107 lines
4.6 KiB
Markdown
107 lines
4.6 KiB
Markdown
# Home Router Reference — CCR2004-16G-2S+
|
|
|
|
Validated onboarding target for the IT Pro Partner WireGuard tunnel pattern.
|
|
|
|
## Hardware
|
|
|
|
| Field | Value |
|
|
|---|---|
|
|
| Board | CCR2004-16G-2S+ |
|
|
| Architecture | ARM64 (4 cores @ 1700MHz) |
|
|
| RAM | 4 GB |
|
|
| Storage | 128 MB NAND |
|
|
| RouterOS | 7.18.2 (stable) |
|
|
| ISP | AT&T residential fiber (CGNAT) |
|
|
|
|
## WireGuard Tunnel (Multi-Peer Topology)
|
|
|
|
The router has **two WireGuard peers** — one for Core (active Hermes) and one for app1-bu (warm standby). Both peers use the same interface `wg-itpp` on the router.
|
|
|
|
### Peer 1 — Core (netcup)
|
|
- **Interface:** wg-itpp
|
|
- **Listen port:** 13231 (same interface for both peers)
|
|
- **Local IP:** 10.77.0.2/24
|
|
- **Peer:** 10.77.0.1 (Core)
|
|
- **Router public key (CURRENT):** `1fPwdGQ20CxlZCQZQV134olDcE91hfp78yNDeaKJZzg=`
|
|
- **Core public key:** `WTwbuq3gwQDKaE8bdpBo/tFuO8fRcBlKX7ajSn5ry2k=`
|
|
- **Endpoint:** 152.53.192.33:51821
|
|
- **Keepalive:** 25s
|
|
- **MTU:** 1420
|
|
|
|
### Peer 2 — app1-bu (Hetzner standby)
|
|
- **Peer:** 10.77.0.3 (app1-bu)
|
|
- **app1-bu public key:** `aEDfY/XzE5m6van/NkvMnYZoYuhptvs1GGkbqmaFKBQ=`
|
|
- **Endpoint:** 5.161.114.8:51821
|
|
- **Keepalive:** 25s
|
|
|
|
**Latency:** 37ms (Ashburn → Savannah) for Core, 87ms for app1-bu (Hetzner → Savannah)
|
|
|
|
**Firewall rules (cleaned, no duplicates):**
|
|
- `Allow established/related input` — chain=input, connection-state=established,related, action=accept, place-before=1
|
|
- `IPsec IKE` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=500
|
|
- `allow WG (ITPP)` — chain=input, protocol=udp, dst-port=13231, action=accept
|
|
- `IPsec NAT-T` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=4500
|
|
- `L2TP` — chain=input, protocol=udp, in-interface-list=WAN, dst-port=1701
|
|
- `IPsec ESP` — chain=input, protocol=ipsec-esp, in-interface-list=WAN
|
|
|
|
Total firewall rules: 26 (cleaned from 31)
|
|
|
|
## SSH Access
|
|
|
|
- **Through WG tunnel (Core):** `ssh -i ~/.ssh/wisp_rsa shonuff@10.77.0.2`
|
|
- **SSH restricted to:** 10.1.0.0/24, 10.1.1.0/24, 192.168.88.0/24, 10.77.0.0/24
|
|
- **API restricted to:** 10.1.0.0/24, 10.1.1.0/24
|
|
- **API-SSL:** disabled
|
|
- **Winbox:** unrestricted (user requirement)
|
|
|
|
## SMTP Configuration (Status: Working)
|
|
|
|
**Applied settings:**
|
|
- Server: `mail.germainebrown.com`
|
|
- Port: `2525` (NOT 465 — times out from netcup infra)
|
|
- TLS: `starttls` (NOT yes/SSL)
|
|
- From/user: `g@germainebrown.com`
|
|
- Password: `LoveMyBoys1520!`
|
|
- Last status: **succeeded**
|
|
|
|
**DNS resolvers:** 10.1.1.14 (AdGuard primary), 10.1.1.10 (AdGuard backup)
|
|
**Previously on:** 192.168.1.254 (AT&T DHCP) — could not resolve `mail.germainebrown.com`
|
|
|
|
**Scheduled email jobs (daily at 4 AM, run-count was 0 until SMTP fixes):**
|
|
1. Email - Router Logs (`/log print file=home-rtr-logs`, sends `home-rtr-logs.txt`)
|
|
2. Email - Router Config (`/export file=home-rtr-config`, sends `home-rtr-config.rsc`)
|
|
3. Email - Router Backup (`/system backup save name=home-rtr`, sends `home-rtr.backup`)
|
|
|
|
**File naming fixed Jul 9:** All three scripts were using mismatched file names (created as `logs.txt` but emailed as `home-rtr-logs.txt`, etc.). Corrected to use consistent naming.
|
|
|
|
## DNS Logging
|
|
|
|
```
|
|
/ip/dns/set allow-remote-requests=yes log-queries=yes log-fwd-queries=yes
|
|
```
|
|
|
|
System logging outputs are set to `action=remote topics=dns remote=10.77.0.1:514 remote-log-prefix="home-rtr"`.
|
|
|
|
Note: Server-side syslog receiver on 10.77.0.1:514 is NOT yet configured (UDP 514 is not listening). This is a known gap — DNS logs are stored locally on the router but not yet shipped to the portal.
|
|
|
|
## Router Security Cleanup (Jul 9, 2026)
|
|
|
|
Removed:
|
|
- 6 duplicate firewall rules (WG rules pasted multiple times during troubleshooting)
|
|
- Remote Winbox SSTP client + scheduler + script (RWB_IP_RESOLVER)
|
|
- Stale user `52a95oKcepCRctu` (last login March 2026)
|
|
- shonuff L2TP PPP secret (WG covers server access now)
|
|
- PAP/MSCHAP1 L2TP auth (hardened to CHAP+MSCHAP2 only)
|
|
- API-SSL service (disabled)
|
|
- SSH/API address restrictions added
|
|
|
|
Added:
|
|
- Established/related INPUT chain rule (required for SMTP, outbound DNS)
|
|
|
|
## Notes
|
|
|
|
- The router is behind AT&T residential fiber with CGNAT. WireGuard tunnel with 25s keepalive survives NAT rebinds.
|
|
- The wisp_rsa SSH key (comment "wisp-backup") is the key with tunnel access.
|
|
- WireGuard keys: server private is `KkXVsdKyiYQVBbA5HbC9sF4dMX16WSmVOkVPYTq8mh8=` (pub: `WTwbuq3gwQDKaE8bdpBo/tFuO8fRcBlKX7ajSn5ry2k=`). Router private key may have been regenerated since initial setup — always verify actual public key via `/interface/wireguard/print detail where name=wg-itpp`, never trust an old config export.
|
|
- L2TP client `to-core` is still configured but disabled since WG handles it. Remove if/when L2TP is fully decommissioned.
|