Code: Select all
# 2024-03-23 10:05:45 by RouterOS 7.14.1
# software id = 5WSQ-IVBW
#
# model = RB4011iGS+
# serial number =
/interface bridge
add arp=proxy-arp ingress-filtering=no name=bridge port-cost-mode=short \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] name=sfp1
/interface l2tp-server
add name=L2TP-VPN user=
/interface vlan
add interface=bridge mtu=1480 name=vlan21 vlan-id=21
add interface=bridge name=vlan50 vlan-id=50
add interface=bridge name=vlan99 vlan-id=99
add interface=bridge name=vlan100 vlan-id=100
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=60 \
max-mtu=1480 name=pppoe-out1 user=
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.5-192.168.88.148
add name=dhcp-pool99 ranges=192.168.99.2-192.168.99.22
add name=dhcp-pool100 ranges=192.168.100.2-192.168.100.10
add name=L2TP ranges=192.168.88.150-192.168.88.160
add name=dhcp-pool21 ranges=192.168.21.2-192.168.21.6
/ip dhcp-server
add address-pool=dhcp-pool99 authoritative=after-2sec-delay interface=\
vlan99 lease-time=1d name=dhcp-vlan99
add address-pool=dhcp-pool100 interface=vlan100 lease-time=1w3d name=\
dhcp-vlan100
add address-pool=dhcp-pool21 authoritative=after-2sec-delay bootp-support=\
none interface=vlan21 name=dhcp-vlan21
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge disabled=yes interface=\
ether1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether2 internal-path-cost=10 \
path-cost=10
add bridge=bridge interface=sfp1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 \
path-cost=10 pvid=100
add bridge=bridge interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether9 \
internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=30m
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=4096 rp-filter=loose
/interface bridge vlan
add bridge=bridge vlan-ids=1
add bridge=bridge tagged=ether2,sfp1,bridge vlan-ids=99
add bridge=bridge tagged=ether2,sfp1,bridge vlan-ids=100
add bridge=bridge tagged=bridge,ether2,sfp1 vlan-ids=50
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
add address=192.168.21.1/29 interface=vlan21 network=192.168.21.0
/ip dhcp-client
add disabled=yes interface=ether1
add comment=defconf disabled=yes interface=ether1
/ip firewall address-list
add address=192.168.88.0/24 list=internal
add address=xx.yyy.zz.aaa list=Whitelist
add address=198.199.104.26 list=banned
add address=118.123.105.90 list=banned
/ip firewall filter
add action=log chain=- comment=\
----------------------input--------------------------------
add action=drop chain=input comment="Drop VPN attempts" src-address-list=\
banned
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="Allow L2TP VPN" in-interface=\
pppoe-out1 log=yes log-prefix=--vpn-in-1st-- port=500,1701,4500 protocol=\
udp
add action=accept chain=input comment="Allow IPsec ESP" in-interface=\
pppoe-out1 log=yes log-prefix=--vpn-in-esp-- protocol=ipsec-esp
add action=accept chain=input comment=\
"Remote access to SSL Mikrotik webif & WinBox" dst-port=443,8291 log=yes \
protocol=tcp src-address-list=Whitelist
add action=accept chain=input comment=\
"VPN access to SSL Mikrotik webif & WinBox" dst-port=443,8291 log=yes \
log-prefix=--VPN-remote-access-- protocol=tcp src-address=192.168.88.161
add action=accept chain=input comment="defconf: accept ICMP (internal)" \
disabled=yes protocol=icmp src-address-list=internal
add action=accept chain=input comment="Local access to SSH" disabled=yes \
dst-port=22 protocol=tcp src-address=192.168.88.98
add action=accept chain=input comment="Requests to Mikrotik DNS server (LAN)" \
disabled=yes dst-port=53 in-interface-list=LAN log=yes log-prefix=--DNS-- \
protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix="--not lan--"
add action=log chain=- comment=\
-----------------------forward-------------------------------
add action=accept chain=forward log=yes log-prefix=--Yealink-- src-address=\
192.168.21.2
# L2TP-VPN not ready
add action=accept chain=forward comment="VPN to LAN" in-interface=L2TP-VPN \
log=yes log-prefix=--vpn-to-lan-- out-interface=bridge
# L2TP-VPN not ready
add action=accept chain=forward comment="LAN to VPN" in-interface=bridge log=\
yes log-prefix=--lan-to-vpn-- out-interface=L2TP-VPN
# L2TP-VPN not ready
add action=accept chain=forward comment="VPN to Internet" in-interface=\
L2TP-VPN log=yes log-prefix=--vpn-out-- out-interface=pppoe-out1
# L2TP-VPN not ready
add action=accept chain=forward comment="Internet to VPN" in-interface=\
pppoe-out1 log=yes log-prefix=--vpn-in-- out-interface=L2TP-VPN
add action=log chain=- comment=\
------------------------------------------------------
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=log chain=- comment=\
------------------------------------------------------
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"--WAN drop--"
add action=drop chain=forward comment=\
"Disable Guest VLAN to anywhere but Internet" in-interface=\
vlan99 out-interface=!pppoe-out1
add action=drop chain=forward comment="Drop all other" disabled=yes \
log-prefix="--Drop all other--" out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=pppoe-out1 out-interface-list=WAN
add action=dst-nat chain=dstnat comment="VNC" dst-port=5900 log=yes \
protocol=tcp src-address-list=Whitelist to-addresses=192.168.88.25 \
to-ports=5900
add action=dst-nat chain=dstnat comment="Z web" dst-port=9001 protocol=\
tcp src-address-list=Whitelist to-addresses=192.168.88.11 to-ports=80
add action=dst-nat chain=dstnat comment="Z stream" dst-port=8082 \
protocol=tcp src-address-list=Whitelist to-addresses=192.168.88.11 \
to-ports=8001
add action=dst-nat chain=dstnat comment="VM Minecraft Server" dst-port=\
27165 log=yes log-prefix=--mc- protocol=tcp to-addresses=192.168.88.50 \
to-ports=25565
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.2.10/32 gateway=ether1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=sc_WC disabled=no tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
add name=***** profile=default-encryption remote-address=192.168.88.161 \
service=l2tp
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=xx.xx.xx.xx
add address=yy.yy.yy.y
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
- external traffic to the router itself?? aka VPN LT2P
- external traffic to the LAN?? aka port forwarding to LAN server(s)
- traffic entering/leaving the router by VPN
I will get ISP2 (also PPPoE client) added and temporary requirements are:
- external traffic to the router itself?? aka VPN to stay on ISP1 (unchanged)
- traffic entering/leaving the router by VPN to stay on ISP1 (unchanged)
- external traffic to the LAN?? aka port forwarding to LAN server(s) be split between ISP1 & ISP2 (depending on inbound WAN / NAT)
No need for lout oad balancing, most traffic to go out on IPS2 with only a couple of clients to go out on IPS1 (via Policy Routing with src-address I assume)
I am trying to pre-prepare the config, as I will not want much downtime when the second line gets connected
So far I think that these are really helpful:
viewtopic.php?t=179853
viewtopic.php?t=203165
viewtopic.php?t=189520
But if somebody has good pointers on config with ISP2 added to the mix, it would be most appreciated
Thanks
sebus
