# Home Router Reference — CCR2004-16G-2S+ Validated onboarding target for the IT Pro Partner WireGuard tunnel pattern. ## Hardware | Field | Value | |---|---| | Board | CCR2004-16G-2S+ | | Architecture | ARM64 (4 cores @ 1700MHz) | | RAM | 4 GB | | Storage | 128 MB NAND | | RouterOS | 7.18.2 (stable) | | ISP | AT&T residential fiber (CGNAT) | ## WireGuard Tunnel (Multi-Peer Topology) The router has **two WireGuard peers** — one for Core (active Hermes) and one for app1-bu (warm standby). Both peers use the same interface `wg-itpp` on the router. ### Peer 1 — Core (netcup) - **Interface:** wg-itpp - **Listen port:** 13231 (same interface for both peers) - **Local IP:** 10.77.0.2/24 - **Peer:** 10.77.0.1 (Core) - **Router public key (CURRENT):** `1fPwdGQ20CxlZCQZQV134olDcE91hfp78yNDeaKJZzg=` - **Core public key:** `WTwbuq3gwQDKaE8bdpBo/tFuO8fRcBlKX7ajSn5ry2k=` - **Endpoint:** 152.53.192.33:51821 - **Keepalive:** 25s - **MTU:** 1420 ### Peer 2 — app1-bu (Hetzner standby) - **Peer:** 10.77.0.3 (app1-bu) - **app1-bu public key:** `aEDfY/XzE5m6van/NkvMnYZoYuhptvs1GGkbqmaFKBQ=` - **Endpoint:** 5.161.114.8:51821 - **Keepalive:** 25s **Latency:** 37ms (Ashburn → Savannah) for Core, 87ms for app1-bu (Hetzner → Savannah) **Firewall rules (cleaned, no duplicates):** - `Allow established/related input` — chain=input, connection-state=established,related, action=accept, place-before=1 - `IPsec IKE` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=500 - `allow WG (ITPP)` — chain=input, protocol=udp, dst-port=13231, action=accept - `IPsec NAT-T` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=4500 - `L2TP` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=1701 - `IPsec ESP` — chain=input, protocol=ipsec-esp, in-interface-list=WAN Total firewall rules: 26 (cleaned from 31) ## SSH Access - **Through WG tunnel (Core):** `ssh -i ~/.ssh/wisp_rsa shonuff@10.77.0.2` - **SSH restricted to:** 10.1.0.0/24, 10.1.1.0/24, 192.168.88.0/24, 10.77.0.0/24 - **API restricted to:** 10.1.0.0/24, 10.1.1.0/24 - **API-SSL:** disabled - **Winbox:** unrestricted (user requirement) ## SMTP Configuration (Status: Working) **Applied settings:** - Server: `mail.germainebrown.com` - Port: `2525` (NOT 465 — times out from netcup infra) - TLS: `starttls` (NOT yes/SSL) - From/user: `g@germainebrown.com` - Password: `LoveMyBoys1520!` - Last status: **succeeded** **DNS resolvers:** 10.1.1.14 (AdGuard primary), 10.1.1.10 (AdGuard backup) **Previously on:** 192.168.1.254 (AT&T DHCP) — could not resolve `mail.germainebrown.com` **Scheduled email jobs (daily at 4 AM, run-count was 0 until SMTP fixes):** 1. Email - Router Logs (`/log print file=home-rtr-logs`, sends `home-rtr-logs.txt`) 2. Email - Router Config (`/export file=home-rtr-config`, sends `home-rtr-config.rsc`) 3. Email - Router Backup (`/system backup save name=home-rtr`, sends `home-rtr.backup`) **File naming fixed Jul 9:** All three scripts were using mismatched file names (created as `logs.txt` but emailed as `home-rtr-logs.txt`, etc.). Corrected to use consistent naming. ## DNS Logging ``` /ip/dns/set allow-remote-requests=yes log-queries=yes log-fwd-queries=yes ``` System logging outputs are set to `action=remote topics=dns remote=10.77.0.1:514 remote-log-prefix="home-rtr"`. Note: Server-side syslog receiver on 10.77.0.1:514 is NOT yet configured (UDP 514 is not listening). This is a known gap — DNS logs are stored locally on the router but not yet shipped to the portal. ## Router Security Cleanup (Jul 9, 2026) Removed: - 6 duplicate firewall rules (WG rules pasted multiple times during troubleshooting) - Remote Winbox SSTP client + scheduler + script (RWB_IP_RESOLVER) - Stale user `52a95oKcepCRctu` (last login March 2026) - shonuff L2TP PPP secret (WG covers server access now) - PAP/MSCHAP1 L2TP auth (hardened to CHAP+MSCHAP2 only) - API-SSL service (disabled) - SSH/API address restrictions added Added: - Established/related INPUT chain rule (required for SMTP, outbound DNS) ## Notes - The router is behind AT&T residential fiber with CGNAT. WireGuard tunnel with 25s keepalive survives NAT rebinds. - The wisp_rsa SSH key (comment "wisp-backup") is the key with tunnel access. - WireGuard keys: server private is `KkXVsdKyiYQVBbA5HbC9sF4dMX16WSmVOkVPYTq8mh8=` (pub: `WTwbuq3gwQDKaE8bdpBo/tFuO8fRcBlKX7ajSn5ry2k=`). Router private key may have been regenerated since initial setup — always verify actual public key via `/interface/wireguard/print detail where name=wg-itpp`, never trust an old config export. - L2TP client `to-core` is still configured but disabled since WG handles it. Remove if/when L2TP is fully decommissioned.