connect to port 2 of the MikroTik
start WinBox

FORCE RESET
/system reset-configuration no-defaults=yes skip-backup=no
YES

/system identity set name=Router-A
/interface bridge add name=bridge-LAN

To enable safe mode

press Ctrl + X

/interface bridge port add bridge=bridge-LAN interface=ether2

PAUSE
copy-paste the whole lot in one go !!!

/interface bridge port add bridge=bridge-LAN interface=ether3
/interface bridge port add bridge=bridge-LAN interface=ether4
/interface bridge port add bridge=bridge-LAN interface=ether5
/ip address add address=10.1.202.1/24 interface=bridge-LAN comment="LAN Router-A"
/ip address add address=192.168.90.1/24 interface=ether1 comment="WAN Router-A"
/ip route add dst-address=192.168.80.0/24 gateway=192.168.90.254 comment="Ruta cap a WAN Router-B via NU-GAN5"
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes
/ip ipsec peer add name=peer-routerB address=192.168.80.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerB auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec policy add peer=peer-routerB tunnel=yes src-address=10.1.202.0/24 dst-address=10.1.101.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 proposal=proposta-vpn
/ip firewall nat add chain=srcnat src-address=10.1.202.0/24 dst-address=10.1.101.0/24 action=accept comment="No NAT cap a LAN-B per IPsec"
/ip route add dst-address=10.1.101.0/24 gateway=192.168.90.254 comment="Ruta cap a LAN-B per IPsec"


TEST !!
/ping 192.168.80.1
/ip ipsec active-peers print
/ip ipsec installed-sa print detail
/ping 10.1.101.1 src-address=10.1.202.1



And an important reminder: this rebuilds Router-A. For the clients to work without manual routes, they must have as their gateway:

Clients LAN A → 10.1.202.1
Clients LAN B → 10.1.101.1


This would be the clean block to rebuild Router-B / network B after a reset without defaults:

/system identity set name=Router-B

/interface bridge add name=bridge-LAN

/interface bridge port add bridge=bridge-LAN interface=ether2
/interface bridge port add bridge=bridge-LAN interface=ether3
/interface bridge port add bridge=bridge-LAN interface=ether4
/interface bridge port add bridge=bridge-LAN interface=ether5

/ip address add address=10.1.101.1/24 interface=bridge-LAN comment="LAN Router-B"
/ip address add address=192.168.80.1/24 interface=ether1 comment="WAN Router-B"

/ip route add dst-address=192.168.90.0/24 gateway=192.168.80.254 comment="Ruta cap a WAN Router-A via NU-GAN5"

/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes

/ip ipsec peer add name=peer-routerA address=192.168.90.1 exchange-mode=ike2 profile=perfil-vpn

/ip ipsec identity add peer=peer-routerA auth-method=pre-shared-key secret="class"

/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h

/ip ipsec policy add peer=peer-routerA tunnel=yes src-address=10.1.101.0/24 dst-address=10.1.202.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 proposal=proposta-vpn

/ip firewall nat add chain=srcnat src-address=10.1.101.0/24 dst-address=10.1.202.0/24 action=accept comment="No NAT cap a LAN-A per IPsec"

/ip route add dst-address=10.1.202.0/24 gateway=192.168.80.254 comment="Ruta cap a LAN-A per IPsec"

Minimal check from Router-B:

/ping 192.168.90.1
/ip ipsec active-peers print
/ip ipsec installed-sa print detail
/ping 10.1.202.1 src-address=10.1.101.1

And a reminder for the clients of network B:

Clients LAN B → gateway 10.1.101.1

If a LAN B client has a different gateway, it will need a specific route:

sudo ip route add 10.1.202.0/24 via 10.1.101.1
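
Added example, not part of the original notes: a Python check that the IPsec settings of Router-A and Router-B are identical where they must match and swapped where they must mirror, and that flags a short pre-shared key like the one used above. The names parse, check, SAME, SWAPPED and MIN_PSK_LEN and the 20-character threshold are assumptions; the sample input is the commands from these notes, trimmed.

```python
import shlex

# Constructed sample input: the IPsec lines of the two blocks above, trimmed to
# the parameters that must be identical or mirrored between the routers.
ROUTER_A = '''
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec peer add name=peer-routerB address=192.168.80.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerB auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy add peer=peer-routerB src-address=10.1.202.0/24 dst-address=10.1.101.0/24 sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1
'''
ROUTER_B = '''
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec peer add name=peer-routerA address=192.168.90.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerA auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy add peer=peer-routerA src-address=10.1.101.0/24 dst-address=10.1.202.0/24 sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1
'''
MIN_PSK_LEN = 20  # assumption: a local policy threshold, not a RouterOS limit
SAME = {"profile": ("hash-algorithm", "enc-algorithm", "dh-group"),
        "proposal": ("auth-algorithms", "enc-algorithms", "pfs-group"),
        "identity": ("auth-method", "secret"), "peer": ("exchange-mode",)}
SWAPPED = (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address"))

def parse(block):
    """Map each /ip ipsec submenu name to the key=value parameters of its add line."""
    menus = {}
    for line in block.strip().splitlines():
        words = shlex.split(line)          # handles secret="..." quoting
        i = words.index("add")
        menus[words[i - 1]] = dict(w.split("=", 1) for w in words[i + 1:])
    return menus

def check(block_a, block_b):
    """Return findings (never the secret itself); an empty list means both ends agree."""
    a, b = parse(block_a), parse(block_b)
    out = [f"mismatch: {m} {k}" for m, ks in SAME.items() for k in ks
           if a[m].get(k) != b[m].get(k)]
    pa, pb = a["policy"], b["policy"]
    out += [f"not mirrored: policy {x}/{y}" for x, y in SWAPPED
            if pa.get(x) != pb.get(y) or pa.get(y) != pb.get(x)]
    # Each peer address has to be the tunnel source address of the other router.
    if (a["peer"].get("address"), b["peer"].get("address")) != (pb.get("sa-src-address"), pa.get("sa-src-address")):
        out.append("peer address is not the remote sa-src-address")
    if any(len(c["identity"].get("secret", "")) < MIN_PSK_LEN for c in (a, b)):
        out.append(f"weak PSK: shorter than {MIN_PSK_LEN} characters")
    return out

if __name__ == "__main__":
    print(check(ROUTER_A, ROUTER_B))
```

With the two blocks as written in these notes, the only finding is the short pre-shared key; a mistyped subnet or algorithm on one side shows up as a "not mirrored" or "mismatch" line before the tunnel is tested.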





