###### ROAMING ROUTER ######
/interface bridge
add admin-mac=C4:AD:34:FA:0B:F5 auto-mac=no name=bridge-home
add admin-mac=C4:AD:34:FA:0B:F6 auto-mac=no name=bridge-local
/interface eoip
add local-address=192.168.78.3 mac-address=02:C0:AE:EC:AE:BF mtu=1500 name=\
tunnel-home remote-address=192.168.78.1 tunnel-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ike2-template-group
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name=ike2-profile
/ip ipsec peer
add address=serialHQ.sn.mynetname.net exchange-mode=ike2 name=ike2-hq-peer \
profile=ike2-profile
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a\
es-128-gcm" lifetime=8h name=ike2-proposal pfs-group=none
/ip pool
add name=dhcp-local ranges=192.168.76.2-192.168.76.254
/ip dhcp-server
add address-pool=dhcp-local disabled=no interface=bridge-local name=\
dhcp-local
/interface bridge port
add bridge=bridge-home interface=ether2
add bridge=bridge-home interface=tunnel-home
add bridge=bridge-local interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=bridge-home list=LAN
add interface=bridge-local list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.76.1/24 interface=bridge-local network=192.168.76.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.76.0/24 gateway=192.168.76.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2
/ip dns static
add address=192.168.76.1 comment=defconf name=roaming.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="allow vpn encrypted traffic" ipsec-policy=\
in,ipsec src-address=192.168.78.0/24
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
/ip ipsec identity
add auth-method=digital-signature certificate=vpn-client-roaming \
generate-policy=port-strict mode-config=request-only peer=ike2-hq-peer \
policy-template-group=ike2-template-group
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ike2-template-group proposal=ike2-proposal \
src-address=192.168.78.0/24 template=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=hap-roaming
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN