firewall: для теста разрешено всё. Входящие адреса изменены; всё остальное взято с рабочего роутера, на котором клиент 10.50.0.12 открывает только поисковик Google, остальные сайты недоступны. # 03/мар/2024 16:06:57, RouterOS 6.49.10
# software id = UH1D-IK15
#
# модель = CCR1016-12G
# серийный номер = D6450EB884C9
/interface bridge
add arp=reply-only name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] name=ether7
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
/interface vlan
add interface=ether1-WAN name=vlan1 vlan-id=1
/interface list
add name=Lan
add name=WAN
add name=discover
/ip ipsec mode-config
add address=10.50.0.12 address-prefix-length=22 name=IKEv2-Server static-dns=172.16.0.1 system-dns=no
/ip ipsec policy group
add name=ipsec
add name=IKEv2-Server
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128,3des name=ipsec-profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des hash-algorithm=sha256 name=IKEv2-Server
/ip ipsec peer
add exchange-mode=ike2 local-address=123.45.67.89 name=IKEv2-Server passive=yes profile=IKEv2-Server
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=ipsec-proposal pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" lifetime=8h name=IKEv2-Server pfs-group=none
/ip pool
add name=pool4 ranges=172.16.4.1-172.16.4.254
add name=pool3 next-pool=pool4 ranges=172.16.3.1-172.16.3.254
add name=pool2 next-pool=pool3 ranges=172.16.2.1-172.16.2.254
add name=pool1 next-pool=pool2 ranges=172.16.1.1-172.16.1.254
/ppp profile
add change-tcp-mss=yes name=l2tp-remote-client-to-site only-one=no use-compression=yes use-encryption=yes
/snmp community
set [ find default=yes ] disabled=yes
add addresses=0.0.0.0/0 name=snmp_public
/system logging action
set 1 disk-file-count=10
set 3 bsd-syslog=yes remote=172.16.1.135 syslog-facility=syslog
add name=ipsec target=memory
add name=l2tp target=memory
/interface bridge port
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 interface=vlan1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp-remote-client-to-site enabled=yes one-session-per-host=yes use-ipsec=required
/interface pptp-server server
set authentication=mschap2 default-profile=pptp
/ip address
add address=172.16.0.1/22 interface=bridge1 network=172.16.0.0
add address=123.45.67.89/29 interface=ether1-WAN network=123.45.67.89
/ip dhcp-server network
add address=172.16.0.0/22 dns-server=172.16.0.1 gateway=172.16.0.1 ntp-server=172.16.0.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=10240KiB servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=forward
add action=accept chain=output
add action=accept chain=input
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp src-address=10.50.0.12 tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward dst-address=10.50.0.12 ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.50.0.12
add action=masquerade chain=srcnat src-address=172.16.0.0/22 out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.ike2 generate-policy=port-strict match-by=certificate mode-config=IKEv2-Server peer=IKEv2-Server policy-template-group=IKEv2-Server remote-certificate=ra@vpn.ike2 remote-id=user-fqdn:ra@vpn.ike2
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ipsec proposal=ipsec-proposal src-address=0.0.0.0/0 template=yes
add dst-address=10.50.0.0/24 group=IKEv2-Server proposal=IKEv2-Server src-address=0.0.0.0/0 template=yes
/ip route
add check-gateway=ping distance=1 gateway=11.12.34.56
/ip route rule
add action=lookup-only-in-table src-address=123.45.67.89/32 table=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=28291
set api-ssl disabled=yes
/snmp
set enabled=yes trap-community=snmp_public trap-interfaces=ether7 trap-version=2
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+01:00 dst-end="oct/28/2019 00:00:00" dst-start="mar/31/2019 00:00:00" time-zone=+02:00
/system identity
set name=mtk-ccr1016
/system leds
add leds=fault-led type=fan-fault
add leds=user-led type=flash-access
/system package update
set channel=long-term
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Lan
/tool mac-server ping
set enabled=no