Hi,
I'm at my wits' end with this, being somewhat of a beginner with networking.
Long story short: Helldivers 2 will work, and I can connect to other players, and they can join me, if I use my ISP-supplied router (BT HomeHub), and yet with my RB5009 I only get "failed to join game lobby" etc.
I've tried opening my firewall completely (temporarily) on both the router and Windows Firewall, disabling IPv6 on the PC and router, enabling UPnP (only for testing purposes, and confirmed UPnP itself does work) and various other things.
Is anyone able to have a quick look through my config to see whether I've erroneously included anything, particularly in the firewall rules, that could potentially cause connection issues (particularly with P2P game servers)?
My setup is as follows:
DrayTek Vigor 130 -> RB5009 (PPPoE) -> PC (Ethernet)
My PC itself has a static IP of 192.168.1.10 on vlan91 which is the most “trusted” within my firewall rules and should have access to any interface.
```
# 2024-04-24 18:54:39 by RouterOS 7.14.2
# software id = 46E2-14LJ
#
# model = RB5009UG+S+
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=18:XX:XX:XX:XX:3B auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mac-address=18:XX:XX:XX:XX:3A
set [ find default-name=ether2 ] mac-address=18:XX:XX:XX:XX:3B
set [ find default-name=ether3 ] mac-address=18:XX:XX:XX:XX:3C
set [ find default-name=ether4 ] mac-address=18:XX:XX:XX:XX:3D
set [ find default-name=ether5 ] mac-address=18:XX:XX:XX:XX:3E
set [ find default-name=ether6 ] mac-address=18:XX:XX:XX:XX:3F
set [ find default-name=ether7 ] mac-address=18:XX:XX:XX:XX:40
set [ find default-name=ether8 ] mac-address=18:XX:XX:XX:XX:41
set [ find default-name=sfp-sfpplus1 ] mac-address=18:XX:XX:XX:XX:42
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name="ISP PPPoE" \
    service-name=internet user=bthomehub@btbroadband.com
/interface wireguard
add comment="External -> Home" listen-port=13231 mtu=1420 name=wg0
add comment=Mullvad listen-port=61468 mtu=1420 name=wg1
/interface vlan
add interface=bridge name=vlan91 vlan-id=91
add interface=bridge name=vlan92 vlan-id=92
add interface=bridge name=vlan95 vlan-id=95
/interface list
add name=WAN
add name=LAN
add name=WG_VPN_Provider_Clients
add name=LAN_UNTRUSTED
add name=WG_WAN
add name=WG_CHG_MSS
add name=LAN_TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=6 name="Mullvad DNS (Adblock)" value="'100.64.0.1'"
/ip pool
add name=bridge ranges=192.168.88.100-192.168.88.199
add name=vlan92 ranges=192.168.2.100-192.168.2.199
add name=vlan95 ranges=192.168.5.100-192.168.5.199
add name=vlan91 ranges=192.168.1.100-192.168.1.199
add name=rescue ranges=192.168.89.100-192.168.89.199
/ip dhcp-server
add address-pool=bridge disabled=yes interface=bridge lease-time=10m name=\
    bridge
add address-pool=vlan95 interface=vlan95 lease-time=10m name=vlan95
add address-pool=vlan92 interface=vlan92 lease-time=10m name=vlan92
add address-pool=vlan91 interface=vlan91 lease-time=10m name=vlan91
add address-pool=rescue interface=ether8 lease-time=10m name=rescue
/ip smb users
set [ find default=yes ] disabled=yes
/queue type
add cake-diffserv=diffserv4 cake-nat=yes kind=cake name=cake-up
add cake-diffserv=diffserv4 kind=cake name=cake-down
/queue tree
add limit-at=5M max-limit=19M name=QT_Upload packet-mark=no-mark parent=\
    "ISP PPPoE" queue=cake-up
add limit-at=15M max-limit=74M name=QT_Download packet-mark=no-mark parent=\
    bridge queue=cake-down
/routing table
add fib name=wg_mullvad
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10 pvid=91
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10 pvid=95
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10 pvid=91
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 untagged=ether7 vlan-ids=95
add bridge=bridge tagged=bridge,ether3 vlan-ids=92
