Added this repo

2024-09-19 13:36:34 +03:00 · 2024-09-19 13:36:34 +03:00 · 6ddbc86f76
commit 6ddbc86f76
13 changed files with 1920 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,13 @@
+# NETWORK repo
+
+<br/>
+##This repo has network configuration for different network devices.
+
+<br/>
+You get basic/default config for:<br/>
+<br/>
+1. Microtik RB4011 (for any gateway), CR312 (sw01 + sw02 in bonding), CCR2004-1G-12S+2XS (as core L3 router)<br/>
+2. Firewall basic script for Linux<br/>
+<br/>
+
+
--- a/mikrotik/README.md
+++ b/mikrotik/README.md
@ -0,0 +1,2 @@
+# network-mikrotik
+
--- a/mikrotik/base-config/README.md
+++ b/mikrotik/base-config/README.md
@ -0,0 +1,111 @@
+# It is examples base configuration for Mikrotik.<br/>
+Please always check these options for base config new device:
+
+ 1. Add user new user with admin priv:<br/>
+`/user add name="admin2" password="PASSWORD" group=full`<br/>
+ 2. Set NTP server:<br/>
+`/system ntp client set enabled=yes primary-ntp=80.240.216.155 secondary-ntp=85.21.78.23`<br/>
+<br/>
+`/system ntp client set enabled=yes`<br/>
+`/system ntp client servers`<br/>
+`add address=0.pool.ntp.org`<br/>
+`add address=1.pool.ntp.org`<br/>
+<br/>
+`/system ntp server set enabled=no`<br/>
+<br/>
+3. Set Time Zone:<br/>
+`/system clock set time-zone-name=Europe/Moscow`<br/>
+<br/>
+4. Disabled unuse service:<br/>
+`{ :local ver [/system resource get version]; :global vermajor [:pick $ver 0 [:find $ver "."]] }`<br/>
+`:if ($vermajor = 7) do={ /ipv6 settings set disable-ipv6=yes }`<br/>
+`:if ($vermajor = 6) do={ /system package disable ipv6 }'`<br/>
+<br/>
+`/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT`<br/>
+`/tool mac-server set allowed-interface-list=none`<br/>
+`/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT`<br/>
+`/tool mac-server ping set enabled=no`<br/>
+<br/>
+`/ip smb set enabled=no`<br/>
+<br/>
+`/ip service set www     disabled=yes`<br/>
+`/ip service set api     disabled=yes`<br/>
+`/ip service set api-ssl disabled=yes`<br/>
+`/ip service set ftp     disabled=yes`<br/>
+`/ip service set telnet  disabled=yes`<br/>
+`/ip service set winbox  disabled=no`<br/>
+`/ip service set ssh     disabled=no`<br/>
+<br/>
+`/tool bandwidth-server set enabled=no`<br/>
+`/tool romon set enabled=no`<br/>
+<br/>
+`/ip ssh set strong-crypto=yes host-key-size=4096 forwarding-enabled=both always-allow-password-login=yes`<br/>
+<br/>
+`/ip settings set tcp-syncookies=yes`<br/>
+<br/>
+`/ip proxy set enabled=no`<br/>
+`/ip socks set enabled=no`<br/>
+`/ip upnp set enabled=no`<br/>
+`/ip cloud set ddns-enabled=no update-time=no`<br/>
+<br/>
+5. For security add blackhole routes and deny BOGON networks<br/>
+<br/>
+`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8 blackhole`<br/>
+`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16 blackhole`<br/>
+`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12 blackhole`<br/>
+`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16 blackhole`<br/>
+<br/>
+`/ip firewall address-list add address=0.0.0.0/8 list=all-bogon  comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=127.0.0.0/16 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=10.0.0.0/8 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=172.16.0.0/12 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=192.168.0.0/16 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=169.254.0.0/16 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=192.0.2.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=198.51.100.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=203.0.113.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=198.18.0.0/15 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=192.88.99.0/24 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=100.64.0.0/10 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=240.0.0.0/4 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=224.0.0.0/4 list=all-bogon comment="List addr BOGON networks"`<br/>
+`/ip firewall address-list add address=255.255.255.255 list=all-bogon comment="List addr BOGON networks"`<br/>
+<br/>
+`/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections FID=SERVICE-RULES" connection-state=invalid`<br/>
+`/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections FID=SERVICE-RULES" connection-state=invalid`<br/>
+`/ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon`<br/>
+`/ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside`<br/>
+`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon`<br/>
+`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside`<br/>
+`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside FID=SERVICE-RULES  FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside`<br/>
+<br/>
+`/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset`<br/>
+`/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable`<br/>
+`/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""`<br/>
+`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset`<br/>
+`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable`<br/>
