diff --git a/mikrotik/base-config/README.md b/mikrotik/base-config/README.md
index 7d58bd9..f524287 100644
--- a/mikrotik/base-config/README.md
+++ b/mikrotik/base-config/README.md
@@ -78,12 +78,13 @@ Please always check these options for base config new device:
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon`
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside`
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside FID=SERVICE-RULES FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside`
+`/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo`
`/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset`
`/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable`
`/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""`
`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset`
-`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable`
+`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new protocol=udp reject-with=icmp-port-unreachable`
`/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""`
6. For config bridge:
diff --git a/mikrotik/base-config/dc01-ccr01-terse.rsc b/mikrotik/base-config/dc01-ccr01-terse.rsc
index e0cd3ca..da51a06 100644
--- a/mikrotik/base-config/dc01-ccr01-terse.rsc
+++ b/mikrotik/base-config/dc01-ccr01-terse.rsc
@@ -90,9 +90,9 @@
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-inside dst-port=22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-dmz in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-dmz dst-port=22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
-/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=icmp
-/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=tcp
-/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=udp
+/ip firewall filter add action=accept chain=allow-icmp-tcp-udp comment="Chain allow icmp-tcp-udp (allow all ICMP TCP UDP)" protocol=icmp
+/ip firewall filter add action=accept chain=allow-icmp-tcp-udp comment="Chain allow icmp-tcp-udp (allow all ICMP TCP UDP)" protocol=tcp
+/ip firewall filter add action=accept chain=allow-icmp-tcp-udp comment="Chain allow icmp-tcp-udp (allow all ICMP TCP UDP)" protocol=udp
/ip firewall filter add action=accept chain=allow-default-for-all protocol=icmp
/ip firewall filter add action=accept chain=allow-default-buh protocol=icmp
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSPORT LINK <--> OUTSIDE (to dc01-gw01)" connection-state=new dst-address-list=!all-networks out-interface=sfp-sfpplus12 src-address-list=all-networks
@@ -103,8 +103,8 @@
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
-/ip firewall filter add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002 jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-adm-ALL
-/ip firewall filter add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
+/ip firewall filter add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002 jump-target=allow-icmp-tcp-udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-adm-ALL
+/ip firewall filter add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc jump-target=allow-icmp-tcp-udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 protocol=icmp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=22 out-interface=VLAN-0002 protocol=tcp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 protocol=icmp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
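Review bot: The two renamed jump rules (and the accept rules for the SSH/HTTPs lists that follow them) sit after `action=drop chain=forward comment="deny FORWARD all" connection-state=""`, so in this export order they can never be evaluated: RouterOS walks the filter chain top-down and the unconditional drop terminates every remaining forward packet first. The rename keeps `jump-target=allow-icmp-tcp-udp` consistent with the chain defined in the earlier hunk, but it does not fix the placement, so the admin-ALL, SSH and HTTPs access into VLAN-0002 these rules describe is not actually granted (a fail-closed outcome, but not the documented intent). If the comments reflect the intended policy, these jump/accept rules should be moved above the `deny FORWARD any -->> ME TCP reject-with tcp-reset` rule, e.g. `/ip firewall filter move [find jump-target=allow-icmp-tcp-udp] [find comment~"deny FORWARD any -->> ME TCP"]`, and the same for the two SSH/HTTPs accept pairs. The forward-chain reject rules also carry the input-chain wording `any -->> ME`; `any -->> any` (as used in the README and the emer01 export) would be the accurate comment.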
diff --git a/mikrotik/base-config/dc01-ccr01.rsc b/mikrotik/base-config/dc01-ccr01.rsc
deleted file mode 100644
index e507455..0000000
--- a/mikrotik/base-config/dc01-ccr01.rsc
+++ /dev/null
@@ -1,297 +0,0 @@
-# 2024-08-30 22:38:15 by RouterOS 7.15.3
-# software id = X2AJ-5BFT
-#
-# model = CCR2004-1G-12S+2XS
-# serial number = HEW095QA6AY
-/interface ethernet
-set [ find default-name=ether1 ] comment=\
- "Management interface for network devices (MAC server only)" name=\
- ether1-mac-mgmt
-set [ find default-name=sfp-sfpplus1 ] comment=\
- "Link to switch dc01-sw01 [ bond ]" l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus2 ] comment=\
- "Link to switch dc01-sw02 [ bond ]" l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus3 ] l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus4 ] l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus5 ] l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus6 ] l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus7 ] l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus8 ] l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus9 ] l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus10 ] l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus11 ] l2mtu=9092 mtu=9000
-set [ find default-name=sfp-sfpplus12 ] comment=\
- "Link to router dc01-gw01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE" \
- l2mtu=1600
-set [ find default-name=sfp28-1 ] l2mtu=9092 mtu=9000
-set [ find default-name=sfp28-2 ] l2mtu=9092 mtu=9000
-/interface bonding
-add mode=active-backup mtu=9000 name=bond_SW01_SW02 primary=sfp-sfpplus1 \
- slaves=sfp-sfpplus1,sfp-sfpplus2
-/interface vlan
-add comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi\
- \_hosts)" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0002 vlan-id=2
-add comment="VLAN-0003 for VMware vSphere vMotion" interface=bond_SW01_SW02 \
- mtu=9000 name=VLAN-0003 vlan-id=3
-add comment=\
- "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
- interface=bond_SW01_SW02 name=VLAN-0010 vlan-id=10
-add comment="VLAN-0011 for Management iLO IPMI" interface=bond_SW01_SW02 \
- name=VLAN-0011 vlan-id=11
-add comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=\
- bond_SW01_SW02 mtu=9000 name=VLAN-3222-DMZ vlan-id=3222
-/interface list
-add name=interfaces-MAC-MGMT
-/ip smb users
-set [ find default=yes ] disabled=yes
-/port
-set 0 name=serial0
-/ip smb
-set enabled=no
-/ip firewall connection tracking
-set udp-timeout=10s
-/ip neighbor discovery-settings
-set discover-interface-list=interfaces-MAC-MGMT
-/ip settings
-set tcp-syncookies=yes
-/ipv6 settings
-set disable-ipv6=yes
-/interface list member
-add interface=ether1-mac-mgmt list=interfaces-MAC-MGMT
-/ip address
-add address=10.12.90.254/24 comment=\
- "Transport for access outside <--> inside" interface=sfp-sfpplus12 \
- network=10.12.90.0
-add address=10.8.2.1/24 comment="VLAN-0002 for VMware vSphere infrastructure (\
- vCenter server, ESXi hosts)" interface=VLAN-0002 network=10.8.2.0
-add address=10.8.3.1/24 comment="VLAN-0003 for VMware vSphere vMotion" \
- interface=VLAN-0003 network=10.8.3.0
-add address=10.8.10.251/24 comment=\
- "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
- interface=VLAN-0010 network=10.8.10.0
-add address=10.8.10.1/24 comment=\
- "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
- interface=VLAN-0010 network=10.8.10.0
-add address=10.8.11.1/24 comment="VLAN-0011 for Management iLO IPMI" \
- interface=VLAN-0011 network=10.8.11.0
-add address=10.11.222.1/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" \
- interface=VLAN-3222-DMZ network=10.11.222.0
-/ip cloud
-set update-time=no
-/ip dns
-set servers=77.88.8.8,77.88.8.1
-/ip firewall address-list
-add address=10.8.10.0/24 comment="List addr for Management network devices FID\
- =admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
-add address=192.168.24.0/24 comment="List addr OpenVPN FID=ovp8nkdb4cxkq1ms" \
- list=all-ovpn
-add address=10.8.0.0/13 comment=\
- "all-all network dmz + inside + transport + ovpn + l2pt etc" list=\
- all-networks
-add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
- ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
-add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
- s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
-add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" \
- list=all-dmz
-add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" \
- list=all-inside
-add address=10.12.90.0/24 comment=\
- "List subnetwork transport VLAN-4090 for access outside <--> inside" \
- list=transport-sfp-sfpplus12
-add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
-add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" \
- list=all-inside
-add address=10.10.0.0/16 comment=\
- "all INSIDE networks (VLANs range 2000-2255)" list=all-inside
-add address=10.8.2.0/24 comment="VLAN-0002 for VMware vSphere infrastructure (\
- vCenter server, ESXi hosts)" list=inside-VLAN-0002
-add address=10.8.3.0/24 comment="VLAN-0003 for VMware vSphere vMotion" list=\
- inside-VLAN-0003
-add address=127.0.0.1 list=allow-default-for-all
-add address=127.0.0.1 list=allow-default-buh
-add address=10.8.10.0/24 comment=\
- "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
- list=inside-VLAN-0010
-add address=10.8.11.0/24 comment="VLAN-0011 for Management iLO IPMI" list=\
- inside-VLAN-0011
-add address=10.8.2.5 comment="VLAN-0002 [ dc01-vcsrv01-infr.comp.loc ]" list=\
- inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc
-add address=10.8.2.11 comment=\
- "VLAN-0002 [ host01.cluster01.esxi.comp.loc ] ESXI" list=\
- inside-VLAN-0002-ESXi-Cluster01-hosts
-add address=10.8.2.12 comment=\
- "VLAN-0002 [ host02.cluster01.esxi.comp.loc ] ESXI" list=\
- inside-VLAN-0002-ESXi-Cluster01-hosts
-add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-IT
-add address=127.0.0.1 comment="allow [All ICMP,TCP,UDP] [ivanov_ovpn]" list=\
- allow-to-VLAN-0002-adm-ALL
-add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [All ICMP,T\
- CP,UDP] [ivanov_ovpn] [VPN]" list=\
- allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
-add address=127.0.0.1 list=\
- allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-IT
-add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:8\
- 0,443] [ivanov_ovpn] [VPN] FID=1234567890" list=\
- allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
-add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-SEC
-add address=127.0.0.1 list=\
- allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-SEC
-add address=127.0.0.1 comment=\
- "allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:22] [ivanov_ovpn] [VPN]" \
- list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
-add address=10.11.222.0/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" \
- list=dmz-VLAN-3222
-/ip firewall filter
-add action=fasttrack-connection chain=forward connection-state=\
- established,related hw-offload=yes protocol=tcp
-add action=fasttrack-connection chain=forward connection-state=\
- established,related hw-offload=yes protocol=udp
-add action=accept chain=input comment="allow INPUT established,related" \
- connection-state=established,related
-add action=accept chain=forward comment="allow FORWARD established,related" \
- connection-state=established,related
-add action=drop chain=input comment="deny INPUT Invalid connections" \
- connection-state=invalid
-add action=drop chain=forward comment="deny FORWARD Invalid connections" \
- connection-state=invalid
-add action=accept chain=input comment="allow INPUT from VLAN-0002 -->> ME [ICM\
- P] for VMware vSphere infrastructure (vCenter server, ESXi hosts)" \
- connection-state=new dst-address-list=inside-VLAN-0002 in-interface=\
- VLAN-0002 protocol=icmp src-address-list=inside-VLAN-0002
-add action=accept chain=input comment=\
- "allow INPUT from VLAN-0003 -->> ME [ICMP] for VMware vSphere vMotion" \
- connection-state=new dst-address-list=inside-VLAN-0003 in-interface=\
- VLAN-0003 protocol=icmp src-address-list=inside-VLAN-0003
-add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICM\
- P] for Management interface for network devices (TCP/IP connect)" \
- connection-state=new dst-address-list=inside-VLAN-0010 in-interface=\
- VLAN-0010 protocol=icmp src-address-list=inside-VLAN-0010
-add action=accept chain=input comment=\
- "allow INPUT from VLAN-0003 -->> ME [ICMP] for Management iLO IPMI" \
- connection-state=new dst-address-list=inside-VLAN-0011 in-interface=\
- VLAN-0011 protocol=icmp src-address-list=inside-VLAN-0011
-add action=accept chain=input comment=\
- "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
- in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
-add action=accept chain=input comment=\
- "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
- dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
- admin-mgm-net
-add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
- ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
-add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
- ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
- admin-L2TP-VPN-mgm
-add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
- ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- in-interface=sfp-sfpplus12 protocol=icmp src-address-list=\
- admin-L2TP-VPN-mgm
-add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
- ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \
- connection-state=new dst-address-list=all-inside in-interface=\
- sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
-add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
- ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \
- connection-state=new dst-address-list=all-inside dst-port=\
- 22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp \
- src-address-list=admin-L2TP-VPN-mgm
-add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
- ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=\
- new dst-address-list=all-dmz in-interface=sfp-sfpplus12 protocol=icmp \
- src-address-list=admin-L2TP-VPN-mgm
-add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
- ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=\
- new dst-address-list=all-dmz dst-port=22,80,443,5480,3389,8291 \
- in-interface=sfp-sfpplus12 protocol=tcp src-address-list=\
- admin-L2TP-VPN-mgm
-add action=accept chain=allow_icmp_tcp_udp comment=\
- "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=icmp
-add action=accept chain=allow_icmp_tcp_udp comment=\
- "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=tcp
-add action=accept chain=allow_icmp_tcp_udp comment=\
- "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=udp
-add action=accept chain=allow-default-for-all protocol=icmp
-add action=accept chain=allow-default-buh protocol=icmp
-add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSP\
- ORT LINK <--> OUTSIDE (to dc01-gw01)" connection-state=new \
- dst-address-list=!all-networks out-interface=sfp-sfpplus12 \
- src-address-list=all-networks
-add action=reject chain=input comment=\
- "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
- protocol=tcp reject-with=tcp-reset
-add action=reject chain=input comment=\
- "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
- connection-state=new protocol=udp reject-with=icmp-port-unreachable
-add action=drop chain=input comment="deny INPUT all" connection-state=""
-add action=reject chain=forward comment=\
- "deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \
- protocol=tcp reject-with=tcp-reset
-add action=reject chain=forward comment=\
- "deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \
- connection-state=new protocol=udp reject-with=icmp-port-unreachable
-add action=drop chain=forward comment="deny FORWARD all" connection-state=""
-add action=jump chain=forward connection-state=new dst-address-list=\
- inside-VLAN-0002 jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 \
- src-address-list=allow-to-VLAN-0002-adm-ALL
-add action=jump chain=forward connection-state=new dst-address-list=\
- inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc jump-target=\
- allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=\
- allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
-add action=accept chain=forward connection-state=new dst-address-list=\
- inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 \
- protocol=icmp src-address-list=\
- allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
-add action=accept chain=forward connection-state=new dst-address-list=\
- inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=22 out-interface=\
- VLAN-0002 protocol=tcp src-address-list=\
- allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
-add action=accept chain=forward connection-state=new dst-address-list=\
- inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 \
- protocol=icmp src-address-list=\
- allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
-add action=accept chain=forward connection-state=new dst-address-list=\
- inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=80,443 \
- out-interface=VLAN-0002 protocol=tcp src-address-list=\
- allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
-/ip route
-add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.12.90.1 \
- routing-table=main scope=30 suppress-hw-offload=no target-scope=10
-add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gd\
- nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\
- 10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \
- target-scope=10
-/ip service
-set telnet disabled=yes
-set ftp disabled=yes
-set www disabled=yes
-set api disabled=yes
-set api-ssl disabled=yes
-/ip smb shares
-set [ find default=yes ] directory=/pub
-/ip ssh
-set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
- 4096 strong-crypto=yes
-/system clock
-set time-zone-name=Europe/Moscow
-/system identity
-set name=dc01-ccr01
-/system note
-set show-at-login=no
-/system ntp client
-set enabled=yes
-/system ntp client servers
-add address=80.240.216.155
-add address=185.232.69.65
-/system routerboard settings
-set enter-setup-on=delete-key
-/tool bandwidth-server
-set enabled=no
-/tool mac-server
-set allowed-interface-list=none
-/tool mac-server mac-winbox
-set allowed-interface-list=interfaces-MAC-MGMT
-/tool mac-server ping
-set enabled=no
diff --git a/mikrotik/base-config/dc01-emer01-terse.rsc b/mikrotik/base-config/dc01-emer01-terse.rsc
index c124835..557b96f 100644
--- a/mikrotik/base-config/dc01-emer01-terse.rsc
+++ b/mikrotik/base-config/dc01-emer01-terse.rsc
@@ -62,7 +62,7 @@
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
-/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=main suppress-hw-offload=no
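Review bot: The rewritten UDP reject rule still says `reject-with tcp-reset` in its comment while its action is `reject-with=icmp-port-unreachable`; it should read `comment="deny FORWARD any -->> any UDP reject-with icmp-port-unreachable"` to match the input-chain counterpart two lines above. Removing `log-prefix=reject_fw_udp` is behaviour-neutral, because the rule never had `log=yes` and so was not logging anything before either; if rejected forward UDP is meant to be visible in the log on this emergency box, the rule needs `log=yes log-prefix=reject_fw_udp`, not the prefix alone. Worth a note in the file: the reject tail answers probes with RST/port-unreachable, which confirms to a scanner on `ether1-outside` that the device is up and filtering, and the final `drop` only covers what the two reject rules leave; if a silent posture toward the outside interface is wanted, those two rules should additionally match `in-interface-list=!interfaces-outside` (the list the bogon rules in this config use) or be replaced by drop for that interface.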
diff --git a/mikrotik/base-config/dc01-emer01.rsc b/mikrotik/base-config/dc01-emer01.rsc
deleted file mode 100644
index 1f0fea8..0000000
--- a/mikrotik/base-config/dc01-emer01.rsc
+++ /dev/null
@@ -1,164 +0,0 @@
-# 2024-09-04 13:07:44 by RouterOS 7.15.3
-# software id = 73EZ-45GQ
-#
-# model = RB750Gr3
-# serial number = 6F380862DC41
-/interface bridge
-add name=bridge-local
-/interface ethernet
-set [ find default-name=ether1 ] name=ether1-outside
-/interface list
-add name=interfaces-MAC-MGMT
-add name=interfaces-outside
-/ppp profile
-add bridge=bridge-local change-tcp-mss=yes local-address=172.20.1.1 name=\
- emergency only-one=yes use-ipv6=no use-mpls=no use-upnp=no
-/ip smb
-set enabled=no
-/interface bridge port
-add bridge=bridge-local interface=ether2
-add bridge=bridge-local interface=ether3
-add bridge=bridge-local interface=ether4
-add bridge=bridge-local interface=ether5
-/ip neighbor discovery-settings
-set discover-interface-list=interfaces-MAC-MGMT
-/ip settings
-set tcp-syncookies=yes
-/ipv6 settings
-set disable-ipv6=yes
-/interface list member
-add interface=ether2 list=interfaces-MAC-MGMT
-add interface=ether3 list=interfaces-MAC-MGMT
-add interface=ether4 list=interfaces-MAC-MGMT
-add interface=ether5 list=interfaces-MAC-MGMT
-add interface=ether1-outside list=interfaces-outside
-/interface ovpn-server server
-set auth=sha1 certificate=ovpn-server cipher=aes256-cbc default-profile=\
- emergency enabled=yes mode=ethernet port=40004 protocol=udp \
- require-client-certificate=yes tls-version=only-1.2
-/ip address
-add address=11.11.11.123/29 interface=ether1-outside network=11.11.11.120
-/ip cloud
-set update-time=no
-/ip dns
-set servers=8.8.8.8
-/ip firewall address-list
-add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
-add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=\
- outside-only-22.22.22.123
-add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
-add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
-add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
-add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
-add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
-add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
-add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
-add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
-add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
-add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
-add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
-add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
-add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
-add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
-add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
-/ip firewall filter
-add action=accept chain=input comment="allow INPUT established,related" \
- connection-state=established,related
-add action=accept chain=forward comment="allow FORWARD established,related" \
- connection-state=established,related
-add action=drop chain=input comment="deny INPUT Invalid connections" \
- connection-state=invalid
-add action=drop chain=forward comment="deny FORWARD Invalid connections" \
- connection-state=invalid
-add action=drop chain=input comment=\
- "deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" \
- connection-state="" in-interface-list=interfaces-outside \
- src-address-list=all-bogon
-add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON\
- \_IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=\
- all-bogon out-interface-list=interfaces-outside
-add action=drop chain=forward comment="deny FORWARD from outside -->> inside [\
- \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \
- in-interface-list=interfaces-outside src-address-list=all-bogon
-add action=drop chain=forward comment="deny FORWARD from inside -->> outside [\
- \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \
- dst-address-list=all-bogon out-interface-list=interfaces-outside
-add action=drop chain=forward comment="deny FORWARD from inside -->> outside F\
- ID=SERVICE-RULES FID=SERVICE-RULES" connection-nat-state=!dstnat \
- connection-state=new in-interface=ether1-outside
-add action=accept chain=input comment=\
- "allow INPUT from outside -->> ME [ICMP]" connection-state=new \
- in-interface=ether1-outside protocol=icmp
-add action=accept chain=input comment=\
- "allow INPUT from outside -->> ME OVPN server [UDP:40004]" \
- connection-state=new dst-port=40004 in-interface=ether1-outside protocol=\
- udp
-add action=accept chain=input connection-state=new dst-port=22,8291 \
- in-interface=ether1-outside protocol=tcp src-address=62.212.68.103
-add action=accept chain=input connection-state=new dst-port=22,8291 \
- in-interface=ether1-outside protocol=tcp src-address=213.141.150.29
-add action=accept chain=input dst-address=172.20.1.0/24 in-interface=\
- bridge-local protocol=icmp src-address=172.20.1.0/24
-add action=accept chain=input connection-state=new dst-address=172.20.1.0/24 \
- dst-port=22,8291 in-interface=bridge-local protocol=tcp src-address=\
- 172.20.1.0/24
-add action=reject chain=input comment=\
- "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
- protocol=tcp reject-with=tcp-reset
-add action=reject chain=input comment=\
- "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
- connection-state=new protocol=udp reject-with=icmp-port-unreachable
-add action=drop chain=input comment="deny INPUT all" connection-state=""
-add action=reject chain=forward comment=\
- "deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=\
- new protocol=tcp reject-with=tcp-reset
-add action=reject chain=forward comment=\
- "deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=\
- new log-prefix=reject_fw_udp protocol=udp reject-with=\
- icmp-port-unreachable
-add action=drop chain=forward comment="deny FORWARD all" connection-state=""
-/ip hotspot profile
-set [ find default=yes ] html-directory=hotspot
-/ip route
-add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=\
- main suppress-hw-offload=no
-add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
- distance=249 dst-address=10.0.0.0/8
-add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
- distance=249 dst-address=169.254.0.0/16
-add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
- distance=249 dst-address=172.16.0.0/12
-add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
- distance=249 dst-address=192.168.0.0/16
-/ip service
-set telnet disabled=yes
-set ftp disabled=yes
-set www disabled=yes
-set api disabled=yes
-set api-ssl disabled=yes
-/ip ssh
-set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
- 4096 strong-crypto=yes
-/ppp secret
-add name=ivanov_ovpn profile=emergency remote-address=172.20.1.2 service=ovpn
-/system clock
-set time-zone-name=Europe/Moscow
-/system identity
-set name=dc01-emer01
-/system note
-set show-at-login=no
-/system ntp client
-set enabled=yes
-/system ntp client servers
-add address=0.pool.ntp.org
-add address=1.pool.ntp.org
-add address=2.pool.ntp.org
-add address=3.pool.ntp.org
-/tool bandwidth-server
-set enabled=no
-/tool mac-server
-set allowed-interface-list=none
-/tool mac-server mac-winbox
-set allowed-interface-list=interfaces-MAC-MGMT
-/tool mac-server ping
-set enabled=no
diff --git a/mikrotik/base-config/dc01-gw01-terse.rsc b/mikrotik/base-config/dc01-gw01-terse.rsc
index a7d0c3c..e63f595 100644
--- a/mikrotik/base-config/dc01-gw01-terse.rsc
+++ b/mikrotik/base-config/dc01-gw01-terse.rsc
@@ -34,11 +34,11 @@
/ip address add address=10.8.10.11/24 comment="Management interface for network devices (TCP/IP connect)" interface=ether8-mgmt network=10.8.10.0
/ip cloud set update-time=no
/ip dns set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:53 ] FID=n1fk4do7we2ah5uz" list=allow_inet_DNS
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:22] FID=pq9dm54nwj4ah6ee" list=allow_inet_SSH
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:53 ] FID=n1fk4do7we2ah5uz" list=allow-inet-DNS
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:22] FID=pq9dm54nwj4ah6ee" list=allow-inet-SSH
/ip firewall address-list add address=11.11.11.122 comment="List addr OUTSIDE IPs" list=all-outside
/ip firewall address-list add address=11.11.11.122 comment="List addr OUTSIDE IP=22.22.22.122" list=outside-only-22.22.22.122
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [ICMP] FID=zpfju4q8wn2hj5n7" list=allow_inet_icmp
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [ICMP] FID=zpfju4q8wn2hj5n7" list=allow-inet-icmp
/ip firewall address-list add address=192.168.24.0/24 comment="List addr OpenVPN" disabled=yes list=all-ovpn
/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=outside-only-22.22.22.123
@@ -46,16 +46,16 @@
/ip firewall address-list add address=11.11.11.125 comment="List addr OUTSIDE IP=22.22.22.125" list=outside-only-22.22.22.125
/ip firewall address-list add address=10.99.99.99 comment="List addr clients from inside network to local DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
/ip firewall address-list add address=10.99.99.77 comment="List addr clients from inside network to local DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:80,443] servername.local FID=q5tst1p6o3jrdnb9" list=allow_inet_HTTPS
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [ALL:ALL] FID=allan3smjenrbtq3" list=allow_inet_all
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:25,465,587] FID=alld1nrr9nabdnt1" list=allow_inet_SMTP
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:80,443] servername.local FID=q5tst1p6o3jrdnb9" list=allow-inet-HTTPS
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [ALL:ALL] FID=allan3smjenrbtq3" list=allow-inet-all
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:25,465,587] FID=alld1nrr9nabdnt1" list=allow-inet-SMTP
/ip firewall address-list add address=10.8.0.0/13 comment="all-all network dmz + inside + transport + ovpn + l2pt etc" list=all-networks
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:143,993] FID=izmp3domfei9qnae" list=allow_inet_IMAP
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:43] FID=ivnusgh98hs98wh9" list=allow_inet_WHOIS
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:143,993] FID=izmp3domfei9qnae" list=allow-inet-IMAP
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:43] FID=ivnusgh98hs98wh9" list=allow-inet-WHOIS
/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" list=allow_inet_IPsec
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" list=allow_inet
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" list=allow-inet-IPsec
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" list=allow-inet
/ip firewall address-list add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
@@ -75,13 +75,13 @@
/ip firewall address-list add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" list=all-inside
/ip firewall address-list add address=10.12.90.0/24 comment="List subnetwork transport VLAN-4090 for access outside <--> inside" list=transport-sfp-sfpplus1
/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management network devices FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
-/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:123] FID=ab2ntprroam3e5fd" list=allow_inet_NTP
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:123] FID=ab2ntprroam3e5fd" list=allow-inet-NTP
/ip firewall address-list add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
/ip firewall address-list add address=11.11.11.124 comment="List addr OUTSIDE IPs" list=all-outside
/ip firewall address-list add address=11.11.11.125 comment="List addr OUTSIDE IPs" list=all-outside
-/ip firewall address-list add address=10.12.90.254 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-ccr01 ]" list=allow_inet
-/ip firewall address-list add address=10.8.10.201 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw01 ]" list=allow_inet
-/ip firewall address-list add address=10.8.10.202 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw02 ]" list=allow_inet
+/ip firewall address-list add address=10.12.90.254 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-ccr01 ]" list=allow-inet
+/ip firewall address-list add address=10.8.10.201 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw01 ]" list=allow-inet
+/ip firewall address-list add address=10.8.10.202 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw02 ]" list=allow-inet
/ip firewall address-list add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" list=all-inside
/ip firewall address-list add address=10.10.0.0/16 comment="all INSIDE networks (VLANs range 2000-2255)" list=all-inside
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
@@ -98,24 +98,24 @@
/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside -->> VLAN-3001-DMZ DNAT (TCP 22212 -> 10.91.1.12:22212) FID=2hfs38dq1jr42rwe" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.1.12 dst-port=22212 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside to frontweb01.dmz-3002.company.local DNAT (22.22.22.124 TCP 80,443 -->> 10.91.2.10 TCP 80,443) FID=web-cuc76crsswg2z3h1rg33e" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.2.10 dst-port=80,443 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside to front mail server frontmail01.dmz-3003.rvision.local (22.22.22.124 TCP 25 465 -->> 10.91.3.11 DNAT TCP 25 465) FID=ewojf9q8twef86gp" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.3.11 dst-port=25,465,993 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
-/ip firewall filter add action=jump chain=forward comment="allow FORWARD from inside -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=sfp-sfpplus1 jump-target=allow_icmp_tcp_udp out-interface=ether1-outside src-address-list=allow_inet
-/ip firewall filter add action=jump chain=forward comment="allow FORWARD from inside MGM -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=ether8-mgmt jump-target=allow_icmp_tcp_udp out-interface=ether1-outside src-address-list=allow_inet
-/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ICMP] FID=zpfju4q8wn2hj5n7" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=icmp src-address-list=allow_inet_icmp
-/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:22] FID=pq9dm54nwj4ah6ee" connection-nat-state="" connection-state=new dst-port=22 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_SSH
-/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:143,993] FID=izmp3domfei9qnae" connection-nat-state="" connection-state=new dst-port=143,993 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_IMAP
-/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:25,465,587] FID=alld1nrr9nabdnt1" connection-nat-state="" connection-state=new dst-port=25,465,587 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_SMTP
-/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:53] FID=n1fk4do7we2ah5uz" connection-nat-state="" connection-state=new dst-port=53 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_DNS
-/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:123] FID=ab2ntprroam3e5fd" connection-nat-state="" connection-state=new dst-port=123 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_NTP
-/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:43] FID=ivnusgh98hs98wh9" connection-nat-state="" connection-state=new dst-port=43 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_WHOIS
-/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:80,443] FID=q5tst1p6o3jrdnb9" connection-nat-state="" connection-state=new dst-port=80,443 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_HTTPS
-/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" connection-nat-state="" connection-state=new dst-port=500,1701,4500 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_IPsec
-/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ALL:ALL] FID=allan3smjenrbtq3" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside src-address-list=allow_inet_all
+/ip firewall filter add action=jump chain=forward comment="allow FORWARD from inside -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=sfp-sfpplus1 jump-target=allow-icmp-tcp-udp out-interface=ether1-outside src-address-list=allow-inet
+/ip firewall filter add action=jump chain=forward comment="allow FORWARD from inside MGM -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=ether8-mgmt jump-target=allow-icmp-tcp-udp out-interface=ether1-outside src-address-list=allow-inet
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ICMP] FID=zpfju4q8wn2hj5n7" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=icmp src-address-list=allow-inet-icmp
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:22] FID=pq9dm54nwj4ah6ee" connection-nat-state="" connection-state=new dst-port=22 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow-inet-SSH
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:143,993] FID=izmp3domfei9qnae" connection-nat-state="" connection-state=new dst-port=143,993 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow-inet-IMAP
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:25,465,587] FID=alld1nrr9nabdnt1" connection-nat-state="" connection-state=new dst-port=25,465,587 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow-inet-SMTP
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:53] FID=n1fk4do7we2ah5uz" connection-nat-state="" connection-state=new dst-port=53 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow-inet-DNS
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:123] FID=ab2ntprroam3e5fd" connection-nat-state="" connection-state=new dst-port=123 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow-inet-NTP
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:43] FID=ivnusgh98hs98wh9" connection-nat-state="" connection-state=new dst-port=43 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow-inet-WHOIS
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:80,443] FID=q5tst1p6o3jrdnb9" connection-nat-state="" connection-state=new dst-port=80,443 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow-inet-HTTPS
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" connection-nat-state="" connection-state=new dst-port=500,1701,4500 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow-inet-IPsec
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ALL:ALL] FID=allan3smjenrbtq3" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside src-address-list=allow-inet-all
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic out-interface=ether8-mgmt protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,80,443,8291 in-interface-list=dynamic out-interface=ether8-mgmt protocol=tcp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-NETWORK !!!WARNING - All ACL Firewall in DC01-CCR01!!! FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-networks in-interface-list=dynamic out-interface=sfp-sfpplus1 src-address-list=admin-L2TP-VPN-mgm
-/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=icmp
-/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=tcp
-/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=udp
+/ip firewall filter add action=accept chain=allow-icmp-tcp-udp comment="Chain allow icmp-tcp-udp [All ICMP,TCP,UDP]" protocol=icmp
+/ip firewall filter add action=accept chain=allow-icmp-tcp-udp comment="Chain allow icmp-tcp-udp [All ICMP,TCP,UDP]" protocol=tcp
+/ip firewall filter add action=accept chain=allow-icmp-tcp-udp comment="Chain allow icmp-tcp-udp [All ICMP,TCP,UDP]" protocol=udp
/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [ICMP]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=icmp
/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [GRE]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=gre
/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [IPsec-esp]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=ipsec-esp
@@ -133,7 +133,7 @@
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
-/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
/ip firewall nat add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside all networks (outside IP = 11.11.11.122)" dst-address-list=!all-networks out-interface=ether1-outside src-address-list=all-networks to-addresses=11.11.11.122
/ip firewall nat add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside mail systems for SPF rec TCP 25,465 (outside IP = 22.22.22.125) " disabled=yes dst-port=25,465 out-interface=ether1-outside protocol=tcp src-address=10.91.3.11 to-addresses=22.22.22.123
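Review bot: The comment on the rewritten UDP reject rule still reads `UDP reject-with tcp-reset` while the rule itself uses `reject-with=icmp-port-unreachable`, so the new line documents the wrong behaviour; change it to `comment="deny FORWARD any -->> any UDP reject-with icmp-port-unreachable"` to match the action. Dropping `log-prefix=reject_fw_udp` does not change what the rule does, because neither the old nor the new line carries `log=yes`, so the prefix was never emitted; if the intent was to silence logging that was already the case, and if rejected forward traffic should be visible for monitoring the line needs `log=yes log-prefix=reject_fw_udp` rather than a prefix on its own. The TCP reject rule on the preceding context line has a comment that matches its action, so only this line needs the correction.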
@@ -155,7 +155,7 @@
/ip service set api-ssl disabled=yes
/ip smb shares set [ find default=yes ] directory=/pub
/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
-/ppp secret add comment="L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq" local-address=172.16.38.1 name=ivanov_mgm profile=L2TP_VPN_Profile_mgm remote-address=172.16.38.222 service=l2tp
+/ppp secret add comment="L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq" local-address=172.16.38.1 name=ivanov-mgm profile=L2TP-VPN-Profile-mgm remote-address=172.16.38.222 service=l2tp
/system clock set time-zone-name=Europe/Moscow
/system identity set name=dc01-gw01
/system note set show-at-login=no
diff --git a/mikrotik/base-config/dc01-gw01.rsc b/mikrotik/base-config/dc01-gw01.rsc
deleted file mode 100644
index 60136b2..0000000
--- a/mikrotik/base-config/dc01-gw01.rsc
+++ /dev/null
@@ -1,424 +0,0 @@
-# 2024-08-30 22:34:52 by RouterOS 7.15.3
-# software id = 6HAJ-6CUK
-#
-# model = RB4011iGS+
-# serial number = HEH08H8P0GS
-/interface ethernet
-set [ find default-name=ether1 ] name=ether1-outside
-set [ find default-name=ether2 ] disabled=yes
-set [ find default-name=ether3 ] disabled=yes
-set [ find default-name=ether4 ] disabled=yes
-set [ find default-name=ether5 ] disabled=yes
-set [ find default-name=ether6 ] disabled=yes
-set [ find default-name=ether7 ] disabled=yes
-set [ find default-name=ether8 ] comment=\
- "Management interface for network devices (TCP/IP connect)" name=\
- ether8-mgmt
-set [ find default-name=ether9 ] comment=\
- "Management interface for network devices (MAC server only)" name=\
- ether9-mac-mgmt
-set [ find default-name=ether10 ] disabled=yes
-set [ find default-name=sfp-sfpplus1 ] comment=\
- "Link to dc01-ccr01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE"
-/interface list
-add name=interfaces-MGM
-add name=interfaces-outside
-add name=interfaces-VPN-ptp
-/ip smb users
-set [ find default=yes ] disabled=yes
-/port
-set 0 name=serial0
-set 1 name=serial1
-/ppp profile
-add change-tcp-mss=yes comment=\
- "For L2TP VPN MGM admins FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \
- name=L2TP_VPN_Profile_mgm only-one=no use-compression=yes use-encryption=\
- yes use-ipv6=no use-mpls=no use-upnp=no
-/ip smb
-set enabled=no
-/ip firewall connection tracking
-set udp-timeout=10s
-/ip neighbor discovery-settings
-set discover-interface-list=interfaces-MGM
-/ip settings
-set tcp-syncookies=yes
-/ipv6 settings
-set disable-ipv6=yes
-/interface l2tp-server server
-set authentication=mschap2 enabled=yes use-ipsec=yes
-/interface list member
-add interface=ether9-mac-mgmt list=interfaces-MGM
-add interface=ether1-outside list=interfaces-outside
-/ip address
-add address=10.12.90.1/24 comment="Transport for access outside <--> inside" \
- interface=sfp-sfpplus1 network=10.12.90.0
-add address=11.11.11.122/29 comment="Outside IPs" interface=ether1-outside \
- network=11.11.11.120
-add address=10.8.10.11/24 comment=\
- "Management interface for network devices (TCP/IP connect)" interface=\
- ether8-mgmt network=10.8.10.0
-/ip cloud
-set update-time=no
-/ip dns
-set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1
-/ip firewall address-list
-add address=127.0.0.1 comment=\
- "List addr for allow Internet access [UDP:53 ] FID=n1fk4do7we2ah5uz" \
- list=allow_inet_DNS
-add address=127.0.0.1 comment=\
- "List addr for allow Internet access [TCP:22] FID=pq9dm54nwj4ah6ee" list=\
- allow_inet_SSH
-add address=11.11.11.122 comment="List addr OUTSIDE IPs" list=all-outside
-add address=11.11.11.122 comment="List addr OUTSIDE IP=22.22.22.122" list=\
- outside-only-22.22.22.122
-add address=127.0.0.1 comment=\
- "List addr for allow Internet access [ICMP] FID=zpfju4q8wn2hj5n7" list=\
- allow_inet_icmp
-add address=192.168.24.0/24 comment="List addr OpenVPN" disabled=yes list=\
- all-ovpn
-add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
-add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=\
- outside-only-22.22.22.123
-add address=11.11.11.124 comment="List addr OUTSIDE IP=22.22.22.124" list=\
- outside-only-22.22.22.124
-add address=11.11.11.125 comment="List addr OUTSIDE IP=22.22.22.125" list=\
- outside-only-22.22.22.125
-add address=10.99.99.99 comment="List addr clients from inside network to loca\
- l DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
-add address=10.99.99.77 comment="List addr clients from inside network to loca\
- l DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
-add address=127.0.0.1 comment="List addr for allow Internet access [TCP:80,443\
- ] servername.local FID=q5tst1p6o3jrdnb9" list=allow_inet_HTTPS
-add address=127.0.0.1 comment=\
- "List addr for allow Internet access [ALL:ALL] FID=allan3smjenrbtq3" \
- list=allow_inet_all
-add address=127.0.0.1 comment="List addr for allow Internet access [TCP:25,465\
- ,587] FID=alld1nrr9nabdnt1" list=allow_inet_SMTP
-add address=10.8.0.0/13 comment=\
- "all-all network dmz + inside + transport + ovpn + l2pt etc" list=\
- all-networks
-add address=127.0.0.1 comment=\
- "List addr for allow Internet access [TCP:143,993] FID=izmp3domfei9qnae" \
- list=allow_inet_IMAP
-add address=127.0.0.1 comment=\
- "List addr for allow Internet access [TCP:43] FID=ivnusgh98hs98wh9" list=\
- allow_inet_WHOIS
-add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
- ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
-add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
- s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
-add address=127.0.0.1 comment="List addr for allow Internet access [UDP:500,17\
- 01,4500] FID=sjf93jamc39jfi8g" list=allow_inet_IPsec
-add address=127.0.0.1 comment="List addr for allow Internet access [All ICMP,T\
- CP,UDP] FID=h7nlarwndc5dr8zc" list=allow_inet
-add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
-add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
-add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
-add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
-add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
-add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
-add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
-add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
-add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
-add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
-add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
-add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
-add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
-add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
-add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
-add address=10.11.0.0/16 comment=\
- "all DMZ networks (VLANs range 3000-3255)" list=all-dmz
-add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" \
- list=all-inside
-add address=10.12.90.0/24 comment=\
- "List subnetwork transport VLAN-4090 for access outside <--> inside" \
- list=transport-sfp-sfpplus1
-add address=10.8.10.0/24 comment="List addr for Management network devices FID\
- =admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
-add address=127.0.0.1 comment=\
- "List addr for allow Internet access [UDP:123] FID=ab2ntprroam3e5fd" \
- list=allow_inet_NTP
-add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
-add address=11.11.11.124 comment="List addr OUTSIDE IPs" list=all-outside
-add address=11.11.11.125 comment="List addr OUTSIDE IPs" list=all-outside
-add address=10.12.90.254 comment="List addr for allow Internet access [All ICM\
- P,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-ccr01 ]" list=allow_inet
-add address=10.8.10.201 comment="List addr for allow Internet access [All ICMP\
- ,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw01 ]" list=allow_inet
-add address=10.8.10.202 comment="List addr for allow Internet access [All ICMP\
- ,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw02 ]" list=allow_inet
-add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" \
- list=all-inside
-add address=10.10.0.0/16 comment=\
- "all INSIDE networks (VLANs range 2000-2255)" list=all-inside
-/ip firewall filter
-add action=fasttrack-connection chain=forward connection-state=\
- established,related hw-offload=yes protocol=tcp
-add action=fasttrack-connection chain=forward connection-state=\
- established,related hw-offload=yes protocol=udp
-add action=accept chain=input comment="allow INPUT established,related" \
- connection-state=established,related
-add action=accept chain=forward comment="allow FORWARD established,related" \
- connection-state=established,related
-add action=drop chain=input comment="deny INPUT Invalid connections" \
- connection-state=invalid
-add action=drop chain=forward comment="deny FORWARD Invalid connections" \
- connection-state=invalid
-add action=drop chain=input comment=\
- "deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" \
- connection-state="" in-interface=ether1-outside src-address-list=\
- all-bogon
-add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON\
- \_IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=\
- all-bogon out-interface=ether1-outside
-add action=drop chain=forward comment="deny FORWARD from outside -->> inside [\
- \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \
- in-interface=ether1-outside src-address-list=all-bogon
-add action=drop chain=forward comment="deny FORWARD from inside -->> outside [\
- \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \
- dst-address-list=all-bogon out-interface=ether1-outside
-add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
- e -->> VLAN-3001-DMZ DNAT (UDP 22211 -> 10.91.1.11:22211) FID=2hfs38dq1jr\
- 42rwe" connection-nat-state=dstnat connection-state=new disabled=yes \
- dst-address=10.91.1.11 dst-port=22211 in-interface=ether1-outside \
- out-interface=sfp-sfpplus1 protocol=udp src-address-list=!all-networks
-add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
- e -->> VLAN-3001-DMZ DNAT (TCP 22212 -> 10.91.1.12:22212) FID=2hfs38dq1jr\
- 42rwe" connection-nat-state=dstnat connection-state=new disabled=yes \
- dst-address=10.91.1.12 dst-port=22212 in-interface=ether1-outside \
- out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
-add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
- e to frontweb01.dmz-3002.company.local DNAT (22.22.22.124 TCP 80,443 -->>\
- \_10.91.2.10 TCP 80,443) FID=web-cuc76crsswg2z3h1rg33e" \
- connection-nat-state=dstnat connection-state=new disabled=yes \
- dst-address=10.91.2.10 dst-port=80,443 in-interface=ether1-outside \
- out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
-add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
- e to front mail server frontmail01.dmz-3003.rvision.local (22.22.22.124 \
- TCP 25 465 -->> 10.91.3.11 DNAT TCP 25 465) FID=ewojf9q8twef86gp" \
- connection-nat-state=dstnat connection-state=new disabled=yes \
- dst-address=10.91.3.11 dst-port=25,465,993 in-interface=ether1-outside \
- out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
-add action=jump chain=forward comment="allow FORWARD from inside -->> outside \
- SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new \
- in-interface=sfp-sfpplus1 jump-target=allow_icmp_tcp_udp out-interface=\
- ether1-outside src-address-list=allow_inet
-add action=jump chain=forward comment="allow FORWARD from inside MGM -->> outs\
- ide SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new \
- in-interface=ether8-mgmt jump-target=allow_icmp_tcp_udp out-interface=\
- ether1-outside src-address-list=allow_inet
-add action=accept chain=forward comment=\
- "allow FORWARD from inside -->> outside SNAT [ICMP] FID=zpfju4q8wn2hj5n7" \
- connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 \
- out-interface=ether1-outside protocol=icmp src-address-list=\
- allow_inet_icmp
-add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
- e SNAT [TCP:22] FID=pq9dm54nwj4ah6ee" connection-nat-state="" \
- connection-state=new dst-port=22 in-interface=sfp-sfpplus1 out-interface=\
- ether1-outside protocol=tcp src-address-list=allow_inet_SSH
-add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
- e SNAT [TCP:143,993] FID=izmp3domfei9qnae" connection-nat-state="" \
- connection-state=new dst-port=143,993 in-interface=sfp-sfpplus1 \
- out-interface=ether1-outside protocol=tcp src-address-list=\
- allow_inet_IMAP
-add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
- e SNAT [TCP:25,465,587] FID=alld1nrr9nabdnt1" connection-nat-state="" \
- connection-state=new dst-port=25,465,587 in-interface=sfp-sfpplus1 \
- out-interface=ether1-outside protocol=tcp src-address-list=\
- allow_inet_SMTP
-add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
- e SNAT [UDP:53] FID=n1fk4do7we2ah5uz" connection-nat-state="" \
- connection-state=new dst-port=53 in-interface=sfp-sfpplus1 out-interface=\
- ether1-outside protocol=udp src-address-list=allow_inet_DNS
-add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
- e SNAT [UDP:123] FID=ab2ntprroam3e5fd" connection-nat-state="" \
- connection-state=new dst-port=123 in-interface=sfp-sfpplus1 \
- out-interface=ether1-outside protocol=udp src-address-list=allow_inet_NTP
-add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
- e SNAT [TCP:43] FID=ivnusgh98hs98wh9" connection-nat-state="" \
- connection-state=new dst-port=43 in-interface=sfp-sfpplus1 out-interface=\
- ether1-outside protocol=tcp src-address-list=allow_inet_WHOIS
-add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
- e SNAT [TCP:80,443] FID=q5tst1p6o3jrdnb9" connection-nat-state="" \
- connection-state=new dst-port=80,443 in-interface=sfp-sfpplus1 \
- out-interface=ether1-outside protocol=tcp src-address-list=\
- allow_inet_HTTPS
-add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
- e SNAT [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" connection-nat-state="" \
- connection-state=new dst-port=500,1701,4500 in-interface=sfp-sfpplus1 \
- out-interface=ether1-outside protocol=udp src-address-list=\
- allow_inet_IPsec
-add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
- e SNAT [ALL:ALL] FID=allan3smjenrbtq3" connection-nat-state="" \
- connection-state=new in-interface=sfp-sfpplus1 out-interface=\
- ether1-outside src-address-list=allow_inet_all
-add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
- ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- dst-address-list=admin-mgm-net in-interface-list=dynamic out-interface=\
- ether8-mgmt protocol=icmp src-address-list=admin-L2TP-VPN-mgm
-add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
- ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- dst-address-list=admin-mgm-net dst-port=22,80,443,8291 in-interface-list=\
- dynamic out-interface=ether8-mgmt protocol=tcp src-address-list=\
- admin-L2TP-VPN-mgm
-add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
- ALL-NETWORK !!!WARNING - All ACL Firewall in DC01-CCR01!!! FID=admin-acces\
- s-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=\
- all-networks in-interface-list=dynamic out-interface=sfp-sfpplus1 \
- src-address-list=admin-L2TP-VPN-mgm
-add action=accept chain=allow_icmp_tcp_udp comment=\
- "Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=icmp
-add action=accept chain=allow_icmp_tcp_udp comment=\
- "Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=tcp
-add action=accept chain=allow_icmp_tcp_udp comment=\
- "Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=udp
-add action=accept chain=input comment=\
- "allow INPUT from outside -->> ME [ICMP]" connection-state=new \
- dst-address-list=all-outside in-interface=ether1-outside protocol=icmp
-add action=accept chain=input comment=\
- "allow INPUT from outside -->> ME [GRE]" connection-state=new \
- dst-address-list=all-outside in-interface=ether1-outside protocol=gre
-add action=accept chain=input comment=\
- "allow INPUT from outside -->> ME [IPsec-esp]" connection-state=new \
- dst-address-list=all-outside in-interface=ether1-outside protocol=\
- ipsec-esp
-add action=accept chain=input comment=\
- "allow INPUT from outside -->> ME [IPsec-ah]" connection-state=new \
- dst-address-list=all-outside in-interface=ether1-outside protocol=\
- ipsec-ah
-add action=accept chain=input comment=\
- "allow INPUT from outside -->> ME (UDP:500,1701,4500]" connection-state=\
- new dst-address-list=outside-only-22.22.22.122 dst-port=500,1701,4500 \
- in-interface=ether1-outside protocol=udp
-add action=accept chain=input comment=\
- "allow INPUT from transport sfp-sfpplus1 -->> ME [ICMP]" \
- connection-state=new dst-address-list=transport-sfp-sfpplus1 \
- in-interface=sfp-sfpplus1 protocol=icmp src-address-list=\
- transport-sfp-sfpplus1
-add action=accept chain=input comment=\
- "allow INPUT from inside -->> ME [UDP:53 DNS] for spoofing DNS" \
- connection-state=new dst-port=53 in-interface=sfp-sfpplus1 protocol=udp \
- src-address-list=allow-INSDIE-to-local-DNS
-add action=accept chain=input comment=\
- "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
- in-interface=ether8-mgmt protocol=icmp src-address-list=admin-mgm-net
-add action=accept chain=input comment=\
- "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
- dst-port=53 in-interface=ether8-mgmt protocol=udp src-address-list=\
- admin-mgm-net
-add action=accept chain=input comment=\
- "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
- dst-port=21,22,8291 in-interface=ether8-mgmt protocol=tcp \
- src-address-list=admin-mgm-net
-add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
- ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp \
- src-address-list=admin-L2TP-VPN-mgm
-add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
- ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- dst-address-list=admin-mgm-net dst-port=22,8291 in-interface-list=dynamic \
- protocol=tcp src-address-list=admin-L2TP-VPN-mgm
-add action=reject chain=input comment=\
- "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
- protocol=tcp reject-with=tcp-reset
-add action=reject chain=input comment=\
- "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
- connection-state=new protocol=udp reject-with=icmp-port-unreachable
-add action=drop chain=input comment="deny INPUT all" connection-state=""
-add action=reject chain=forward comment=\
- "deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=\
- new protocol=tcp reject-with=tcp-reset
-add action=reject chain=forward comment=\
- "deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=\
- new log-prefix=reject_fw_udp protocol=udp reject-with=\
- icmp-port-unreachable
-add action=drop chain=forward comment="deny FORWARD all" connection-state=""
-/ip firewall nat
-add action=src-nat chain=srcnat comment=\
- "EXAMPLE !!! SNAT from inside all networks (outside IP = 11.11.11.122)" \
- dst-address-list=!all-networks out-interface=ether1-outside \
- src-address-list=all-networks to-addresses=11.11.11.122
-add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside mail sys\
- tems for SPF rec TCP 25,465 (outside IP = 22.22.22.125) " disabled=yes \
- dst-port=25,465 out-interface=ether1-outside protocol=tcp src-address=\
- 10.91.3.11 to-addresses=22.22.22.123
-add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN\
- -3001-DMZ (22.22.22.122 UDP 22211 -->> 10.91.1.11 UDP 22211) OpenVPN 01 F\
- ID=2hfs38dq1jr42rwe" disabled=yes dst-address-list=\
- outside-only-22.22.22.122 dst-port=22211 in-interface=ether1-outside \
- protocol=udp src-address-list=!all-networks to-addresses=10.91.1.11 \
- to-ports=22211
-add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN\
- -3001-DMZ (22.22.22.122 TCP 22212 -->> 10.91.1.12 TCP 22212) OpenVPN 02 F\
- ID=hf92hfh38dh1jr421we" disabled=yes dst-address-list=\
- outside-only-22.22.22.122 dst-port=22212 in-interface=ether1-outside \
- protocol=tcp src-address-list=!all-networks to-addresses=10.91.1.12 \
- to-ports=22212
-add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\
- \_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 25 -->> 10.\
- 91.3.11 TCP 25) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\
- outside-only-22.22.22.125 dst-port=25 in-interface=ether1-outside \
- protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \
- to-ports=25
-add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\
- \_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 465 -->> 10\
- .91.3.11 TCP 465) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\
- outside-only-22.22.22.125 dst-port=465 in-interface=ether1-outside \
- protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \
- to-ports=465
-add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\
- \_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 993 -->> 10\
- .91.3.11 TCP 993) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\
- outside-only-22.22.22.125 dst-port=993 in-interface=ether1-outside \
- protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \
- to-ports=993
-/ip route
-add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
- distance=249 dst-address=10.0.0.0/8
-add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
- distance=249 dst-address=169.254.0.0/16
-add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
- distance=249 dst-address=172.16.0.0/12
-add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
- distance=249 dst-address=192.168.0.0/16
-add comment="Route to DC01-CCR01 all networks" disabled=no distance=1 \
- dst-address=10.8.0.0/13 gateway=10.12.90.254 pref-src="" routing-table=\
- main scope=30 suppress-hw-offload=no target-scope=10
-add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=\
- main suppress-hw-offload=no
-/ip service
-set telnet disabled=yes
-set ftp disabled=yes
-set www disabled=yes
-set api disabled=yes
-set api-ssl disabled=yes
-/ip smb shares
-set [ find default=yes ] directory=/pub
-/ip ssh
-set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
- 4096 strong-crypto=yes
-/ppp secret
-add comment="L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq" \
- local-address=172.16.38.1 name=ivanov_mgm profile=L2TP_VPN_Profile_mgm \
- remote-address=172.16.38.222 service=l2tp
-/system clock
-set time-zone-name=Europe/Moscow
-/system identity
-set name=dc01-gw01
-/system note
-set show-at-login=no
-/system ntp client
-set enabled=yes
-/system ntp client servers
-add address=80.240.216.155
-add address=185.232.69.65
-/system routerboard settings
-set enter-setup-on=delete-key
-/tool bandwidth-server
-set enabled=no
-/tool mac-server
-set allowed-interface-list=none
-/tool mac-server mac-winbox
-set allowed-interface-list=interfaces-MGM
-/tool mac-server ping
-set enabled=no
diff --git a/mikrotik/base-config/dc01-sw01.rsc b/mikrotik/base-config/dc01-sw01.rsc
deleted file mode 100644
index 0d0d4bd..0000000
--- a/mikrotik/base-config/dc01-sw01.rsc
+++ /dev/null
@@ -1,177 +0,0 @@
-# 2024-08-30 19:14:48 by RouterOS 7.15.3
-# software id = 1Y74-1PQS
-#
-# model = CRS312-4C+8XG
-# serial number = HEQ0941H7M6
-/interface bridge
-add name=bridge port-cost-mode=short priority=0x4000 vlan-filtering=yes
-/interface ethernet
-set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
-set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
-set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
-set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 \
- mtu=9000
-set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 \
- mtu=9000
-set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether8 ] comment="Link from dc01-gw01 for Management i\
- nterface for network devices (TCP/IP connect)"
-set [ find default-name=ether9 ] comment=\
- "Management interface for network devices (MAC server only)" name=\
- ether9-mac-mgmt
-/interface vlan
-add comment=\
- "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
- interface=bridge name=VLAN-0010 vlan-id=10
-/interface bonding
-add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
-/interface list
-add name=interfaces-MAC-MGMT
-/ip smb users
-set [ find default=yes ] disabled=yes
-/port
-set 0 name=serial0
-/system logging action
-set 1 disk-file-name=log
-/ip smb
-set enabled=no
-/interface bridge port
-add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP \
- internal-path-cost=10 path-cost=10
-add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 \
- internal-path-cost=10 path-cost=10
-add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 \
- internal-path-cost=10 path-cost=10
-add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 \
- internal-path-cost=10 path-cost=10
-add bridge=bridge comment="Link from dc01-gw01 for Management interface for ne\
- twork devices (TCP/IP connect) VLAN-0010" frame-types=\
- admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
-/ip firewall connection tracking
-set udp-timeout=10s
-/ip neighbor discovery-settings
-set discover-interface-list=interfaces-MAC-MGMT
-/ip settings
-set tcp-syncookies=yes
-/ipv6 settings
-set disable-ipv6=yes
-/interface bridge vlan
-add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x\
- \_ <-> 10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
- vlan-ids=101-255
-add bridge=bridge comment="VLANs range for DMZ IPs range for use 10.11.100\
- .x <-> 10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
- vlan-ids=3000-3255
-add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=\
- bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
-add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=\
- bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
-add bridge=bridge comment=\
- "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
- tagged=bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=10
-add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=\
- bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=11
-add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x \
- \_ <-> 10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
- vlan-ids=1000-1255
-add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x \
- \_ <-> 10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
- vlan-ids=2000-2255
-/interface list member
-add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
-/ip address
-add address=10.8.10.201/24 interface=VLAN-0010 network=10.8.10.0
-/ip cloud
-set update-time=no
-/ip dns
-set servers=10.8.10.11
-/ip firewall address-list
-add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
- ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
-add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
- s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
-add address=10.8.10.0/24 comment="List addr for Management only network device\
- s (Mikrotik) FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
-/ip firewall filter
-add action=accept chain=input comment="allow INPUT established,related" \
- connection-state=established,related
-add action=accept chain=forward comment="allow FORWARD established,related" \
- connection-state=established,related
-add action=drop chain=input comment="deny INPUT Invalid connections" \
- connection-state=invalid
-add action=drop chain=forward comment="deny FORWARD Invalid connections" \
- connection-state=invalid
-add action=accept chain=input comment=\
- "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
- in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
-add action=accept chain=input comment=\
- "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
- dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
- admin-mgm-net
-add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
- ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
-add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
- ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
- admin-L2TP-VPN-mgm
-add action=reject chain=input comment=\
- "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
- protocol=tcp reject-with=tcp-reset
-add action=reject chain=input comment=\
- "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
- connection-state=new protocol=udp reject-with=icmp-port-unreachable
-add action=drop chain=input comment="deny INPUT all" connection-state=""
-add action=reject chain=forward comment=\
- "deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \
- protocol=tcp reject-with=tcp-reset
-add action=reject chain=forward comment=\
- "deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \
- connection-state=new protocol=udp reject-with=icmp-port-unreachable
-add action=drop chain=forward comment="deny FORWARD all" connection-state=""
-/ip hotspot profile
-set [ find default=yes ] html-directory=hotspot
-/ip route
-add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src=\
- "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
-add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gd\
- nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\
- 10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \
- target-scope=10
-/ip service
-set telnet disabled=yes
-set ftp disabled=yes
-set www disabled=yes
-set api disabled=yes
-set api-ssl disabled=yes
-/ip smb shares
-set [ find default=yes ] directory=/pub
-/ip ssh
-set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
- 4096 strong-crypto=yes
-/system clock
-set time-zone-name=Europe/Moscow
-/system identity
-set name=dc01-sw01
-/system note
-set show-at-login=no
-/system ntp client
-set enabled=yes
-/system ntp client servers
-add address=80.240.216.155
-add address=185.232.69.65
-/system routerboard settings
-set boot-os=router-os enter-setup-on=delete-key
-/tool bandwidth-server
-set enabled=no
-/tool mac-server
-set allowed-interface-list=none
-/tool mac-server mac-winbox
-set allowed-interface-list=interfaces-MAC-MGMT
-/tool mac-server ping
-set enabled=no
diff --git a/mikrotik/base-config/dc01-sw02.rsc b/mikrotik/base-config/dc01-sw02.rsc
deleted file mode 100644
index cd2b9f0..0000000
--- a/mikrotik/base-config/dc01-sw02.rsc
+++ /dev/null
@@ -1,175 +0,0 @@
-# 2024-08-30 19:15:13 by RouterOS 7.15.3
-# software id = QEDC-AGM4
-#
-# model = CRS312-4C+8XG
-# serial number = HEQ09EBWASB
-/interface bridge
-add name=bridge port-cost-mode=short vlan-filtering=yes
-/interface ethernet
-set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
-set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
-set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
-set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 \
- mtu=9000
-set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 \
- mtu=9000
-set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
-set [ find default-name=ether8 ] comment=\
- "Link from mgmt switch (for iLo IPMI) VLAN-0011"
-set [ find default-name=ether9 ] comment=\
- "Management interface for network devices (MAC server only)" name=\
- ether9-mac-mgmt
-/interface vlan
-add comment=\
- "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
- interface=bridge name=VLAN-0010 vlan-id=10
-/interface bonding
-add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
-/interface list
-add name=interfaces-MAC-MGMT
-/ip smb users
-set [ find default=yes ] disabled=yes
-/port
-set 0 name=serial0
-/system logging action
-set 1 disk-file-name=log
-/ip smb
-set enabled=no
-/interface bridge port
-add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP \
- internal-path-cost=10 path-cost=10
-add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 \
- internal-path-cost=10 path-cost=10
-add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 \
- internal-path-cost=10 path-cost=10
-add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 \
- internal-path-cost=10 path-cost=10
-add bridge=bridge comment="Link from mgmt switch (for iLo IPMI) VLAN-0011" \
- frame-types=admit-only-untagged-and-priority-tagged interface=ether8 \
- pvid=11
-/ip firewall connection tracking
-set udp-timeout=10s
-/ip neighbor discovery-settings
-set discover-interface-list=interfaces-MAC-MGMT
-/ip settings
-set tcp-syncookies=yes
-/ipv6 settings
-set disable-ipv6=yes
-/interface bridge vlan
-add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x\
- \_ <-> 10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
- vlan-ids=101-255
-add bridge=bridge comment="VLANs range for DMZ IPs range for use 10.11.100\
- .x <-> 10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
- vlan-ids=3000-3255
-add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=\
- bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
-add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=\
- bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
-add bridge=bridge comment=\
- "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
- tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=10
-add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=\
- bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=11
-add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x \
- \_ <-> 10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
- vlan-ids=1000-1255
-add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x \
- \_ <-> 10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
- vlan-ids=2000-2255
-/interface list member
-add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
-/ip address
-add address=10.8.10.202/24 interface=VLAN-0010 network=10.8.10.0
-/ip cloud
-set update-time=no
-/ip dns
-set servers=10.8.10.11
-/ip firewall address-list
-add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
- ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
-add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
- s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
-add address=10.8.10.0/24 comment="List addr for Management only network device\
- s (Mikrotik) FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
-/ip firewall filter
-add action=accept chain=input comment="allow INPUT established,related" \
- connection-state=established,related
-add action=accept chain=forward comment="allow FORWARD established,related" \
- connection-state=established,related
-add action=drop chain=input comment="deny INPUT Invalid connections" \
- connection-state=invalid
-add action=drop chain=forward comment="deny FORWARD Invalid connections" \
- connection-state=invalid
-add action=accept chain=input comment=\
- "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
- in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
-add action=accept chain=input comment=\
- "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
- dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
- admin-mgm-net
-add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
- ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
-add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
- ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
- dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
- admin-L2TP-VPN-mgm
-add action=reject chain=input comment=\
- "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
- protocol=tcp reject-with=tcp-reset
-add action=reject chain=input comment=\
- "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
- connection-state=new protocol=udp reject-with=icmp-port-unreachable
-add action=drop chain=input comment="deny INPUT all" connection-state=""
-add action=reject chain=forward comment=\
- "deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \
- protocol=tcp reject-with=tcp-reset
-add action=reject chain=forward comment=\
- "deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \
- connection-state=new protocol=udp reject-with=icmp-port-unreachable
-add action=drop chain=forward comment="deny FORWARD all" connection-state=""
-/ip route
-add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src=\
- "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
-add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gd\
- nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\
- 10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \
- target-scope=10
-/ip service
-set telnet disabled=yes
-set ftp disabled=yes
-set www disabled=yes
-set api disabled=yes
-set api-ssl disabled=yes
-/ip smb shares
-set [ find default=yes ] directory=/pub
-/ip ssh
-set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
- 4096 strong-crypto=yes
-/system clock
-set time-zone-name=Europe/Moscow
-/system identity
-set name=dc01-sw02
-/system note
-set show-at-login=no
-/system ntp client
-set enabled=yes
-/system ntp client servers
-add address=80.240.216.155
-add address=185.232.69.65
-/system routerboard settings
-set boot-os=router-os enter-setup-on=delete-key
-/tool bandwidth-server
-set enabled=no
-/tool mac-server
-set allowed-interface-list=none
-/tool mac-server mac-winbox
-set allowed-interface-list=interfaces-MAC-MGMT
-/tool mac-server ping
-set enabled=no