add bridge=bridge tagged=bridge untagged=\
    ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=91
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface="ISP PPPoE" list=WAN
add interface=vlan95 list=WG_VPN_Provider_Clients
add interface=vlan91 list=LAN
add interface=vlan92 list=LAN_UNTRUSTED
add interface=wg0 list=LAN
add interface=ether8 list=LAN
add interface=wg1 list=WG_WAN
add interface=bridge list=LAN_TRUSTED
add interface=vlan91 list=LAN_TRUSTED
add interface=wg0 list=LAN_TRUSTED
add interface=ether8 list=LAN_TRUSTED
add interface=vlan92 list=LAN
add interface=vlan95 list=LAN
/interface wireguard peers
add allowed-address=192.168.10.10/32 interface=wg0 public-key=\
    "XXXXXXXXXX"
add allowed-address=0.0.0.0/0,::/0 endpoint-address=\
    xxxxx.mullvad.net endpoint-port=51820 interface=wg1 \
    public-key="XXXXXXXXXX"
/ip address
add address=192.168.88.1/24 comment="bridge default" interface=bridge \
    network=192.168.88.0
add address=192.168.5.1/24 interface=vlan95 network=192.168.5.0
add address=192.168.2.1/24 interface=vlan92 network=192.168.2.0
add address=192.168.10.1/24 interface=wg0 network=192.168.10.0
add address=10.xxx.xxx.xxx interface=wg1 network=10.xxx.xxx.xxx
add address=192.168.0.1/24 interface=ether1 network=192.168.0.0
add address=192.168.1.1/24 interface=vlan91 network=192.168.1.0
add address=192.168.89.1/24 comment="rescue port" interface=ether8 network=\
    192.168.89.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.2.50 mac-address=1C:XX:XX:XX:XX:A2 server=vlan92
add address=192.168.5.199 client-id=1:1c:XX:XX:XX:XX:44 dhcp-option=\
    "Mullvad DNS (Adblock)" mac-address=1C:XX:XX:XX:XX:44 server=vlan95
add address=192.168.1.10 client-id=1:2c:XX:XX:XX:XX:7d mac-address=\
    2C:XX:XX:XX:XX:7D server=vlan91
add address=192.168.1.198 client-id=1:f0:XX:XX:XX:XX:3f mac-address=\
    F0:XX:XX:XX:XX:3F server=vlan91
add address=192.168.2.198 client-id=1:f0:XX:XX:XX:XX:3f mac-address=\
    F0:XX:XX:XX:XX:3F server=vlan92
/ip dhcp-server network
add address=192.168.1.0/24 comment=vlan91 dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
add address=192.168.2.0/24 comment=vlan92 dns-server=192.168.2.1 gateway=\
    192.168.2.1
add address=192.168.5.0/24 comment=vlan95 dns-server=10.64.0.1 gateway=\
    192.168.5.1 netmask=24
add address=192.168.88.0/24 comment=bridge dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
add address=192.168.89.0/24 comment=rescue dns-server=192.168.89.1 gateway=\
    192.168.89.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.10 comment="Reservation address for my machine" list=\
    "Main PC"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard (Home)" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "allow unrestricted access to the input chain from trusted LANs" \
    in-interface-list=LAN_TRUSTED
add action=accept chain=input comment="allow LAN DNS queries (UDP)" dst-port=\
    53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="allow LAN DNS queries (TCP)" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop remaining traffic on input chain"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="VPN Safety Net" in-interface-list=\
    WG_VPN_Provider_Clients out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow trusted LAN to forward to all interface lists" in-interface-list=\
    LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment=\
    "allow untrusted LAN to forward only to WAN" in-interface-list=\
    LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow specific clients through the WG provider tunnels" \
    in-interface-list=WG_VPN_Provider_Clients out-interface-list=WG_WAN
add action=accept chain=forward comment="allow Remote Play UDP from vlan95" \
    dst-address-list="Main PC" dst-port=27031,27036 in-interface=vlan95 \
    protocol=udp
