Buenas tardes,
Se remite el export a ver si hay algo que merme la velocidad de las VPN.
# --- Interfaces ---
# VPN server interfaces: three PPP-based servers (PPTP, OVPN, L2TP), each bound
# to one static user (matching /ppp secret entries appear further down), plus a
# WireGuard interface on UDP 5175. Per-protocol settings live in the
# "/interface ... server" sections later in the export.
/interface pptp-server
add name=VPN-PPTP user=Sito-PPTP
/interface bridge
# Single LAN bridge. protocol-mode=none turns (R)STP off on it. arp=proxy-arp is
# presumably there so PPP clients attached via bridge=BRIDGE (see /ppp profile)
# are reachable as LAN hosts -- confirm.
add arp=proxy-arp name=BRIDGE protocol-mode=none
/interface ethernet
# sfp1 is the ISP uplink; the untagged port is renamed WAN(SFP) and the actual
# WAN (VLAN 1074) is created on top of it in /interface vlan below. The advertise
# list also offers 10M/100M half-duplex modes, which is unusual for an uplink.
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
"ETHER00.-.WAN(SFP)"
set [ find default-name=ether1 ] name=ETHER01.-.NAS
set [ find default-name=ether2 ] name=ETHER02.-.TV
set [ find default-name=ether3 ] name=ETHER03.-.ODROID
set [ find default-name=ether4 ] name=ETHER04.-.SOFA
# ether5 advertises gigabit only: a link partner that cannot negotiate 1000M
# will not come up on this port.
set [ find default-name=ether5 ] advertise=1000M-half,1000M-full name=\
ETHER05.-.TABLE&SERVER
/interface ovpn-server
add name=VPN-OVPN user=Sito-OVPN
/interface l2tp-server
add name=VPN-L2TP user=Sito-L2TP
# WireGuard listens on UDP 5175 (the input-chain rule for 5175 in
# /ip firewall filter is disabled). mtu=1420 is the RouterOS WireGuard default.
/interface wireguard
add listen-port=5175 mtu=1420 name=VPN-WIREGUARD
# ISP VLAN 1074 (data + VoIP per the name) on the SFP uplink. This VLAN, not the
# physical port, is what joins the WAN interface list and runs the DHCP client.
/interface vlan
add interface="ETHER00.-.WAN(SFP)" mtu=1498 name=\
VLAN.-.JAZZTEL_1074_DATA&VOIP vlan-id=1074
/interface ethernet switch
# Port mirroring: every frame on the ODROID port is copied to the SOFA port.
# NOTE(review): the device on ether4 therefore sees all ODROID traffic and the
# switch carries it twice; confirm this is still wanted (e.g. a capture/IDS host).
set 0 mirror-source=ETHER03.-.ODROID mirror-target=ETHER04.-.SOFA
/interface ethernet switch port
# default-vlan-id=0 on every switch port: no port-based VLAN assignment is done
# in the switch chip; the only VLAN handling here is the software VLAN above.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
/interface list
# LAN and WAN lists drive the firewall; membership is assigned in
# /interface list member further down.
add name=LAN
add name=WAN
# --- IPsec crypto parameters ---
/ip ipsec profile
# NOTE(review): the default profile (presumably what L2TP's built-in IPsec uses)
# and Profile-IPSEC negotiate 3DES with DH group modp1024 (1024-bit), both long
# deprecated. 3DES is also typically not hardware-accelerated, so it is a
# plausible contributor to slow L2TP/IPsec -- check this board's accelerated
# algorithm list. Profile-IKEv2 below (aes-256 / sha256 / modp2048) is the
# stronger template to align the others with.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des
# dpd-maximum-failures=1 tears the SA down after a single missed DPD reply.
# Profile-IPSEC is not referenced by any peer in this export.
add dh-group=modp1024 dpd-maximum-failures=1 enc-algorithm=3des lifetime=30m \
name=Profile-IPSEC
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
Profile-IKEv2
/ip ipsec peer
# Responder-only IKEv2 peer for road-warrior clients (passive=yes); its identity
# and mode-config are in /ip ipsec identity and /ip ipsec mode-config below.
add exchange-mode=ike2 name=Sito-IKEv2 passive=yes profile=Profile-IKEv2 \
send-initial-contact=no
/ip ipsec proposal
# Phase-2 proposals. The default and L2TP proposals again use 3DES.
# Proposal-L2TP's lifetime=5m forces a rekey every five minutes, which adds CPU
# work and can cause short stalls on the L2TP tunnel -- confirm this is intended.
set [ find default=yes ] enc-algorithms=3des lifetime=50m
add enc-algorithms=3des lifetime=5m name=Proposal-L2TP
# "Proporsal-IKEv2" is misspelled but referenced with the same spelling in
# /ip ipsec policy, so renaming it requires changing both places.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=\
Proporsal-IKEv2 pfs-group=modp2048
# --- Address pools and PPP / IKEv2 client profiles ---
/ip pool
# All pools except DHCP2 are carved out of the 10.0.0.0/24 bridge subnet, so
# bridged VPN clients get LAN addresses. DHCP2 (10.0.1.x) is not referenced
# anywhere in this export.
add name=DHCP1 ranges=10.0.0.40-10.0.0.190
# Nine addresses shared by L2TP and PPTP (remote-address) and IKEv2 mode-config.
add name=DHCP3.-.VPN ranges=10.0.0.191-10.0.0.199
add name=DHCP2 ranges=10.0.1.40-10.0.1.254
add name=DHCP4.-.OPENVPN ranges=10.0.0.200-10.0.0.254
/ip dhcp-server
# The lease-script body is entirely commented out (every line starts with '#'),
# so it currently does nothing; it was a connect/disconnect logger.
add address-pool=DHCP1 always-broadcast=yes authoritative=after-2sec-delay \
interface=BRIDGE lease-script="#:if (\$leaseBound = \"1\") do={\r\
\n# :log info \"\$leaseActMAC se acaba de conectar\"\r\
\n#} else={\r\
\n# :log info \"\$leaseActMAC se acaba de desconectar\"\r\
\n#}" lease-time=1d name=DHCP1
/ip ipsec mode-config
# IKEv2 clients get an address from DHCP3.-.VPN and a split-tunnel route for
# 10.0.0.0/24 only (their internet traffic stays outside the tunnel).
add address-pool=DHCP3.-.VPN name=Mode-IKEv2 split-include=10.0.0.0/24
/ppp profile
# L2TP: clients are bridged onto BRIDGE and use the router (10.0.0.1) for DNS.
# NOTE(review): use-compression=yes (and use-mpls=yes) spend CPU on traffic that
# is mostly already compressed or encrypted; turning them off is a cheap test
# when chasing VPN throughput. only-one=yes allows one session per user.
add bridge=BRIDGE change-tcp-mss=yes dns-server=10.0.0.1 local-address=DHCP1 \
name=Profile-L2TP only-one=yes remote-address=DHCP3.-.VPN \
use-compression=yes use-encryption=yes use-mpls=yes
# PPTP: use-encryption=required enforces MPPE on the session.
add bridge=BRIDGE change-tcp-mss=yes dns-server=10.0.0.1 local-address=DHCP1 \
name=Profile-PPTP only-one=yes remote-address=DHCP3.-.VPN use-encryption=\
required use-ipv6=default
# OpenVPN: its own pool (DHCP4), no only-one limit.
add bridge=BRIDGE change-tcp-mss=yes dns-server=10.0.0.1 local-address=DHCP1 \
name=Profile-OVPN remote-address=DHCP4.-.OPENVPN use-ipv6=default
# --- Routing, SNMP, e-mail log target, bridge membership, discovery ---
/routing ospf instance
add name=default-v2
/routing ospf area
# OSPF is effectively off: the only area is disabled.
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
# NOTE(review): the built-in default community answers queries from any source
# address (0.0.0.0/0). It is shielded from the internet only by the input-chain
# "DEFCONF: DROP <> LAN" rule; restrict addresses= to the monitoring host or the
# LAN subnet (whether /snmp is enabled at all is not in this export).
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
# E-mail log target. The /system logging rule that uses it is disabled below and
# the SMTP settings (/tool e-mail) are not part of this export. The line break
# after "email-to=" looks like a continuation backslash lost in the paste.
add email-to=
juhn.hoo@gmail.com name=email target=email
/interface bridge port
# NOTE(review): auto-isolate is an (R)STP feature; with protocol-mode=none on
# BRIDGE it most likely has no effect -- confirm.
add auto-isolate=yes bridge=BRIDGE ingress-filtering=no interface=\
ETHER02.-.TV
add auto-isolate=yes bridge=BRIDGE ingress-filtering=no interface=\
ETHER03.-.ODROID
add auto-isolate=yes bridge=BRIDGE ingress-filtering=no interface=\
ETHER04.-.SOFA
add auto-isolate=yes bridge=BRIDGE ingress-filtering=no interface=\
ETHER05.-.TABLE&SERVER
# NOTE(review): the physical WAN SFP port itself is a member of the LAN bridge,
# while the WAN list holds only its VLAN 1074 child. Untagged frames from the
# ISP side are therefore bridged straight into the LAN -- presumably to reach the
# ONT at its 192.168.1.x default address (that /ip address entry is disabled).
# If that is no longer needed, removing this port from the bridge closes an
# unfiltered layer-2 path from the uplink.
add auto-isolate=yes bridge=BRIDGE ingress-filtering=no interface=\
"ETHER00.-.WAN(SFP)"
# WLAN2/3/4 are bridge members, but the wireless section is not in this export.
add bridge=BRIDGE ingress-filtering=no interface=WLAN2.-.Sito-Temp_2.4Ghz
add bridge=BRIDGE ingress-filtering=no interface=ETHER01.-.NAS
add bridge=BRIDGE ingress-filtering=no interface=WLAN3.-.Sito-Wifi_5Ghz
add bridge=BRIDGE ingress-filtering=no interface=WLAN4.-.Sito-Temp_5Ghz
/ip neighbor discovery-settings
# NOTE(review): !dynamic still includes the static WAN VLAN interface, so
# MNDP/CDP/LLDP announcements (identity, model, addresses) are also sent towards
# the ISP; discover-interface-list=LAN limits discovery to the LAN side.
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is fully disabled on the device.
set disable-ipv6=yes max-neighbor-entries=8192
# --- VPN server settings, interface-list membership, WireGuard peers ---
/interface l2tp-server server
# L2TP/IPsec enabled, MS-CHAPv2 only. The IPsec pre-shared secret is hidden by
# the export (no show-sensitive). max-mtu/mru 1460 leaves room for the
# IPsec + L2TP overhead inside the 1498-byte WAN VLAN.
set allow-fast-path=yes authentication=mschap2 default-profile=Profile-L2TP \
enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes
/interface list member
# Every VPN interface is in LAN, so VPN clients are treated as trusted LAN hosts
# by the firewall (the input chain only drops traffic arriving from !LAN).
add interface=VLAN.-.JAZZTEL_1074_DATA&VOIP list=WAN
add interface=BRIDGE list=LAN
add interface=VPN-L2TP list=LAN
add interface=VPN-OVPN list=LAN
add interface=VPN-PPTP list=LAN
add interface=VPN-WIREGUARD list=LAN
/interface ovpn-server server
# OpenVPN with mutual TLS (require-client-certificate=yes), AES-128 + SHA1 HMAC,
# on the default port (the firewall's OpenVPN rule matches tcp/1194).
set auth=sha1 certificate=Server cipher=aes128 default-profile=Profile-OVPN \
enabled=yes max-mtu=1460 require-client-certificate=yes
/interface pptp-server server
# NOTE(review): PPTP with MS-CHAPv2/MPPE has well-known cryptographic weaknesses
# and is considered obsolete. Since WireGuard and IKEv2 are already set up here,
# migrating Sito-PPTP to one of them and setting enabled=no removes the weakest
# VPN from the WAN.
set authentication=mschap2 default-profile=Profile-PPTP enabled=yes max-mru=\
1460 max-mtu=1460
/interface wireguard peers
# Two road-warrior peers with a /32 allowed-address each. "CHORIZO1"/"CHORIZO2"
# appear to be placeholders substituted when the export was posted, not real
# keys. The export hides sensitive values, so whether a preshared-key is set
# cannot be seen here; adding one is a cheap hardening step if it is not.
add allowed-address=10.10.0.2/32 comment=Sito-Phone interface=VPN-WIREGUARD \
public-key="CHORIZO1"
add allowed-address=10.10.0.3/32 comment=Sito-Mac interface=VPN-WIREGUARD \
public-key="CHORIZO2"
# --- Addressing, DHCP, DNS, trusted-source list ---
/ip address
add address=10.0.0.1/24 comment="Bridge Network" interface=BRIDGE network=\
10.0.0.0
# Disabled helper address for reaching the ONT's default management subnet.
add address=192.168.1.100/24 comment="GPON ZISA OP151S (predeterminada)" \
disabled=yes interface=BRIDGE network=192.168.1.0
# WireGuard uses its own 10.10.0.0/24 and is routed, unlike the bridged PPP VPNs.
add address=10.10.0.1/24 interface=VPN-WIREGUARD network=10.10.0.0
/ip arp
# Static ARP entry pinning 10.0.0.10 to one MAC on the bridge.
add address=10.0.0.10 interface=BRIDGE mac-address=90:E6:BA:3B:E2:AB
/ip cloud
set update-time=no
/ip dhcp-client
# WAN address via DHCP on the ISP VLAN; add-default-route / use-peer-dns stay at
# their defaults (not shown in the export).
add interface=VLAN.-.JAZZTEL_1074_DATA&VOIP
/ip dhcp-server lease
/ip dhcp-server network
add address=10.0.0.0/24 comment="DHCP Network" dns-server=10.0.0.1 gateway=\
10.0.0.1 netmask=24
/ip dns
# The router is the LAN resolver (allow-remote-requests=yes), forwarding to
# Google DNS. It is not an open resolver only because the input chain drops
# !LAN traffic. NOTE(review): max-udp-packet-size=512 truncates any answer over
# 512 bytes and forces clients to retry over TCP, slowing lookups; the RouterOS
# default is 4096.
set allow-remote-requests=yes cache-max-ttl=1d max-udp-packet-size=512 \
servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# The single trusted external source used by the "WHITECLIENT" firewall rules.
add address=80.24.217.4 list=WhiteClient
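/ip firewall filter
# --- Input chain (traffic addressed to the router itself) ---
# Order: established/related/untracked and ICMP are accepted first, then the
# WhiteClient exceptions, then anything not arriving from the LAN list is
# dropped. The TIKTOOL rule's quoted comment had been broken across a blank
# line in the pasted export; it is rejoined below so the script imports cleanly.
add action=accept chain=input comment=\
"DEFCONF: ACCEPT ESTABLISHED, RELATED,UNTRACKED" connection-state=\
established,related,untracked
add action=drop chain=input comment="DEFCONF: DROP INVALID" connection-state=\
invalid
add action=accept chain=input comment="DEFCONF: ACCEPT ICMP" protocol=icmp
add action=accept chain=input comment="PERMITE TFTP (69) WHITECLIENT" \
disabled=yes dst-port=69 in-interface-list=WAN protocol=udp \
src-address-list=WhiteClient
# NOTE(review): as posted, every WAN accept for the VPN services below (UDP
# 500/1701/4500, ESP, AH, GRE + TCP 1723, TCP 1194, UDP 5175) is disabled=yes,
# so new inbound VPN handshakes from the WAN fall through to "DEFCONF: DROP <>
# LAN" at the end of this chain. If the VPNs are currently reachable from the
# internet, this export does not reflect the running rules (or the ports are
# opened somewhere else). When re-enabling them, keeping the
# src-address-list=WhiteClient restriction is the safer shape.
add action=accept chain=input comment=\
"PERMITE BRUTE FORCE L2TP,IKEV2 (500,1701,4500) WHITECLIENT" \
connection-state=new disabled=yes dst-port=500,1701,4500 \
in-interface-list=WAN protocol=udp src-address-list=WhiteClient
add action=accept chain=input connection-state=new disabled=yes \
in-interface-list=WAN protocol=ipsec-esp src-address-list=WhiteClient
add action=accept chain=input connection-state=new disabled=yes \
in-interface-list=WAN protocol=ipsec-ah src-address-list=WhiteClient
add action=accept chain=input comment="PERMITE BRUTE FORCE PPTP WHITECLIENT" \
connection-state=new disabled=yes in-interface-list=WAN protocol=gre \
src-address-list=WhiteClient
add action=accept chain=input connection-state=new disabled=yes dst-port=1723 \
in-interface-list=WAN protocol=tcp src-address-list=WhiteClient
# The OpenVPN rule has no in-interface-list, so it would also match from LAN/VPN
# interfaces once enabled (harmless, since those are accepted anyway).
add action=accept chain=input comment=\
"PERMITE BRUTE FORCE OPENVPN WHITECLIENT" disabled=yes dst-port=1194 \
protocol=tcp src-address-list=WhiteClient
add action=accept chain=input comment=\
"PERMITE BRUTE FORCE WIREGUARD (5175) WHITECLIENT " disabled=yes \
dst-port=5175 in-interface-list=WAN protocol=udp src-address-list=\
WhiteClient
# The only enabled WAN exception: Winbox (tcp/8291) from the WhiteClient address.
add action=accept chain=input comment=\
"PERMITE BRUTE FORCE WINBOX (8291) WHITECLIENT" dst-port=8291 \
in-interface-list=WAN protocol=tcp src-address-list=WhiteClient
# API (tcp/8728) from WhiteClient, currently disabled. Comment string rejoined
# from the split paste; "(8728)" is inferred from dst-port and the sibling
# rules' naming pattern.
add action=accept chain=input comment=\
"PERMITE BRUTE FORCE TIKTOOL (8728) WHITECLIENT" disabled=yes dst-port=\
8728 in-interface-list=WAN protocol=tcp src-address-list=WhiteClient
# Everything else not arriving from a LAN-list interface is dropped; VPN
# interfaces are in LAN, so VPN clients reach the router's services.
add action=drop chain=input comment="DEFCONF: DROP <> LAN" in-interface-list=\
!LAN
# --- Forward chain (traffic through the router) ---
# The WhiteClient accept rules for FTP/SSH/RDP/VNC only matter for traffic that a
# dst-nat rule steers to a LAN host; /ip firewall nat in this export has no
# dst-nat entries, so they match nothing unless port-forwards exist outside this
# export. Only the SSH rule is enabled.
add action=accept chain=forward comment=\
"PERMITE BRUTE FORCE FTP (21) WHITECLIENT" disabled=yes dst-port=21 \
in-interface-list=WAN protocol=tcp src-address-list=WhiteClient
add action=accept chain=forward comment=\
"PERMITE BRUTE FORCE SSH (22) WHITECLIENT" dst-port=22 in-interface-list=\
WAN protocol=tcp src-address-list=WhiteClient
add action=accept chain=forward comment=\
"PERMITE BRUTE FORCE RDP (3389) WHITECLIENT" disabled=yes dst-port=\
3389,8081-8200 in-interface-list=WAN protocol=tcp src-address-list=\
WhiteClient
add action=accept chain=forward comment=\
"PERMITE BRUTE FORCE VNC (5900) WHITECLIENT" disabled=yes dst-port=5900 \
in-interface-list=WAN protocol=tcp src-address-list=WhiteClient
# Disabled egress block for one LAN host (a camera, per the comment).
add action=drop chain=forward comment="FILTRA SITO-CAM" disabled=yes \
src-address=10.0.0.7
# F2B-Asterisk is not defined in /ip firewall address-list in this export;
# presumably it is populated dynamically (e.g. by fail2ban via the API) -- confirm.
add action=drop chain=forward comment="FILTRA FAIL2BAN ASTERISK (5170)" \
dst-port=5170 in-interface-list=WAN protocol=udp src-address-list=\
F2B-Asterisk
# NOTE(review): both DEFCONF IPsec accept rules are disabled. In the stock
# configuration they sit ahead of fasttrack precisely so that policy-matched
# IPsec traffic is not fasttracked (MikroTik documents that fasttracked
# connections bypass IPsec policies). With them off, forwarded traffic to/from
# IKEv2 mode-config clients may be affected -- verify IKEv2 client connectivity
# before relying on fasttrack here.
add action=accept chain=forward comment="DEFCONF: ACCEPT IN IPSEC" disabled=\
yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="DEFCONF: ACCEPT OUT IPSEC" disabled=\
yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
"DEFCONF: ACCEPT ESTABLISHED, RELATED" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment=\
"DEFCONF: ACCEPT ESTABLISHED, RELATED, UNTRACKED" connection-state=\
established,related,untracked
add action=drop chain=forward comment="DEFCONF: DROP INVALID" \
connection-state=invalid
# Final catch-all: new connections from WAN that were not dst-natted are dropped.
add action=drop chain=forward comment="DEFCONF: DROP WAN <> NAT" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN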
# --- NAT, helpers, IPsec policies, management services, misc system ---
/ip firewall nat
# Masquerade LAN traffic leaving via WAN. ipsec-policy=out,none excludes
# IPsec-policy-matched traffic (e.g. to IKEv2 clients) from NAT, as in the stock
# config. to-addresses=0.0.0.0 is how the export renders an unset value.
add action=masquerade chain=srcnat comment="DEFCONF: MASQUERADE" \
ipsec-policy=out,none out-interface-list=WAN to-addresses=0.0.0.0
# Disabled: masquerade towards the LAN list (for reaching the ONT subnet).
add action=masquerade chain=srcnat comment="ONT's" disabled=yes \
out-interface-list=LAN
/ip firewall service-port
# Connection-tracking helpers (ALGs) switched off -- good for attack surface.
# sip is not in this list, so the SIP helper stays at its default (enabled);
# with Asterisk/VoIP on this network, check whether the SIP ALG helps or
# interferes with registrations.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# Road-warrior IKEv2 identity with dynamic per-client policies. auth-method is
# not exported, so it is the default pre-shared-key with the secret hidden --
# confirm; certificate or EAP authentication is the stronger choice for IKEv2
# clients.
add generate-policy=port-strict mode-config=Mode-IKEv2 peer=Sito-IKEv2
/ip ipsec policy
# Policy 0 is the built-in default template; it now uses the 3DES Proposal-L2TP.
set 0 proposal=Proposal-L2TP
add comment="POLICY FOR SITO-L2TP" proposal=Proposal-L2TP template=yes
add comment="POLICY FOR SITO-IKEv2" proposal=Proporsal-IKEv2 template=yes
/ip proxy
# Whether the web proxy is enabled is not in this export; if it is, make sure it
# is not reachable from the WAN (the input chain's !LAN drop currently covers it).
set cache-path=web-proxy1
/ip service
# telnet, ftp and www are off. ssh, www-ssl, winbox, api (tcp/8728, referenced by
# the TIKTOOL firewall rule) and api-ssl stay at their defaults, which are not
# shown; consider restricting each remaining service's address= to LAN/VPN ranges.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ip smb shares
# Default SMB share points at /pub; whether SMB is enabled is not in this export.
set [ find default=yes ] directory=/pub
/ip ssh
# NOTE(review): allow-none-crypto=yes lets a client negotiate the "none" cipher,
# i.e. an unencrypted SSH session; set it to no unless a specific client needs
# it. forwarding-enabled=remote lets SSH clients open remote port forwards via
# the router; set forwarding-enabled=no unless that is actually used.
set allow-none-crypto=yes forwarding-enabled=remote
/ip tftp
# Single, disabled TFTP entry (the input rule for udp/69 is disabled as well).
add disabled=yes
/ip upnp
set show-dummy-rule=no
/ip upnp interfaces
# NOTE(review): the WAN VLAN is declared as the external UPnP interface. Whether
# UPnP is enabled is not in this export; if it is, LAN hosts can open inbound WAN
# ports on their own. With no type=internal interface listed, UPnP should not be
# able to serve LAN clients even when enabled -- confirm.
add interface=VLAN.-.JAZZTEL_1074_DATA&VOIP type=external
/ppp secret
# One secret per VPN service. Passwords are hidden by the export, so their
# strength cannot be reviewed here; for PPTP/L2TP with MS-CHAPv2 the password is
# the main protection against offline cracking of a captured handshake, so it
# should be long and random.
add name=Sito-L2TP profile=Profile-L2TP service=l2tp
add name=Sito-PPTP profile=Profile-PPTP service=pptp
add name=Sito-OVPN profile=Profile-OVPN service=ovpn
/routing igmp-proxy interface
# IGMP proxy present but disabled.
add disabled=yes interface=BRIDGE
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Madrid
/system identity
set name=Sito-MikroTik
/system logging
# Error e-mails are disabled; tftp topics go to the default (memory) action.
add action=email disabled=yes topics=error
add topics=tftp
/system ntp client
set enabled=yes
/system ntp client servers
# Two static NTP servers by IP address.
add address=17.253.52.253
add address=150.214.94.5
/tool bandwidth-server
# Bandwidth-test server off (authenticate=no is moot while enabled=no).
set authenticate=no enabled=no
Cordialmente,
Juhn_Hoo