+`/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""`<br/>
+<br/>
+6. For config bridge:<br/>
+`/interface bridge add name=bridge-1`<br/>
+`/interface bridge port add bridge=bridge-1 hw=yes interface=ether2`<br/>
+`/interface bridge port add bridge=bridge-1 hw=yes interface=ether3`<br/>
+`/interface bridge port add bridge=bridge-1 hw=yes interface=ether4`<br/>
+`/interface bridge port add bridge=bridge-1 hw=yes interface=ether5`<br/>
+<br/>
+У портов есть 3 варианта настроек:<br/>
+`admit all — Аналог гибридного порта, пропускать весь трафик (все теги vlan, в т.ч. native Vlan)`<br/>
+`admit only VLAN tagged — Аналог Trunk, пропускать только тэгированный трафик (все теги Vlan указанные в VLAN’s)`<br/>
+`admit only untagged and priority tagged — Аналог Access, пропускать указанный PVID Vlan`<br/>
+<br/>
+<br/>
+7. For backup<br/>
+`export terse file=gw02-21.04.20`<br/>
+<br/>
+`console clear-history`<br/>
+<br/>
+For CHR:<br/>
+4 vCPU / 4 RAM / 512MB IDE HDD<br/>
+<br/>
+vmkfstools -i chr-6.46.6.vmdk MikroTik-CHR.vmdk -d thin<br/>
+vmkfstools -X 512M MikroTik-CHR.vmdk<br/>
--- a/mikrotik/base-config/dc01-ccr01-terse.rsc
+++ b/mikrotik/base-config/dc01-ccr01-terse.rsc
@ -0,0 +1,130 @@
+# 2024-08-30 22:38:13 by RouterOS 7.15.3
+# software id = X2AJ-5BFT
+#
+# model = CCR2004-1G-12S+2XS
+# serial number = HEW095QA6AY
+/interface ethernet set [ find default-name=ether1 ] comment="Management interface for network devices (MAC server only)" name=ether1-mac-mgmt
+/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment="Link to switch dc01-sw01 [ bond ]" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus2 ] comment="Link to switch dc01-sw02 [ bond ]" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus3 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus4 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus5 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus6 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus7 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus8 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus9 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus10 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus11 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus12 ] comment="Link to router dc01-gw01 INSIDE <--> TRANSPORT LINK <-->  OUTSIDE" l2mtu=1600
+/interface ethernet set [ find default-name=sfp28-1 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp28-2 ] l2mtu=9092 mtu=9000
+/interface bonding add mode=active-backup mtu=9000 name=bond_SW01_SW02 primary=sfp-sfpplus1 slaves=sfp-sfpplus1,sfp-sfpplus2
+/interface vlan add comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0002 vlan-id=2
+/interface vlan add comment="VLAN-0003 for VMware vSphere vMotion" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0003 vlan-id=3
+/interface vlan add comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=bond_SW01_SW02 name=VLAN-0010 vlan-id=10
+/interface vlan add comment="VLAN-0011 for Management iLO IPMI" interface=bond_SW01_SW02 name=VLAN-0011 vlan-id=11
+/interface vlan add comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=bond_SW01_SW02 mtu=9000 name=VLAN-3222-DMZ vlan-id=3222
+/interface list add name=interfaces-MAC-MGMT
+/ip smb users set [ find default=yes ] disabled=yes
+/port set 0 name=serial0
+/ip smb set enabled=no
+/ip firewall connection tracking set udp-timeout=10s
+/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
+/ip settings set tcp-syncookies=yes
+/ipv6 settings set disable-ipv6=yes
+/interface list member add interface=ether1-mac-mgmt list=interfaces-MAC-MGMT
+/ip address add address=10.12.90.254/24 comment="Transport for access outside <--> inside" interface=sfp-sfpplus12 network=10.12.90.0
+/ip address add address=10.8.2.1/24 comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" interface=VLAN-0002 network=10.8.2.0
+/ip address add address=10.8.3.1/24 comment="VLAN-0003 for VMware vSphere vMotion" interface=VLAN-0003 network=10.8.3.0
+/ip address add address=10.8.10.251/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=VLAN-0010 network=10.8.10.0
+/ip address add address=10.8.10.1/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=VLAN-0010 network=10.8.10.0
+/ip address add address=10.8.11.1/24 comment="VLAN-0011 for Management iLO IPMI" interface=VLAN-0011 network=10.8.11.0
+/ip address add address=10.11.222.1/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=VLAN-3222-DMZ network=10.11.222.0
+/ip cloud set update-time=no
+/ip dns set servers=77.88.8.8,77.88.8.1
+/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management network devices FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
+/ip firewall address-list add address=192.168.24.0/24 comment="List addr OpenVPN FID=ovp8nkdb4cxkq1ms" list=all-ovpn
+/ip firewall address-list add address=10.8.0.0/13 comment="all-all network dmz + inside + transport + ovpn + l2pt etc" list=all-networks
+/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
+/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+/ip firewall address-list add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" list=all-dmz
