# --- Interfaces: bridge, ethernet ports, PPP server bindings, VLANs, switch-chip ports, wireless ---
# NOTE(review): this looks like a RouterOS export made with hide-sensitive - no WPA2 PSK, no
# ipsec-secret and no PPP password appears anywhere below, so restoring it as-is will not
# reproduce those secrets.
/interface bridge
# Single LAN bridge; the MAC is pinned (auto-mac=no) so it does not follow member-port changes.
# No vlan-filtering=yes is present here, so the /interface bridge vlan table further down is
# inert and VLAN separation rests on the switch-chip configuration.
add admin-mac=64:D1:54:B0:94:E8 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 is the ISP uplink; loop-protect is on for every port.
set [ find default-name=ether1 ] comment=ISP loop-protect=on
set [ find default-name=ether2 ] loop-protect=on
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
set [ find default-name=ether5 ] loop-protect=on
# Static server-side interfaces for the one PPP user "DeusEx" over L2TP, OVPN and PPTP
# (the servers themselves are enabled under /interface ... server later in the file).
/interface l2tp-server
add name=L2TP-DeusEx user=DeusEx
/interface ovpn-server
add name=OVPN-DeusEx user=DeusEx
/interface pptp-server
add name=PPTP-DeusEx user=DeusEx
# Routed VLAN sub-interfaces on the bridge; the comment names the segment each carries.
/interface vlan
add comment=ESXi interface=bridge name=vlan10 vlan-id=10
add comment=Voice interface=bridge name=vlan11 vlan-id=11
add comment=Site interface=bridge name=vlan12 vlan-id=12
add comment=1C interface=bridge name=vlan13 vlan-id=13
add comment=Video interface=bridge name=vlan14 vlan-id=14
add comment=Radio interface=bridge name=vlan15 vlan-id=15
add comment=Wi-Fi interface=bridge name=vlan16 vlan-id=16
add comment=Management interface=bridge name=vlan20 vlan-id=20
add comment=VPN interface=bridge name=vlan50 vlan-id=50
# Switch-chip port VLAN handling, all in secure mode (untagged/unknown-VLAN frames are dropped).
# Indices presumably map 1->ether2, 2->ether3 (tagged trunks), 3->ether4, 4->ether5 (VLAN 20
# access ports) and 5->switch1-cpu, which matches the switch vlan table below - TODO confirm
# with "/interface ethernet switch port print".
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
# Interface lists used by the firewall. AccessRouter (vlan20 + vlan50, see list members
# below) is defined but no rule in this export references it.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=AccessRouter
# One WPA2-PSK profile shared by all three SSIDs (the PSK itself is not in the export).
# NOTE(review): tkip is still allowed in both cipher sets; dropping it and keeping aes-ccm
# only removes a legacy cipher unless an old client still needs it.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=DeusEx \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm
# wlan1 is the main 2.4 GHz AP. NOTE(review): it carries vlan-id=16 but, unlike wlan2/wlan3,
# no vlan-mode=use-tag, so with the default vlan-mode the tag is presumably not applied and
# DeusEx clients land untagged on the bridge (192.168.1.0/24) rather than on the Wi-Fi VLAN -
# TODO confirm against the vlan16 DHCP leases below. country=no_country_set leaves the
# regulatory domain unset.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=no_country_set disabled=no distance=indoors frequency=auto \
    frequency-mode=manual-txpower installation=indoor mode=ap-bridge \
    security-profile=DeusEx ssid=DeusEx vlan-id=16 wireless-protocol=802.11 \
    wps-mode=disabled
# Virtual APs: "Service" is tagged into the Management VLAN 20 and "VideoControl" into
# VLAN 14. Both reuse the DeusEx profile, so the same PSK that serves the general SSID also
# admits a client to the management segment.
add comment=Service disabled=no mac-address=66:D1:54:B0:94:EC \
    master-interface=wlan1 name=wlan2 security-profile=DeusEx ssid=Service \
    vlan-id=20 vlan-mode=use-tag wps-mode=disabled
add comment=VideoControl disabled=no mac-address=66:D1:54:B0:94:ED \
    master-interface=wlan1 name=wlan3 security-profile=DeusEx ssid=\
    VideoControl vlan-id=14 vlan-mode=use-tag wps-mode=disabled
# Auto-generated per-VAP entries; only the comments were set.
/interface wireless manual-tx-power-table
set wlan2 comment=Service
set wlan3 comment=VideoControl
/interface wireless nstreme
set wlan2 comment=Service
set wlan3 comment=VideoControl
# --- DHCP: PXE options, address pools and one DHCP server per VLAN ---
# Options 66/67 point PXE clients at the router's own TFTP server (192.168.20.1, see /ip tftp)
# and the boot file pxeboot.n12; the option set is attached to the VLAN 20 network below.
/ip dhcp-server option
add code=66 name=option66 value="'192.168.20.1'"
add code=67 name=option67 value="'pxeboot.n12'"
