I'm at my wits' end with this, being somewhat of a beginner with networking.
Long story short: Helldivers 2 works — I can connect to other players and they can join me — when I use my ISP-supplied router (BT HomeHub), yet with my RB5009 I only get "failed to join game lobby" and similar errors.
I've tried opening my firewall completely (temporarily) on both the router and Windows Firewall, disabling IPv6 on the PC and router, enabling UPnP (only for testing purposes — and I confirmed UPnP itself does work) and various other things.
Is anyone able to have a quick look through my config to see whether I've erroneously included anything, particularly in the firewall rules, that could potentially cause connection issues (especially with P2P game servers)?
My setup is as follows:
DrayTek Vigor 130 -> RB5009 (PPPoE) -> PC (Ethernet)
My PC itself has a static IP of 192.168.1.10 on vlan91, which is the most “trusted” VLAN within my firewall rules and should have access to any interface.
# 2024-04-24 18:54:39 by RouterOS 7.14.2
# software id = 46E2-14LJ
#
# model = RB5009UG+S+
# serial number = XXXXXXXXXXX
# Single VLAN-aware bridge. vlan-filtering=yes means the table under
# "/interface bridge vlan" further down decides which ports carry which VLAN.
/interface bridge
add admin-mac=18:XX:XX:XX:XX:3B auto-mac=no comment=defconf name=bridge \
port-cost-mode=short vlan-filtering=yes
# Per-port MAC addresses (redacted by the poster). ether1 is the PPPoE uplink
# towards the modem, ether2-7 and sfp-sfpplus1 are bridge ports, and ether8 is
# the standalone rescue port (see "/interface bridge port" and "/ip address").
/interface ethernet
set [ find default-name=ether1 ] mac-address=18:XX:XX:XX:XX:3A
set [ find default-name=ether2 ] mac-address=18:XX:XX:XX:XX:3B
set [ find default-name=ether3 ] mac-address=18:XX:XX:XX:XX:3C
set [ find default-name=ether4 ] mac-address=18:XX:XX:XX:XX:3D
set [ find default-name=ether5 ] mac-address=18:XX:XX:XX:XX:3E
set [ find default-name=ether6 ] mac-address=18:XX:XX:XX:XX:3F
set [ find default-name=ether7 ] mac-address=18:XX:XX:XX:XX:40
set [ find default-name=ether8 ] mac-address=18:XX:XX:XX:XX:41
set [ find default-name=sfp-sfpplus1 ] mac-address=18:XX:XX:XX:XX:42
# PPPoE session to the ISP over ether1; add-default-route=yes installs the
# IPv4 default route in the main table (no static default route exists below).
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name="ISP PPPoE" \
service-name=internet user=bthomehub@btbroadband.com
# wg0: inbound "road warrior" tunnel listening on UDP 13231 (opened in the
# IPv4 input chain). wg1: outbound Mullvad tunnel, reachable only through the
# wg_mullvad routing table.
/interface wireguard
add comment="External -> Home" listen-port=13231 mtu=1420 name=wg0
add comment=Mullvad listen-port=61468 mtu=1420 name=wg1
# VLAN interfaces on the bridge: 91 = trusted LAN (the PC), 92 = untrusted,
# 95 = clients that must only leave through the Mullvad tunnel.
/interface vlan
add interface=bridge name=vlan91 vlan-id=91
add interface=bridge name=vlan92 vlan-id=92
add interface=bridge name=vlan95 vlan-id=95
# Interface lists referenced by the firewall and by the management services;
# membership is assigned under "/interface list member" further down.
# WG_CHG_MSS is declared but never gets a member in this export.
/interface list
add name=WAN
add name=LAN
add name=WG_VPN_Provider_Clients
add name=LAN_UNTRUSTED
add name=WG_WAN
add name=WG_CHG_MSS
add name=LAN_TRUSTED
# defconf entry; this export defines no wireless interfaces.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP option 6 (DNS server) pointing at Mullvad's ad-blocking resolver; it is
# attached to a single vlan95 lease under "/ip dhcp-server lease".
/ip dhcp-server option
add code=6 name="Mullvad DNS (Adblock)" value="'100.64.0.1'"
# One address pool per network. "bridge" belongs to the disabled defconf
# server, "rescue" to the standalone ether8 port.
/ip pool
add name=bridge ranges=192.168.88.100-192.168.88.199
add name=vlan92 ranges=192.168.2.100-192.168.2.199
add name=vlan95 ranges=192.168.5.100-192.168.5.199
add name=vlan91 ranges=192.168.1.100-192.168.1.199
add name=rescue ranges=192.168.89.100-192.168.89.199
# A DHCP server per VLAN; the defconf server on the bare bridge is disabled.
/ip dhcp-server
add address-pool=bridge disabled=yes interface=bridge lease-time=10m name=\
bridge
add address-pool=vlan95 interface=vlan95 lease-time=10m name=vlan95
add address-pool=vlan92 interface=vlan92 lease-time=10m name=vlan92
add address-pool=vlan91 interface=vlan91 lease-time=10m name=vlan91
add address-pool=rescue interface=ether8 lease-time=10m name=rescue
# Default SMB user disabled; no "/ip smb set enabled=yes" appears in this
# export either.
/ip smb users
set [ find default=yes ] disabled=yes
# CAKE shaping: upload is parented on the PPPoE interface, download on the
# bridge. NOTE(review): the IPv4 forward chain fasttracks established/related
# flows (hw-offload=yes), and fasttracked packets bypass queue trees, so these
# queues are expected to see only the non-fasttracked remainder — confirm with
# the queue counters before relying on them for bufferbloat control.
/queue type
add cake-diffserv=diffserv4 cake-nat=yes kind=cake name=cake-up
add cake-diffserv=diffserv4 kind=cake name=cake-down
/queue tree
add limit-at=5M max-limit=19M name=QT_Upload packet-mark=no-mark parent=\
"ISP PPPoE" queue=cake-up
add limit-at=15M max-limit=74M name=QT_Download packet-mark=no-mark parent=\
bridge queue=cake-down
# Separate FIB for traffic that must exit via Mullvad (wg1).
/routing table
add fib name=wg_mullvad
# Bridge ports. Every access port uses pvid 91 (the trusted VLAN) except
# ether7, which is the vlan95 port; ether3 additionally carries VLANs 92 and
# 95 tagged according to the VLAN table below. ether8 is intentionally not a
# bridge port (rescue network).
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
path-cost=10 pvid=95
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
10 path-cost=10 pvid=91
# NOTE(review): udp-timeout is the lifetime of a UDP conntrack entry that has
# not yet seen a reply (udp-stream-timeout takes over once one has). For P2P
# games that rely on NAT hole punching the masquerade mapping lives only as
# long as this entry; a peer's packet arriving after expiry is classified as
# "new" from WAN and discarded by "defconf: drop all from WAN not DSTNATed".
# Worth testing a longer value while diagnosing the lobby failures; confirm
# what the current RouterOS default is before treating 10s as a change.
/ip firewall connection tracking
set udp-timeout=10s
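# Neighbor discovery (MNDP/CDP/LLDP) announces the router's identity and
# addresses on every listed interface. LAN also contains vlan92
# (LAN_UNTRUSTED) and vlan95, so it is narrowed to the trusted list; the
# defconf value was LAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN_TRUSTED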
# VLAN table. ether3 carries 92 and 95 tagged on top of its untagged 91, so it
# behaves as a trunk; ether7 is the vlan95 access port; the remaining ports
# are vlan91 access ports. The bridge interface itself is tagged in every VLAN
# so the router can hold an address in each.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 untagged=ether7 vlan-ids=95
add bridge=bridge tagged=bridge,ether3 vlan-ids=92
add bridge=bridge tagged=bridge untagged=\
ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=91
# Interface list membership. LAN is a superset: it holds LAN_TRUSTED (bridge,
# vlan91, wg0, ether8), LAN_UNTRUSTED (vlan92) and vlan95 alike, so any
# firewall or management setting that matches on LAN also applies to the
# untrusted VLAN. WAN = ether1 + the PPPoE session; WG_WAN = wg1 (Mullvad).
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface="ISP PPPoE" list=WAN
add interface=vlan95 list=WG_VPN_Provider_Clients
add interface=vlan91 list=LAN
add interface=vlan92 list=LAN_UNTRUSTED
add interface=wg0 list=LAN
add interface=ether8 list=LAN
add interface=wg1 list=WG_WAN
add interface=bridge list=LAN_TRUSTED
add interface=vlan91 list=LAN_TRUSTED
add interface=wg0 list=LAN_TRUSTED
add interface=ether8 list=LAN_TRUSTED
add interface=vlan92 list=LAN
add interface=vlan95 list=LAN
# wg0 peer: one road-warrior client (192.168.10.10) with no fixed endpoint.
# wg1 peer: the Mullvad exit. allowed-address 0.0.0.0/0,::/0 only admits
# traffic; packets enter the tunnel solely via the wg_mullvad table's default
# routes (see "/ip route", "/ipv6 route" and "/routing rule").
/interface wireguard peers
add allowed-address=192.168.10.10/32 interface=wg0 public-key=\
"XXXXXXXXXX"
add allowed-address=0.0.0.0/0,::/0 endpoint-address=\
xxxxx.mullvad.net endpoint-port=51820 interface=wg1 \
public-key="XXXXXXXXXX"
# Router addresses. 192.168.0.1/24 on ether1 is on a WAN-list interface and is
# presumably there to reach the Vigor 130's management page — confirm; the
# input chain treats it as WAN either way. 192.168.88.1/24 on the bare bridge
# is the defconf leftover whose DHCP server is disabled.
/ip address
add address=192.168.88.1/24 comment="bridge default" interface=bridge \
network=192.168.88.0
add address=192.168.5.1/24 interface=vlan95 network=192.168.5.0
add address=192.168.2.1/24 interface=vlan92 network=192.168.2.0
add address=192.168.10.1/24 interface=wg0 network=192.168.10.0
add address=10.xxx.xxx.xxx interface=wg1 network=10.xxx.xxx.xxx
add address=192.168.0.1/24 interface=ether1 network=192.168.0.0
add address=192.168.1.1/24 interface=vlan91 network=192.168.1.0
add address=192.168.89.1/24 comment="rescue port" interface=ether8 network=\
192.168.89.0
# MikroTik cloud DDNS enabled (publishes the PPPoE public address under the
# router's cloud name).
/ip cloud
set ddns-enabled=yes update-time=no
# The defconf DHCP client on ether1 is disabled: the uplink is PPPoE.
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# Static leases. 192.168.1.10 is the poster's PC (also the "Main PC" address
# list). The F0:…:3F host is reserved on both vlan91 and vlan92 — presumably a
# device that is moved between the two VLANs; verify that is intended.
/ip dhcp-server lease
add address=192.168.2.50 mac-address=1C:XX:XX:XX:XX:A2 server=vlan92
add address=192.168.5.199 client-id=1:1c:XX:XX:XX:XX:44 dhcp-option=\
"Mullvad DNS (Adblock)" mac-address=1C:XX:XX:XX:XX:44 server=vlan95
add address=192.168.1.10 client-id=1:2c:XX:XX:XX:XX:7d mac-address=\
2C:XX:XX:XX:XX:7D server=vlan91
add address=192.168.1.198 client-id=1:f0:XX:XX:XX:XX:3f mac-address=\
F0:XX:XX:XX:XX:3F server=vlan91
add address=192.168.2.198 client-id=1:f0:XX:XX:XX:XX:3f mac-address=\
F0:XX:XX:XX:XX:3F server=vlan92
# Per-network DHCP settings. vlan95 is handed the Mullvad resolver directly;
# the other networks use the router's own resolver.
/ip dhcp-server network
add address=192.168.1.0/24 comment=vlan91 dns-server=192.168.1.1 gateway=\
192.168.1.1 netmask=24
add address=192.168.2.0/24 comment=vlan92 dns-server=192.168.2.1 gateway=\
192.168.2.1
add address=192.168.5.0/24 comment=vlan95 dns-server=10.64.0.1 gateway=\
192.168.5.1 netmask=24
add address=192.168.88.0/24 comment=bridge dns-server=192.168.88.1 gateway=\
192.168.88.1 netmask=24
add address=192.168.89.0/24 comment=rescue dns-server=192.168.89.1 gateway=\
192.168.89.1 netmask=24
# Router-side resolver forwarding to Cloudflare. allow-remote-requests=yes
# makes it answer on every interface, so the IPv4 input chain's final drop is
# what stops it being an open resolver on the WAN side; the IPv6 input chain
# must provide the same protection.
/ip dns
set allow-remote-requests=yes servers=\
1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
# Address list referenced by the Remote Play forward rules.
/ip firewall address-list
add address=192.168.1.10 comment="Reservation address for my machine" list=\
"Main PC"
# IPv4 filter. Input policy: LAN_TRUSTED (bridge, vlan91, wg0 road warriors,
# ether8) gets everything; every other LAN-list interface (vlan92, vlan95)
# gets DNS only; WAN gets ICMP and the WireGuard port; the rest is dropped.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# defconf: ICMP from any interface, including WAN, without rate limiting.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# wg0 listener; WireGuard drops unauthenticated packets itself.
add action=accept chain=input comment="allow WireGuard (Home)" dst-port=13231 \
protocol=udp
# Full management access (Winbox, SSH, API …) from the trusted list, which
# also includes wg0 peers.
add action=accept chain=input comment=\
"allow unrestricted access to the input chain from trusted LANs" \
in-interface-list=LAN_TRUSTED
add action=accept chain=input comment="allow LAN DNS queries (UDP)" dst-port=\
53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="allow LAN DNS queries (TCP)" dst-port=\
53 in-interface-list=LAN protocol=tcp
# Explicit catch-all; this is what keeps the resolver closed towards WAN.
add action=drop chain=input comment="drop remaining traffic on input chain"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Fasttracked flows skip the rest of the filter, the mangle table and the
# CAKE queue trees once they are established.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# This rule discards every unsolicited inbound connection from the Internet.
# For a P2P game, a peer can only reach the PC while a conntrack/NAT mapping
# for that flow still exists (see udp-timeout above) or a dst-nat/UPnP
# pinhole is present; nothing here is wrong, but it is the rule where a failed
# hole punch ends up.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Kill switch: vlan95 must never leave via the ISP, only via wg1 below.
add action=drop chain=forward comment="VPN Safety Net" in-interface-list=\
WG_VPN_Provider_Clients out-interface-list=WAN
# "all" includes WG_WAN and LAN_UNTRUSTED, so trusted hosts may reach Mullvad
# and the untrusted VLAN directly.
add action=accept chain=forward comment=\
"allow trusted LAN to forward to all interface lists" in-interface-list=\
LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment=\
"allow untrusted LAN to forward only to WAN" in-interface-list=\
LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment=\
"allow specific clients through the WG provider tunnels" \
in-interface-list=WG_VPN_Provider_Clients out-interface-list=WG_WAN
# Steam Remote Play from the Mullvad VLAN to the PC only (return path relies
# on the 192.168.1.0/24 routing rule pointing at the main table).
add action=accept chain=forward comment="allow Remote Play UDP from vlan95" \
dst-address-list="Main PC" dst-port=27031,27036 in-interface=vlan95 \
protocol=udp
add action=accept chain=forward comment="allow Remote Play TCP from vlan95" \
dst-address-list="Main PC" dst-port=27036,27037 in-interface=vlan95 \
protocol=tcp
# Explicit catch-all; also covers new connections arriving from wg1, which is
# not in WAN and so is not caught by the DSTNAT rule above.
add action=drop chain=forward comment=\
"drop remaining traffic on the forward chain"
# Both MSS-clamp rules are disabled and the WG_CHG_MSS list has no members
# (see "/interface list member"), so the mangle table is currently inert.
/ip firewall mangle
add action=change-mss chain=forward comment="WireGuard EXT. MSS Change - OUT" \
disabled=yes new-mss=1380 out-interface-list=WG_CHG_MSS passthrough=yes \
protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=change-mss chain=forward comment="WireGuard EXT. MSS Change - IN" \
disabled=yes in-interface-list=WG_CHG_MSS new-mss=1380 passthrough=yes \
protocol=tcp tcp-flags=syn tcp-mss=1381-65535
# Source NAT: masquerade towards the ISP (typical for a dynamic PPPoE address)
# and a second masquerade hiding vlan95 behind the Mullvad tunnel address.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="wg masquerade" ipsec-policy=\
out,none out-interface-list=WG_WAN
# The only static routes are the Mullvad defaults inside wg_mullvad; the
# main-table IPv4 default comes from the PPPoE client (add-default-route=yes).
/ip route
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=wg_mullvad
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=wg1 routing-table=\
wg_mullvad scope=30 target-scope=10
/ip smb shares
set [ find default=yes ] directory=/pub
# UPnP interface roles are defined, but no "/ip upnp set enabled=yes" line
# appears in this export, so UPnP looks disabled at export time — consistent
# with the poster enabling it only for testing. If it is re-enabled, keeping
# vlan91 as the sole internal interface is the right scope; consider also
# allow-disable-external-interface=no so a LAN client cannot drop the uplink.
/ip upnp interfaces
add interface="ISP PPPoE" type=external
add interface=vlan91 type=internal
# The /128 on wg1 is the Mullvad-side tunnel address; each LAN interface takes
# ::1 of a subnet from the delegated ISP prefix pool.
/ipv6 address
add address=fc00:XXXX:XXXX:XXXX::X:XXXX/128 advertise=no interface=wg1
add address=::1 from-pool=IPv6_ISP_Prefix interface=bridge
add address=::1 from-pool=IPv6_ISP_Prefix interface=vlan91
add address=::1 from-pool=IPv6_ISP_Prefix interface=vlan92
add address=::1 from-pool=IPv6_ISP_Prefix interface=vlan95
# DHCPv6-PD over the PPPoE session asking for a /56; the ISP's DNS servers are
# ignored (Cloudflare is configured under "/ip dns").
/ipv6 dhcp-client
add interface="ISP PPPoE" pool-name=IPv6_ISP_Prefix prefix-hint=\
XXXX:XXXX:XXXX:XXXX::/56 request=prefix use-peer-dns=no
# defconf bogon list consumed by the IPv6 forward chain.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
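# IPv6 filter. The input chain now mirrors the IPv4 one: LAN_TRUSTED gets full
# access, every other LAN-list interface (vlan92 = LAN_UNTRUSTED, vlan95) only
# gets ICMPv6, multicast and DNS, and WAN/wg1 only the defconf ICMPv6,
# traceroute, DHCPv6 and IPsec entries.
# Review: in the original export the four non-defconf input rules were
# disabled, so after the "!LAN" drop every packet from any LAN-list interface
# — the untrusted VLAN included — fell through to the chain's implicit accept
# and could reach the router's management services and resolver over IPv6
# (link-local works even though RAs are off on vlan92/vlan95). The IPv4 input
# chain restricts those interfaces to DNS; the rules are enabled here so both
# families enforce the same policy. Rule order is unchanged.
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
# Lets the DHCPv6 client on the PPPoE session receive the delegated prefix
# (IPv6_ISP_Prefix); limited to link-local sources.
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Enabled (was disabled=yes): IPv6 management access from LAN_TRUSTED only.
add action=accept chain=input comment=\
"Allow full access to the LAN input chain from trusted LANs" \
in-interface-list=LAN_TRUSTED
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# Enabled (was disabled=yes): the remaining LAN interfaces may only reach the
# router for multicast and DNS; the final drop closes the chain explicitly.
add action=accept chain=input comment="Allow LAN multicast (UDP)" \
dst-address=ff00::/8 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (UDP)" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (TCP)" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=\
"Drop remaining traffic on the input chain"
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# defconf bogon filtering on the bad_ipv6 address list.
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Kill switch for the Mullvad VLAN, same as in the IPv4 chain.
add action=drop chain=forward comment="VPN Safety Net" in-interface-list=\
WG_VPN_Provider_Clients out-interface-list=WAN
add action=accept chain=forward comment=\
"Allow trusted LAN to forward to all interface lists" in-interface-list=\
LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment=\
"Allow untrusted LAN to forward only to WAN" in-interface-list=\
LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment=\
"Allow specific clients through the WG provider tunnels" \
in-interface-list=WG_VPN_Provider_Clients out-interface-list=WG_WAN
# Left disabled as exported: the explicit catch-all below already drops it.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" disabled=yes \
in-interface-list=!LAN
# No rule admits new connections from WAN towards LAN hosts, so inbound IPv6
# to the PC (game peers included) ends here. The poster reports the lobby
# failure persists with IPv6 disabled on the PC, so this is not the cause,
# but it is the IPv6 counterpart of the IPv4 DSTNAT drop.
add action=drop chain=forward comment=\
"Drop remaining traffic on the forward chain"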
# IPv6 is only masqueraded towards Mullvad; towards the ISP it is routed
# natively from the delegated prefix.
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface-list=WG_WAN
# Router advertisements only on vlan91. The vlan92/vlan95 entries are
# disabled, so those VLANs get no global IPv6 from the router (link-local
# addresses still exist and can reach the router's input chain).
/ipv6 nd
set [ find default=yes ] disabled=yes
add disabled=yes interface=bridge
add interface=vlan91
add advertise-dns=no disabled=yes interface=vlan92
add advertise-dns=no disabled=yes interface=vlan95
# Policy routing for the Mullvad VLAN: anything for 192.168.1.0/24 is resolved
# in the main table first, then all remaining vlan95 traffic is confined to
# wg_mullvad. NOTE(review): the first rule covers only the vlan91 subnet, so
# vlan95 traffic for other local networks (e.g. 192.168.10.0/24 on wg0) is
# looked up in wg_mullvad, which holds only the default route — confirm that
# is intended.
/routing rule
add action=lookup-only-in-table comment=\
"Default routing table to be used for the path back to the main subnet" \
disabled=no dst-address=192.168.1.0/24 table=main
add action=lookup-only-in-table comment=\
"All IPv4 traffic on vlan95 must only use the wg_mullvad table" disabled=\
no dst-address=0.0.0.0/0 interface=vlan95 table=wg_mullvad
add action=lookup-only-in-table comment=\
"All IPv6 traffic on vlan95 must only use the wg_mullvad table" disabled=\
no dst-address=::/0 interface=vlan95 table=wg_mullvad
# Time settings: UK zone, NTP client against the uk pool (accurate time
# matters for WireGuard handshakes and for log correlation).
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
add address=2.uk.pool.ntp.org
add address=3.uk.pool.ntp.org
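# Layer-2 management (MAC-telnet and MAC-Winbox) is not subject to the IP
# firewall, so it is limited to the trusted interface list rather than LAN,
# which also contains vlan92 (LAN_UNTRUSTED) and vlan95. The exported value
# was LAN for both.
/tool mac-server
set allowed-interface-list=LAN_TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=LAN_TRUSTED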