# model: RB5009UG+S+
# serial-number: HE408NJSJR7
# firmware-type: 70x0
# current-firmware: 7.12.1
# installed-version: 7.15.2
#
# software id = IZCK-IWM2
#
# model = RB5009UG+S+
# serial number = HE408NJSJR7
#
# Review notes (RouterOS 7 export of gateway MSK-GW; original was collapsed onto a few
# lines, re-split here one command per line).
# - This export was produced with sensitive values included: OVPN/SSTP passwords, the
#   SNMPv3 passwords, the L2TP ipsec-secret, the IPsec identity secret and a PPP secret
#   are all in clear text below. Treat the file as a credential store: rotate every
#   secret that appears here and regenerate future exports without sensitive values.
# - The same string is used as the L2TP ipsec-secret, the IPsec identity secret for the
#   miran-gre peer, and the msk_l2tp PPP password. One leak compromises all three;
#   give each service its own secret.
# - The IPv4 input chain accepts SSH (11209), API (8728), Winbox (8291) and 443 with no
#   interface or source restriction, ahead of the defconf "drop all not coming from LAN"
#   rule, so management is reachable from WAN. See the per-rule notes in
#   /ip firewall filter.
/interface bridge
add admin-mac=48:A9:8A:59:90:7A auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ovpn-client
# First client has no password in the export (certificate-only auth, presumably) and is
# disabled; the other two carry clear-text passwords. Both "msk" clients point at
# vpn.tages.ru on different ports.
add certificate="vpnmsk (1).crt_0" cipher=aes256-cbc connect-to=vpn.tages.ru disabled=yes mac-address=02:4D:EF:F8:24:11 name=ovpn-office-msk port=1195 user=vpnmsk
# Disabled, yet referenced by enabled masquerade rules and by the AllToVpn routing
# table below (see the fail-open note there).
add certificate=vpn_msk_hetzner.crt_0 cipher=aes128-cbc connect-to=195.201.93.92 disabled=yes mac-address=02:19:A2:33:B7:CC name=vpn-msk-hetzner password=705976151506 port=18176 route-nopull=yes user=vpn_msk
add certificate=vpn-office-msk.crt_0 cipher=aes256-cbc connect-to=vpn.tages.ru mac-address=02:E9:A8:AC:67:C9 name=vpn-office-msk password="hZ%C\\\$awS7%S~" port=1200 route-nopull=yes user=vpn-office-msk
/interface gre
# Plain GRE to the miran peer; the /ip ipsec peer/policy entries below cover the same
# host pair, which is presumably what protects this tunnel - confirm the policy is
# actually active, as GRE itself is unauthenticated.
add allow-fast-path=no local-address=185.165.162.143 name=gre-miran remote-address=185.73.214.42
/interface vlan
add interface=bridge name=vlan20-buh vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# defconf leftover; this board has no wireless interface.
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
# Only referenced by disabled mangle rules. Dots are unescaped, so the pattern also
# matches e.g. "corpXtagesXru"; escape them if the rules are ever re-enabled.
add name=corp.tages.ru regexp=corp.tages.ru
/ip ipsec profile
# Only DH group and encryption are pinned; hash-algorithm is left at its default here -
# confirm the negotiated integrity algorithm on the device.
add dh-group=modp2048 enc-algorithm=aes-256,aes-128 name=profile1
/ip ipsec peer
add address=185.73.214.42/32 local-address=185.165.162.143 name=miran-gre profile=profile1
/ip ipsec proposal
# Only PFS group is pinned; auth/enc algorithms use defaults - confirm they match the
# peer and are not legacy values.
add name=proposal1 pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.253
add name=buh-hidden ranges=172.21.20.5-172.21.20.50
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=dhcp-msk
add address-pool=buh-hidden interface=vlan20-buh lease-time=10m name=dhcp-vlan20-buh