+/ip firewall address-list add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" list=all-inside
+/ip firewall address-list add address=10.12.90.0/24 comment="List subnetwork transport VLAN-4090 for access outside <--> inside" list=transport-sfp-sfpplus12
+/ip firewall address-list add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
+/ip firewall address-list add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" list=all-inside
+/ip firewall address-list add address=10.10.0.0/16 comment="all INSIDE networks (VLANs range 2000-2255)" list=all-inside
+/ip firewall address-list add address=10.8.2.0/24 comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" list=inside-VLAN-0002
+/ip firewall address-list add address=10.8.3.0/24 comment="VLAN-0003 for VMware vSphere vMotion" list=inside-VLAN-0003
+/ip firewall address-list add address=127.0.0.1 list=allow-default-for-all
+/ip firewall address-list add address=127.0.0.1 list=allow-default-buh
+/ip firewall address-list add address=10.8.10.0/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" list=inside-VLAN-0010
+/ip firewall address-list add address=10.8.11.0/24 comment="VLAN-0011 for Management iLO IPMI" list=inside-VLAN-0011
+/ip firewall address-list add address=10.8.2.5 comment="VLAN-0002 [ dc01-vcsrv01-infr.comp.loc ]" list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc
+/ip firewall address-list add address=10.8.2.11 comment="VLAN-0002 [ host01.cluster01.esxi.comp.loc ] ESXI" list=inside-VLAN-0002-ESXi-Cluster01-hosts
+/ip firewall address-list add address=10.8.2.12 comment="VLAN-0002 [ host02.cluster01.esxi.comp.loc ] ESXI" list=inside-VLAN-0002-ESXi-Cluster01-hosts
+/ip firewall address-list add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-IT
+/ip firewall address-list add address=127.0.0.1 comment="allow [All ICMP,TCP,UDP] [ivanov_ovpn]" list=allow-to-VLAN-0002-adm-ALL
+/ip firewall address-list add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [All ICMP,TCP,UDP] [ivanov_ovpn] [VPN]" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
+/ip firewall address-list add address=127.0.0.1 list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-IT
+/ip firewall address-list add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:80,443] [ivanov_ovpn] [VPN] FID=1234567890" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
+/ip firewall address-list add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-SEC
+/ip firewall address-list add address=127.0.0.1 list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-SEC
+/ip firewall address-list add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:22] [ivanov_ovpn] [VPN]" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
+/ip firewall address-list add address=10.11.222.0/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" list=dmz-VLAN-3222
+/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
+/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=udp
+/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
+/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
+/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0002 -->> ME [ICMP] for VMware vSphere infrastructure (vCenter server, ESXi hosts)" connection-state=new dst-address-list=inside-VLAN-0002 in-interface=VLAN-0002 protocol=icmp src-address-list=inside-VLAN-0002
+/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICMP] for VMware vSphere vMotion" connection-state=new dst-address-list=inside-VLAN-0003 in-interface=VLAN-0003 protocol=icmp src-address-list=inside-VLAN-0003
+/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICMP] for Management interface for network devices (TCP/IP connect)" connection-state=new dst-address-list=inside-VLAN-0010 in-interface=VLAN-0010 protocol=icmp src-address-list=inside-VLAN-0010
+/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICMP] for Management iLO IPMI" connection-state=new dst-address-list=inside-VLAN-0011 in-interface=VLAN-0011 protocol=icmp src-address-list=inside-VLAN-0011
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-inside in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-inside dst-port=22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-dmz in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-dmz dst-port=22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=icmp
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=tcp
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=udp
+/ip firewall filter add action=accept chain=allow-default-for-all protocol=icmp
+/ip firewall filter add action=accept chain=allow-default-buh protocol=icmp
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSPORT LINK <-->  OUTSIDE (to dc01-gw01)" connection-state=new dst-address-list=!all-networks out-interface=sfp-sfpplus12 src-address-list=all-networks
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip firewall filter add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002 jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-adm-ALL
+/ip firewall filter add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
+/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 protocol=icmp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
+/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=22 out-interface=VLAN-0002 protocol=tcp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
+/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 protocol=icmp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
+/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=80,443 out-interface=VLAN-0002 protocol=tcp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
+/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.12.90.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip route add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip service set telnet disabled=yes
+/ip service set ftp disabled=yes
+/ip service set www disabled=yes
+/ip service set api disabled=yes
+/ip service set api-ssl disabled=yes
+/ip smb shares set [ find default=yes ] directory=/pub
+/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
+/system clock set time-zone-name=Europe/Moscow
+/system identity set name=dc01-ccr01
+/system note set show-at-login=no
+/system ntp client set enabled=yes
+/system ntp client servers add address=80.240.216.155
+/system ntp client servers add address=185.232.69.65
+/system routerboard settings set enter-setup-on=delete-key
+/tool bandwidth-server set enabled=no
+/tool mac-server set allowed-interface-list=none
+/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping set enabled=no
--- a/mikrotik/base-config/dc01-ccr01.rsc
+++ b/mikrotik/base-config/dc01-ccr01.rsc
@ -0,0 +1,297 @@
+# 2024-08-30 22:38:15 by RouterOS 7.15.3
+# software id = X2AJ-5BFT
+#
+# model = CCR2004-1G-12S+2XS
+# serial number = HEW095QA6AY
+/interface ethernet
+set [ find default-name=ether1 ] comment=\
+    "Management interface for network devices (MAC server only)" name=\
+    ether1-mac-mgmt
+set [ find default-name=sfp-sfpplus1 ] comment=\
+    "Link to switch dc01-sw01 [ bond ]" l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus2 ] comment=\
+    "Link to switch dc01-sw02 [ bond ]" l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus3 ] l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus4 ] l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus5 ] l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus6 ] l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus7 ] l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus8 ] l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus9 ] l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus10 ] l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus11 ] l2mtu=9092 mtu=9000
+set [ find default-name=sfp-sfpplus12 ] comment=\
+    "Link to router dc01-gw01 INSIDE <--> TRANSPORT LINK <-->  OUTSIDE" \
+    l2mtu=1600
+set [ find default-name=sfp28-1 ] l2mtu=9092 mtu=9000
+set [ find default-name=sfp28-2 ] l2mtu=9092 mtu=9000
+/interface bonding
+add mode=active-backup mtu=9000 name=bond_SW01_SW02 primary=sfp-sfpplus1 \
+    slaves=sfp-sfpplus1,sfp-sfpplus2
+/interface vlan
+add comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi\
+    \_hosts)" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0002 vlan-id=2
+add comment="VLAN-0003 for VMware vSphere vMotion" interface=bond_SW01_SW02 \
+    mtu=9000 name=VLAN-0003 vlan-id=3
+add comment=\
+    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+    interface=bond_SW01_SW02 name=VLAN-0010 vlan-id=10
+add comment="VLAN-0011 for Management iLO IPMI" interface=bond_SW01_SW02 \
+    name=VLAN-0011 vlan-id=11
+add comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=\
+    bond_SW01_SW02 mtu=9000 name=VLAN-3222-DMZ vlan-id=3222
+/interface list
+add name=interfaces-MAC-MGMT
+/ip smb users
+set [ find default=yes ] disabled=yes
+/port
+set 0 name=serial0
+/ip smb
+set enabled=no
+/ip firewall connection tracking
+set udp-timeout=10s
+/ip neighbor discovery-settings
+set discover-interface-list=interfaces-MAC-MGMT
+/ip settings
+set tcp-syncookies=yes
+/ipv6 settings
+set disable-ipv6=yes
+/interface list member
+add interface=ether1-mac-mgmt list=interfaces-MAC-MGMT
+/ip address
+add address=10.12.90.254/24 comment=\
+    "Transport for access outside <--> inside" interface=sfp-sfpplus12 \
+    network=10.12.90.0
+add address=10.8.2.1/24 comment="VLAN-0002 for VMware vSphere infrastructure (\
+    vCenter server, ESXi hosts)" interface=VLAN-0002 network=10.8.2.0
+add address=10.8.3.1/24 comment="VLAN-0003 for VMware vSphere vMotion" \
+    interface=VLAN-0003 network=10.8.3.0
+add address=10.8.10.251/24 comment=\
+    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+    interface=VLAN-0010 network=10.8.10.0
+add address=10.8.10.1/24 comment=\
+    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+    interface=VLAN-0010 network=10.8.10.0
+add address=10.8.11.1/24 comment="VLAN-0011 for Management iLO IPMI" \
+    interface=VLAN-0011 network=10.8.11.0
+add address=10.11.222.1/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" \
+    interface=VLAN-3222-DMZ network=10.11.222.0
+/ip cloud
+set update-time=no
+/ip dns
+set servers=77.88.8.8,77.88.8.1
+/ip firewall address-list
+add address=10.8.10.0/24 comment="List addr for Management network devices FID\
+    =admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
+add address=192.168.24.0/24 comment="List addr OpenVPN FID=ovp8nkdb4cxkq1ms" \
+    list=all-ovpn
+add address=10.8.0.0/13 comment=\
+    "all-all network dmz + inside + transport + ovpn + l2pt etc" list=\
+    all-networks
+add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
+    ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
+add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
+    s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" \
+    list=all-dmz
+add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" \
+    list=all-inside
+add address=10.12.90.0/24 comment=\
+    "List subnetwork transport VLAN-4090 for access outside <--> inside" \
+    list=transport-sfp-sfpplus12
+add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
+add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" \
+    list=all-inside
+add address=10.10.0.0/16 comment=\
+    "all INSIDE networks (VLANs range 2000-2255)" list=all-inside
+add address=10.8.2.0/24 comment="VLAN-0002 for VMware vSphere infrastructure (\
+    vCenter server, ESXi hosts)" list=inside-VLAN-0002
+add address=10.8.3.0/24 comment="VLAN-0003 for VMware vSphere vMotion" list=\
+    inside-VLAN-0003
+add address=127.0.0.1 list=allow-default-for-all
+add address=127.0.0.1 list=allow-default-buh
+add address=10.8.10.0/24 comment=\
+    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+    list=inside-VLAN-0010
+add address=10.8.11.0/24 comment="VLAN-0011 for Management iLO IPMI" list=\
+    inside-VLAN-0011
+add address=10.8.2.5 comment="VLAN-0002 [ dc01-vcsrv01-infr.comp.loc ]" list=\
+    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc
+add address=10.8.2.11 comment=\
+    "VLAN-0002 [ host01.cluster01.esxi.comp.loc ] ESXI" list=\
+    inside-VLAN-0002-ESXi-Cluster01-hosts
+add address=10.8.2.12 comment=\
+    "VLAN-0002 [ host02.cluster01.esxi.comp.loc ] ESXI" list=\
+    inside-VLAN-0002-ESXi-Cluster01-hosts
+add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-IT
+add address=127.0.0.1 comment="allow [All ICMP,TCP,UDP] [ivanov_ovpn]" list=\
+    allow-to-VLAN-0002-adm-ALL
+add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [All ICMP,T\
+    CP,UDP] [ivanov_ovpn] [VPN]" list=\
+    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
+add address=127.0.0.1 list=\
+    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-IT
+add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:8\
+    0,443] [ivanov_ovpn] [VPN] FID=1234567890" list=\
+    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
+add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-SEC
+add address=127.0.0.1 list=\
+    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-SEC
+add address=127.0.0.1 comment=\
+    "allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:22] [ivanov_ovpn] [VPN]" \
+    list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
+add address=10.11.222.0/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" \
+    list=dmz-VLAN-3222
+/ip firewall filter
+add action=fasttrack-connection chain=forward connection-state=\
+    established,related hw-offload=yes protocol=tcp
+add action=fasttrack-connection chain=forward connection-state=\
+    established,related hw-offload=yes protocol=udp
+add action=accept chain=input comment="allow INPUT established,related" \
+    connection-state=established,related
+add action=accept chain=forward comment="allow FORWARD established,related" \
+    connection-state=established,related
+add action=drop chain=input comment="deny INPUT Invalid connections" \
+    connection-state=invalid
+add action=drop chain=forward comment="deny FORWARD Invalid connections" \
+    connection-state=invalid
+add action=accept chain=input comment="allow INPUT from VLAN-0002 -->> ME [ICM\
+    P] for VMware vSphere infrastructure (vCenter server, ESXi hosts)" \
+    connection-state=new dst-address-list=inside-VLAN-0002 in-interface=\
+    VLAN-0002 protocol=icmp src-address-list=inside-VLAN-0002
+add action=accept chain=input comment=\
+    "allow INPUT from VLAN-0003 -->> ME [ICMP] for VMware vSphere vMotion" \
+    connection-state=new dst-address-list=inside-VLAN-0003 in-interface=\
+    VLAN-0003 protocol=icmp src-address-list=inside-VLAN-0003
+add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICM\
+    P] for Management interface for network devices (TCP/IP connect)" \
+    connection-state=new dst-address-list=inside-VLAN-0010 in-interface=\
+    VLAN-0010 protocol=icmp src-address-list=inside-VLAN-0010
+add action=accept chain=input comment=\
+    "allow INPUT from VLAN-0003 -->> ME [ICMP] for Management iLO IPMI" \
+    connection-state=new dst-address-list=inside-VLAN-0011 in-interface=\
+    VLAN-0011 protocol=icmp src-address-list=inside-VLAN-0011
+add action=accept chain=input comment=\
+    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+    in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
