# model: RBD53iG-5HacD2HnD
# serial-number: F34E0F317008
# firmware-type: ipq4000
# current-firmware: 7.6
# installed-version: 7.6
#
# software id = FJPX-DLS0
#
# model = RBD53iG-5HacD2HnD
# serial number = F34E0F317008
#
# RouterOS configuration export for the gateway named GW-UZ (see /system identity).
# The commands are restored to one per line; the source had them collapsed together.
# NOTE(review): this export carries live secrets in clear text (WireGuard private and
# preshared keys, PPPoE / PPP / SOCKS passwords, the Wi-Fi PSK) - it looks like it was
# taken with show-sensitive. Treat every secret below as disclosed: rotate it on the
# device and on each peer, and archive future exports without sensitive values.

# LAN bridge with a fixed admin MAC (auto-mac disabled).
/interface bridge
add admin-mac=DC:2C:6E:EF:10:A7 auto-mac=no comment=defconf name=bridge

# Static SSTP server interfaces, one per PPP user defined under /ppp secret.
/interface sstp-server
add name=sstp-in-miran user=dc-miran
add name=sstp-in-msk user=office-msk
add name=sstp-in-spb user=office-spb
add name=sstp-in-ufa user=office-ufa

# Two AP-mode radios. Neither names a security-profile, so both presumably use the
# default profile configured further down - confirm.
# NOTE(review): wlan1 still has a factory-style SSID; country is set only on wlan2 and
# is "united states" while the clock zone is Asia/Tashkent - verify the regulatory domain.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-EF10AB wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="united states" distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=Tages wireless-protocol=802.11

# WireGuard interface on UDP 51820.
# NOTE(review): the private key is exposed here; regenerate the key pair and update the
# peer. No input rule below accepts UDP 51820 and the only peer is disabled.
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1 private-key="YJ/I+Ia/W1wPrE6zAJhMgcnO//26TfUI/T6bcY9VFmw="

# WAN uplink: PPPoE over ether1, installs the default route and takes DNS from the peer.
# NOTE(review): ISP credential in clear text - change it with the provider.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=1234567s use-peer-dns=yes user=fttb_jump

# Interface lists referenced by the firewall, discovery and MAC-server settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

# Default wireless security profile: WPA2-PSK only (the WPA key is also set but WPA is
# not in authentication-types).
# NOTE(review): one PSK for every SSID using this profile, and it is exposed - rotate it.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key="Tage\$777wifi" wpa2-pre-shared-key="Tage\$777wifi"

# DHCP for the 192.168.93.0/24 LAN.
/ip pool
add name=dhcp ranges=192.168.93.20-192.168.93.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf

# Logging action 3 sends BSD-format syslog to 178.154.206.90 (the same address that
# is allowed to reach the API below).
# NOTE(review): no route here sends that address through a tunnel, so the log stream
# (including the firewall and account topics) presumably crosses the internet
# unencrypted - consider carrying it inside a VPN.
/system logging action
set 3 bsd-syslog=yes remote=178.154.206.90 syslog-facility=syslog

# Least-privilege group: read + api only, every other policy (including sensitive)
# explicitly denied. User accounts themselves are not part of this export.
/user group
add name=api_read policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"

# ether2-ether5 and both radios are bridged into the LAN; ether1 is left out as WAN.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2

# Bridged traffic (including PPPoE) is passed through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes

# Neighbor discovery is limited to LAN interfaces.
/ip neighbor discovery-settings
set discover-interface-list=LAN

# IPv6 is disabled; no IPv6 firewall appears in this export.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

# LAN = bridge; WAN = ether1 and pppoe-out1. The SSTP and WireGuard interfaces are in
# neither list, which matters for the firewall rules that match on these lists.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

# NOTE(review): no enabled=yes is shown, so the OpenVPN server is presumably off; if it
# is ever enabled, drop md5 from the auth list first.
/interface ovpn-server server
set auth=sha1,md5

# SSTP server enabled with MS-CHAPv2 only.
# NOTE(review): no certificate= is set here. If the default (none) is in effect the
# server presents no certificate for clients to validate, and MS-CHAPv2 depends entirely
# on the TLS layer for protection - assign a server certificate and confirm.
/interface sstp-server server
set authentication=mschap2 enabled=yes

# Single WireGuard peer, currently disabled.
# NOTE(review): the preshared key is exposed - replace it on both ends before re-enabling.
/interface wireguard peers
add allowed-address=10.13.13.0/24 disabled=yes endpoint-address=5.187.0.165 endpoint-port=51820 interface=wireguard1 preshared-key="6jbqRNJ6C6hyrH+iU0i8yVc83gzKdtzBY1oxxm2ijho=" public-key="0QB8ADcI0BbUld0sqD4DsPde1pPql5kxxBt2NkS//wY="

# Active LAN address is 192.168.93.1/24; the factory 192.168.88.1/24 is kept but disabled.
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
add address=192.168.93.1/24 interface=bridge network=192.168.93.0
add address=10.13.13.3/24 interface=wireguard1 network=10.13.13.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.93.0/24 gateway=192.168.93.1

# The router answers DNS queries itself. Queries arriving on WAN are only kept out by the
# final "drop all not coming from LAN" input rule - keep that rule in place.
/ip dns
set allow-remote-requests=yes
# NOTE(review): router.lan still points at 192.168.88.1, which is disabled above.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

# Filter rules are evaluated in order. The custom accepts sit above the defconf rules.
# NOTE(review): the SSH (11209) and WinBox (8291) accepts match any source address on any
# interface, so both management services are reachable from the internet. Restrict them
# with src-address / src-address-list to known admin hosts, or reach them only through
# the VPN. The API accept is limited to one source and to WAN, but 8728 is the plaintext
# API and api-ssl is disabled under /ip service, so the API login presumably crosses the
# internet in the clear - confirm.
# The last input rule drops everything not arriving on a LAN interface, which also
# covers the SSTP and WireGuard interfaces since they are not LAN members.
# NOTE(review): the forward chain has no final drop and only filters new connections
# entering from WAN, so traffic from the SSTP tunnels to the LAN and between tunnels is
# not restricted here - add explicit rules if the sites should be segmented.
/ip firewall filter
add action=accept chain=input comment="PERMIT SSH OXID" dst-port=11209 protocol=tcp
add action=accept chain=input comment="winbox internet" dst-port=8291 protocol=tcp
add action=accept chain=input comment="PERMIT API" dst-port=8728 in-interface-list=WAN protocol=tcp src-address=178.154.206.90
add action=accept chain=input comment="sstp " dst-port=443 protocol=tcp
add action=accept chain=input comment="temp ap-1" disabled=yes dst-port=7443 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input comment=socks5 disabled=yes dst-port=1488 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# NAT: masquerade towards WAN and towards the dc-miran tunnel; the "temp ap-1" port
# forward and its companion masquerade are disabled.
# NOTE(review): the disabled masquerade uses dst-address-list=443, i.e. an address list
# named "443"; dst-port=443 was probably intended. Remove stale temporary rules instead
# of leaving them disabled.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="temp ap-1" disabled=yes dst-address=94.158.52.89 dst-port=7443 in-interface=pppoe-out1 log=yes protocol=tcp to-addresses=192.168.93.254 to-ports=443
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.93.254 dst-address-list=443 out-interface-list=WAN protocol=tcp
add action=masquerade chain=srcnat out-interface=sstp-in-miran

# Static routes via the tunnel remote addresses of office-msk (172.16.33.2) and
# dc-miran (172.16.36.2) defined under /ppp secret.
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=172.16.33.2 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.40.0/24 gateway=172.16.36.2 pref-src=192.168.93.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

# telnet, ftp, www and api-ssl are off; SSH is moved to port 11209.
# NOTE(review): winbox and api are not listed, so they are presumably at their defaults
# (enabled) - confirm with /ip service print. No service carries an address= restriction;
# setting one gives a second layer behind the firewall.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=11209
set api-ssl disabled=yes

# SOCKS5 settings; no enabled=yes is shown and the matching firewall accept is disabled.
# NOTE(review): keep the proxy off unless it is needed, and rotate this password.
/ip socks
set port=1488 version=5
/ip socks users
add name=tages password="pRFAc\$xk4Uq"

# PPP accounts for the four SSTP site tunnels, each with fixed /30-style endpoint addresses.
# NOTE(review): all four passwords are exposed, and the three office-* passwords share
# one stem. Issue an independent random secret per site.
/ppp secret
add local-address=172.16.33.1 name=office-msk password="U{K54wKesq\$T" remote-address=172.16.33.2 service=sstp
add local-address=172.16.34.1 name=office-ufa password="U{K54wKesq\$Q" remote-address=172.16.34.2 service=sstp
add local-address=172.16.35.1 name=office-spb password="U{K54wKesq\$A" remote-address=172.16.35.2 service=sstp
add local-address=172.16.36.1 name=dc-miran password="d#7l4T5l\$Ud}" remote-address=172.16.36.2 service=sstp

/system clock
set time-zone-name=Asia/Tashkent
/system identity
set name=GW-UZ

# Rules 0-3 plus the firewall and account topics are sent to the remote action with a
# severity prefix; the rules added without action= use the default action, so a second
# copy of info/warning/error/critical/account is presumably kept on the router - confirm.
/system logging
set 0 action=remote prefix=:Info
set 1 action=remote prefix=:Error
set 2 action=remote prefix=:Warning
set 3 action=remote prefix=:Critical
add action=remote prefix=:Firewall topics=firewall
add action=remote prefix=:Account topics=account
add prefix=:Info topics=info,!dhcp
add prefix=:Warning topics=warning
add prefix=:Error topics=error
add prefix=:Critical topics=critical
add prefix=:Account topics=account

/system routerboard settings
set cpu-frequency=716MHz

# Layer-2 management (MAC telnet and MAC WinBox) is limited to LAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN