Files

107 lines
4.6 KiB
Markdown

# Home Router Reference — CCR2004-16G-2S+
Validated onboarding target for the IT Pro Partner WireGuard tunnel pattern.
## Hardware
| Field | Value |
|---|---|
| Board | CCR2004-16G-2S+ |
| Architecture | ARM64 (4 cores @ 1700MHz) |
| RAM | 4 GB |
| Storage | 128 MB NAND |
| RouterOS | 7.18.2 (stable) |
| ISP | AT&T residential fiber (CGNAT) |
## WireGuard Tunnel (Multi-Peer Topology)
The router has **two WireGuard peers** — one for Core (active Hermes) and one for app1-bu (warm standby). Both peers use the same interface `wg-itpp` on the router.
### Peer 1 — Core (netcup)
- **Interface:** wg-itpp
- **Listen port:** 13231 (same interface for both peers)
- **Local IP:** 10.77.0.2/24
- **Peer:** 10.77.0.1 (Core)
- **Router public key (CURRENT):** `1fPwdGQ20CxlZCQZQV134olDcE91hfp78yNDeaKJZzg=`
- **Core public key:** `WTwbuq3gwQDKaE8bdpBo/tFuO8fRcBlKX7ajSn5ry2k=`
- **Endpoint:** 152.53.192.33:51821
- **Keepalive:** 25s
- **MTU:** 1420
### Peer 2 — app1-bu (Hetzner standby)
- **Peer:** 10.77.0.3 (app1-bu)
- **app1-bu public key:** `aEDfY/XzE5m6van/NkvMnYZoYuhptvs1GGkbqmaFKBQ=`
- **Endpoint:** 5.161.114.8:51821
- **Keepalive:** 25s
**Latency:** 37ms (Ashburn → Savannah) for Core, 87ms for app1-bu (Hetzner → Savannah)
**Firewall rules (cleaned, no duplicates):**
- `Allow established/related input` — chain=input, connection-state=established,related, action=accept, place-before=1
- `IPsec IKE` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=500
- `allow WG (ITPP)` — chain=input, protocol=udp, dst-port=13231, action=accept
- `IPsec NAT-T` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=4500
- `L2TP` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=1701
- `IPsec ESP` — chain=input, protocol=ipsec-esp, in-interface-list=WAN
Total firewall rules: 26 (cleaned from 31)
## SSH Access
- **Through WG tunnel (Core):** `ssh -i ~/.ssh/wisp_rsa shonuff@10.77.0.2`
- **SSH restricted to:** 10.1.0.0/24, 10.1.1.0/24, 192.168.88.0/24, 10.77.0.0/24
- **API restricted to:** 10.1.0.0/24, 10.1.1.0/24
- **API-SSL:** disabled
- **Winbox:** unrestricted (user requirement)
## SMTP Configuration (Status: Working)
**Applied settings:**
- Server: `mail.germainebrown.com`
- Port: `2525` (NOT 465 — times out from netcup infra)
- TLS: `starttls` (NOT yes/SSL)
- From/user: `g@germainebrown.com`
- Password: `LoveMyBoys1520!`
- Last status: **succeeded**
**DNS resolvers:** 10.1.1.14 (AdGuard primary), 10.1.1.10 (AdGuard backup)
**Previously on:** 192.168.1.254 (AT&T DHCP) — could not resolve `mail.germainebrown.com`
**Scheduled email jobs (daily at 4 AM, run-count was 0 until SMTP fixes):**
1. Email - Router Logs (`/log print file=home-rtr-logs`, sends `home-rtr-logs.txt`)
2. Email - Router Config (`/export file=home-rtr-config`, sends `home-rtr-config.rsc`)
3. Email - Router Backup (`/system backup save name=home-rtr`, sends `home-rtr.backup`)
**File naming fixed Jul 9:** All three scripts were using mismatched file names (created as `logs.txt` but emailed as `home-rtr-logs.txt`, etc.). Corrected to use consistent naming.
## DNS Logging
```
/ip/dns/set allow-remote-requests=yes log-queries=yes log-fwd-queries=yes
```
System logging outputs are set to `action=remote topics=dns remote=10.77.0.1:514 remote-log-prefix="home-rtr"`.
Note: Server-side syslog receiver on 10.77.0.1:514 is NOT yet configured (UDP 514 is not listening). This is a known gap — DNS logs are stored locally on the router but not yet shipped to the portal.
## Router Security Cleanup (Jul 9, 2026)
Removed:
- 6 duplicate firewall rules (WG rules pasted multiple times during troubleshooting)
- Remote Winbox SSTP client + scheduler + script (RWB_IP_RESOLVER)
- Stale user `52a95oKcepCRctu` (last login March 2026)
- shonuff L2TP PPP secret (WG covers server access now)
- PAP/MSCHAP1 L2TP auth (hardened to CHAP+MSCHAP2 only)
- API-SSL service (disabled)
- SSH/API address restrictions added
Added:
- Established/related INPUT chain rule (required for SMTP, outbound DNS)
## Notes
- The router is behind AT&T residential fiber with CGNAT. WireGuard tunnel with 25s keepalive survives NAT rebinds.
- The wisp_rsa SSH key (comment "wisp-backup") is the key with tunnel access.
- WireGuard keys: server private is `KkXVsdKyiYQVBbA5HbC9sF4dMX16WSmVOkVPYTq8mh8=` (pub: `WTwbuq3gwQDKaE8bdpBo/tFuO8fRcBlKX7ajSn5ry2k=`). Router private key may have been regenerated since initial setup — always verify actual public key via `/interface/wireguard/print detail where name=wg-itpp`, never trust an old config export.
- L2TP client `to-core` is still configured but disabled since WG handles it. Remove if/when L2TP is fully decommissioned.