# sep/18/2021 20:54:56 by RouterOS 6.48.4
# software id = 86CU-YT4V
#
# model = RB4011iGS+
# serial number =
/interface bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=CENSORED
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] comment="temp meraki" disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
/interface vlan
add disabled=yes interface=sfp-sfpplus1 name="VLAN12_Hikvision VLAN" vlan-id=\
12
add interface=sfp-sfpplus1 name=VLAN20 vlan-id=20
add disabled=yes interface=sfp-sfpplus1 name=VLAN40 vlan-id=40
add interface=sfp-sfpplus1 name=VLAN45 vlan-id=45
add interface=sfp-sfpplus1 name=VLAN50 vlan-id=50
add interface=sfp-sfpplus1 name=VLAN70 vlan-id=70
add disabled=yes interface=sfp-sfpplus1 name=VLAN99 vlan-id=99
add interface=sfp-sfpplus1 name=VLAN100 vlan-id=100
add disabled=yes interface=sfp-sfpplus1 name=VLAN200_mgmt vlan-id=200
add disabled=yes interface=sfp-sfpplus1 name=VLAN500 vlan-id=500
add disabled=yes interface=ether6 name=vlan20_temp vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=LAN
add name=WAN
add name=No-InterVLAN
add name=m-InterVLAN
add include=none name=DMZ-IPCAMs
add include=none name=TrueDMZ
add name=mgmt
add name=noWAN_IOT
add name=DNS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=ike2-rw responder=no src-address-list=local
/ip ipsec policy group
add name=ike2-policies
add name=ike2-rw
/ip ipsec profile
add name=ike2-rw
/ip ipsec peer
add address=0.0.0.0/32 disabled=yes exchange-mode=ike2 name=\
ike2-rw-client profile=ike2-rw
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 disabled=yes \
enc-algorithms=3des
add disabled=yes name=ike2-rw pfs-group=none
/ip pool
add name=vlan20_guest ranges=10.10.10.11-10.10.10.250
add name=vlan70_ipcams ranges=192.168.70.11-192.168.70.254
add name=vlan100_lan ranges=10.1.1.11-10.1.1.250
add name=vlan40 ranges=10.4.1.2-10.4.1.6
add name=vlan45 ranges=10.5.1.2-10.5.1.6
add name=vlan50_work ranges=192.168.50.2-192.168.50.6
add name=ether10_mgmt ranges=192.168.18.2-192.168.18.6
add name=VLAN777 ranges=10.6.0.2-10.6.0.254
add name=VLAN88 ranges=192.168.0.2-192.168.0.254
add name=vlan12 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool21 ranges=172.20.120.20-172.20.120.240
add name=dhcp_pool22 ranges=10.200.200.2-10.200.200.254
add name=dhcp_pool23 ranges=10.0.0.99-10.0.0.250
add name=dhcp_pool24 ranges=172.16.0.11-172.16.0.254
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
add name=sstp-pool ranges=10.3.1.2-10.3.1.150
add name=dhcp_pool27 ranges=10.2.1.2-10.2.1.254
add name=dhcp_pool28 ranges=10.9.9.2-10.9.9.254
add name=dhcp_pool29 ranges=192.168.1.21-192.168.1.253
add name=dhcp_pool30 ranges=192.168.50.2-192.168.50.6
/ip dhcp-server
add add-arp=yes address-pool=vlan20_guest always-broadcast=yes disabled=no \
interface=VLAN20 lease-time=6h name=vlan20
add add-arp=yes address-pool=vlan70_ipcams disabled=no interface=VLAN70 \
lease-time=6h name=vlan70
add add-arp=yes address-pool=vlan100_lan disabled=no interface=VLAN100 \
lease-time=6h name=vlan100_LAN
add add-arp=yes address-pool=vlan40 interface=VLAN40 lease-time=2d name=\
vlan40
add add-arp=yes address-pool=vlan45 disabled=no interface=VLAN45 lease-time=\
