Alright, I am now starting from the basic MikroTik configuration, and as we discussed my rules are at the very bottom and I have no VPN or WireGuard access to the network.
In what order should they go so that I can get it working? I think, as we discussed, that is where it is failing for me.
Thank you very much.
Correction: thanks to pokoyo's WireGuard configuration I have managed to access the VPN and my network, and by moving the L2TP/IPsec rules I have also got that working. Would it be fine in the order I left it, so as to leave everything more or less a bit secure and not start from an empty firewall?
You will see that I disabled my fasttrack since it is already enabled by the defconf. Where should the disabled NO-PING and NO-WAN rules go in order to work correctly?
I notice the default fasttrack comes with connection-state established, related and untracked; my configuration was the same but only with state established and related, without untracked. Is it advisable to uncheck it, or do I keep the defconf?
If you see that I am failing somewhere else, please point it out to me. You will see that I also attach the NAT so you can check whether I have it right; I have a NAT loop so that the home automation works.
Thank you very much for everything, and sorry for the trouble.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=L2TP-IPSEC protocol=ipsec-esp
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard-rw" dst-port=\
13231 protocol=udp
add action=drop chain=input comment=NO-PING in-interface-list=WAN protocol=\
icmp
add action=drop chain=input comment=NO-WAN dst-port=8291 in-interface-list=\
WAN protocol=tcp
add action=drop chain=input dst-port=8888 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=LOCAL-ONLY disabled=yes src-address=\
192.168.1.54
add action=drop chain=forward disabled=yes src-address=192.168.1.29
add action=fasttrack-connection chain=forward comment=FASTTRACK \
connection-state=established,related disabled=yes hw-offload=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=NAT disabled=yes \
out-interface-list=WAN
add action=masquerade chain=srcnat comment=HAIRPIN disabled=yes dst-address=\
192.168.1.30 dst-port=8123 out-interface-list=LAN protocol=tcp \
src-address=192.168.1.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.1.0/24 \
dst-port=8123 protocol=tcp to-addresses=192.168.1.30
add action=masquerade chain=srcnat comment=NATLOOP dst-address=192.168.1.0/24 \
src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-port=8123 in-interface-list=LAN protocol=\
tcp to-addresses=192.168.1.30 to-ports=8123
add action=dst-nat chain=dstnat comment=FORWARD dst-port=8123 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.1.30 to-ports=\
8123
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.1.30 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.1.30 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=1701 in-interface-list=\
WAN protocol=udp to-addresses=192.168.1.1 to-ports=1701
add action=dst-nat chain=dstnat disabled=yes dst-port=500 in-interface-list=\
WAN protocol=udp to-addresses=192.168.1.1 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-port=4500 in-interface-list=\
WAN protocol=udp to-addresses=192.168.1.1 to-ports=4500
add action=dst-nat chain=dstnat disabled=yes dst-port=8022 in-interface-list=\
WAN protocol=tcp to-addresses=192.168.1.10 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-port=13231 \
in-interface-list=WAN protocol=udp to-addresses=192.168.1.1 to-ports=\
13231
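Added example (not from the post, nor MikroTik's own code): a small first-match simulator over a constructed subset of the input-chain rules quoted above, showing why the position of a rule such as NO-PING decides whether it ever fires. It assumes a packet sits on an interface belonging to exactly one interface list and ignores any matcher it does not model.

```python
import shlex

# Constructed subset of the post's input chain, in the order it was posted.
RULES_TXT = """\
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
add action=drop chain=input comment=NO-PING in-interface-list=WAN protocol=icmp
add action=drop chain=input comment=NO-WAN dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
"""

def parse_rules(text):
    """Turn 'add key=value ...' export lines into dicts; shlex keeps quoted comments whole."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.splitlines() if line.startswith("add ")]

def matches(rule, pkt):
    """Every matcher on the rule must agree with the packet; '!x' negates, lists are comma-joined.
    Assumption: a packet belongs to exactly one interface list (pkt['in-interface-list'])."""
    if rule.get("disabled") == "yes":
        return False
    for key, want in rule.items():
        if key in ("action", "chain", "comment", "disabled"):
            continue
        have = str(pkt.get(key, ""))
        if want.startswith("!"):
            if have == want[1:]:
                return False
        elif have not in want.split(","):
            return False
    return True

def first_match(rules, pkt):
    """RouterOS walks the chain top-down: the first matching rule decides the packet."""
    for rule in rules:
        if rule.get("chain") == pkt["chain"] and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain (implicit accept)"

def move_before(rules, comment, before_comment):
    """Return a copy of the chain with rule `comment` placed directly above `before_comment`."""
    rest = [r for r in rules if r.get("comment") != comment]
    mover = next(r for r in rules if r.get("comment") == comment)
    idx = next(i for i, r in enumerate(rest) if r.get("comment") == before_comment)
    return rest[:idx] + [mover] + rest[idx:]

RULES = parse_rules(RULES_TXT)
PING_FROM_WAN = {"chain": "input", "protocol": "icmp", "connection-state": "new",
                 "in-interface-list": "WAN"}

if __name__ == "__main__":
    print(first_match(RULES, PING_FROM_WAN))  # "accept ICMP" wins; NO-PING below it never runs
    print(first_match(move_before(RULES, "NO-PING", "accept ICMP"), PING_FROM_WAN))  # now drop
```

In the posted order an echo request from WAN is accepted by "defconf: accept ICMP" before NO-PING is ever consulted, while NO-WAN and the WireGuard rule do take effect because nothing above them accepts or drops that traffic first.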