/ip dhcp-server option sets
add name="TFTP to 20" options=option66,option67
# One /24 pool per segment, .2-.254 (.1 is the router address on each VLAN).
/ip pool
add name=Vlan1 ranges=192.168.1.2-192.168.1.254
add name=Vlan10 ranges=192.168.10.2-192.168.10.254
add name=Vlan11 ranges=192.168.11.2-192.168.11.254
add name=Vlan12 ranges=192.168.12.2-192.168.12.254
add name=Vlan13 ranges=192.168.13.2-192.168.13.254
add name=Vlan14 ranges=192.168.14.2-192.168.14.254
add name=Vlan15 ranges=192.168.15.2-192.168.15.254
add name=Vlan16 ranges=192.168.16.2-192.168.16.254
add name=Vlan20 ranges=192.168.20.2-192.168.20.254
add name=Vlan50 ranges=192.168.50.2-192.168.50.254
# DHCP servers, 15-minute leases. "vlan1" serves untagged bridge traffic; the others are bound
# to their VLAN sub-interface. Vlan50 is also used as the PPP address pool (see /ppp profile).
/ip dhcp-server
add address-pool=Vlan1 disabled=no interface=bridge lease-time=15m name=vlan1
add address-pool=Vlan10 disabled=no interface=vlan10 lease-time=15m name=\
    vlan10
add address-pool=Vlan11 disabled=no interface=vlan11 lease-time=15m name=\
    vlan11
add address-pool=Vlan12 disabled=no interface=vlan12 lease-time=15m name=\
    vlan12
add address-pool=Vlan13 disabled=no interface=vlan13 lease-time=15m name=\
    vlan13
add address-pool=Vlan14 disabled=no interface=vlan14 lease-time=15m name=\
    vlan14
add address-pool=Vlan15 disabled=no interface=vlan15 lease-time=15m name=\
    vlan15
add address-pool=Vlan16 disabled=no interface=vlan16 lease-time=15m name=\
    vlan16
add address-pool=Vlan20 disabled=no interface=vlan20 lease-time=15m name=\
    vlan20
add address-pool=Vlan50 disabled=no interface=vlan50 lease-time=15m name=\
    vlan50
# --- PPP profile, CAPsMAN, bridge membership, neighbor discovery, TCP settings ---
# VPN clients get local and remote addresses from the Vlan50 pool and their PPP interface is
# added to the LAN bridge (bridge=bridge), i.e. a remote client is presumably placed at layer 2
# on the bridge rather than only routed - confirm that is the intent.
/ppp profile
add bridge=bridge local-address=Vlan50 name=VPN remote-address=Vlan50
# CAPsMAN certificate settings only; no enabled=yes appears, so the manager is presumably off.
/caps-man manager
set ca-certificate=auto certificate=auto upgrade-policy=require-same-version
# Static bridge host entry for ether5 (same MAC as the disabled "NoteBook Lan" lease below),
# paired with learn=no on the ether5 bridge port.
/interface bridge host
add bridge=bridge interface=ether5 mac-address=80:FA:5B:0E:C5:E4
# Bridge ports. auto-isolate=yes is set on all but wlan3. pvid=10 on ether4 only takes effect
# with bridge vlan-filtering, which the bridge definition above does not enable.
/interface bridge port
add auto-isolate=yes bridge=bridge comment=defconf interface=ether2
add auto-isolate=yes bridge=bridge comment=defconf interface=ether3
add auto-isolate=yes bridge=bridge comment=defconf interface=ether4 pvid=10
add auto-isolate=yes bridge=bridge comment=defconf interface=ether5 learn=no
add auto-isolate=yes bridge=bridge comment=defconf interface=wlan1
add auto-isolate=yes bridge=bridge interface=wlan2
add bridge=bridge interface=wlan3
# NOTE(review): neighbor discovery (MNDP/CDP/LLDP) is limited to the WAN list, not LAN, so the
# router advertises its identity, version and MAC towards the ISP segment and not to the LAN
# where it is useful; the defconf value is LAN.
/ip neighbor discovery-settings
set discover-interface-list=WAN
# SYN cookies for connections terminated on the router itself.
/ip settings
set tcp-syncookies=yes
# --- VLAN tables (bridge and switch chip), internet detection ---
# Bridge VLAN table: VLAN 1 untagged on ether4, VLANs 10-16 tagged on the ether2/ether3 trunks,
# VLAN 20 tagged on the trunks and untagged on ether4/ether5. Because the bridge has no
# vlan-filtering=yes, this table is not enforced; the switch vlan table below is what applies.
/interface bridge vlan
add bridge=bridge untagged=bridge,ether4 vlan-ids=1
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=11
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=12
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=13
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=14
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=15
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=16
add bridge=bridge tagged=bridge,ether2,ether3 untagged=ether4,ether5 \
    vlan-ids=20
# NOTE(review): bridge=wlan2 names a wireless interface, not a bridge; this entry looks like a
# leftover and is presumably ignored - confirm and remove.
add bridge=wlan2 tagged=wlan2,vlan20,ether4 vlan-ids=20
# NOTE(review): detect-interface-list=all lets detect-internet probe every interface, including
# the VLANs; the firewall keys on the WAN/LAN lists, so verify the feature does not alter list
# membership dynamically.
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
# Switch-chip VLAN table (the effective one): VLANs 10-16 on the CPU port and the ether2/ether3
# trunks, VLAN 20 additionally on ether4/ether5, VLAN 50 CPU-only. NOTE(review): VLAN 1 also
# includes ether1 (the ISP port) together with all LAN ports; ether1 is not a bridge port, but
# confirm the switch chip does not forward untagged frames between ether1 and ether2-5 at L2.
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether2,ether3 switch=switch1 \
    vlan-id=10
add independent-learning=no ports=switch1-cpu,ether2,ether3 switch=switch1 \
    vlan-id=11
add independent-learning=no ports=switch1-cpu,ether2,ether3 switch=switch1 \
    vlan-id=12
add independent-learning=no ports=switch1-cpu,ether2,ether3 switch=switch1 \
    vlan-id=13
add independent-learning=no ports=switch1-cpu,ether2,ether3 switch=switch1 \
    vlan-id=14
add independent-learning=no ports=switch1-cpu,ether2,ether3 switch=switch1 \
    vlan-id=15
add independent-learning=no ports=switch1-cpu,ether2,ether3 switch=switch1 \
    vlan-id=16
add independent-learning=no ports=switch1-cpu,ether2,ether3,ether4,ether5 \
    switch=switch1 vlan-id=20
add independent-learning=no ports=switch1-cpu switch=switch1 vlan-id=50
add independent-learning=no ports=\
    switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=1
# --- VPN servers and interface-list membership ---
# L2TP/IPsec with MS-CHAPv2. use-ipsec=yes requires an ipsec-secret, which is absent here
# (hide-sensitive export) - it must be re-entered after a restore.
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN enabled=yes default-profile=VPN
168/ip address
169add address=192.168.1.1/24 comment=defconf interface=bridge network=\
170 192.168.1.0
171add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
172add address=192.168.11.1/24 interface=vlan11 network=192.168.11.0
173add address=192.168.12.1/24 interface=vlan12 network=192.168.12.0
174add address=192.168.13.1/24 interface=vlan13 network=192.168.13.0
175add address=192.168.14.1/24 interface=vlan14 network=192.168.14.0
176add address=192.168.15.1/24 interface=vlan15 network=192.168.15.0
177add address=192.168.16.1/24 interface=vlan16 network=192.168.16.0
178add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
179add address=192.168.50.1/24 comment=VPN interface=vlan50 network=192.168.50.0
180/ip cloud
181set ddns-update-interval=10m
182/ip dhcp-client
183add comment=defconf disabled=no interface=ether1
184/ip dhcp-server lease
185add address=192.168.20.3 client-id=1:bc:ae:c5:3:dc:fe comment=KVM \
186 mac-address=BC:AE:C5:03:DC:FE server=vlan20
187add address=192.168.16.3 client-id=1:a8:9c:ed:3b:7f:3 comment="DeusEx Phone" \
188 disabled=yes mac-address=A8:9C:ED:3B:7F:03 server=vlan16
189add address=192.168.14.2 client-id=1:2c:7:3c:0:1b:eb comment=Registrator \
190 mac-address=2C:07:3C:00:1B:EB server=vlan14
191add address=192.168.14.3 client-id=1:9c:14:63:c9:64:e1 comment=Camera1 \
192 mac-address=9C:14:63:C9:64:E1 server=vlan14
193add address=192.168.10.2 client-id=1:0:24:8c:e:e1:c8 comment="ESXi 1" \
194 mac-address=00:24:8C:0E:E1:C8 server=vlan10
195add address=192.168.20.4 client-id=1:0:c:29:b2:5c:10 comment=VCSA \
196 mac-address=00:0C:29:B2:5C:10 server=vlan20
197add address=192.168.11.5 comment=A510-IP mac-address=7C:2F:80:5F:E2:18 \
198 server=vlan11
199add address=192.168.11.3 client-id=1:38:3f:10:0:bd:cc comment=Goip-4 \
200 mac-address=38:3F:10:00:BD:CC server=vlan11
201add address=192.168.11.4 client-id=1:0:15:65:3f:52:e comment=SIP-T26P \
202 mac-address=00:15:65:3F:52:0E server=vlan11
203add address=192.168.13.2 client-id=1:0:50:56:8d:d0:8f comment=DC mac-address=\
204 00:50:56:8D:D0:8F server=vlan13
205add address=192.168.13.3 client-id=1:0:50:56:8d:e2:8b comment=SQL \
206 mac-address=00:50:56:8D:E2:8B server=vlan13
207add address=192.168.13.4 client-id=1:0:50:56:8d:fb:c2 comment=FS mac-address=\
208 00:50:56:8D:FB:C2 server=vlan13
209add address=192.168.20.5 client-id=1:0:c0:b7:96:51:f7 comment=APC \
210 mac-address=00:C0:B7:96:51:F7 server=vlan20
211add address=192.168.13.5 client-id=1:0:50:56:9c:7:50 comment=1C mac-address=\
212 00:50:56:9C:07:50 server=vlan13
213add address=192.168.20.6 comment=PCNS mac-address=00:50:56:9C:7B:9F server=\
214 vlan20
215add address=192.168.12.2 comment=Site mac-address=00:50:56:9C:01:A4 server=\
216 vlan12
217add address=192.168.16.5 client-id=1:ec:5c:68:7b:7a:85 comment=\
218 "Sony KDL-32WD603" mac-address=EC:5C:68:7B:7A:85 server=vlan16
219add address=192.168.11.2 comment=SIP mac-address=00:50:56:2E:A6:BD server=\
220 vlan11
221add address=192.168.20.7 client-id=1:88:5a:92:a7:6c:a5 comment=\
222 AIR-SAP2602E-R-K9 mac-address=88:5A:92:A7:6C:A5 server=vlan20
223add address=192.168.20.254 client-id=1:80:fa:5b:e:c5:e4 comment=\
224 "NoteBook Lan" disabled=yes mac-address=80:FA:5B:0E:C5:E4 server=vlan20
225add address=192.168.20.2 client-id=cisco-58bf.ea91.60b9-Fa0 comment=Switch \
226 mac-address=58:BF:EA:91:60:B9 server=vlan20
227add address=192.168.20.253 client-id=1:ac:b5:7d:28:32:51 comment=\
228 "NoteBook Wi-Fi" disabled=yes mac-address=AC:B5:7D:28:32:51 server=vlan20
229add address=192.168.15.2 comment=IceCast disabled=yes mac-address=\
230 00:50:56:8D:96:14 server=vlan15
231add address=192.168.15.3 client-id=1:0:50:56:8d:b8:fa comment=Radio \
232 mac-address=00:50:56:8D:B8:FA server=vlan15
233add address=192.168.20.8 comment=Zabbix mac-address=00:0C:29:EE:A4:92 server=\
234 vlan20
235add address=192.168.16.4 client-id=1:48:fd:a3:b1:ae:da comment=\
236 RedmiNote7-Redmi mac-address=48:FD:A3:B1:AE:DA server=vlan16
237add address=192.168.15.2 comment="IceCast NEW" mac-address=00:50:56:9F:D7:55 \
238 server=vlan15
239/ip dhcp-server network
240add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
241 192.168.1.1 netmask=24
242add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 \
243 netmask=24
244add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1 \
245 netmask=24
246add address=192.168.12.0/24 dns-server=192.168.12.1 gateway=192.168.12.1 \
247 netmask=24
248add address=192.168.13.0/24 dns-server=192.168.13.2,192.168.13.1 domain=\
249 office.it-sis.ru gateway=192.168.13.1 netmask=24 wins-server=192.168.13.2
250add address=192.168.14.0/24 dns-server=192.168.14.1 gateway=192.168.14.1 \
251 netmask=24
252add address=192.168.15.0/24 dns-server=192.168.15.1 gateway=192.168.15.1 \
253 netmask=24
254add address=192.168.16.0/24 dns-server=192.168.16.1 gateway=192.168.16.1 \
255 netmask=24 ntp-server=129.6.15.26
256add address=192.168.20.0/24 dhcp-option-set="TFTP to 20" dns-server=\
257 192.168.20.1 gateway=192.168.20.1 netmask=24
258add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1 \
259 netmask=24
260/ip dns
261set allow-remote-requests=yes cache-size=20480KiB servers=8.8.8.8,8.8.4.4
262/ip dns static
263add address=192.168.20.1 comment=defconf name=router.lan
264add address=192.168.20.4 name=vcsa.office.it-sis.ru
265add address=192.168.10.2 name=esxi.office.it-sis.ru
266add address=192.168.13.2 name=dc.office.it-sis.ru
267add address=192.168.13.3 name=sql.office.it-sis.ru
268add address=192.168.13.4 name=fs.office.it-sis.ru
269add address=192.168.13.5 name=1c.office.it-sis.ru
270/ip firewall filter
271add action=accept chain=input comment=\
272 "defconf: accept established,related,untracked" connection-state=\
273 established,related,untracked
274add action=drop chain=input comment="defconf: drop invalid" connection-state=\
275 invalid
276add action=drop chain=forward comment="Drop BlackList" in-interface-list=WAN \
277 src-address-list=BlackList
278add action=drop chain=forward comment="drop SIP brute forcers" \
279 in-interface-list=WAN src-address-list=SIP_blacklist
280add action=add-src-to-address-list address-list=SIP_blacklist \
281 address-list-timeout=none-dynamic chain=forward connection-state=new \
282 dst-address=192.168.11.2 in-interface-list=WAN protocol=udp \
283 src-address-list=SIP_stage3
284add action=add-src-to-address-list address-list=SIP_stage3 \
285 address-list-timeout=30m chain=forward connection-state=new dst-address=\
286 192.168.11.2 in-interface-list=WAN protocol=udp src-address-list=\
287 SIP_stage2
288add action=add-src-to-address-list address-list=SIP_stage2 \
289 address-list-timeout=30m chain=forward connection-state=new dst-address=\
290 192.168.11.2 in-interface-list=WAN protocol=udp src-address-list=\
291 SIP_stage1
292add action=add-src-to-address-list address-list=SIP_stage1 \
293 address-list-timeout=30m chain=forward connection-state=new dst-address=\
294 192.168.11.2 in-interface-list=WAN protocol=udp src-address=0.0.0.0/0
295add action=drop chain=input comment="drop ssh brute forcers" \
296 in-interface-list=WAN protocol=tcp src-address-list=SSH_blacklist
297add action=add-src-to-address-list address-list=SSH_blacklist \
298 address-list-timeout=none-dynamic chain=input connection-state=new \
299 dst-port=22,9999 in-interface-list=WAN protocol=tcp src-address-list=\
300 SSH_stage3
301add action=add-src-to-address-list address-list=SSH_stage3 \
302 address-list-timeout=30m chain=input connection-state=new dst-port=\
303 22,9999 in-interface-list=WAN protocol=tcp src-address-list=SSH_stage2
304add action=add-src-to-address-list address-list=SSH_stage2 \
305 address-list-timeout=30m chain=input connection-state=new dst-port=\
306 22,9999 in-interface-list=WAN protocol=tcp src-address-list=SSH_stage1
307add action=add-src-to-address-list address-list=SSH_stage1 \
308 address-list-timeout=30m chain=input connection-state=new dst-port=\
309 22,9999 in-interface-list=WAN protocol=tcp
310add action=add-src-to-address-list address-list=ddos-blacklist \
311 address-list-timeout=30m chain=input comment=\
312 "DDoS - Limit incoming connections, add IP to Blacklist" \
313 connection-limit=100,32 in-interface=ether1 protocol=tcp
314add action=tarpit chain=input comment=\
315 "DDoS - capture and hold connections, try to slow the attacker " \
316 connection-limit=3,32 protocol=tcp src-address-list=ddos-blacklist
317add action=jump chain=forward comment="DDoS - SYN Flood protect" \
318 connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
319add action=jump chain=input connection-state=new in-interface=ether1 \
320 jump-target=SYN-Protect protocol=tcp tcp-flags=syn
321add action=return chain=SYN-Protect connection-state=new limit=200,5:packet \
322 protocol=tcp tcp-flags=syn
323add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
324 tcp-flags=syn
325add action=add-src-to-address-list address-list="port scanners" \
326 address-list-timeout=14w2d chain=input comment="Port scanners to list " \
327 protocol=tcp psd=21,3s,3,1
328add action=add-src-to-address-list address-list="port scanners" \
329 address-list-timeout=14w2d chain=input comment="NMAP FIN Stealth scan" \
330 protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
331add action=add-src-to-address-list address-list="port scanners" \
332 address-list-timeout=14w2d chain=input comment="SYN/FIN scan" protocol=\
333 tcp tcp-flags=fin,syn
334add action=add-src-to-address-list address-list="port scanners" \
335 address-list-timeout=14w2d chain=input comment="SYN/RST scan" protocol=\
336 tcp tcp-flags=syn,rst
337add action=add-src-to-address-list address-list="port scanners" \
338 address-list-timeout=14w2d chain=input comment="FIN/PSH/URG scan" \
339 protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
340add action=add-src-to-address-list address-list="port scanners" \
341 address-list-timeout=14w2d chain=input comment="ALL/ALL scan" protocol=\
342 tcp tcp-flags=fin,syn,rst,psh,ack,urg
343add action=add-src-to-address-list address-list="port scanners" \
344 address-list-timeout=14w2d chain=input comment="NMAP NULL scan" protocol=\
345 tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
346add action=drop chain=input comment="dropping port scanners" \
347 src-address-list="port scanners"
348add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
349add action=accept chain=input comment=\
350 "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
351add action=accept chain=input comment=DNS dst-port=53 protocol=udp
352add action=accept chain=input comment=PPTP dst-port=1723 protocol=tcp
353add action=accept chain=input protocol=gre
354add action=accept chain=input comment=L2TP port=1701,500,4500 protocol=udp
355add action=accept chain=input protocol=ipsec-esp
356add action=accept chain=input comment=OVPN dst-port=1194 protocol=tcp
357add action=accept chain=input comment="Access to Router" dst-port=22,80,8291 \
358 protocol=tcp
359add action=accept chain=forward comment=DevLine dst-port=9786 protocol=tcp
360add action=accept chain=forward comment="Camera RTSP" dst-port=554 protocol=\
361 tcp
362add action=accept chain=input comment=SIP dst-port=5004-5082,10000-20000 \
363 in-interface=ether1 protocol=udp
364add action=accept chain=forward dst-port=5004-5082,10000-20000 protocol=udp
365add action=accept chain=forward comment="SSH to 192.168.11.2 > 22" dst-port=\
366 9999 in-interface=ether1 protocol=tcp
367add action=accept chain=forward comment="SSH to 192.168.12.2 >> 22" dst-port=\
368 9998 in-interface=ether1 protocol=tcp
369add action=accept chain=forward comment="IceCast Radio" dst-port=8000 \
370 in-interface=ether1 protocol=tcp
371add action=drop chain=input comment="defconf: drop all not coming from LAN" \
372 in-interface-list=!LAN
373add action=accept chain=forward comment="defconf: accept in ipsec policy" \
374 ipsec-policy=in,ipsec
375add action=accept chain=forward comment="defconf: accept out ipsec policy" \
376 ipsec-policy=out,ipsec
377add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
378 connection-state=established,related
379add action=accept chain=forward comment=\
380 "defconf: accept established,related, untracked" connection-state=\
381 established,related,untracked
382add action=drop chain=forward comment="defconf: drop invalid" \
383 connection-state=invalid
384add action=drop chain=forward comment=\
385 "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
386 connection-state=new in-interface-list=WAN
387add action=accept chain=input comment="Accept port`s WAN TCP" disabled=yes \
388 dst-port=53 in-interface=ether1 protocol=tcp
389add action=accept chain=input disabled=yes dst-port=80 in-interface=ether1 \
390 protocol=tcp
391add action=accept chain=input disabled=yes dst-port=443 in-interface=ether1 \
392 protocol=tcp
393add action=accept chain=input disabled=yes dst-port=873 in-interface=ether1 \
394 protocol=tcp
395add action=accept chain=input disabled=yes dst-port=2221 in-interface=ether1 \
396 protocol=tcp
397add action=accept chain=input disabled=yes dst-port=8887 in-interface=ether1 \
398 protocol=tcp
399add action=accept chain=input disabled=yes dst-port=8888 in-interface=ether1 \
400 protocol=tcp
401add action=accept chain=input disabled=yes dst-port=9090 in-interface=ether1 \
402 protocol=tcp
403add action=accept chain=input disabled=yes dst-port=9998 in-interface=ether1 \
404 protocol=tcp
405add action=accept chain=input disabled=yes dst-port=9999 in-interface=ether1 \
406 protocol=tcp
407add action=accept chain=input disabled=yes dst-port=50000 in-interface=ether1 \
408 protocol=tcp
409add action=accept chain=input disabled=yes dst-port=50001 in-interface=ether1 \
410 protocol=tcp
411add action=accept chain=input disabled=yes dst-port=80 in-interface=ether1 \
412 protocol=udp
413add action=accept chain=input disabled=yes dst-port=443 in-interface=ether1 \
414 protocol=udp
415add action=accept chain=input disabled=yes dst-port=873 in-interface=ether1 \
416 protocol=udp
417add action=accept chain=input disabled=yes dst-port=2221 in-interface=ether1 \
418 protocol=udp
419add action=accept chain=input disabled=yes dst-port=8887 in-interface=ether1 \
420 protocol=udp
421add action=accept chain=input disabled=yes dst-port=8888 in-interface=ether1 \
422 protocol=udp
423add action=accept chain=input disabled=yes dst-port=9999 in-interface=ether1 \
424 protocol=udp
425add action=accept chain=input disabled=yes dst-port=50000 in-interface=ether1 \
426 protocol=udp
427add action=accept chain=input disabled=yes dst-port=50001 in-interface=ether1 \
428 protocol=udp
429add action=accept chain=forward comment="Accept port`s WAN TCP" disabled=yes \
430 dst-port=53 in-interface=ether1 protocol=tcp
431add action=accept chain=forward disabled=yes dst-port=80 in-interface=ether1 \
432 protocol=tcp
433add action=accept chain=forward disabled=yes dst-port=443 in-interface=ether1 \
434 protocol=tcp
435add action=accept chain=forward disabled=yes dst-port=873 in-interface=ether1 \
436 protocol=tcp
437add action=accept chain=forward disabled=yes dst-port=2221 in-interface=\
438 ether1 protocol=tcp
439add action=accept chain=forward disabled=yes dst-port=8887 in-interface=\
440 ether1 protocol=tcp
441add action=accept chain=forward disabled=yes dst-port=8888 in-interface=\
442 ether1 protocol=tcp
443add action=accept chain=forward disabled=yes dst-port=9090 in-interface=\
444 ether1 protocol=tcp
445add action=accept chain=forward disabled=yes dst-port=50000 in-interface=\
446 ether1 protocol=tcp
447add action=accept chain=forward disabled=yes dst-port=50001 in-interface=\
448 ether1 protocol=tcp
449add action=accept chain=forward comment="Accept port`s WAN UDP" disabled=yes \
450 dst-port=53 in-interface=ether1 protocol=udp
451add action=accept chain=forward disabled=yes dst-port=80 in-interface=ether1 \
452 protocol=udp
453add action=accept chain=forward disabled=yes dst-port=443 in-interface=ether1 \
454 protocol=udp
455add action=accept chain=forward disabled=yes dst-port=873 in-interface=ether1 \
456 protocol=udp
457add action=accept chain=forward disabled=yes dst-port=2221 in-interface=\
458 ether1 protocol=udp
459add action=accept chain=forward disabled=yes dst-port=8000 in-interface=\
460 ether1 protocol=udp
461add action=accept chain=forward disabled=yes dst-port=8887 in-interface=\
462 ether1 protocol=udp
463add action=accept chain=forward disabled=yes dst-port=8888 in-interface=\
464 ether1 protocol=udp
465add action=accept chain=forward disabled=yes dst-port=9999 in-interface=\
466 ether1 protocol=udp
467add action=accept chain=forward disabled=yes dst-port=50000 in-interface=\
468 ether1 protocol=udp
469add action=accept chain=forward disabled=yes dst-port=50001 in-interface=\
470 ether1 protocol=udp
471/ip firewall nat
472add action=masquerade chain=srcnat comment="defconf: masquerade" \
473 ipsec-policy=out,none
474add action=masquerade chain=srcnat comment="Loop To Local TCP" disabled=yes \
475 dst-address=78.29.44.39 dst-port=53 protocol=udp
476add action=dst-nat chain=dstnat comment=Site dst-address=78.29.44.39 \
477 dst-port=80 protocol=tcp to-addresses=192.168.12.2
478add action=dst-nat chain=dstnat dst-address=78.29.44.39 dst-port=443 \
479 protocol=tcp to-addresses=192.168.12.2
480add action=masquerade chain=srcnat comment=DevLine dst-address=78.29.44.39 \
481 dst-port=9786 protocol=tcp src-address=192.168.20.0/24
482add action=dst-nat chain=dstnat dst-address=78.29.44.39 dst-port=9786 \
483 protocol=tcp to-addresses=192.168.12.2
484add action=dst-nat chain=dstnat comment="Camera RTSP" dst-address=78.29.44.39 \
485 dst-port=554 protocol=tcp to-addresses=192.168.14.3
486add action=masquerade chain=srcnat comment="Client 1C" dst-port=9090 \
487 protocol=tcp
488add action=dst-nat chain=dstnat dst-address=78.29.44.39 dst-port=9090 \
489 protocol=tcp to-addresses=192.168.13.5
490add action=dst-nat chain=dstnat comment="DNS for DC" dst-address=78.29.44.39 \
491 dst-port=53 protocol=tcp to-addresses=192.168.13.2
492add action=masquerade chain=srcnat comment="Eset Rules" dst-address=\
493 78.29.44.39 dst-port=2221 protocol=tcp src-address=192.168.20.0/24
494add action=dst-nat chain=dstnat dst-address=78.29.44.39 dst-port=2221 \
495 protocol=tcp to-addresses=192.168.13.4
496add action=masquerade chain=srcnat comment="RDP ELENA" dst-address=\
497 78.29.44.39 dst-port=50001 protocol=tcp src-address=192.168.20.0/24
498add action=dst-nat chain=dstnat dst-address=78.29.44.39 dst-port=50001 \
499 protocol=tcp to-addresses=192.168.13.5 to-ports=3389
500add action=masquerade chain=srcnat comment="SSH to 192.168.11.2 > 22" \
501 dst-address=78.29.44.39 dst-port=9999 protocol=tcp src-address=\
502 192.168.20.0/24
503add action=dst-nat chain=dstnat dst-address=78.29.44.39 dst-port=9999 \
504 protocol=tcp to-addresses=192.168.11.2 to-ports=22
505add action=masquerade chain=srcnat comment=Rsync dst-address=78.29.44.39 \
506 dst-port=873 protocol=tcp src-address=192.168.20.0/24
507add action=dst-nat chain=dstnat dst-address=78.29.44.39 dst-port=873 \
508 protocol=tcp to-addresses=192.168.13.4 to-ports=873
509add action=masquerade chain=srcnat comment=SIP dst-address=78.29.44.39 \
510 dst-port=5004-5082,10000-20000 protocol=udp src-address=192.168.20.0/24
511add action=dst-nat chain=dstnat dst-address=78.29.44.39 dst-port=\
512 5004-5082,10000-20000 protocol=udp to-addresses=192.168.11.2
513add action=masquerade chain=srcnat comment="SSH to 192.168.12.2 >> 22" \
514 dst-address=78.29.44.39 dst-port=9998 protocol=tcp src-address=\
515 192.168.20.0/24
516add action=dst-nat chain=dstnat dst-address=78.29.44.39 dst-port=9998 \
517 protocol=tcp to-addresses=192.168.12.2 to-ports=22
518add action=masquerade chain=srcnat comment="IceCast Radio" dst-address=\
519 78.29.44.39 dst-port=8000 protocol=tcp src-address=192.168.1.0/24
520add action=dst-nat chain=dstnat dst-address=78.29.44.39 dst-port=8000 \
521 protocol=tcp to-addresses=192.168.15.2
522add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
523 dst-port=80 protocol=tcp src-address=192.168.1.0/24
524add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
525 dst-port=443 protocol=tcp src-address=192.168.1.0/24
526add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
527 dst-port=9090 protocol=tcp src-address=192.168.1.0/24
528add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
529 dst-port=50000 protocol=tcp src-address=192.168.1.0/24
530add action=masquerade chain=srcnat comment="Loop To Local UDP" disabled=yes \
531 dst-address=78.29.44.39 dst-port=53 protocol=udp src-address=\
532 192.168.1.0/24
533add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
534 dst-port=80 protocol=udp src-address=192.168.1.0/24
535add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
536 dst-port=443 protocol=udp src-address=192.168.1.0/24
537add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
538 dst-port=873 protocol=udp src-address=192.168.1.0/24
539add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
540 dst-port=2221 protocol=udp src-address=192.168.1.0/24
541add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
542 dst-port=9999 protocol=udp src-address=192.168.1.0/24
543add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
544 dst-port=50000 protocol=udp src-address=192.168.1.0/24
545add action=masquerade chain=srcnat disabled=yes dst-address=78.29.44.39 \
546 dst-port=50001 protocol=udp src-address=192.168.1.0/24
547add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
548 dst-port=5900 protocol=tcp to-addresses=192.168.100.10
549add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
550 dst-port=8000 protocol=tcp to-addresses=192.168.1.220
551add action=dst-nat chain=dstnat comment="UAH RDP" disabled=yes dst-address=\
552 78.29.44.39 dst-port=5000 protocol=tcp to-addresses=192.168.2.2 to-ports=\
553 3389
554add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
555 dst-port=9999 in-interface-list=WAN protocol=tcp to-addresses=\
556 192.168.1.100 to-ports=22
557add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
558 dst-port=50000 protocol=tcp to-addresses=192.168.1.150 to-ports=3389
559add action=dst-nat chain=dstnat comment="DST-NAT UDP" disabled=yes \
560 dst-address=78.29.44.39 dst-port=53 protocol=udp to-addresses=\
561 192.168.1.150
562add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
563 dst-port=80 protocol=udp to-addresses=192.168.1.154
564add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
565 dst-port=443 protocol=udp to-addresses=192.168.1.154
566add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
567 dst-port=873 protocol=udp to-addresses=192.168.1.152 to-ports=873
568add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
569 dst-port=2221 protocol=udp to-addresses=192.168.1.152
570add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
571 dst-port=5060 protocol=udp to-addresses=192.168.1.100
572add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
573 dst-port=50000 protocol=udp to-addresses=192.168.1.150 to-ports=3389
574add action=dst-nat chain=dstnat disabled=yes dst-address=78.29.44.39 \
575 dst-port=50001 protocol=udp to-addresses=192.168.1.153 to-ports=3389
576/ip firewall service-port
577set ftp disabled=yes
578set tftp disabled=yes
579set irc disabled=yes
580set h323 disabled=yes
581set sip sip-timeout=10m
582set udplite disabled=yes
583set dccp disabled=yes
584set sctp disabled=yes
585/ip service
586set telnet address=192.168.20.0/24 disabled=yes
587set ftp address=192.168.20.0/24 disabled=yes
588set www address=192.168.20.0/24,192.168.50.0/24
589set ssh address=192.168.20.0/24,192.168.50.0/24
590set www-ssl address=192.168.20.0/24
591set api address=192.168.20.0/24 disabled=yes
592set winbox address=192.168.20.0/24,192.168.50.0/24
593set api-ssl address=192.168.20.0/24 disabled=yes
594/ip smb
595set domain=WORKGROUP enabled=yes
596/ip smb shares
597set [ find default=yes ] directory=/disk1 max-sessions=50
598/ip smb users
599add name=DeusEx read-only=no
600/ip tftp
601add read-only=no real-filename=/disk1/tftp req-filename=.*
602/ppp secret
603add name=DeusEx profile=VPN
604/system clock
605set time-zone-name=Asia/Yekaterinburg
606/system identity
607set name="DeusEx Home"
608/system ntp client
609set primary-ntp=40.81.188.85 secondary-ntp=129.6.15.29
610/system ntp server
611set enabled=yes
612/tool graphing interface
613add interface=vlan50
614add interface=vlan20
615add interface=vlan16
616add interface=vlan15
617add interface=vlan14
618add interface=vlan13
619add interface=vlan12
620add interface=vlan11
621add interface=vlan10
622add interface=bridge
623add interface=ether1
624/tool graphing resource
625add
626/tool mac-server
627set allowed-interface-list=LAN
628/tool mac-server mac-winbox
629set allowed-interface-list=LAN
630/tool romon
631set enabled=yes