6h name=vlan45
add address-pool=ether10_mgmt interface=ether10 lease-time=12h name=mgmt-dhcp
add address-pool=vlan12 interface="VLAN12_Hikvision VLAN" lease-time=12h \
name=vlan12
add address-pool=dhcp_pool22 interface=VLAN200_mgmt name=dhcp2
add address-pool=dhcp_pool24 interface=VLAN500 lease-time=6h name=dhcp1
add address-pool=dhcp_pool27 interface=ether6 lease-time=6h name=dhcp3
add address-pool=dhcp_pool28 interface=vlan20_temp lease-time=6h name=dhcp4
add address-pool=dhcp_pool29 disabled=no interface=sfp-sfpplus1 name=dhcp5
add address-pool=dhcp_pool30 disabled=no interface=VLAN50 lease-time=12h \
name=dhcp6
/ipv6 dhcp-server option
add code=23 name=dnstest value="'2606:4700:4700::1111'"
/ppp profile
add change-tcp-mss=yes dns-server=10.3.1.1 name=sstpserver use-encryption=yes
/system logging action
add email-to=CENSORED name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add interface=ether10
add interface=ether9
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no
/interface dot1x client
add anon-identity=CENSORED certificate=\
Client_CENSORED.pem_0 eap-methods=eap-tls identity=\
CENSORED interface=ether1
/interface l2tp-server server
set allow-fast-path=yes authentication=chap,mschap2 enabled=yes max-mru=1460 \
max-mtu=1460 use-ipsec=required
/interface list member
add interface=VLAN50 list=LAN
add interface=VLAN70 list=LAN
add interface=VLAN100 list=LAN
add interface=VLAN20 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=ether1 list=WAN
add interface=VLAN100 list=No-InterVLAN
add interface=VLAN20 list=No-InterVLAN
add interface=VLAN70 list=No-InterVLAN
add interface=VLAN50 list=m-InterVLAN
add interface=VLAN100 list=m-InterVLAN
add interface=VLAN70 list=m-InterVLAN
add interface=VLAN20 list=TrueDMZ
add interface=VLAN40 list=LAN
add interface=VLAN45 list=LAN
add interface=VLAN45 list=TrueDMZ
add interface=VLAN50 list=TrueDMZ
add interface=VLAN70 list=TrueDMZ
add interface=VLAN100 list=TrueDMZ
add interface=VLAN20 list=DMZ-IPCAMs
add interface=VLAN40 list=DMZ-IPCAMs
add interface=VLAN50 list=DMZ-IPCAMs
add interface=VLAN100 list=DMZ-IPCAMs
add interface=VLAN40 list=m-InterVLAN
add interface=VLAN45 list=m-InterVLAN
add interface=VLAN45 list=No-InterVLAN
add interface=VLAN40 list=No-InterVLAN
add interface=ether10 list=LAN
add interface="VLAN12_Hikvision VLAN" list=LAN
add interface=VLAN200_mgmt list=mgmt
add interface=VLAN100 list=mgmt
add interface="VLAN12_Hikvision VLAN" list=noWAN_IOT
add interface=VLAN70 list=noWAN_IOT
add interface=VLAN99 list=noWAN_IOT
add interface=VLAN200_mgmt list=LAN
add interface=VLAN500 list=LAN
add list=LAN
add interface=ether10 list=mgmt
add list=DNS
add list=mgmt
add interface=vlan20_temp list=LAN
add interface=vlan20_temp list=No-InterVLAN
add interface=vlan20_temp list=TrueDMZ
add interface=ether6 list=LAN
add interface=ether6 list=mgmt
add interface=ether6 list=DMZ-IPCAMs
/interface sstp-server server
set authentication=mschap2 certificate=server1 enabled=yes force-aes=yes pfs=\
yes
/ip address
add address=10.10.10.1/24 interface=VLAN20 network=10.10.10.0
add address=192.168.50.1/29 interface=VLAN50 network=192.168.50.0
add address=10.1.1.1/24 interface=VLAN100 network=10.1.1.0
add address=10.5.1.1/29 interface=VLAN45 network=10.5.1.0
add address=10.4.1.1/29 disabled=yes interface=VLAN40 network=10.4.1.0
add address=192.168.18.1/29 disabled=yes interface=ether10 network=\
192.168.18.0
add address=10.200.200.1/24 disabled=yes interface=VLAN200_mgmt network=\
10.200.200.0
add address=45.23.16.173/29 disabled=yes network=45.23.16.168
add address=10.99.99.1/24 disabled=yes interface=VLAN99 network=10.99.99.0
add address=192.168.70.1/24 interface=VLAN70 network=192.168.70.0
add address=172.16.0.1/24 disabled=yes interface=VLAN500 network=172.16.0.0
add address=10.9.9.1/24 disabled=yes interface=vlan20_temp network=10.9.9.0
add address=10.2.1.1/24 disabled=yes interface=ether6 network=10.2.1.0
add address=192.168.1.1/24 interface=sfp-sfpplus1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.1.1.154 client-id=1:ce:ff:3b:dd:a4:b4 mac-address=\
CE:FF:3B:DD:A4:B4 server=vlan100_LAN
add address=10.1.1.183 client-id=1:c:e4:41:da:d7:b4 mac-address=\
0C:E4:41:DA:D7:B4 server=vlan100_LAN
add address=10.10.10.118 mac-address=48:E1:E9:48:8C:6E server=vlan20
add address=10.1.1.153 client-id=\
ff:54:36:e2:97:0:2:0:0:ab:11:4f:8c:a8:5c:9e:ad:44:30 mac-address=\
00:16:3E:C9:E2:6D server=vlan100_LAN
add address=10.1.1.44 client-id=1:0:2:c9:51:45:d6 mac-address=\
00:02:C9:51:45:D6 server=vlan100_LAN
add address=10.10.10.99 client-id=1:88:57:1d:36:39:a0 mac-address=\
88:57:1D:36:39:A0 server=vlan20
add address=10.10.10.46 mac-address=84:CC:A8:85:21:43 server=vlan20
add address=10.1.1.42 client-id=1:58:d3:49:3e:34:fb mac-address=\
58:D3:49:3E:34:FB server=vlan100_LAN
add address=10.10.10.45 client-id=1:14:a:c5:ad:45:93 mac-address=\
14:0A:C5:AD:45:93 server=vlan20
add address=10.10.10.155 client-id=1:78:e1:3:ba:83:53 mac-address=\
78:E1:03:BA:83:53 server=vlan20
add address=10.10.10.117 client-id=1:f0:ef:86:f3:4f:c5 mac-address=\
F0:EF:86:F3:4F:C5 server=vlan20
add address=10.1.1.40 client-id=1:c:8d:db:93:95:9b mac-address=\
0C:8D:DB:93:95:9B server=vlan100_LAN
add address=10.10.10.238 client-id=ff:32:13:5f:74:0:3:0:1:44:61:32:13:5f:74 \
mac-address=44:61:32:13:5F:74 server=vlan20
add address=10.10.10.242 mac-address=F0:F0:A4:07:12:8E server=vlan20
add address=10.1.1.200 client-id=\
ff:5f:d1:de:3d:0:2:0:0:ab:11:3c:6:22:3b:42:43:5b:ec mac-address=\
00:16:3E:0B:56:30 server=vlan100_LAN
add address=10.10.10.234 client-id=1:88:57:1d:32:14:8 mac-address=\
88:57:1D:32:14:08 server=vlan20
add address=10.1.1.39 client-id=1:38:21:c7:cd:67:c4 mac-address=\
38:21:C7:CD:67:C4 server=vlan100_LAN
add address=10.10.10.11 client-id=1:0:6:78:39:ed:58 mac-address=\
00:06:78:39:ED:58 server=vlan20
add address=10.1.1.209 client-id=1:0:16:3e:a0:e2:fc mac-address=\
00:16:3E:A0:E2:FC server=vlan100_LAN
add address=10.1.1.32 client-id=\
ff:23:e6:1a:91:0:1:0:1:28:b1:f6:c7:30:9c:23:e6:1a:91 mac-address=\
30:9C:23:E6:1A:91 server=vlan100_LAN
add address=10.10.10.185 client-id=1:ac:f1:8:3:be:48 mac-address=\
AC:F1:08:03:BE:48 server=vlan20
add address=10.1.1.160 client-id=\
ff:11:dd:1e:18:0:1:0:1:23:9b:17:51:e8:eb:11:dd:1e:18 mac-address=\
E8:EB:11:DD:1E:18 server=vlan100_LAN
add address=10.10.10.22 client-id=1:64:d2:c4:d0:2f:90 mac-address=\
64:D2:C4:D0:2F:90 server=vlan20
add address=192.168.70.28 client-id=1:30:5:5c:3d:19:e7 mac-address=\
30:05:5C:3D:19:E7 server=vlan70
add address=10.1.1.190 client-id=1:c:8d:db:93:50:6e mac-address=\
0C:8D:DB:93:50:6E server=vlan100_LAN
add address=10.10.10.175 client-id=1:54:e6:1b:f3:53:fd mac-address=\
54:E6:1B:F3:53:FD server=vlan20
add address=10.1.1.31 client-id=1:68:d7:9a:2d:41:d3 mac-address=\
68:D7:9A:2D:41:D3 server=vlan100_LAN
add address=10.1.1.128 client-id=\
ff:3e:c8:67:ec:0:1:0:1:28:2c:92:5b:0:16:3e:c8:67:ec mac-address=\
00:16:3E:C8:67:EC server=vlan100_LAN
add address=192.168.70.101 client-id=1:9c:8e:cd:2d:be:5c mac-address=\
9C:8E:CD:2D:BE:5C server=vlan70
add address=192.168.70.23 client-id=1:bc:ba:c2:94:1b:74 mac-address=\
BC:BA:C2:94:1B:74 server=vlan70
add address=192.168.70.27 client-id=1:bc:ba:c2:94:1b:8c mac-address=\
BC:BA:C2:94:1B:8C server=vlan70
add address=192.168.70.22 client-id=1:bc:ba:c2:94:1b:a8 mac-address=\
BC:BA:C2:94:1B:A8 server=vlan70
add address=10.10.10.54 client-id=1:4c:3b:df:c:4c:93 mac-address=\
4C:3B:DF:0C:4C:93 server=vlan20
add address=10.10.10.57 client-id=1:38:1a:52:12:a0:cc mac-address=\
38:1A:52:12:A0:CC server=vlan20
add address=10.10.10.15 client-id=1:a8:81:7e:9:2a:67 mac-address=\
A8:81:7E:09:2A:67 server=vlan20
add address=10.10.10.235 client-id=1:58:fd:b1:90:d2:4c mac-address=\
58:FD:B1:90:D2:4C server=vlan20
add address=192.168.50.6 client-id=1:18:7e:b9:8:b5:5 mac-address=\
18:7E:B9:08:B5:05 server=dhcp6
add address=10.10.10.20 client-id=1:44:cb:8b:ec:fa:10 mac-address=\
44:CB:8B:EC:FA:10 server=vlan20
add address=10.10.10.16 client-id=1:5a:1b:b4:61:61:11 mac-address=\
5A:1B:B4:61:61:11 server=vlan20
add address=10.1.1.41 client-id=1:98:18:88:be:3:26 mac-address=\
98:18:88:BE:03:26 server=vlan100_LAN
add address=10.10.10.13 client-id=1:1e:23:91:f6:7f:f9 mac-address=\
1E:23:91:F6:7F:F9 server=vlan20
add address=10.10.10.21 client-id=1:a2:fd:f:86:1d:52 mac-address=\
A2:FD:0F:86:1D:52 server=vlan20
add address=10.10.10.24 client-id=1:9e:a7:89:24:23:be mac-address=\
9E:A7:89:24:23:BE server=vlan20
add address=10.10.10.19 client-id=1:b6:55:4c:a2:ab:d7 mac-address=\
B6:55:4C:A2:AB:D7 server=vlan20
add address=10.10.10.25 client-id=1:8a:e8:76:40:5c:f mac-address=\
8A:E8:76:40:5C:0F server=vlan20
add address=10.10.10.29 mac-address=70:2C:09:83:D5:17 server=vlan20
add address=10.1.1.26 client-id=1:74:8f:3c:42:f9:61 mac-address=\
74:8F:3C:42:F9:61 server=vlan100_LAN
add address=10.10.10.137 client-id=1:ac:12:3:29:6b:d9 mac-address=\
AC:12:03:29:6B:D9 server=vlan20
add address=10.10.10.30 mac-address=94:44:44:EA:DB:C5 server=vlan20
add address=10.1.1.43 client-id=1:98:18:88:be:b4:e4 mac-address=\
98:18:88:BE:B4:E4 server=vlan100_LAN
add address=10.10.10.27 client-id=1:e8:61:7e:f8:10:5b mac-address=\
E8:61:7E:F8:10:5B server=vlan20
add address=10.10.10.33 client-id=1:4a:68:75:d5:b2:ad mac-address=\
4A:68:75:D5:B2:AD server=vlan20
add address=10.10.10.35 client-id=\
ff:76:de:30:a1:0:4:ac:f5:70:cc:2d:3f:11:b2:a8:5c:a6:5a:a3:4:f9:99 \
mac-address=C8:5B:76:DE:30:A1 server=vlan20
add address=10.10.10.36 client-id=1:c8:5b:76:de:30:a1 mac-address=\
C8:5B:76:DE:30:A1 server=vlan20
add address=10.10.10.32 client-id=1:ce:a8:22:ba:c:78 mac-address=\
CE:A8:22:BA:0C:78 server=vlan20
add address=10.10.10.39 client-id=1:78:c8:81:82:c0:24 mac-address=\
78:C8:81:82:C0:24 server=vlan20
add address=10.10.10.41 client-id=1:a0:4e:a7:8e:99:46 mac-address=\
A0:4E:A7:8E:99:46 server=vlan20
add address=10.10.10.37 client-id=1:ea:e2:e2:b6:2f:1a mac-address=\
EA:E2:E2:B6:2F:1A server=vlan20
add address=10.10.10.47 client-id=1:fa:51:7a:fe:e4:65 mac-address=\
FA:51:7A:FE:E4:65 server=vlan20
add address=10.1.1.24 client-id=1:ca:5a:b8:57:19:e4 mac-address=\
CA:5A:B8:57:19:E4 server=vlan100_LAN
add address=10.10.10.12 client-id=1:4c:bc:98:80:ad:42 mac-address=\
4C:BC:98:80:AD:42 server=vlan20
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.1 gateway=10.1.1.1
add address=10.2.1.0/24 dns-server=10.2.1.1,8.8.4.4 gateway=10.2.1.1
add address=10.4.1.0/29 dns-server=10.4.1.1 gateway=10.4.1.1
add address=10.5.1.0/29 dns-server=10.5.1.1 gateway=10.5.1.1
add address=10.9.9.0/24 dns-server=10.9.9.1,8.8.4.4 gateway=10.9.9.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.200.200.0/24 dns-server=1.1.1.1,208.67.222.222 gateway=\
10.200.200.1
add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1
add address=172.20.120.0/24 dns-server=172.20.120.1 gateway=172.20.120.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.10.0/28 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.18.0/24 dns-server=192.168.18.1 gateway=192.168.18.1
add address=192.168.50.0/29 gateway=192.168.50.1
add address=192.168.70.0/24 dns-server=192.168.70.1 gateway=192.168.70.1
/ip dns
set allow-remote-requests=yes max-concurrent-queries=100000 \
max-concurrent-tcp-sessions=20000 servers=\
8.8.8.8,1.1.1.1,2001:4860:4860::8888
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
add address=2606:4700::6810:f9f9 name=cloudflare-dns.com type=AAAA
add address=2606:4700::6810:f8f9 name=cloudflare-dns.com type=AAAA
add address=10.1.1.14 name=yt.home
add address=10.5.1.5 name=bitwarden.home
add address=10.5.1.5 name=bit.home
add address=10.1.1.60 name=b.home
add address=10.1.1.60 name=backup.home
add address=10.1.1.60 name=backups.home
add address=10.10.10.35 name=volumio.home
add address=10.10.10.35 name=volumio.local
add address=10.10.10.36 name=euphony.home
/ip firewall address-list
add address=b8f40b5fbc45.sn.mynetname.net list=WAN-IP
add address=216.218.206.78 list=IPSEC
add address=180.168.136.110 list=IPSEC
add address=216.218.206.118 list=IPSEC
add address=95.174.66.242 list=IPSEC
add address=202.96.99.84 list=IPSEC
add address=121.81.24.227 list=IPSEC
add address=181.129.42.188 list=IPSEC
add address=109.189.159.221 list=IPSEC
add address=45.23.16.169-45.23.16.173 list=static
add address=10.10.10.54 list=Plex-Bypass-Firewall
add address=10.10.10.48 list=Plex-Bypass-Firewall
add address=192.168.77.0/24 list=vpn
add address=10.3.1.0/24 list=vpn
add address=172.16.0.0/24 list=local
add address=10.9.9.245 list=Plex-Bypass-Firewall
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="allow established related" \
connection-state=established,related in-interface=all-vlan out-interface=\
VLAN100
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" disabled=\
yes in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" \
disabled=yes dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input disabled=yes dst-port=443 in-interface=ether1 \
protocol=tcp
add action=accept chain=forward disabled=yes src-address=10.3.1.0/24
add action=accept chain=forward comment="Allow VPN to internet" disabled=yes \
out-interface-list=WAN src-address-list=vpn
add action=accept chain=input comment="Allow established related untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all other input"
add action=accept chain=forward comment=\
"Allow static /29 from AT&T to receive traffic from the public/clearweb!" \
disabled=yes in-interface-list=WAN out-interface=*20
add action=accept chain=forward comment="Allow DNS for all" \
out-interface-list=DNS
add action=drop chain=forward comment=\
"no WAN for VLAN70 (ipcameras), VLAN12, and VLAN99" in-interface-list=\
noWAN_IOT out-interface-list=WAN
add action=accept chain=forward disabled=yes out-interface=VLAN100 \
src-address-list=Plex-Bypass-Firewall
add action=accept chain=forward disabled=yes dst-address-list=\
Plex-Bypass-Firewall in-interface=VLAN100
add action=accept chain=forward comment="Allow established related untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="no inter-vlan for Sutherland VLAN50" \
in-interface=VLAN50 out-interface-list=No-InterVLAN
add action=drop chain=forward comment="no intervlan for m's network" \
in-interface=VLAN20 out-interface-list=m-InterVLAN
add action=drop chain=forward comment=dmz disabled=yes in-interface=VLAN45 \
out-interface-list=DMZ-IPCAMs
add action=drop chain=forward comment=truedmz disabled=yes in-interface=\
VLAN40 out-interface-list=TrueDMZ
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow LAN" in-interface-list=LAN
add action=accept chain=forward comment="Allow port forwards (dst nat)" \
connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=forward disabled=yes out-interface-list=mgmt
add action=drop chain=forward comment="drop all other forward"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=to_vpn \
passthrough=yes src-address-list=local
add action=change-mss chain=forward disabled=yes new-mss=1360 passthrough=yes \
protocol=tcp src-address-list=local tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes src-address=10.3.1.0/24
add action=masquerade chain=srcnat comment="Default masq" out-interface-list=\
WAN
add action=dst-nat chain=dstnat comment="OVPN Portfoward" disabled=yes \
dst-address=CENSORED dst-port=1194 in-interface-list=WAN protocol=\
udp to-addresses=10.5.1.3
add action=dst-nat chain=dstnat comment=wireguard dst-address=CENSORED \
dst-port=51820 in-interface-list=WAN protocol=udp to-addresses=10.5.1.2
add action=dst-nat chain=dstnat comment=apache2 disabled=yes dst-address=\
CENSORED dst-port=80 in-interface-list=WAN protocol=tcp \
to-addresses=10.4.1.4
add action=dst-nat chain=dstnat comment=ssh disabled=yes dst-address=\
CENSORED dst-port=22 in-interface-list=WAN protocol=tcp \
to-addresses=10.4.1.4
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=vpnclient.p12_1 \
generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client \
policy-template-group=ike2-rw
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add group=ike2-rw proposal=ike2-rw template=yes
/ip route
add disabled=yes distance=1 gateway=vpn_blackhole routing-mark=to_vpn
/ip route vrf
add disabled=yes interfaces=VLAN500,*23 routing-mark=guestvpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.1.1.0/24 disabled=yes
set www-ssl address=10.1.1.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=VLAN20 type=internal
add interface=VLAN50 type=internal
add interface=VLAN100 type=internal
/ipv6 address
add address=2600:1700:48e8:1871:CENSORED eui-64=yes interface=\
ether1
add address=2600:1700:48e8:CENSORED eui-64=yes interface=\
VLAN20
add address=2600:1700:48e8:CENSORED eui-64=yes interface=\
VLAN100
add address=2600:1700:48e8:CENSORED eui-64=yes interface=\
VLAN45
add address=2600:1700:48e8:CENSORED:de9b eui-64=yes interface=\
VLAN50
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=general-pool6 \
pool-prefix-length=60 prefix-hint=::/64 request=prefix
/ipv6 firewall filter
add action=accept chain=input comment=\
"Accept (established, related untracked)" connection-state=\
established,related,untracked
add action=drop chain=input comment="Drop (invalid)" connection-state=invalid
add action=accept chain=input comment="Accept DHCP (10/sec)" \
in-interface-list=WAN limit=10,20:packet protocol=udp src-port=547
add action=drop chain=input comment="Drop DHCP (>10/sec)" in-interface-list=\
WAN protocol=udp src-port=547
add action=accept chain=input comment="Accept external ICMP (10/sec)" \
in-interface-list=WAN limit=10,20:packet protocol=icmpv6
add action=drop chain=input comment="Drop external ICMP (>10/sec)" \
in-interface-list=WAN protocol=icmpv6
add action=accept chain=input comment="Accept internal ICMP" \
in-interface-list=!WAN protocol=icmpv6
add action=drop chain=input comment="Drop external" in-interface-list=WAN
add action=drop chain=input comment="Reject everything else"
add action=accept chain=output comment="Accept all"
add action=accept chain=forward comment=\
"Accept (established, related, untracked)" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop (invalid)" connection-state=\
invalid
add action=accept chain=forward comment="Accept external ICMP (20/sec)" \
in-interface-list=WAN limit=20,50:packet protocol=icmpv6
add action=drop chain=forward comment="Drop external ICMP (>20/sec)" \
in-interface-list=WAN protocol=icmpv6
add action=accept chain=forward comment="Accept internal" in-interface-list=\
!WAN
add action=accept chain=forward comment="Accept outgoing" out-interface-list=\
WAN
add action=drop chain=forward comment="Drop external" in-interface-list=WAN
/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=VLAN100 other-configuration=yes ra-interval=20s-1m
add interface=VLAN50 other-configuration=yes ra-interval=20s-1m
add interface=VLAN20 other-configuration=yes ra-interval=20s-1m
add interface=ether1 other-configuration=yes ra-interval=20s-1m
add disabled=yes interface=VLAN40 other-configuration=yes ra-interval=20s-1m
add interface=VLAN45 other-configuration=yes ra-interval=20s-1m
add disabled=yes interface=VLAN200_mgmt ra-interval=20s-1m
add disabled=yes interface=VLAN500 other-configuration=yes ra-interval=20s-1m
/ipv6 nd prefix
add interface=VLAN20 prefix=2600:1700:48e8:1873::/64
add disabled=yes interface=VLAN40 prefix=2600:1700:48e8:1876::/64
add interface=ether1 prefix=2600:1700:48e8:1871::/64
add interface=VLAN100 prefix=2600:1700:48e8:1872::/64
add interface=VLAN50 prefix=2600:1700:48e8:1875::/64
add interface=VLAN45 prefix=2600:1700:48e8:1874::/64
add disabled=yes interface=VLAN500 prefix=2600:1700:48e8:1877::/64
/ppp secret
add local-address=10.3.1.1 name=Laptop profile=sstpserver remote-address=\
10.3.1.100 service=sstp
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=MikroTik-RB4011
/system scheduler
add interval=5m name="Find IPSEC" on-event=Find_IPSEC policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=feb/24/2020 start-time=03:25:11
add disabled=yes interval=1h name=email_logs on-event="/log print file=logs\r\
\ndelay 10\r\
\n/tool e-mail send to=\"me@tlopez.cc\" subject=\"\$[/system identity get \
name] logs\" \\\r\
\nbody=\"\$[/system clock get date] log file\" file=logs.txt" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=apr/27/2020 start-time=08:51:35
/system script
add dont-require-permissions=no name=Find_IPSEC owner=kazuma policy=\
read,write,policy,test,password,sniff,sensitive,romon source="# Created Jo\
tne 2019 v1.2\r\
\n#\r\
\n# This script add ip of user who with \"IPSEC negotiation failed\" and \
\"SPI* not registered\" to a block list for 24hour\r\
\n# Schedule the script to run every 5 min\r\
\n# It should run on all routerOS version\r\
\n\r\
\n\r\
\n\r\
\n# Find all \"negotiation failed\" error last 5 min\r\
\n:local loglistN [:toarray [/log find time>([/system clock get time] - 5\
m) message~\"negotiation failed\"]]\r\
\n\r\
\n# for all error do\r\
\n:foreach i in=\$loglistN do={\r\
\n\r\
\n# find message\r\
\n\t:local logMessageN [/log get \$i message]\r\
\n# find ip\r\
\n\t:local ipN [:pick \$logMessageN 0 [:find \$logMessageN \" \"]]\r\
\n\r\
\n# Add ip to accesslist\t\r\
\n\t/ip firewall address-list add address=\$ipN list=IPSEC timeout=24h\r\
\n# Send a message to the log\t\r\
\n\t:log info message=\"script=IPSEC_failed src_ip=\$ipN why=negotiation_f\
ailed\"\r\
\n\t}\r\
\n\r\
\n\t\r\
\n\r\
\n# Find all \"SPI* not registered\"\" error last 5 min\r\
\n:local loglistS [:toarray [/log find time>([/system clock get time] - 5\
m) message~\"SPI.*not regist\"]]\r\
\n\r\
\n# for all error do\r\
\n:foreach j in=\$loglistS do={\r\
\n\r\
\n# find message\r\
\n\t:local logMessageS [/log get \$j message]\r\
\n# find ip\r\
\n\t:local ipS [:pick \$logMessageS ([:find \$logMessageS \"for \"]+4) [:f\
ind \$logMessageS \"[\"]]\r\
\n\r\
\n# Add ip to accesslist\t\r\
\n\t/ip firewall address-list add address=\$ipS list=IPSEC timeout=24h\r\
\n# Send a message to the log\t\r\
\n\t:log info message=\"script=IPSEC_failed src_ip=\$ipS why=SPI_not_regis\
tered\"\r\
\n\t}\r\
\n\t"
/tool e-mail
set address=smtp.gmail.com from=CENSORED port=587 start-tls=yes user=\
CENSORED
