Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # feb/25/2023 09:38:36 by RouterOS 7.5
- # software id = E2VU-HLQW
- #
- # model = RB3011UiAS
- # serial number = XXX
- /interface bridge
- add admin-mac=XXX auto-mac=no comment=defconf name=bridge
- /interface wireguard
- add listen-port=13231 mtu=1420 name=wireguard1
- /interface vlan
- add interface=ether2 name=Guest100 vlan-id=100
- add interface=ether3 name=Guest101 vlan-id=101
- add interface=ether5 name=phone vlan-id=10
- /interface list
- add comment=defconf name=WAN
- add comment=defconf name=LAN
- /interface lte apn
- set [ find default=yes ] ip-type=ipv4 use-network-apn=no
- /interface wireless security-profiles
- set [ find default=yes ] supplicant-identity=MikroTik
- /ip ipsec profile
- set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
- sha256
- /ip ipsec proposal
- set [ find default=yes ] auth-algorithms=sha256,sha1
- /ip pool
- add name=dhcp ranges=192.168.2.3-192.168.2.254
- add name=dhcp_pool2 ranges=172.16.0.2-172.16.0.254
- /ip dhcp-server
- add address-pool=dhcp interface=bridge lease-time=23h name=defconf
- add address-pool=dhcp_pool2 interface=Guest100 lease-time=6h name=dhcp1
- /port
- set 0 name=serial0
- /routing ospf instance
- add disabled=no name=default-v2
- /routing ospf area
- add disabled=yes instance=default-v2 name=backbone-v2
- /interface bridge port
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
- add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
- add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
- /ip neighbor discovery-settings
- set discover-interface-list=LAN
- /ip settings
- set max-neighbor-entries=8192
- /ipv6 settings
- set disable-ipv6=yes max-neighbor-entries=8192
- /interface l2tp-server server
- set default-profile=*1 use-ipsec=yes
- /interface list member
- add comment=defconf interface=bridge list=LAN
- add comment=defconf interface=ether1 list=WAN
- add interface=ether5 list=LAN
- add interface=phone list=LAN
- add interface=wireguard1 list=LAN
- add interface=*10 list=LAN
- /interface ovpn-server server
- set auth=sha1,md5 certificate=OpenVpnServer enabled=yes
- /interface wireguard peers
- add allowed-address=192.168.4.0/24 comment=SUM endpoint-address="" \
- interface=wireguard1 public-key=\
- "XXX"
- add allowed-address=192.168.11.0/24,192.168.10.0/24 comment=FIN \
- endpoint-address="" interface=wireguard1 public-key=\
- "XXX"
- add comment=AdminPC endpoint-address="" interface=wireguard1 public-key=\
- "XXX"
- add allowed-address=192.168.20.0/24,192.168.30.0/24,192.168.31.0/24 comment=\
- JP endpoint-address="" interface=wireguard1 public-key=\
- "XXX"
- /ip address
- add address=192.168.2.1/24 comment=defconf interface=ether2 network=\
- 192.168.2.0
- add address=PUBIP/30 interface=ether1 network=PUBGW
- add address=192.168.1.1/24 interface=ether5 network=192.168.1.0
- add address=192.168.98.1/24 interface=wireguard1 network=192.168.98.0
- add address=192.168.99.1/24 interface=wireguard1 network=192.168.99.0
- add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
- add address=192.168.101.1/24 interface=wireguard1 network=192.168.101.0
- add address=172.16.0.1/24 comment="Guest Temp" interface=Guest100 network=\
- 172.16.0.0
- /ip arp
- add address=192.168.2.251 interface=bridge mac-address=00:15:5D:02:FE:02
- add address=192.168.2.252 interface=bridge mac-address=00:15:5D:02:FE:01
- add address=192.168.2.253 interface=bridge mac-address=00:15:5D:02:FE:05
- add address=192.168.1.249 interface=ether5 mac-address=00:30:4D:F3:E5:56
- add address=192.168.1.250 interface=ether5 mac-address=00:30:4D:F3:E6:82
- add
- /ip dhcp-client
- add comment=defconf disabled=yes interface=ether1
- /ip dhcp-server lease
- add address=192.168.2.254 client-id=\
- ff:4b:7:61:2f:0:2:0:0:ab:11:b5:6c:70:b8:cd:34:2e:df mac-address=\
- 00:15:5D:02:FE:00 server=defconf
- add address=192.168.2.229 client-id=1:2c:a5:9c:c3:3c:b2 mac-address=\
- 2C:A5:9C:C3:3C:B2 server=defconf
- add address=192.168.2.230 client-id=1:2c:a5:9c:b8:95:e7 mac-address=\
- 2C:A5:9C:B8:95:E7 server=defconf
- add address=192.168.2.248 client-id=1:f0:1f:af:ce:34:34 mac-address=\
- F0:1F:AF:CE:34:34 server=defconf
- add address=192.168.2.250 client-id=1:0:15:5d:97:51:2 mac-address=\
- 00:15:5D:97:51:02 server=defconf
- /ip dhcp-server network
- add address=172.16.0.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=172.16.0.1
- add address=192.168.2.0/24 comment=defconf dns-server=\
- 192.168.2.252,192.168.2.253,1.1.1.1 domain=mb.echomeless.org gateway=\
- 192.168.2.1 netmask=24
- /ip dns
- set allow-remote-requests=yes servers=192.168.2.252,192.168.2.253,1.1.1.1
- /ip dns static
- add address=192.168.2.1 comment=defconf name=router.lan
- /ip firewall filter
- add action=accept chain=input comment="Accept Wireguard" dst-port=13231 \
- protocol=udp
- add action=accept chain=input dst-port=80 protocol=tcp
- add action=accept chain=input dst-port=3478 protocol=udp
- add action=accept chain=input dst-port=50443 protocol=tcp
- add action=accept chain=input dst-port=443 protocol=tcp
- add action=accept chain=input comment=\
- "defconf: accept established,related,untracked" connection-state=\
- established,related,untracked
- add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- add action=accept chain=input comment=\
- "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
- add action=accept chain=forward disabled=yes in-interface=wireguard1 \
- out-interface=*10
- add action=drop chain=input comment="defconf: drop invalid" connection-state=\
- invalid
- add action=drop chain=input comment="defconf: drop all not coming from LAN" \
- in-interface-list=!LAN
- add action=accept chain=forward comment="defconf: accept in ipsec policy" \
- ipsec-policy=in,ipsec
- add action=accept chain=forward comment="defconf: accept out ipsec policy" \
- ipsec-policy=out,ipsec
- add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
- connection-state=established,related hw-offload=yes
- add action=accept chain=forward comment=\
- "defconf: accept established,related, untracked" connection-state=\
- established,related,untracked
- add action=drop chain=forward comment="defconf: drop invalid" \
- connection-state=invalid
- add action=drop chain=forward comment=\
- "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
- connection-state=new in-interface-list=WAN
- /ip firewall nat
- add action=masquerade chain=srcnat comment="defconf: masquerade" \
- ipsec-policy=out,none out-interface-list=WAN
- add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=59002 \
- protocol=tcp to-addresses=192.168.1.250 to-ports=59002
- add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=59001 \
- protocol=udp to-addresses=192.168.1.249 to-ports=59001
- add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=59002 \
- protocol=udp to-addresses=192.168.1.249 to-ports=59002
- add action=dst-nat chain=dstnat disabled=yes dst-address=PUBIP \
- dst-port=8022 log=yes log-prefix=SSHD protocol=tcp to-addresses=\
- 192.168.2.250 to-ports=8022
- add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=80 \
- protocol=tcp to-addresses=192.168.2.249 to-ports=80
- add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=443 \
- protocol=tcp to-addresses=192.168.2.249 to-ports=443
- add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=3478 \
- protocol=udp to-addresses=192.168.2.249 to-ports=3478
- add action=dst-nat chain=dstnat dst-address=PUBIP dst-port=50443 \
- protocol=tcp to-addresses=192.168.2.249 to-ports=50443
- /ip firewall service-port
- set sip disabled=yes
- /ip route
- add disabled=no dst-address=0.0.0.0/0 gateway=PUBGW
- add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=wireguard1 \
- pref-src="" routing-table=main suppress-hw-offload=no
- add disabled=no dst-address=192.168.11.0/24 gateway=wireguard1 routing-table=\
- main suppress-hw-offload=no
- add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=wireguard1 \
- pref-src="" routing-table=main suppress-hw-offload=no
- add disabled=no distance=1 dst-address=192.168.30.0/24 gateway=wireguard1 \
- pref-src="" routing-table=main suppress-hw-offload=no
- add disabled=no distance=1 dst-address=192.168.31.0/24 gateway=wireguard1 \
- pref-src="" routing-table=main suppress-hw-offload=no
- add disabled=no distance=1 dst-address=192.168.4.0/24 gateway=wireguard1 \
- pref-src="" routing-table=main suppress-hw-offload=no
- /ip traffic-flow target
- add dst-address=XXX port=1234 version=5
- /system clock
- set time-zone-name=America/New_York
- /system scheduler
- add name=schedule1 on-event="/system reboot" policy=\
- ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
- start-date=jan/11/2022 start-time=00:01:20
- /tool mac-server
- set allowed-interface-list=LAN
- /tool mac-server mac-winbox
- set allowed-interface-list=LAN
- /tool sniffer
- set filter-interface=ether5 filter-ip-address=PUBIP/32 filter-port=\
- 59001,59002
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement