: zatím je to 1:1, ale plánuju přidat ještě třetí bod a navíc jeden (kde teď sedím) může být připojený přes 2 providery, takže u něj budu muset přidat i druhou adresu... teda, až to rozchodím aspoň 1:1 ...
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
Pb_main
/ip ipsec peer
add address=***.***.***.107/32 comment="Tunel LvG" \
exchange-mode=ike2 name=peer_LG profile=Pb_main \
send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=prop_LB \
pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.0.224/27
/ip settings
set send-redirects=no
/ip address
add address=192.168.0.1/20 comment=defconf interface=bridge network=\
192.168.0.0
add address=***.***.***.69/28 interface=p1_G network=***.***.***.64
add address=***.***.***.20/24 interface=p2_A network=***.***.***.0
/ip dhcp-client
add comment=defconf interface=p1_G
/ip dhcp-server network
add address=192.168.0.224/27 comment="wifi & unbound" gateway=192.168.0.1 \
netmask=27
add address=192.168.2.0/23 gateway=192.168.0.1 netmask=23
add address=192.168.10.0/24 comment="RFVE Ip Pool" gateway=192.168.0.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
/ip firewall nat
add action=accept chain=srcnat comment="Tunel LB" dst-address=\
192.168.1.0/25 log=yes src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none log-prefix=GOut out-interface-list=WAN
/ip ipsec identity
add peer=peer_LG
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=peer_LG proposal=prop_LB \
src-address=192.168.3.0/24 tunnel=yes
/ip route
add distance=1 gateway=***.***.***.65
add distance=2 gateway=***.***.***.254
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Prague
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN