The thing I suspect is that the DNS is not working - should be using local (French) DNS, or remote (UK) DNS?
It would be great if someone could have a look at the French config here:
Code: Select all
# 2024-04-05 09:18:50 by RouterOS 7.14.1
#
# model = C52iG-5HaxD2HaxD
/interface bridge add name=bridge_guest_67
/interface bridge add admin-mac=48:A9:8A:C7:F6:8E auto-mac=no comment=defconf name=bridge_main_65
/interface ethernet set [ find default-name=ether1 ] mac-address=CC:2D:E0:EB:1D:79 poe-out=off
/interface ethernet set [ find default-name=ether4 ] disabled=yes
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=athome datapath.bridge=bridge_main_65 disabled=no name=wifi1_athome_5GHz security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wifi set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=athome datapath.bridge=bridge_main_65 disabled=no name=wifi2_athome_2GHz security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wireguard add listen-port=xx mtu=1420 name=Wireguard
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no name=security_athome
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no name=security_athome_guest
/interface wifi configuration add disabled=no name=cfg_athome security=security_athome ssid=athome
/interface wifi configuration add disabled=no name=cfg_athome_guest security=security_athome_guest ssid=athome_guest
/interface wifi add configuration=cfg_athome_guest configuration.mode=ap datapath.bridge=bridge_guest_67 disabled=no mac-address=4A:A9:8A:C7:F6:92 master-interface=wifi1_athome_5GHz name=wifi3_athome_guest_5GHz
/ip pool add name=default-dhcp ranges=192.168.65.10-192.168.65.254
/ip pool add name=pool_guest_67 ranges=192.168.67.10-192.168.67.254
/ip dhcp-server add address-pool=default-dhcp interface=bridge_main_65 lease-time=2m name=defconf
/ip dhcp-server add address-pool=pool_guest_67 interface=bridge_guest_67 lease-time=10m name=dhcp_guest
/routing table add disabled=no fib name=use-WG
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=ether2
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=ether3
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=ether4
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=ether5
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=wifi1_athome_5GHz
/interface bridge port add bridge=bridge_main_65 comment=defconf interface=wifi2_athome_2GHz
/interface bridge port add bridge=bridge_guest_67 interface=wifi3_athome_guest_5GHz
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=bridge_main_65 list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=Wireguard list=LAN
/interface list member add interface=bridge_guest_67 list=LAN
/interface wifi access-list add action=accept comment="Pixel 7" disabled=no mac-address=24:95:2F:4F:6D:DE signal-range=0 time=0s-0s
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=xxx endpoint-port=xx interface=Wireguard persistent-keepalive=25s public-key=""
/ip address add address=192.168.65.1/24 comment=defconf interface=bridge_main_65 network=192.168.65.0
/ip address add address=10.64.0.3/24 interface=Wireguard network=10.64.0.0
/ip address add address=192.168.67.1/24 interface=bridge_guest_67 network=192.168.67.0
/ip dhcp-client add comment=defconf interface=ether1
/ip dhcp-server lease add address=192.168.65.23 client-id=1:10:3d:1c:e8:5f:d0 comment="T14" mac-address=10:3D:1C:E8:5F:D0 server=defconf
/ip dhcp-server lease add address=192.168.65.30 client-id=1:24:95:2f:4f:6d:de comment="Pixel-7 " mac-address=24:95:2F:4F:6D:DE server=defconf
/ip dhcp-server lease add address=192.168.65.240 client-id=1:cc:2d:e0:eb:1d:79 mac-address=CC:2D:E0:EB:1D:79 server=defconf
/ip dhcp-server network add address=192.168.65.0/24 comment=defconf dns-server=192.168.65.1,9.9.9.9,149.112.112.112 gateway=192.168.65.1
/ip dhcp-server network add address=192.168.67.0/24 dns-server=9.9.9.9,149.112.112.112 gateway=192.168.67.1
/ip dns set allow-remote-requests=yes servers=8.8.8.8,149.112.112.112
/ip firewall address-list add address=192.168.65.28 comment="E1 PTZ" list=Camera
/ip firewall address-list add address=192.168.65.7 comment=R4 list=Camera
/ip firewall address-list add address=192.168.65.12 comment="Back Door" list=Camera
/ip firewall address-list add address=8.8.8.8 list=CameraAllowed
/ip firewall address-list add address=9.9.9.9 list=CameraAllowed
/ip firewall address-list add address=8.8.4.4 list=CameraAllowed
/ip firewall address-list add address=149.112.112.112 list=CameraAllowed
/ip firewall address-list add address=192.168.64.0/24 list=AllowedToRouter
/ip firewall address-list add address=192.168.65.0/24 list=AllowedToRouter
/ip firewall address-list add address=10.64.0.0/24 list=AllowedToRouter
/ip firewall address-list add address=10.200.0.0/24 list=AllowedToRouter
/ip firewall address-list add address=chazoopa-h.synology.me list=AllowedToRouter
/ip firewall address-list add address=192.168.10.0/24 list=AllowedToRouter
/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 disabled=yes list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall address-list add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
/ip firewall address-list add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall address-list add address=192.168.65.0/24 list=WireguardTraffic
/ip firewall address-list add address=192.168.10.0/24 list=WireguardTraffic
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Accept DNS, NTP for udp" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Accept DNS for tcp" dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="Allow from nice IPs from Wireguard" in-interface=Wireguard src-address-list=AllowedToRouter
/ip firewall filter add action=drop chain=input comment="drop from guest bridge" src-address=192.168.67.0/24
/ip firewall filter add action=accept chain=input comment="Accept all from LAN" in-interface-list=LAN
/ip firewall filter add action=drop chain=input comment="drop all else"
/ip firewall filter add action=log chain=forward disabled=yes log-prefix=xxx src-address=192.168.65.23
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Drop guests to locals" out-interface-list=!WAN src-address=192.168.67.0/24
/ip firewall filter add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN
/ip firewall filter add action=drop chain=forward comment="Drop Cameras" dst-address-list=!CameraAllowed log-prefix=Camera out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" log=yes src-address-list=no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4 log=yes
/ip firewall filter add action=accept chain=forward comment="Allow internet access" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Allow wireguard traffic" out-interface=Wireguard src-address-list=WireguardTraffic
/ip firewall filter add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat
/ip firewall filter add action=drop chain=forward comment="drop all else"
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat out-interface=Wireguard
/ip route add disabled=no distance=1 dst-address=192.168.64.0/24 gateway=Wireguard pref-src=0.0.0.0 routing-table=main suppress-hw-offload=no
/ip route add comment="So certain source IPs go through the WG VPN - look in Routing Rules" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Wireguard pref-src="" routing-table=use-WG scope=10 suppress-hw-offload=no target-scope=10
/ip route add disabled=no dst-address=10.200.0.0/24 gateway=Wireguard routing-table=main suppress-hw-offload=no
/ip route add disabled=no dst-address=10.100.0.0/24 gateway=Wireguard routing-table=main suppress-hw-offload=no
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set always-allow-password-login=yes
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall address-list add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
/ipv6 firewall address-list add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule add action=lookup-only-in-table comment="Pixel-7 " disabled=no src-address=192.168.65.30/32 table=use-WG
/routing rule add action=lookup-only-in-table comment=TV disabled=no src-address=192.168.65.26/32 table=use-WG
/routing rule add action=lookup-only-in-table comment="Surface" disabled=yes src-address=192.168.65.27/32 table=use-WG
/routing rule add action=lookup-only-in-table comment="T14" disabled=no src-address=192.168.65.23/32 table=use-WG
/routing rule add action=lookup-only-in-table comment=T480 disabled=no src-address=192.168.65.18/32 table=use-WG
/system clock set time-zone-name=Europe/Paris
/system identity set name="France HAP ax2"
/system logging set 0 topics=info,!dhcp,!wireless
/system note set show-at-login=no
/tool graphing interface add interface=ether1
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN