- # jun/01/2023 01:03:48 by RouterOS 7.7
- # software id =
- #
- # Layer 2: a single VLAN-aware bridge (vlan-filtering=yes) carries every VLAN.
- # NOTE(review): ingress-filtering=no is set explicitly on the bridge itself;
- # confirm this is intended alongside vlan-filtering=yes.
- /interface bridge
- add ingress-filtering=no name=bridge1 priority=0x1000 vlan-filtering=yes
- # Rename the physical ports after their role: three LACP pairs (RT1, SW1, SW2),
- # three VLAN 10 server access ports, one management access port and the WAN uplink.
- /interface ethernet
- set [ find default-name=ether1 ] name=ether1-LACP-RT1
- set [ find default-name=ether2 ] name=ether2-LACP-RT1
- set [ find default-name=ether3 ] name=ether3-LACP-SW1
- set [ find default-name=ether4 ] name=ether4-LACP-SW1
- set [ find default-name=ether5 ] name=ether5-LACP-SW2
- set [ find default-name=ether6 ] name=ether6-LACP-SW2
- set [ find default-name=ether7 ] name=ether7-VLAN10-Servers
- set [ find default-name=ether8 ] name=ether8-VLAN10-Servers
- set [ find default-name=ether9 ] name=ether9-VLAN10-Servers
- set [ find default-name=ether10 ] name=ether10-Management
- set [ find default-name=ether11 ] name=sfp-sfpplus1-WAN
- # One routed VLAN interface per segment, all on top of bridge1.
- /interface vlan
- add interface=bridge1 mtu=1496 name=Cameras vlan-id=30
- add interface=bridge1 mtu=1496 name=Guest vlan-id=50
- add interface=bridge1 mtu=1496 name=Hosts vlan-id=20
- add interface=bridge1 mtu=1496 name=Management vlan-id=99
- add interface=bridge1 mtu=1496 name=Servers vlan-id=10
- add interface=bridge1 mtu=1496 name=WiFi vlan-id=40
- # 802.3ad (LACP) bonds towards RT1, SW1 and SW2, two member ports each.
- /interface bonding
- add mode=802.3ad name=LACP-RT1 slaves=ether1-LACP-RT1,ether2-LACP-RT1 \
- transmit-hash-policy=layer-2-and-3
- add mode=802.3ad name=LACP-SW1 slaves=ether3-LACP-SW1,ether4-LACP-SW1 \
- transmit-hash-policy=layer-2-and-3
- add mode=802.3ad name=LACP-SW2 slaves=ether5-LACP-SW2,ether6-LACP-SW2 \
- transmit-hash-policy=layer-2-and-3
- # One VRRP instance per VLAN; vrid equals the VLAN id. Priority is 101 for
- # Cameras, Guest and WiFi and 99 for Hosts, Management and Servers.
- # NOTE(review): no VRRP authentication or version setting appears in this
- # export; confirm what the peer router uses and that only trusted devices can
- # send VRRP advertisements on these segments.
- /interface vrrp
- add interface=Cameras mtu=1496 name="VRRP Cameras" priority=101 vrid=30
- add interface=Guest mtu=1496 name="VRRP Guest" priority=101 vrid=50
- add interface=Hosts mtu=1496 name="VRRP Hosts" priority=99 vrid=20
- add interface=Management mtu=1496 name="VRRP Management" priority=99 vrid=99
- add interface=Servers mtu=1496 name="VRRP Servers" priority=99 vrid=10
- add interface=WiFi mtu=1496 name="VRRP WiFi" priority=101 vrid=40
- # Interface lists referenced by the firewall rules.
- /interface list
- add name=LAN
- add name=WAN
- /interface wireless security-profiles
- set [ find default=yes ] supplicant-identity=MikroTik
- /port
- set 0 name=serial0
- # Bridge membership: the three bonds are added without a pvid; ether7-9 are
- # access ports in VLAN 10 and ether10 is an access port in VLAN 99.
- # NOTE(review): no frame-types value is shown for the access ports, so
- # presumably the default (admit-all) applies and tagged frames are still
- # accepted on them; consider frame-types=admit-only-untagged-and-priority-tagged
- # on ether7-ether10. Verify on the device.
- /interface bridge port
- add bridge=bridge1 interface=LACP-RT1
- add bridge=bridge1 interface=LACP-SW1
- add bridge=bridge1 interface=LACP-SW2
- add bridge=bridge1 interface=ether7-VLAN10-Servers pvid=10
- add bridge=bridge1 interface=ether8-VLAN10-Servers pvid=10
- add bridge=bridge1 interface=ether9-VLAN10-Servers pvid=10
- add bridge=bridge1 interface=ether10-Management pvid=99
- # VLAN table: every VLAN is tagged on all three bonds and on the bridge (CPU)
- # port; VLAN 99 and VLAN 10 additionally leave untagged on their access ports.
- /interface bridge vlan
- add bridge=bridge1 tagged=LACP-RT1,LACP-SW1,LACP-SW2,bridge1 vlan-ids=20
- add bridge=bridge1 tagged=LACP-RT1,LACP-SW1,LACP-SW2,bridge1 vlan-ids=30
- add bridge=bridge1 tagged=LACP-RT1,LACP-SW1,LACP-SW2,bridge1 vlan-ids=40
- add bridge=bridge1 tagged=LACP-RT1,LACP-SW1,LACP-SW2,bridge1 vlan-ids=50
- add bridge=bridge1 tagged=LACP-RT1,LACP-SW1,LACP-SW2,bridge1 untagged=\
- ether10-Management vlan-ids=99
- add bridge=bridge1 tagged=LACP-RT1,LACP-SW1,LACP-SW2,bridge1 untagged=\
- ether7-VLAN10-Servers,ether8-VLAN10-Servers,ether9-VLAN10-Servers \
- vlan-ids=10
- # WAN holds only the uplink port. LAN holds bridge1 plus every VLAN and VRRP
- # interface, including Guest, Cameras and WiFi.
- # NOTE(review): the input chain's "drop all not coming from LAN" rule keys on
- # this list, so traffic from the Guest, Cameras and WiFi segments to the router
- # itself is not dropped by it. A narrower list for management access would
- # separate trusted from untrusted segments.
- /interface list member
- add interface=sfp-sfpplus1-WAN list=WAN
- add interface=bridge1 list=LAN
- add interface="VRRP Hosts" list=LAN
- add interface="VRRP Servers" list=LAN
- add interface="VRRP Cameras" list=LAN
- add interface="VRRP Guest" list=LAN
- add interface="VRRP WiFi" list=LAN
- add interface=Hosts list=LAN
- add interface=Servers list=LAN
- add interface=Cameras list=LAN
- add interface=Guest list=LAN
- add interface=WiFi list=LAN
- add interface="VRRP Management" list=LAN
- add interface=Management list=LAN
- # Addressing: the WAN port sits in 192.168.10.0/24; each VLAN interface takes
- # .253 in its own 172.16.<vlan-id>.0/24 network, and each VRRP interface holds
- # the shared .1 address for that network.
- /ip address
- add address=192.168.10.20/24 interface=sfp-sfpplus1-WAN network=192.168.10.0
- add address=172.16.10.253/24 interface=Servers network=172.16.10.0
- add address=172.16.20.253/24 interface=Hosts network=172.16.20.0
- add address=172.16.30.253/24 interface=Cameras network=172.16.30.0
- add address=172.16.40.253/24 interface=WiFi network=172.16.40.0
- add address=172.16.50.253/24 interface=Guest network=172.16.50.0
- add address=172.16.99.253/24 interface=Management network=172.16.99.0
- add address=172.16.10.1 interface="VRRP Servers" network=172.16.10.1
- add address=172.16.20.1 interface="VRRP Hosts" network=172.16.20.1
- add address=172.16.30.1 interface="VRRP Cameras" network=172.16.30.1
- add address=172.16.40.1 interface="VRRP WiFi" network=172.16.40.1
- add address=172.16.50.1 interface="VRRP Guest" network=172.16.50.1
- add address=172.16.99.1 interface="VRRP Management" network=172.16.99.1
- # DHCP requests from Hosts, WiFi and Guest are relayed to 172.16.10.12, an
- # address inside the Servers network. No relay is defined for Cameras,
- # Management or Servers.
- /ip dhcp-relay
- add dhcp-server=172.16.10.12 disabled=no interface=Hosts name=Hosts
- add dhcp-server=172.16.10.12 disabled=no interface=WiFi name=Wifi
- add dhcp-server=172.16.10.12 disabled=no interface=Guest name=Guest
- # Address lists used by the filter rules. "Allowed" names two single hosts in
- # the WAN-side 192.168.10.0/24 network; the other lists mirror the VLAN subnets.
- /ip firewall address-list
- add address=192.168.10.150 list=Allowed
- add address=192.168.10.1 list=Allowed
- add address=172.16.50.0/24 list=Guest
- add address=172.16.20.0/24 list=Hosts
- add address=172.16.10.0/24 list=Servers
- add address=172.16.30.0/24 list=Cameras
- add address=172.16.40.0/24 list=Wifi
- add address=172.16.99.0/24 list=Management
- # Filter rules are evaluated top to bottom, so the order below matters.
- /ip firewall filter
- # --- input chain: traffic addressed to the router itself ---
- add action=accept chain=input comment=\
- "defconf: accept established,related,untracked" connection-state=\
- established,related,untracked
- add action=drop chain=input comment="defconf: drop invalid" connection-state=\
- invalid
- add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- add action=accept chain=input comment=\
- "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
- # Rule comment (Dutch): "Allow Winbox from WAN via a specific IP address".
- # Matches on source address list only; no in-interface is specified.
- add action=accept chain=input comment=\
- "Winbox toelaten van WAN via specifiek IP adress" dst-port=8291 protocol=\
- tcp src-address-list=Allowed
- # Rule comment (Dutch): "Allow SNMP from WAN via a specific IP address".
- add action=accept chain=input comment=\
- "SNMP toelaten van WAN via specifiek IP adress" dst-port=161 protocol=udp \
- src-address-list=Allowed
- # Last input rule: only traffic that did NOT arrive on a LAN-list interface is
- # dropped; nothing after it drops input from LAN-list interfaces.
- # NOTE(review): the LAN list contains the Guest, Cameras and WiFi interfaces,
- # so those segments can reach whatever services the router exposes. This export
- # shows no /ip service section, so presumably the service defaults apply;
- # verify, and consider limiting management access to the Management VLAN.
- add action=drop chain=input comment="defconf: drop all not coming from LAN" \
- in-interface-list=!LAN
- # --- forward chain: traffic routed through the router ---
- add action=accept chain=forward comment="defconf: accept in ipsec policy" \
- ipsec-policy=in,ipsec
- add action=accept chain=forward comment="defconf: accept out ipsec policy" \
- ipsec-policy=out,ipsec
- add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
- connection-state=established,related hw-offload=yes
- add action=accept chain=forward comment=\
- "defconf: accept established,related, untracked" connection-state=\
- established,related,untracked
- add action=drop chain=forward comment="defconf: drop invalid" \
- connection-state=invalid
- # Inter-VLAN allow rules: Hosts, Wifi and Servers may open connections to each
- # other in both directions. The rules match on address lists only (no port or
- # protocol), so all traffic between these subnets is permitted.
- add action=accept chain=forward comment="accept hosts to servers" \
- dst-address-list=Servers src-address-list=Hosts
- add action=accept chain=forward comment="accept servers to hosts" \
- dst-address-list=Hosts src-address-list=Servers
- add action=accept chain=forward comment="accept wifi to servers" \
- dst-address-list=Servers src-address-list=Wifi
- add action=accept chain=forward comment="accept servers to wifi" \
- dst-address-list=Wifi src-address-list=Servers
- add action=accept chain=forward comment="accept wifi to hosts" \
- dst-address-list=Hosts src-address-list=Wifi
- add action=accept chain=forward comment="accept host to wifi" \
- dst-address-list=Wifi src-address-list=Hosts
- # Management sources may reach anything leaving through a LAN-list interface.
- add action=accept chain=forward comment="accept management to LAN" \
- out-interface-list=LAN src-address-list=Management
- # Must stay above "Accept LAN to WAN", otherwise cameras would match that rule
- # first. The action is reject (ICMP admin-prohibited), although the rule
- # comment says "drop".
- add action=reject chain=forward comment="drop cameras to WAN" \
- out-interface-list=WAN reject-with=icmp-admin-prohibited \
- src-address-list=Cameras
- add action=accept chain=forward comment="Accept LAN to WAN" \
- in-interface-list=LAN out-interface-list=WAN
- # New WAN-side connections are forwarded whenever a dst-nat rule matched them.
- # This rule has no source restriction of its own, so who may use a port-forward
- # is decided entirely by the matchers on the /ip firewall nat dstnat rules.
- add action=accept chain=forward comment=\
- "defconf: accept all from WAN that is DSTNATed" connection-nat-state=\
- dstnat connection-state=new in-interface-list=WAN
- # Default deny for everything not accepted above (Guest and Cameras to other
- # VLANs, for example), answered with ICMP admin-prohibited.
- add action=reject chain=forward comment="drop all" reject-with=\
- icmp-admin-prohibited
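- /ip firewall nat
- # Source-NAT everything that leaves through the WAN port.
- add action=masquerade chain=srcnat out-interface=sfp-sfpplus1-WAN
- # Port-forwards from the WAN port to Winbox (tcp/8291) and SNMP (udp/161) on
- # 172.16.99.30 and 172.16.99.40 in the Management network.
- # Each forward is limited to the "Allowed" address list, the same restriction
- # the input chain applies to the router's own Winbox and SNMP. Without a source
- # match here, the forward chain's "accept all from WAN that is DSTNATed" rule
- # would pass these management ports from any WAN-side address.
- add action=dst-nat chain=dstnat dst-port=5030 in-interface=sfp-sfpplus1-WAN \
- protocol=tcp src-address-list=Allowed to-addresses=172.16.99.30 to-ports=8291
- add action=dst-nat chain=dstnat dst-port=5040 in-interface=sfp-sfpplus1-WAN \
- protocol=tcp src-address-list=Allowed to-addresses=172.16.99.40 to-ports=8291
- add action=dst-nat chain=dstnat dst-port=30161 in-interface=sfp-sfpplus1-WAN \
- protocol=udp src-address-list=Allowed to-addresses=172.16.99.30 to-ports=161
- add action=dst-nat chain=dstnat dst-port=40161 in-interface=sfp-sfpplus1-WAN \
- protocol=udp src-address-list=Allowed to-addresses=172.16.99.40 to-ports=161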
- # Default route via 192.168.10.2 on the WAN-side network.
- /ip route
- add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.2 \
- pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
- target-scope=10
- # SNMP agent is switched on.
- # NOTE(review): no /snmp community settings appear in this export, so the
- # community in use cannot be confirmed from here; verify that it is not the
- # default and that it is bound to the monitoring hosts' addresses.
- /snmp
- set enabled=yes
- /system identity
- set name=MKT-RT2