add action=accept chain=forward comment="allow Remote Play TCP from vlan95" \
    dst-address-list="Main PC" dst-port=27036,27037 in-interface=vlan95 \
    protocol=tcp
add action=drop chain=forward comment=\
    "drop remaining traffic on the forward chain"
/ip firewall mangle
add action=change-mss chain=forward comment="WireGuard EXT. MSS Change - OUT" \
    disabled=yes new-mss=1380 out-interface-list=WG_CHG_MSS passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=change-mss chain=forward comment="WireGuard EXT. MSS Change - IN" \
    disabled=yes in-interface-list=WG_CHG_MSS new-mss=1380 passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="wg masquerade" ipsec-policy=\
    out,none out-interface-list=WG_WAN
/ip route
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=wg_mullvad
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=wg1 routing-table=\
    wg_mullvad scope=30 target-scope=10
/ip smb shares
set [ find default=yes ] directory=/pub
/ip upnp interfaces
add interface="ISP PPPoE" type=external
add interface=vlan91 type=internal
/ipv6 address
add address=fc00:XXXX:XXXX:XXXX::X:XXXX/128 advertise=no interface=wg1
add address=::1 from-pool=IPv6_ISP_Prefix interface=bridge
add address=::1 from-pool=IPv6_ISP_Prefix interface=vlan91
add address=::1 from-pool=IPv6_ISP_Prefix interface=vlan92
add address=::1 from-pool=IPv6_ISP_Prefix interface=vlan95
/ipv6 dhcp-client
add interface="ISP PPPoE" pool-name=IPv6_ISP_Prefix prefix-hint=\
    XXXX:XXXX:XXXX:XXXX::/56 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment=\
    "Allow full access to the LAN input chain from trusted LANs" disabled=yes \
    in-interface-list=LAN_TRUSTED
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=input comment="Allow LAN multicast (UDP)" disabled=\
    yes dst-address=ff00::/8 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (UDP)" disabled=\
    yes dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (TCP)" disabled=\
    yes dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=\
    "Drop remaining traffic on the input chain" disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="VPN Safety Net" in-interface-list=\
    WG_VPN_Provider_Clients out-interface-list=WAN
add action=accept chain=forward comment=\
    "Allow trusted LAN to forward to all interface lists" in-interface-list=\
    LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment=\
    "Allow untrusted LAN to forward only to WAN" in-interface-list=\
    LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment=\
    "Allow specific clients through the WG provider tunnels" \
    in-interface-list=WG_VPN_Provider_Clients out-interface-list=WG_WAN
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" disabled=yes \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "Drop remaining traffic on the forward chain"
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface-list=WG_WAN
/ipv6 nd
set [ find default=yes ] disabled=yes
add disabled=yes interface=bridge
add interface=vlan91
add advertise-dns=no disabled=yes interface=vlan92
add advertise-dns=no disabled=yes interface=vlan95
/routing rule
add action=lookup-only-in-table comment=\
    "Default routing table to be used for the path back to the main subnet" \
    disabled=no dst-address=192.168.1.0/24 table=main
add action=lookup-only-in-table comment=\
    "All IPv4 traffic on vlan95 must only use the wg_mullvad table" disabled=\
    no dst-address=0.0.0.0/0 interface=vlan95 table=wg_mullvad
add action=lookup-only-in-table comment=\
    "All IPv6 traffic on vlan95 must only use the wg_mullvad table" disabled=\
    no dst-address=::/0 interface=vlan95 table=wg_mullvad
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
add address=2.uk.pool.ntp.org
add address=3.uk.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```