Files
hermes-skills/skills/devops/mikrotik-onboarding/references/home-router-reference.md
T

4.6 KiB

Home Router Reference — CCR2004-16G-2S+

Validated onboarding target for the IT Pro Partner WireGuard tunnel pattern.

Hardware

Field Value
Board CCR2004-16G-2S+
Architecture ARM64 (4 cores @ 1700MHz)
RAM 4 GB
Storage 128 MB NAND
RouterOS 7.18.2 (stable)
ISP AT&T residential fiber (CGNAT)

WireGuard Tunnel (Multi-Peer Topology)

The router has two WireGuard peers — one for Core (active Hermes) and one for app1-bu (warm standby). Both peers use the same interface wg-itpp on the router.

Peer 1 — Core (netcup)

  • Interface: wg-itpp
  • Listen port: 13231 (same interface for both peers)
  • Local IP: 10.77.0.2/24
  • Peer: 10.77.0.1 (Core)
  • Router public key (CURRENT): 1fPwdGQ20CxlZCQZQV134olDcE91hfp78yNDeaKJZzg=
  • Core public key: WTwbuq3gwQDKaE8bdpBo/tFuO8fRcBlKX7ajSn5ry2k=
  • Endpoint: 152.53.192.33:51821
  • Keepalive: 25s
  • MTU: 1420

Peer 2 — app1-bu (Hetzner standby)

  • Peer: 10.77.0.3 (app1-bu)
  • app1-bu public key: aEDfY/XzE5m6van/NkvMnYZoYuhptvs1GGkbqmaFKBQ=
  • Endpoint: 5.161.114.8:51821
  • Keepalive: 25s

Latency: 37ms (Ashburn → Savannah) for Core, 87ms for app1-bu (Hetzner → Savannah)

Firewall rules (cleaned, no duplicates):

  • Allow established/related input — chain=input, connection-state=established,related, action=accept, place-before=1
  • IPsec IKE — chain=input, protocol=udp, in-interface-list=WAN, dst-port=500
  • allow WG (ITPP) — chain=input, protocol=udp, dst-port=13231, action=accept
  • IPsec NAT-T — chain=input, protocol=udp, in-interface-list=WAN, dst-port=4500
  • L2TP — chain=input, protocol=udp, in-interface-list=WAN, dst-port=1701
  • IPsec ESP — chain=input, protocol=ipsec-esp, in-interface-list=WAN

Total firewall rules: 26 (cleaned from 31)

SSH Access

  • Through WG tunnel (Core): ssh -i ~/.ssh/wisp_rsa shonuff@10.77.0.2
  • SSH restricted to: 10.1.0.0/24, 10.1.1.0/24, 192.168.88.0/24, 10.77.0.0/24
  • API restricted to: 10.1.0.0/24, 10.1.1.0/24
  • API-SSL: disabled
  • Winbox: unrestricted (user requirement)

SMTP Configuration (Status: Working)

Applied settings:

  • Server: mail.germainebrown.com
  • Port: 2525 (NOT 465 — times out from netcup infra)
  • TLS: starttls (NOT yes/SSL)
  • From/user: g@germainebrown.com
  • Password: LoveMyBoys1520!
  • Last status: succeeded

DNS resolvers: 10.1.1.14 (AdGuard primary), 10.1.1.10 (AdGuard backup) Previously on: 192.168.1.254 (AT&T DHCP) — could not resolve mail.germainebrown.com

Scheduled email jobs (daily at 4 AM, run-count was 0 until SMTP fixes):

  1. Email - Router Logs (/log print file=home-rtr-logs, sends home-rtr-logs.txt)
  2. Email - Router Config (/export file=home-rtr-config, sends home-rtr-config.rsc)
  3. Email - Router Backup (/system backup save name=home-rtr, sends home-rtr.backup)

File naming fixed Jul 9: All three scripts were using mismatched file names (created as logs.txt but emailed as home-rtr-logs.txt, etc.). Corrected to use consistent naming.

DNS Logging

/ip/dns/set allow-remote-requests=yes log-queries=yes log-fwd-queries=yes

System logging outputs are set to action=remote topics=dns remote=10.77.0.1:514 remote-log-prefix="home-rtr".

Note: Server-side syslog receiver on 10.77.0.1:514 is NOT yet configured (UDP 514 is not listening). This is a known gap — DNS logs are stored locally on the router but not yet shipped to the portal.

Router Security Cleanup (Jul 9, 2026)

Removed:

  • 6 duplicate firewall rules (WG rules pasted multiple times during troubleshooting)
  • Remote Winbox SSTP client + scheduler + script (RWB_IP_RESOLVER)
  • Stale user 52a95oKcepCRctu (last login March 2026)
  • shonuff L2TP PPP secret (WG covers server access now)
  • PAP/MSCHAP1 L2TP auth (hardened to CHAP+MSCHAP2 only)
  • API-SSL service (disabled)
  • SSH/API address restrictions added

Added:

  • Established/related INPUT chain rule (required for SMTP, outbound DNS)

Notes

  • The router is behind AT&T residential fiber with CGNAT. WireGuard tunnel with 25s keepalive survives NAT rebinds.
  • The wisp_rsa SSH key (comment "wisp-backup") is the key with tunnel access.
  • WireGuard keys: server private is KkXVsdKyiYQVBbA5HbC9sF4dMX16WSmVOkVPYTq8mh8= (pub: WTwbuq3gwQDKaE8bdpBo/tFuO8fRcBlKX7ajSn5ry2k=). Router private key may have been regenerated since initial setup — always verify actual public key via /interface/wireguard/print detail where name=wg-itpp, never trust an old config export.
  • L2TP client to-core is still configured but disabled since WG handles it. Remove if/when L2TP is fully decommissioned.