Allrik12

Untitled

Oct 12th, 2025
  1. # 2025-05-16 RouterOS 7.19.1
  2. # software id = 2ELI-QXJ6
  3. #
  4. # model = L009UiGS
  # RouterOS export of a router with two uplinks (an L2TP client labelled ISP1 and a
  # PPPoE client labelled ISP2), a WireGuard interface and an L2TP server profile.
  # NOTE(review): the export is shared with the software id, model and bridge
  # admin-mac intact; these identify the device and are normally masked before a
  # config is posted.
  5. /interface bridge
  # NOTE(review): arp=proxy-arp makes the bridge answer ARP on behalf of other
  # hosts. Presumably it is here so that L2TP clients numbered from the LAN pool
  # (see /ppp profile, remote-address=dhcp) are reachable from the LAN - confirm
  # it is still needed.
  6. add admin-mac=D4:01:C3:CF:91:A5 arp=proxy-arp auto-mac=no comment=defconf \
  7. name=bridge port-cost-mode=short
  8. /interface l2tp-client
  # Uplink 1. user=username looks like a placeholder; no password field appears in
  # this export.
  9. add add-default-route=yes comment="ISP1 l2tp client" connect-to=\
  10. vpnserver.prov1.ru disabled=no name=l2tp-out1 user=username
  11. /interface pppoe-client
  # Uplink 2, carried on ether2; its default route gets distance 7.
  12. add add-default-route=yes comment="ISP2 pppoe client" \
  13. default-route-distance=7 disabled=no interface=ether2 name=pppoe-out1 \
  14. user=username
  15. /interface wireguard
  # WireGuard listens on UDP 12953. Any input-chain accept rule for WireGuard has
  # to name this same port, otherwise handshakes arriving on a non-LAN interface
  # hit the final input drop.
  16. add listen-port=12953 mtu=1420 name=wireguardint1
  17. /interface list
  # The two lists the firewall rules key on; membership is set under
  # /interface list member.
  18. add comment=defconf name=WAN
  19. add comment=defconf name=LAN
  20. /ip pool
  21. add name=dhcp ranges=192.168.1.2-192.168.1.140
  22. /ip dhcp-server
  23. add address-pool=dhcp interface=bridge lease-time=10m name=defconf
  24. /port
  25. set 0 name=serial0
  26. /ppp profile
  # remote-address=dhcp numbers L2TP server clients from the same pool as LAN DHCP
  # clients, so VPN clients sit inside 192.168.1.0/24 and cannot be told apart from
  # LAN hosts by address in firewall rules or logs.
  27. add local-address=192.168.1.197 name=l2tp_profile remote-address=dhcp
  28. /routing table
  # One routing table per uplink; the mangle rules select them via routing marks.
  29. add disabled=no fib name=RT-ISP1
  30. add disabled=no fib name=RT-ISP2
  31. /system logging action
  # NOTE(review): action 0 is presumably the in-memory log. A 10000-line memory
  # buffer does not survive a reboot; no remote or disk logging action is
  # configured in this export.
  32. set 0 memory-lines=10000
  33. /interface bridge port
  # ether3-ether8 and sfp1 are bridged as the LAN. ether1 and ether2 are not
  # bridge ports: ether1 is the WAN list member and ether2 carries pppoe-out1.
  34. add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
  35. path-cost=10
  36. add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
  37. path-cost=10
  38. add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
  39. path-cost=10
  40. add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
  41. path-cost=10
  42. add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
  43. path-cost=10
  44. add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
  45. path-cost=10
  46. add bridge=bridge comment=defconf interface=sfp1 internal-path-cost=10 \
  47. path-cost=10
  48. /ip firewall connection tracking
  # Idle UDP connection-tracking entries expire after 10 seconds.
  49. set udp-timeout=10s
  50. /ip neighbor discovery-settings
  # Neighbor discovery is limited to the LAN list, so the router does not
  # announce itself on the uplinks.
  51. set discover-interface-list=LAN
  52. /ip settings
  53. set max-neighbor-entries=14336
  54. /ipv6 settings
  55. set max-neighbor-entries=7168
  56. /interface l2tp-server server
  # NOTE(review): use-ipsec=yes still admits clients that connect with plain L2TP
  # and no IPsec; use-ipsec=required refuses them. With MS-CHAPv2 as the only
  # authentication method the IPsec layer is what protects the credentials, so
  # "required" is the safer setting. No ipsec-secret is visible in this export -
  # confirm one is set.
  # NOTE(review): no input-chain rule in this export accepts UDP 500/4500/1701
  # from a non-LAN interface, so as exported the server looks reachable from the
  # LAN only - verify that matches the intent.
  57. set authentication=mschap2 default-profile=l2tp_profile enabled=yes \
  58. use-ipsec=yes
  59. /interface list member
  # NOTE(review): WAN contains only ether1. l2tp-out1 and pppoe-out1 - the
  # interfaces that carry the default routes and are the masquerade
  # out-interfaces - are not members, so any rule matching in-interface-list=WAN
  # (the forward-chain "drop all from WAN not DSTNATed") never applies to traffic
  # arriving on them. Adding both closes the gap:
  #   add interface=pppoe-out1 list=WAN
  #   add interface=l2tp-out1 list=WAN
  # wireguardint1 is in neither list; rules matching !LAN therefore treat
  # WireGuard peers as outside.
  60. add comment=defconf interface=bridge list=LAN
  61. add comment=defconf interface=ether1 list=WAN
  62. /interface ovpn-server server
  63. add mac-address=FE:38:9D:D6:B9:F1 name=ovpn-server1
  64. /interface wireguard peers
  # The public-key value looks masked. NOTE(review): allowed-address lists the
  # whole LAN subnet next to the peer's tunnel address, so packets from this peer
  # carrying any 192.168.1.x source pass WireGuard's source check. If the peer is
  # a single notebook, 10.0.0.2/32 alone is the tighter setting - confirm whether
  # a 192.168.1.0/24 network really sits behind it.
  65. add allowed-address=10.0.0.2/32,192.168.1.0/24 interface=wireguardint1 \
  66. name=moinotebooktest persistent-keepalive=25s public-key=\
  67. "0-0-0-0-0-0-0-0-0"
  68. /ip address
  69. add address=192.168.1.1/24 comment=defconf interface=bridge network=\
  70. 192.168.1.0
  71. add address=10.0.0.1/24 interface=wireguardint1 network=10.0.0.0
  72. /ip dhcp-client
  # DHCP client on ether1; its default route goes into the main table with
  # distance 5.
  73. add comment=defconf default-route-distance=5 default-route-tables=main \
  74. interface=ether1
  75. /ip dhcp-server network
  76. add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
  77. 192.168.1.1 netmask=24
  78. /ip dns
  # allow-remote-requests=yes turns the router into a resolver for anyone who can
  # reach it. Nothing here limits it to the LAN; only the input-chain drop on
  # in-interface-list=!LAN keeps it from being an open resolver on the uplinks,
  # so that rule must stay in place and stay last in the input chain.
  79. set allow-remote-requests=yes servers=8.8.8.8,77.88.8.8
  80. /ip dns static
  81. add address=192.168.1.1 comment=defconf name=router.lan type=A
  82. /ip firewall address-list
  83.  
  84. /ip firewall filter
  # Input chain (traffic addressed to the router itself), evaluated top to bottom.
  85. add action=accept chain=input comment=\
  86. "defconf: accept established,related,untracked" connection-state=\
  87. established,related,untracked
  # NOTE(review): dst-port=0000 looks like a masked value; the WireGuard
  # interface in this export listens on 12953 and the rule has to match that port
  # to have any effect. The rule has no in-interface match, so it accepts the
  # port on every interface.
  88. add action=accept chain=input comment=WIREGUARD dst-port=0000 protocol=udp
  89.  
  90. add action=drop chain=input comment="defconf: drop invalid" connection-state=\
  91. invalid
  # NOTE(review): despite the "defconf" label this is a drop; the stock default
  # configuration accepts ICMP (TODO confirm against a fresh defconf). Dropping
  # all ICMP to the router also discards "fragmentation needed" messages
  # addressed to it, which matters with PPPoE, L2TP and WireGuard (mtu=1420)
  # tunnels in the path.
  92. add action=drop chain=input comment="defconf: drop ICMP" protocol=icmp
  93. add action=accept chain=input comment=\
  94. "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
  # Final input rule: everything not arriving on a LAN-list interface is dropped.
  # That covers ether1, l2tp-out1, pppoe-out1 and wireguardint1, since none of
  # them is a LAN member. Router services (DNS, management) depend on this rule
  # for their exposure.
  95. add action=drop chain=input comment="defconf: drop all not coming from LAN" \
  96. in-interface-list=!LAN
  # Forward chain (traffic routed through the router).
  97. add action=accept chain=forward comment="defconf: accept in ipsec policy" \
  98. ipsec-policy=in,ipsec
  99. add action=accept chain=forward comment="defconf: accept out ipsec policy" \
  100. ipsec-policy=out,ipsec
  # NOTE(review): fasttracked connections generally bypass mangle processing, so
  # the routing marks set under /ip firewall mangle may not be applied to
  # established flows - confirm the per-uplink balancing behaves as intended with
  # this rule enabled.
  101. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
  102. connection-state=established,related hw-offload=yes
  103. add action=accept chain=forward comment=\
  104. "defconf: accept established,related, untracked" connection-state=\
  105. established,related,untracked
  106. add action=drop chain=forward comment="defconf: drop invalid" \
  107. connection-state=invalid
  # NOTE(review): this is the only rule that blocks new inbound forwarded
  # connections, and it matches in-interface-list=WAN. In this export WAN holds
  # ether1 only, so new connections arriving on l2tp-out1 or pppoe-out1 are not
  # matched, and no later forward rule drops them. Add both uplink interfaces to
  # the WAN list (or match them here) so the rule covers the real uplinks. New
  # connections from wireguardint1 towards the LAN are likewise not restricted
  # by any forward rule.
  108. add action=drop chain=forward comment=\
  109. "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
  110. connection-state=new in-interface-list=WAN
  111. /ip firewall mangle
  # Connection and routing marks that split traffic between the two uplinks.
  # The first three rules accept (leave unmarked) traffic to 10.21.1.0/24,
  # 193.5.5.0/24 and the LAN subnet.
  112. add action=accept chain=prerouting comment="1 prerouting ISP1" dst-address=\
  113. 10.21.1.0/24
  114. add action=accept chain=prerouting comment="2 prerouting ISP2" dst-address=\
  115. 193.5.5.0/24
  116. add action=accept chain=prerouting comment="3 prerouting LOCAL NETWORK" \
  117. dst-address=192.168.1.0/24
  # Connections that arrive on an uplink and have no mark yet are tagged with
  # that uplink's connection mark. The mark names end in a space ("ISP-1 ",
  # "ISP-2 "); every rule below uses the same spelling, so they match, but the
  # trailing space is easy to lose when editing.
  118. add action=mark-connection chain=prerouting comment=\
  119. "3 marc connetion ISP1 " connection-mark=no-mark in-interface=\
  120. l2tp-out1 new-connection-mark="ISP-1 "
  121. add action=mark-connection chain=prerouting comment=\
  122. "4 marc connetion ISP2 " connection-mark=no-mark in-interface=\
  123. pppoe-out1 new-connection-mark="ISP-2 "
  # NOTE(review): these two per-connection-classifier rules match connections
  # that already carry the ISP mark and re-apply the same mark. A new connection
  # from the LAN has no mark and matches neither rule, so it is not balanced;
  # presumably connection-mark=no-mark was intended - TODO confirm.
  124. add action=mark-connection chain=prerouting comment=\
  125. "5 marc to brige ISP1 " connection-mark="ISP-1 " \
  126. dst-address-type=!local in-interface=bridge new-connection-mark=\
  127. "ISP-1 " per-connection-classifier=both-addresses:2/0
  128. add action=mark-connection chain=prerouting comment=\
  129. "6 marc to brige ISP2 " connection-mark="ISP-2 " \
  130. dst-address-type=!local in-interface=bridge new-connection-mark=\
  131. "ISP-2 " per-connection-classifier=both-addresses:2/1
  # Packets from the bridge that belong to a marked connection get the routing
  # mark of the matching table; passthrough=no stops further mangle processing.
  132. add action=mark-routing chain=prerouting comment=\
  133. "7 routing marc ISP 1 " connection-mark="ISP-1 " \
  134. in-interface=bridge new-routing-mark=RT-ISP1 passthrough=no
  135. add action=mark-routing chain=prerouting comment="8 routing marc ISP 2" \
  136. connection-mark="ISP-2 " in-interface=bridge new-routing-mark=\
  137. RT-ISP2 passthrough=no
  # Same routing marks for traffic the router itself originates on a marked
  # connection.
  138. add action=mark-routing chain=output comment="9 marc output ISP1 " \
  139. connection-mark="ISP-1 " new-routing-mark=RT-ISP1 \
  140. passthrough=no
  141. add action=mark-routing chain=output comment="10 marc output ISP2" \
  142. connection-mark="ISP-2 " new-routing-mark=RT-ISP2 passthrough=\
  143. no
  144. /ip firewall nat
  # Source NAT on both uplinks, skipping traffic that matches an IPsec policy.
  # No dstnat rules exist, so nothing is port-forwarded to the LAN.
  145. add action=masquerade chain=srcnat comment="ISP1 masquerade" ipsec-policy=\
  146. out,none out-interface=l2tp-out1
  147. add action=masquerade chain=srcnat comment="ISP2 masquerade" ipsec-policy=\
  148. out,none out-interface=pppoe-out1
  149.  
  150. /ip firewall service-port
  # The FTP, TFTP, H.323, SIP and PPTP connection helpers are turned off, which
  # removes those protocol parsers from the forwarding path.
  151. set ftp disabled=yes
  152. set tftp disabled=yes
  153. set h323 disabled=yes
  154. set sip disabled=yes
  155. set pptp disabled=yes
  156. /ip ipsec profile
  157. set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
  158. /ip route
  # NOTE(review): both per-uplink default routes are disabled=yes, so RT-ISP1 and
  # RT-ISP2 hold no active route from this export; traffic carrying those routing
  # marks presumably falls back to the main table - confirm.
  159. add comment=ISP1 disabled=yes distance=10 dst-address=0.0.0.0/0 gateway=\
  160. 10.21.1.2 routing-table=RT-ISP1 scope=30 suppress-hw-offload=no \
  161. target-scope=10
  162. add comment=ISP2 disabled=yes distance=15 dst-address=0.0.0.0/0 gateway=\
  163. 193.5.5.5 routing-table=RT-ISP2 scope=30 suppress-hw-offload=no \
  164. target-scope=10
  165. /ip service
  # NOTE(review): only ftp, ssh and telnet are changed here. The other management
  # services (www, winbox, api, api-ssl) are not listed, so they are presumably
  # at their defaults - confirm which are enabled, disable the unused ones and
  # set address= on the rest so access does not rest on the input chain alone.
  166. set ftp disabled=yes
  167. set ssh disabled=yes
  168. set telnet disabled=yes
  169. /ipv6 firewall address-list
  170.  
  171. /ipv6 firewall filter
  # NOTE(review): the IPv6 filter is empty. If IPv6 is active and an uplink
  # delivers a prefix, neither the router nor LAN hosts are filtered over IPv6.
  # Either disable IPv6 under /ipv6 settings or restore the default IPv6 rules.
  172.  
  173. /ppp secret
  # No PPP secrets appear in the export, so no L2TP server accounts are visible
  # here (they may have been stripped before posting).
  174.  
  175. /system clock
  176. set time-zone-name=Asia/Novosibirsk
  177. /system logging
  # NOTE(review): !wireguard removes WireGuard messages from this logging rule,
  # so tunnel events are not recorded by it; consider keeping them if peer
  # activity should be auditable.
  178. set 0 topics=info,!wireguard
  179. /system routerboard settings
  180. set enter-setup-on=delete-key
  181. /tool mac-server
  # MAC-telnet and MAC-WinBox are limited to the LAN list, so layer-2 management
  # is not offered on the uplinks.
  182. set allowed-interface-list=LAN
  183. /tool mac-server mac-winbox
  184. set allowed-interface-list=LAN
  185.  