Initial skills documentation — 25 categories, all SKILL.md + references + scripts
This commit is contained in:
@@ -0,0 +1,106 @@
|
||||
# Home Router Reference — CCR2004-16G-2S+
|
||||
|
||||
Validated onboarding target for the IT Pro Partner WireGuard tunnel pattern.
|
||||
|
||||
## Hardware
|
||||
|
||||
| Field | Value |
|
||||
|---|---|
|
||||
| Board | CCR2004-16G-2S+ |
|
||||
| Architecture | ARM64 (4 cores @ 1700MHz) |
|
||||
| RAM | 4 GB |
|
||||
| Storage | 128 MB NAND |
|
||||
| RouterOS | 7.18.2 (stable) |
|
||||
| ISP | AT&T residential fiber (CGNAT) |
|
||||
|
||||
## WireGuard Tunnel (Multi-Peer Topology)
|
||||
|
||||
The router has **two WireGuard peers** — one for Core (active Hermes) and one for app1-bu (warm standby). Both peers use the same interface `wg-itpp` on the router.
|
||||
|
||||
### Peer 1 — Core (netcup)
|
||||
- **Interface:** wg-itpp
|
||||
- **Listen port:** 13231 (same interface for both peers)
|
||||
- **Local IP:** 10.77.0.2/24
|
||||
- **Peer:** 10.77.0.1 (Core)
|
||||
- **Router public key (CURRENT):** `1fPwdGQ20CxlZCQZQV134olDcE91hfp78yNDeaKJZzg=`
|
||||
- **Core public key:** `WTwbuq3gwQDKaE8bdpBo/tFuO8fRcBlKX7ajSn5ry2k=`
|
||||
- **Endpoint:** 152.53.192.33:51821
|
||||
- **Keepalive:** 25s
|
||||
- **MTU:** 1420
|
||||
|
||||
### Peer 2 — app1-bu (Hetzner standby)
|
||||
- **Peer:** 10.77.0.3 (app1-bu)
|
||||
- **app1-bu public key:** `aEDfY/XzE5m6van/NkvMnYZoYuhptvs1GGkbqmaFKBQ=`
|
||||
- **Endpoint:** 5.161.114.8:51821
|
||||
- **Keepalive:** 25s
|
||||
|
||||
**Latency:** 37ms (Ashburn → Savannah) for Core, 87ms for app1-bu (Hetzner → Savannah)
|
||||
|
||||
**Firewall rules (cleaned, no duplicates):**
|
||||
- `Allow established/related input` — chain=input, connection-state=established,related, action=accept, place-before=1
|
||||
- `IPsec IKE` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=500
|
||||
- `allow WG (ITPP)` — chain=input, protocol=udp, dst-port=13231, action=accept
|
||||
- `IPsec NAT-T` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=4500
|
||||
- `L2TP` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=1701
|
||||
- `IPsec ESP` — chain=input, protocol=ipsec-esp, in-interface-list=WAN
|
||||
|
||||
Total firewall rules: 26 (cleaned from 31)
|
||||
|
||||
## SSH Access
|
||||
|
||||
- **Through WG tunnel (Core):** `ssh -i ~/.ssh/wisp_rsa shonuff@10.77.0.2`
|
||||
- **SSH restricted to:** 10.1.0.0/24, 10.1.1.0/24, 192.168.88.0/24, 10.77.0.0/24
|
||||
- **API restricted to:** 10.1.0.0/24, 10.1.1.0/24
|
||||
- **API-SSL:** disabled
|
||||
- **Winbox:** unrestricted (user requirement)
|
||||
|
||||
## SMTP Configuration (Status: Working)
|
||||
|
||||
**Applied settings:**
|
||||
- Server: `mail.germainebrown.com`
|
||||
- Port: `2525` (NOT 465 — times out from netcup infra)
|
||||
- TLS: `starttls` (NOT yes/SSL)
|
||||
- From/user: `g@germainebrown.com`
|
||||
- Password: `LoveMyBoys1520!`
|
||||
- Last status: **succeeded**
|
||||
|
||||
**DNS resolvers:** 10.1.1.14 (AdGuard primary), 10.1.1.10 (AdGuard backup)
|
||||
**Previously on:** 192.168.1.254 (AT&T DHCP) — could not resolve `mail.germainebrown.com`
|
||||
|
||||
**Scheduled email jobs (daily at 4 AM, run-count was 0 until SMTP fixes):**
|
||||
1. Email - Router Logs (`/log print file=home-rtr-logs`, sends `home-rtr-logs.txt`)
|
||||
2. Email - Router Config (`/export file=home-rtr-config`, sends `home-rtr-config.rsc`)
|
||||
3. Email - Router Backup (`/system backup save name=home-rtr`, sends `home-rtr.backup`)
|
||||
|
||||
**File naming fixed Jul 9:** All three scripts were using mismatched file names (created as `logs.txt` but emailed as `home-rtr-logs.txt`, etc.). Corrected to use consistent naming.
|
||||
|
||||
## DNS Logging
|
||||
|
||||
```
|
||||
/ip/dns/set allow-remote-requests=yes log-queries=yes log-fwd-queries=yes
|
||||
```
|
||||
|
||||
System logging outputs are set to `action=remote topics=dns remote=10.77.0.1:514 remote-log-prefix="home-rtr"`.
|
||||
|
||||
Note: Server-side syslog receiver on 10.77.0.1:514 is NOT yet configured (UDP 514 is not listening). This is a known gap — DNS logs are stored locally on the router but not yet shipped to the portal.
|
||||
|
||||
## Router Security Cleanup (Jul 9, 2026)
|
||||
|
||||
Removed:
|
||||
- 6 duplicate firewall rules (WG rules pasted multiple times during troubleshooting)
|
||||
- Remote Winbox SSTP client + scheduler + script (RWB_IP_RESOLVER)
|
||||
- Stale user `52a95oKcepCRctu` (last login March 2026)
|
||||
- shonuff L2TP PPP secret (WG covers server access now)
|
||||
- PAP/MSCHAP1 L2TP auth (hardened to CHAP+MSCHAP2 only)
|
||||
- API-SSL service (disabled)
|
||||
- SSH/API address restrictions added
|
||||
|
||||
Added:
|
||||
- Established/related INPUT chain rule (required for SMTP, outbound DNS)
|
||||
|
||||
## Notes
|
||||
|
||||
- The router is behind AT&T residential fiber with CGNAT. WireGuard tunnel with 25s keepalive survives NAT rebinds.
|
||||
- The wisp_rsa SSH key (comment "wisp-backup") is the key with tunnel access.
|
||||
- WireGuard keys: server private is `KkXVsdKyiYQVBbA5HbC9sF4dMX16WSmVOkVPYTq8mh8=` (pub: `WTwbuq3gwQDKaE8bdpBo/tFuO8fRcBlKX7ajSn5ry2k=`). Router private key may have been regenerated since initial setup — always verify actual public key via `/interface/wireguard/print detail where name=wg-itpp`, never trust an old config export.
|
||||
- L2TP client `to-core` is still configured but disabled since WG handles it. Remove if/when L2TP is fully decommissioned.
|
||||
Reference in New Issue
Block a user