/ip smb users
set [ find default=yes ] disabled=yes
/interface sstp-client
# verify-server-address-from-certificate=no disables the check that the certificate
# belongs to the address being connected to; with a clear-text password in the profile
# this leaves the client open to a spoofed server. Enable it once the server
# certificate carries the right SAN.
add authentication=mschap2 connect-to=94.158.52.89 disabled=no name=vpn-uz password="U{K54wKesq\$T" profile=default-encryption user=office-msk verify-server-address-from-certificate=no
/queue simple
add disabled=yes max-limit=15M/15M name=192.168.1.3 target=192.168.1.3/32
add disabled=yes name=google-meet-priority packet-marks=google-meet-packet priority=1/1 target=""
/queue tree
add max-limit=125M name=WAN parent=global
add limit-at=10M max-limit=100M name=RDP packet-mark=rdp parent=WAN priority=3
add name=google-meet packet-mark=google-meet-packet parent=WAN priority=2
/queue simple
add disabled=yes dst=sfp-sfpplus1 max-limit=125M/125M name=internet-speed-limit priority=5/5 queue=pcq-upload-default/pcq-download-default target=192.168.1.0/24
add disabled=yes limit-at=5M/5M max-limit=20M/20M name=rdp packet-marks=rdp parent=internet-speed-limit priority=3/3 target=192.168.1.0/24
/routing table
add disabled=no fib name=vpn-hetzner
add disabled=no fib name=AllToVpn
/snmp community
set [ find default=yes ] disabled=yes
# Source-restricted to one host - good. security=authorized is authentication only;
# the encryption-password is set but not used at this level. Use security=private if
# the intent is authPriv.
add addresses=213.21.63.22/32 authentication-password="kNTT5o&e\$ca%" encryption-password=M8fsEMy%BJwd name=tages-snmp security=authorized
/system logging action
# Remote BSD syslog to an external collector; account and firewall logs leave the
# device unencrypted with this transport.
set 3 bsd-syslog=yes remote=178.154.206.90 syslog-facility=syslog
/interface bridge port
# ether2-ether8 are all in the single LAN bridge; ether1 is not bridged and has a
# DHCP client below but is in neither interface list.
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# VLAN 20 is tagged on ether2 and the bridge itself; bridge vlan-filtering is not
# shown in this export, so whether this entry is enforced cannot be confirmed here.
add bridge=bridge tagged=ether2,bridge vlan-ids=20
/interface l2tp-server server
# mschap1 is still allowed; restrict to authentication=mschap2. use-ipsec=required is
# good, but the ipsec-secret is reused as the miran-gre PSK and the msk_l2tp PPP
# password. Whether the server is enabled is not shown here.
set authentication=mschap1,mschap2 ipsec-secret=gRyiAtKoDiKPPH50M3F7 use-ipsec=required
/interface list member
# LAN = bridge only: vlan20-buh, the VPN client interfaces and gre-miran are in neither
# list, so "in-interface-list=!LAN" drops apply to them and "in-interface-list=WAN"
# drops do not. ether1 (DHCP client) is also outside both lists.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp-sfpplus1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.99.1/24 interface=bridge network=192.168.99.0
add address=185.165.162.143/27 interface=sfp-sfpplus1 network=185.165.162.128
# interface=*15 is an unresolved interface reference (the interface no longer exists);
# stale entry, remove or re-point.
add address=172.16.10.2/29 interface=*15 network=172.16.10.0
add address=10.10.0.1/30 interface=gre-miran network=10.10.0.0
add address=172.21.20.1/24 interface=vlan20-buh network=172.21.20.0
/ip dhcp-client
# ether1 would take an address from whatever it is plugged into, yet it is not in the
# WAN list, so the forward "drop all from WAN not DSTNATed" rule and WAN masquerade
# do not cover it. Add it to WAN if it is an uplink, or disable this client.
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.108 client-id=1:c:dd:24:11:36:13 mac-address=0C:DD:24:11:36:13 server=dhcp-msk
add address=192.168.1.192 client-id=1:62:33:28:ab:d:93 mac-address=62:33:28:AB:0D:93 server=dhcp-msk
add address=192.168.1.103 client-id=1:2c:26:17:52:5f:2e comment=oculus mac-address=2C:26:17:52:5F:2E server=dhcp-msk
add address=192.168.1.61 client-id=1:f0:18:98:74:d5:be mac-address=F0:18:98:74:D5:BE server=dhcp-msk
/ip dhcp-server network
add address=172.21.20.0/24 dns-server=172.21.20.1 gateway=172.21.20.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
# Resolver is open to remote requests; the input chain only admits 53/udp on
# in-interface-list=!WAN, which includes the unlisted VPN/GRE/ether1 interfaces.
set allow-remote-requests=yes servers=89.207.94.34,89.207.95.18,77.88.8.8,77.88.8.1
/ip dns static
# router.lan points at 192.168.88.1, which is a disabled address above; stale defconf.
add address=192.168.88.1 comment=defconf name=router.lan
# Conditional forwarding of corp zones to an internal resolver reached via gre-miran
# (10.0.10.0/24 route below).
add forward-to=10.0.10.10 regexp=".*\\.ufa\\.corp.tages.ru" type=FWD
add forward-to=10.0.10.10 regexp=".*\\.corp\\.tages.ru" type=FWD
/ip firewall address-list
add address=mattermost.com list=vpn-hetzner
add address=my.mehnat.uz list=vpn-uz
add address=mehnat.uz list=vpn-uz
add address=medium.com list=vpn-hetzner
add address=192.168.1.103 comment=AllTrafficToVpn list=AllToVpn
add address=192.168.1.61 disabled=yes list=AllToVpn
add address=software.cisco.com list=vpn-hetzner
add address=74.125.250.0/24 comment=Google-meet list=Google-meet
add address=142.250.82.0/24 comment=Google-meet list=Google-meet
add address=91.108.56.0/22 list=Telegram
add address=91.108.4.0/22 list=Telegram
add address=91.108.8.0/22 list=Telegram
add address=91.108.16.0/22 list=Telegram
add address=91.108.12.0/22 list=Telegram
add address=149.154.160.0/20 list=Telegram
add address=91.105.192.0/23 list=Telegram
add address=91.108.20.0/22 list=Telegram
add address=185.76.151.0/24 list=Telegram
# Three whole /8s labelled "docker"; very broad for a policy-routing selector.
add address=54.0.0.0/8 comment=docker list=vpn-hetzner
add address=52.0.0.0/8 comment=docker list=vpn-hetzner
add address=44.0.0.0/8 comment=docker list=vpn-hetzner
# Static block list consumed by /ip firewall raw; nothing in this export populates it
# dynamically.
add address=178.140.194.75 list=Bruteforce
add address=89.175.196.15 list=Bruteforce
/ip firewall filter
# Accepts every protocol/port from the IPsec/GRE peer. Narrow to what the tunnel needs
# (IKE udp/500,4500, ipsec-esp, gre) so a compromised peer cannot reach management.
add action=accept chain=input src-address=185.73.214.42
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# No wireguard interface appears in this export; if none exists, drop this rule.
add action=accept chain=input comment=wireguard dst-port=12321 in-interface-list=WAN protocol=udp
# SSH on the non-default port, but open on every interface including WAN; add
# in-interface-list=LAN or a management src-address-list.
add action=accept chain=input comment="PERMIT SSH OXID" dst-port=11209 protocol=tcp
# Plain (non-TLS) API open on every interface; restrict to the monitoring hosts that
# use the prometeus/api_read groups, and prefer the TLS API service.
add action=accept chain=input comment="PERMIT API" dst-port=8728 protocol=tcp
# Unrestricted forward and input from the office OVPN tunnel (all protocols).
add action=accept chain=forward in-interface=ovpn-office-msk
add action=accept chain=forward in-interface=vpn-office-msk protocol=icmp
add action=accept chain=forward dst-port=80 in-interface=vpn-office-msk protocol=tcp
add action=accept chain=input in-interface=ovpn-office-msk
add action=accept chain=input in-interface=vpn-office-msk protocol=icmp
add action=accept chain=input dst-port=80 in-interface=vpn-office-msk protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Winbox (8291) and 443 to the router from any interface, including WAN; restrict as
# for SSH/API above.
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=443 protocol=tcp
# Comment says winbox but the port is 9100, which the dstnat rule below forwards to
# 192.168.1.11; forwarded traffic is handled in the forward chain, so this input rule
# is likely unneeded. src-port="" is a no-op.
add action=accept chain=input comment="accept winbox" dst-port=9100 in-interface-list=WAN protocol=tcp src-port=""
add action=accept chain=input dst-port=53 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# Everything accepted above this line is reachable from WAN regardless of this drop.
# Also note vlan20-buh is not in LAN, so its hosts hit this rule for anything not
# accepted earlier - confirm that is intended.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# The only forward-chain deny. There is no rule separating vlan20-buh (172.21.20.0/24)
# from the main LAN, so if that VLAN is meant to be isolated, add explicit forward
# drops between vlan20-buh and bridge.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=output disabled=yes protocol=icmp
/ip firewall mangle
# The four disabled layer7 mark-connection rules below are two identical pairs.
add action=mark-connection chain=prerouting disabled=yes dst-address=192.168.1.1 dst-port=53 layer7-protocol=corp.tages.ru new-connection-mark=mycompany.ru-forward passthrough=yes protocol=udp
add action=mark-connection chain=prerouting dst-address-list=Google-meet new-connection-mark=google-meet passthrough=yes
add action=mark-packet chain=prerouting connection-mark=google-meet new-packet-mark=google-meet-packet passthrough=no
add action=mark-connection chain=prerouting disabled=yes dst-address=192.168.1.1 dst-port=53 layer7-protocol=corp.tages.ru new-connection-mark=mycompany.ru-forward passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment="RDP TCP MARK" dst-port=3389 new-packet-mark=rdp passthrough=yes protocol=tcp
# Comment reads "UDP TCP MARK" but the rule matches udp only.
add action=mark-packet chain=forward comment="UDP TCP MARK" dst-port=3389 new-packet-mark=rdp passthrough=yes protocol=udp
add action=mark-connection chain=prerouting disabled=yes dst-address=192.168.1.1 dst-port=53 layer7-protocol=corp.tages.ru new-connection-mark=mycompany.ru-forward passthrough=yes protocol=udp
add action=mark-connection chain=prerouting disabled=yes dst-address=192.168.1.1 dst-port=53 layer7-protocol=corp.tages.ru new-connection-mark=mycompany.ru-forward passthrough=yes protocol=tcp
# Duplicate of the "RDP TCP MARK" rule above; redundant.
add action=mark-packet chain=forward dst-port=3389 new-packet-mark=rdp passthrough=yes protocol=tcp
add action=mark-routing chain=prerouting disabled=yes dst-address-list=vpn-hetzner new-routing-mark=vpn-hetzner passthrough=yes
# Active: hosts in AllToVpn are steered to table AllToVpn, whose only route is
# disabled and whose gateway interface (vpn-msk-hetzner) is disabled. If the goal is
# that these hosts only reach the internet through the VPN, this fails open -
# confirm the lookup does not fall back to main, or add a blackhole/drop for that mark.
add action=mark-routing chain=prerouting comment=AllTrafficToVpn new-routing-mark=AllToVpn passthrough=yes src-address-list=AllToVpn
add action=mark-routing chain=prerouting disabled=yes dst-address-list=Telegram new-routing-mark=vpn-hetzner passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Redundant with the defconf rule above and lacks its ipsec-policy exclusion; remove.
add action=masquerade chain=srcnat out-interface-list=WAN
# dst-address=89.207.91.188 is not an address configured on this router (WAN is
# 185.165.162.143; 89.207.91.x belongs to the disabled old default route), so this
# rule cannot match. Stale - remove or update.
add action=dst-nat chain=dstnat dst-address=89.207.91.188 dst-port=9100 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.1.11 to-ports=9100
add action=dst-nat chain=dstnat connection-mark=mycompany.ru-forward disabled=yes to-addresses=10.0.10.10
add action=masquerade chain=srcnat connection-mark=mycompany.ru-forward disabled=yes
add action=masquerade chain=srcnat disabled=yes out-interface=vpn-uz
add action=masquerade chain=srcnat out-interface=vpn-office-msk
add action=masquerade chain=srcnat out-interface=vpn-msk-hetzner
# Subset of the previous rule (same out-interface); redundant.
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=vpn-msk-hetzner src-address-list=AllToVpn
# Comment says WEB but this (disabled) rule forwards to port 22 with no source
# restriction and no in-interface-list.
add action=dst-nat chain=dstnat comment="WEB ACCESS TO SWITCH" disabled=yes dst-port=11211 protocol=tcp to-addresses=192.168.1.19 to-ports=22
# Publishes the switch's HTTP (plain, port 80) UI to one external source address. No
# in-interface-list=WAN, so the rule also matches on internal interfaces. Prefer an
# HTTPS/VPN path for switch management.
add action=dst-nat chain=dstnat comment="WEB ACCESS TO SWITCH" dst-port=11212 protocol=tcp src-address=217.195.93.246 to-addresses=192.168.1.19 to-ports=80
/ip firewall raw
add action=drop chain=prerouting src-address-list=Bruteforce
/ip ipsec identity
# PSK reused from the L2TP server and the msk_l2tp PPP secret (see header note).
add peer=miran-gre secret=gRyiAtKoDiKPPH50M3F7
/ip ipsec policy
# Host-to-host policy between the WAN address and the GRE peer; no protocol filter, so
# all traffic between the two hosts should be covered.
add dst-address=185.73.214.42/32 peer=miran-gre proposal=proposal1 src-address=185.165.162.143/32
/ip route
# Old default route (disabled); the active default is via 185.165.162.129 below.
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=89.207.91.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Gateway 172.16.33.1 is not in any connected network in this export (only 172.16.10.0/29
# on the missing *15 interface); likely unreachable/stale.
add distance=1 dst-address=192.168.93.0/24 gateway=172.16.33.1 pref-src=192.168.1.1
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=vpn-office-msk pref-src=192.168.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.10.14.0/24 gateway=vpn-office-msk routing-table=main suppress-hw-offload=no
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=vpn-msk-hetzner pref-src="" routing-table=vpn-hetzner scope=30 suppress-hw-offload=no target-scope=10
# Disabled default for table AllToVpn - see the mark-routing note in mangle.
add comment=AllTrafficToVpn disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=vpn-msk-hetzner pref-src=0.0.0.0 routing-table=AllToVpn scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=185.165.162.129 routing-table=main suppress-hw-offload=no
# Internal corp networks reached through gre-miran (10.10.0.2 is the far end of the
# 10.10.0.0/30 tunnel network).
add disabled=no distance=1 dst-address=10.0.10.0/24 gateway=10.10.0.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.40.0/24 gateway=10.10.13.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10 vrf-interface=vpn-office-msk
add disabled=no distance=1 dst-address=10.8.10.0/24 gateway=10.10.0.2 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="1C OVPN" disabled=no distance=1 dst-address=10.8.8.0/24 gateway=10.10.0.2 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
# telnet/ftp/www off - good. ssh is moved to 11209 but not bound to an allowed
# address range; set address= for ssh (and for api/winbox/www-ssl, whose state is not
# in this export) to the management networks instead of relying on the filter chain.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=11209
/ip smb shares
# Default share points at /pub; whether the SMB server itself is enabled is not shown
# here. Disable the share if SMB is not in use.
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified defconf IPv6 ruleset.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ppp secret
# Disabled, but the password is the same string as the L2TP ipsec-secret and the
# IPsec identity secret; rotate all three independently.
add disabled=yes local-address=10.10.1.1 name=msk_l2tp password=gRyiAtKoDiKPPH50M3F7 remote-address=10.10.1.2
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MSK-GW
/system logging
# Entries 0-3 send the default topics to the remote action; firewall and account
# topics are also shipped remotely, which is good for audit. The trailing "add prefix=..."
# entries duplicate the same topics with the default (local) action.
set 0 action=remote prefix=:Info topics=info,!dhcp
set 1 action=remote prefix=:Error
set 2 action=remote prefix=:Warning
set 3 action=remote prefix=:Critical
add disabled=yes topics=wireguard
add topics=script
add action=remote prefix=:Firewall topics=firewall
add action=remote prefix=:Account topics=account
add prefix=:Info topics=info,!dhcp
add prefix=:Warning topics=warning
add prefix=:Error topics=error
add prefix=:Critical topics=critical
add prefix=:Account topics=account
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.ru.pool.ntp.org
add address=1.ru.pool.ntp.org
/tool mac-server
# MAC-level access limited to LAN (the bridge, i.e. all of ether2-ether8).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user group
# Monitoring groups. prometeus also has winbox and test rights, which a read-only
# poller should not need; api_read is the tighter template. User accounts bound to
# these groups are not part of this export.
add name=prometeus policy="read,test,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!rest-api"
add name=api_read policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"