FC:E7 server=defconf
add address=192.168.88.201 client-id=1:e4:5f:1:75:96:89 comment=\
    "Raspberry Pi 0W2 wlan" mac-address=E4:5F:01:75:96:89 server=defconf
add address=192.168.88.202 client-id=1:ac:d5:64:83:96:2f comment=\
    "Brother Impresora" mac-address=AC:D5:64:83:96:2F server=defconf
add address=192.168.88.253 client-id=1:94:de:80:77:10:ab comment=unRAID \
    mac-address=94:DE:80:77:10:AB server=defconf
add address=192.168.88.210 client-id=1:d0:21:f9:67:62:a1 comment=\
    "Netgear GS308E Salon" mac-address=D0:21:F9:67:62:A1 server=defconf
add address=192.168.88.220 client-id=1:f8:b4:6a:1d:ae:f5 comment=XPS15 \
    mac-address=F8:B4:6A:1D:AE:F5 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    192.168.88.252,192.168.88.200 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=e5780fa48e02.sn.mynetname.net list=public-ip
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec" dst-port=4500,500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="vpn: allow wireguard-rw" dst-port=\
    49851 protocol=udp
add action=accept chain=input src-address=192.168.50.0/24
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49852 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard sts-iptv" \
    dst-port=54322 protocol=udp
add action=accept chain=input comment="iptv: allow gre for eoip" \
    in-interface=wg-sts-iptv protocol=gre
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49854 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin-nat dst-address=\
    192.168.88.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.51.0/24
add action=dst-nat chain=dstnat comment=Deluge dst-port=6881 in-interface=\
    internet protocol=tcp to-addresses=192.168.88.253 to-ports=6881
add action=dst-nat chain=dstnat comment=Transmission dst-port=51413 \
    in-interface=internet protocol=tcp to-addresses=192.168.88.253 to-ports=\
    51413
add action=dst-nat chain=dstnat comment="Transmission - mam" dst-port=51410 \
    in-interface=internet protocol=udp to-addresses=192.168.88.253 to-ports=\
    51410
add action=dst-nat chain=dstnat dst-port=51410 in-interface=internet \
    protocol=tcp to-addresses=192.168.88.253 to-ports=51410
add action=dst-nat chain=dstnat comment=SWAG dst-port=443 in-interface=\
    internet protocol=tcp to-addresses=192.168.88.253 to-ports=1443
add action=dst-nat chain=dstnat comment=hairpin-nextcloud dst-address-list=\
    public-ip dst-port=443 protocol=tcp to-addresses=192.168.88.253 to-ports=\
    1443
/ip route
add disabled=no dst-address=192.168.77.0/24 gateway=172.16.0.2 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn-ferraz service=l2tp
/routing ospf interface-template
add area=backbone disabled=no networks=172.16.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.88.0/24,192.168.50.0/24 \
    passive
/system clock
set time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Site B: Oman
Code:
# jun/13/2022 23:19:16 by RouterOS 7.2.3
# software id = 7ZTN-XFC6
#
# model = RB750Gr3
# serial number = XXXX
/interface bridge
add admin-mac=DC:2C:6E:AC:91:EB auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
add igmp-snooping=yes name=bridge-iptv
/interface ethernet
set [ find default-name=ether2 ] comment="EoIP Movistar"
set [ find default-name=ether5 ] comment=ULR
/interface eoip
add local-address=172.17.0.1 mac-address=FE:49:F3:94:84:CE mtu=1500 name=\
    eoip-iptv remote-address=172.17.0.2 tunnel-id=0
/interface wireguard
add listen-port=54321 mtu=1420 name=wg-sts-iptv
add listen-port=49853 mtu=1420 name=wg-sts-oa
add listen-port=49852 mtu=1420 name=wg-sts-of
add listen-port=49851 mtu=1420 name=wireguard-rw
/interface vlan
add interface=ether1 name=vlan3-telefono vlan-id=3
add interface=ether1 name=vlan6-internet vlan-id=6
add interface=bridge name=vlan10-IoT vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6-internet name=internet \
    user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.77.10-192.168.77.199
add name=pool-vlan10-IoT ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool-vlan10-IoT interface=vlan10-IoT name=dhcp-server-vlan10
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=v2 router-id=0.0.0.2
/routing ospf area
add disabled=no instance=v2 name=backbone
/routing rip instance
add afi=ipv4 disabled=no name=rip
/interface bridge port
add bridge=bridge-iptv comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge-iptv interface=eoip-iptv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=wg-sts-of list=LAN
add interface=wg-sts-oa list=LAN
/interface wireguard peers
add allowed-address=192.168.51.2/32 comment="PeerRW - XPS15" interface=\
    wireguard-rw public-key="RUtKdEGoH9oSI8wwFaY/vAVBpxcKLP1To1t3n0rg3XA="
add allowed-address=192.168.51.3/32 comment="PeerRW - iPhone SP" interface=\
    wireguard-rw public-key="wjHCAs0mQQTBrd/XoWiNvGGdkgvR0vibLoZaYaHKLGM="
add allowed-address=172.17.0.2/32 comment=bailen20-iptv interface=wg-sts-iptv \
    public-key="8RxSVG5CINOKRZNhpjxsA0ssdKbVJ1nCSzrqBMVWbmg="
add allowed-address=172.16.0.1/32,192.168.88.0/24 endpoint-address=\
    f.MyDDNS.com endpoint-port=49852 interface=wg-sts-of public-key=\
    "cllaPYQPCaGs9usZEBOc8L15/OTRQISvP1mRRDEZ/hw="
add allowed-address=172.16.0.6/32,192.168.1.0/24 endpoint-address=\
    a.MyDDNS.com endpoint-port=49853 interface=wg-sts-oa public-key=\
    "5wOksT47XlpsXkNCCR87xByUcrbIzxYiXgHHzkezIgQ="
/ip address
add address=192.168.77.1/24 comment=defconf interface=bridge network=\
    192.168.77.0
add address=192.168.51.1/24 interface=wireguard-rw network=192.168.51.0
add address=172.17.0.1/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.16.0.2/30 interface=wg-sts-of network=172.16.0.0
add address=192.168.10.1/24 interface=vlan10-IoT network=192.168.10.0
add address=172.16.0.5/30 interface=wg-sts-oa network=172.16.0.4
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
add add-default-route=no interface=vlan3-telefono use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.77.210 client-id=1:0:80:92:b3:c0:14 comment=\
    Brother-2270DW mac-address=00:80:92:B3:C0:14 server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=vlan10 dns-server=1.1.1.1,1.0.0.1 \
    gateway=192.168.10.1
add address=192.168.77.0/24 comment=defconf dns-server=\
    192.168.88.252,192.168.88.200 gateway=192.168.77.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="voip: accept rip multicast traffic" \
    dst-address=224.0.0.9 dst-port=520 in-interface=vlan3-telefono protocol=\
    udp
add action=accept chain=input comment="vpn: allow wireguard-rw" dst-port=\
    49851 protocol=udp
add action=accept chain=input src-address=192.168.51.0/24
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49852 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49853 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard sts-iptv" \
    dst-port=54321 protocol=udp
add action=accept chain=input comment="iptv: allow gre for eoip" \
    in-interface=wg-sts-iptv protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=\
    vlan3-telefono
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="voip: masq voip" out-interface=\
    vlan3-telefono
/ip route
add disabled=no dst-address=192.168.88.0/24 gateway=172.16.0.1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing ospf interface-template
add area=backbone disabled=no networks=172.16.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.77.0/24,192.168.51.0/24 \
    passive
/routing rip interface-template
add instance=rip interfaces=vlan3-telefono mode=passive
/system clock
set time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Site C:
Code:
# jun/12/2022 17:56:47 by RouterOS 7.2.3
# software id = 2PUP-W4I1
#
# model = RB760iGS
# serial number = XXXX
/interface bridge
add admin-mac=B8:69:F4:D9:32:13 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] poe-out=forced-on
/interface wireguard
add listen-port=49859 mtu=1420 name=wg-rw
add listen-port=49854 mtu=1420 name=wg-sts-af
add listen-port=49853 mtu=1420 name=wg-sts-ao
/interface vlan
add interface=ether1 name=vlan3-telefono vlan-id=3
add interface=ether1 name=vlan6-internet vlan-id=6
add interface=bridge name=vlan20-IoT vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan6-internet name=internet \
    user=adslppp@telefonicanetpa
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.199
add name=vpn-pool ranges=192.168.10.2-192.168.10.254
add name=pool-vlan20-IoT ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool-vlan20-IoT interface=vlan20-IoT name=\
    dhcp-server-vlan20-IoT
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.10.1 name=\
    vpn-profile remote-address=vpn-pool use-encryption=yes
/routing ospf instance
add disabled=no name=v2 router-id=0.0.0.3
/routing ospf area
add disabled=no instance=v2 name=backbone
/routing rip instance
add afi=ipv4 disabled=no name=rip
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=20
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes use-ipsec=\
    yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=wg-rw list=LAN
add interface=wg-sts-ao list=LAN
add interface=wg-sts-af list=LAN
/interface wireguard peers
add allowed-address=172.16.0.6/32,192.168.77.0/24 endpoint-address=\
    o.MyDDNS.com endpoint-port=49853 interface=wg-sts-ao public-key=\
    "HZ15Sna+pNz0o+520TJQdmbPHKAhLF1Uxqk+CtFsC10="
add allowed-address=192.168.52.2/32 comment=XPS15 interface=wg-sts-ao \
    public-key="JHJUYqG1Y5am2UmfzQqmBOlxx3BnYTwRVvbp2N3vEHM="
add allowed-address=172.16.0.9/32,192.168.88.0/24 endpoint-address=\
    f.MyDDNS.com endpoint-port=49854 interface=wg-sts-af public-key=\
    "UP8sMmLN2ZlmnMfRSV9bcrrcT/v84h1KQ7wufZwqhWw="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.20.1/24 interface=vlan20-IoT network=192.168.20.0
add address=172.16.0.6/30 interface=wg-sts-ao network=172.16.0.4
add address=192.168.52.1/24 interface=wg-rw network=192.168.52.0
add address=172.16.0.9/30 interface=wg-sts-af network=172.16.0.8
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
add add-default-route=no interface=vlan3-telefono use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.203 client-id=1:1c:1b:d:ee:61:ba comment=SERVIDOR \
    mac-address=1C:1B:0D:EE:61:BA server=defconf
add address=192.168.1.243 client-id=1:0:24:1d:13:7d:24 mac-address=\
    00:24:1D:13:7D:24 server=defconf
add address=192.168.1.197 client-id=1:44:d9:e7:a4:a5:7 comment=AP \
    mac-address=44:D9:E7:A4:A5:07 server=defconf
add address=192.168.1.244 client-id=1:54:a0:50:4f:c6:a1 mac-address=\
    54:A0:50:4F:C6:A1 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
add address=192.168.20.0/24 comment=vlan10 dns-server=1.1.1.1,1.0.0.1 \
    gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec" dst-port=4500,500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="voip: accept rip multicast traffic" \
    dst-address=224.0.0.9 dst-port=520 in-interface=vlan3-telefono protocol=\
    udp
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49853 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard-sts" dst-port=\
    49854 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard-rw" dst-port=\
    49859 protocol=udp
add action=accept chain=input src-address=192.168.52.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=\
    vlan3-telefono
# internet not ready
add action=set-priority chain=postrouting new-priority=1 out-interface=\
    internet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="voip: masq voip" out-interface=\
    vlan3-telefono
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.10.0/24
/ip route
add disabled=no distance=111 dst-address=192.168.88.0/24 gateway=172.16.0.10 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn-a service=l2tp
/routing ospf interface-template
add area=backbone disabled=no networks=172.16.0.0/24 type=ptp
add area=backbone disabled=no networks=192.168.1.0/24,192.168.52.0/24 passive
/routing rip interface-template
add instance=rip interfaces=vlan3-telefono mode=passive
/system identity
set name=a
/system routerboard settings
set force-backup-booter=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Your peers are wrong. For OSPF to propagate, you need to add to each sts-type peer, in the allowed address, the multicast addresses that the protocol uses as the origin of the messages to exchange routes: 224.0.0.5 and 224.0.0.6

Or, if you want to simplify it, on the sts-type links where OSPF is going to run, declare an allowed-address=0.0.0.0/0, and that way you avoid adding new subnets when, for example, you publish a new subnet on any OSPF node (otherwise you will have to remember to go and manually add subnets to the allowed address of all the adjacent nodes).

Regards!
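A check for the peer problem described in this reply, as an added example that is not part of the thread: it reads the `/interface wireguard peers` section of a RouterOS export and reports, for each peer on an OSPF interface, which of the two multicast groups its allowed-address does not cover and whether it is set to 0.0.0.0/0. The export text, host names and key placeholders are constructed, and `audit_peers` with its `ospf_ifaces` parameter are hypothetical names.

```python
import ipaddress
import re

# Constructed sample in the style of the exports in this thread
# (host names and keys are placeholders, not values from the page).
EXPORT = r'''
/interface wireguard peers
add allowed-address=172.16.0.6/32,192.168.77.0/24 endpoint-address=\
    o.example.net endpoint-port=49853 interface=wg-sts-ao public-key=\
    "PLACEHOLDER-KEY-1"
add allowed-address=192.168.52.2/32 comment=laptop interface=wg-rw \
    public-key="PLACEHOLDER-KEY-2"
add allowed-address=0.0.0.0/0 endpoint-address=f.example.net \
    endpoint-port=49854 interface=wg-sts-af public-key="PLACEHOLDER-KEY-3"
/ip address
add address=172.16.0.6/30 interface=wg-sts-ao network=172.16.0.4
'''

# OSPF multicast groups named in the reply.
OSPF_GROUPS = [ipaddress.ip_address("224.0.0.5"), ipaddress.ip_address("224.0.0.6")]

def audit_peers(export, ospf_ifaces):
    """Return one finding per WireGuard peer on an interface that runs OSPF."""
    findings, section = [], ""
    # RouterOS exports wrap long lines with a trailing backslash; rejoin them.
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        if section != "/interface wireguard peers" or not line.startswith("add "):
            continue
        kv = {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}
        if kv.get("interface") not in ospf_ifaces:
            continue
        nets = [ipaddress.ip_network(a, strict=False)
                for a in kv.get("allowed-address", "").split(",") if a]
        findings.append({
            "interface": kv["interface"],
            # Groups not covered: OSPF packets to them never reach this peer.
            "missing_multicast": [str(g) for g in OSPF_GROUPS
                                  if not any(g in n for n in nets)],
            # 0.0.0.0/0 also accepts any source address from this peer,
            # so filtering of that traffic is left to the firewall.
            "any_source": any(n.prefixlen == 0 for n in nets),
        })
    return findings

if __name__ == "__main__":
    for f in audit_peers(EXPORT, {"wg-sts-ao", "wg-sts-af"}):
        print(f)
```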
 
Perfect!! It looks like it works for me now. At least on the 2 peers I have connected, I already have the neighbors.

Now I could do what you mention about assigning distance 111 to the static route I had defined before, which, if I'm not mistaken, is this one (in France):

Code:
/ip route
add disabled=no dst-address=192.168.77.0/24 gateway=172.16.0.2 routing-table=\
    main suppress-hw-offload=no

The IPTV topic, shall we discuss it here or should I go to the other thread?

Regards!
 
That's right, if you want a backup route, edit the one you have and give it a distance greater than 110, which is what the ones OSPF creates have.

Better move the IPTV matter to another thread, so we don't clutter this one much more.

Regards!
 
Hi, a bit of help please: would this scheme be set up correctly to join 4 routers with OSPF? Thanks for the great work.

Code:
# router A
/ip address
add address=172.16.0.1/30 interface=wg-sts-b network=172.16.0.0
add address=172.16.0.10/30 interface=wg-sts-c network=172.16.0.8
add address=172.16.0.13/30 interface=wg-sts-d network=172.16.0.12

# router B
/ip address
add address=172.16.0.2/30 interface=wg-sts-a network=172.16.0.0
add address=172.16.0.5/30 interface=wg-sts-c network=172.16.0.4
add address=172.16.0.14/30 interface=wg-sts-d network=172.16.0.12

# router C
/ip address
add address=172.16.0.6/30 interface=wg-sts-a network=172.16.0.4
add address=172.16.0.9/30 interface=wg-sts-b network=172.16.0.8
add address=172.16.0.17/30 interface=wg-sts-d network=172.16.0.16

# router D
/ip address
add address=172.16.0.18/30 interface=wg-sts-a network=172.16.0.16
add address=172.16.0.21/30 interface=wg-sts-b network=172.16.0.20
add address=172.16.0.22/30 interface=wg-sts-c network=172.16.0.20
 
If the subnets are done right (you can check it with this: http://www.network-calculator.com) and you then summarize the OSPF with 172.16.0.0/24, I'd say yes, it looks good.

Regards!
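The subnet check suggested in this reply, done in code as an added example that is not part of the thread: for every point-to-point link it verifies that both ends sit in the same /30, that no /30 is claimed by two different links, and that every link subnet falls inside the 172.16.0.0/24 summary. It assumes that interface wg-sts-x on router R is R's link to router x and takes D's wg-sts-c address as 172.16.0.22/30; `check_plan` is a hypothetical name.

```python
import ipaddress
from collections import defaultdict

# Addressing plan copied from the question above. Assumptions: wg-sts-x on
# router R is R's tunnel to router x; D's wg-sts-c address is 172.16.0.22/30.
PLAN = {
    "a": {"b": "172.16.0.1/30", "c": "172.16.0.10/30", "d": "172.16.0.13/30"},
    "b": {"a": "172.16.0.2/30", "c": "172.16.0.5/30", "d": "172.16.0.14/30"},
    "c": {"a": "172.16.0.6/30", "b": "172.16.0.9/30", "d": "172.16.0.17/30"},
    "d": {"a": "172.16.0.18/30", "b": "172.16.0.21/30", "c": "172.16.0.22/30"},
}
SUMMARY = ipaddress.ip_network("172.16.0.0/24")  # range summarized in OSPF

def check_plan(plan, summary=SUMMARY):
    """Return (links whose ends disagree, /30s used by >1 link, /30s outside summary)."""
    mismatched = []
    users = defaultdict(set)  # /30 network -> links that claim it
    for router, links in plan.items():
        for peer, addr in links.items():
            mine = ipaddress.ip_interface(addr)
            users[str(mine.network)].add("-".join(sorted((router, peer))))
            if router < peer:  # examine each link once, from its first end
                theirs = ipaddress.ip_interface(plan[peer][router])
                # Both ends must share the /30 and use different host addresses.
                if mine.network != theirs.network or mine.ip == theirs.ip:
                    mismatched.append(f"{router}-{peer}")
    shared = {net: sorted(l) for net, l in users.items() if len(l) > 1}
    outside = sorted(net for net in users
                     if not ipaddress.ip_network(net).subnet_of(summary))
    return sorted(mismatched), shared, outside

if __name__ == "__main__":
    mismatched, shared, outside = check_plan(PLAN)
    print("links with ends in different /30s:", mismatched)
    for net, links in sorted(shared.items()):
        print(f"{net} claimed by more than one link: {links}")
    print("subnets outside the summary:", outside)
```

Under the naming assumption, only the a-b link has both ends in the same /30; a different interface-to-peer mapping would change which links are reported.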
 