Connect to port 2 of the MikroTik.
Start WinBox.

FORCE RESET

/system reset-configuration no-defaults=yes skip-backup=no

YES

/system identity set name=Router-A
/interface bridge add name=bridge-LAN

To enable safe mode, press Ctrl + X.

/interface bridge port add bridge=bridge-LAN interface=ether2

PAUSE. Copy-paste the rest in one go !!!

/interface bridge port add bridge=bridge-LAN interface=ether3
/interface bridge port add bridge=bridge-LAN interface=ether4
/interface bridge port add bridge=bridge-LAN interface=ether5
/ip address add address=10.1.202.1/24 interface=bridge-LAN comment="LAN Router-A"
/ip address add address=192.168.90.1/24 interface=ether1 comment="WAN Router-A"
/ip route add dst-address=192.168.80.0/24 gateway=192.168.90.254 comment="Ruta cap a WAN Router-B via NU-GAN5"
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes
/ip ipsec peer add name=peer-routerB address=192.168.80.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerB auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec policy add peer=peer-routerB tunnel=yes src-address=10.1.202.0/24 dst-address=10.1.101.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 proposal=proposta-vpn
/ip firewall nat add chain=srcnat src-address=10.1.202.0/24 dst-address=10.1.101.0/24 action=accept comment="No NAT cap a LAN-B per IPsec"
/ip route add dst-address=10.1.101.0/24 gateway=192.168.90.254 comment="Ruta cap a LAN-B per IPsec"

TEST !!

/ping 192.168.80.1
/ip ipsec active-peers print
/ip ipsec installed-sa print detail
/ping 10.1.101.1 src-address=10.1.202.1

And an important reminder: this rebuilds Router-A.

For the clients to work without manual routes, they must have as their gateway:

LAN A clients → 10.1.202.1
LAN B clients → 10.1.101.1

This would be the clean block to rebuild Router-B / network B after a reset without defaults:

/system identity set name=Router-B
/interface bridge add name=bridge-LAN
/interface bridge port add bridge=bridge-LAN interface=ether2
/interface bridge port add bridge=bridge-LAN interface=ether3
/interface bridge port add bridge=bridge-LAN interface=ether4
/interface bridge port add bridge=bridge-LAN interface=ether5
/ip address add address=10.1.101.1/24 interface=bridge-LAN comment="LAN Router-B"
/ip address add address=192.168.80.1/24 interface=ether1 comment="WAN Router-B"
/ip route add dst-address=192.168.90.0/24 gateway=192.168.80.254 comment="Ruta cap a WAN Router-A via NU-GAN5"
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes
/ip ipsec peer add name=peer-routerA address=192.168.90.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerA auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec policy add peer=peer-routerA tunnel=yes src-address=10.1.101.0/24 dst-address=10.1.202.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 proposal=proposta-vpn
/ip firewall nat add chain=srcnat src-address=10.1.101.0/24 dst-address=10.1.202.0/24 action=accept comment="No NAT cap a LAN-A per IPsec"
/ip route add dst-address=10.1.202.0/24 gateway=192.168.80.254 comment="Ruta cap a LAN-A per IPsec"

Minimal check from Router-B:

/ping 192.168.90.1
/ip ipsec active-peers print
/ip ipsec installed-sa print detail
/ping 10.1.202.1 src-address=10.1.101.1

And a reminder for the clients on network B:

LAN B clients → gateway 10.1.101.1

If a LAN B client has a different gateway, it will need a specific route:

sudo ip route add 10.1.202.0/24 via 10.1.101.1
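
A pre-deployment check for the two blocks above, as an added example that is not part of the original notes: it parses the IPsec lines copied from the Router-A and Router-B blocks, reports any profile, proposal or identity parameter that differs between the two ends, any policy address that is not mirrored, and a short pre-shared key. The function names and the 20-character minimum key length are assumptions of this example.

```python
import shlex

# IPsec lines copied from the Router-A and Router-B blocks on this page.
ROUTER_A = """
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes
/ip ipsec peer add name=peer-routerB address=192.168.80.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerB auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec policy add peer=peer-routerB tunnel=yes src-address=10.1.202.0/24 dst-address=10.1.101.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 proposal=proposta-vpn
"""
ROUTER_B = """
/ip ipsec profile add name=perfil-vpn hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h dpd-interval=120s dpd-maximum-failures=5 nat-traversal=yes
/ip ipsec peer add name=peer-routerA address=192.168.90.1 exchange-mode=ike2 profile=perfil-vpn
/ip ipsec identity add peer=peer-routerA auth-method=pre-shared-key secret="class"
/ip ipsec proposal add name=proposta-vpn auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec policy add peer=peer-routerA tunnel=yes src-address=10.1.101.0/24 dst-address=10.1.202.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 proposal=proposta-vpn
"""

def parse(text):
    """Map the last word of each menu path (profile, peer, ...) to its key=value parameters."""
    cfg = {}
    for line in text.strip().splitlines():
        path, _, params = line.partition(" add ")
        # shlex joins key="quoted value" into one token with the quotes removed
        cfg[path.split()[-1]] = dict(p.split("=", 1) for p in shlex.split(params))
    return cfg

def check_pair(a, b, min_psk_len=20):  # 20 is an assumed threshold, not a RouterOS limit
    """Return a list of findings about how the two ends of the tunnel relate."""
    a, b = parse(a), parse(b)
    findings = []
    for sec, skip in (("profile", ()), ("proposal", ()), ("identity", ("peer",))):
        for k in sorted(set(a[sec]) | set(b[sec])):
            if k not in skip and a[sec].get(k) != b[sec].get(k):
                findings.append(f"{sec}.{k} differs: {a[sec].get(k)} vs {b[sec].get(k)}")
    pa, pb = a["policy"], b["policy"]
    for x, y in (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")):
        if pa[x] != pb[y] or pa[y] != pb[x]:
            findings.append(f"policy {x}/{y} are not mirrored")
    if a["peer"]["address"] != pb["sa-src-address"] or b["peer"]["address"] != pa["sa-src-address"]:
        findings.append("peer address does not match the other side's sa-src-address")
    if len(a["identity"]["secret"]) < min_psk_len:
        findings.append(f"pre-shared key shorter than {min_psk_len} characters")
    return findings

if __name__ == "__main__":
    for finding in check_pair(ROUTER_A, ROUTER_B):
        print(finding)
```
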