+add action=accept chain=input comment=\
+    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+    dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
+    admin-mgm-net
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
+    admin-L2TP-VPN-mgm
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    in-interface=sfp-sfpplus12 protocol=icmp src-address-list=\
+    admin-L2TP-VPN-mgm
+add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
+    ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \
+    connection-state=new dst-address-list=all-inside in-interface=\
+    sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
+    ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \
+    connection-state=new dst-address-list=all-inside dst-port=\
+    22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp \
+    src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
+    ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=\
+    new dst-address-list=all-dmz in-interface=sfp-sfpplus12 protocol=icmp \
+    src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
+    ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=\
+    new dst-address-list=all-dmz dst-port=22,80,443,5480,3389,8291 \
+    in-interface=sfp-sfpplus12 protocol=tcp src-address-list=\
+    admin-L2TP-VPN-mgm
+add action=accept chain=allow_icmp_tcp_udp comment=\
+    "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=icmp
+add action=accept chain=allow_icmp_tcp_udp comment=\
+    "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=tcp
+add action=accept chain=allow_icmp_tcp_udp comment=\
+    "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=udp
+add action=accept chain=allow-default-for-all protocol=icmp
+add action=accept chain=allow-default-buh protocol=icmp
+add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSP\
+    ORT LINK <-->  OUTSIDE (to dc01-gw01)" connection-state=new \
+    dst-address-list=!all-networks out-interface=sfp-sfpplus12 \
+    src-address-list=all-networks
+add action=reject chain=input comment=\
+    "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
+    protocol=tcp reject-with=tcp-reset
+add action=reject chain=input comment=\
+    "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
+    connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=input comment="deny INPUT all" connection-state=""
+add action=reject chain=forward comment=\
+    "deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \
+    protocol=tcp reject-with=tcp-reset
+add action=reject chain=forward comment=\
+    "deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \
+    connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+add action=jump chain=forward connection-state=new dst-address-list=\
+    inside-VLAN-0002 jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 \
+    src-address-list=allow-to-VLAN-0002-adm-ALL
+add action=jump chain=forward connection-state=new dst-address-list=\
+    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc jump-target=\
+    allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=\
+    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
+add action=accept chain=forward connection-state=new dst-address-list=\
+    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 \
+    protocol=icmp src-address-list=\
+    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
+add action=accept chain=forward connection-state=new dst-address-list=\
+    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=22 out-interface=\
+    VLAN-0002 protocol=tcp src-address-list=\
+    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
+add action=accept chain=forward connection-state=new dst-address-list=\
+    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 \
+    protocol=icmp src-address-list=\
+    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
+add action=accept chain=forward connection-state=new dst-address-list=\
+    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=80,443 \
+    out-interface=VLAN-0002 protocol=tcp src-address-list=\
+    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
+/ip route
+add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.12.90.1 \
+    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gd\
+    nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\
+    10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \
+    target-scope=10
+/ip service
+set telnet disabled=yes
+set ftp disabled=yes
+set www disabled=yes
+set api disabled=yes
+set api-ssl disabled=yes
+/ip smb shares
+set [ find default=yes ] directory=/pub
+/ip ssh
+set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
+    4096 strong-crypto=yes
+/system clock
+set time-zone-name=Europe/Moscow
+/system identity
+set name=dc01-ccr01
+/system note
+set show-at-login=no
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=80.240.216.155
+add address=185.232.69.65
+/system routerboard settings
+set enter-setup-on=delete-key
+/tool bandwidth-server
+set enabled=no
+/tool mac-server
+set allowed-interface-list=none
+/tool mac-server mac-winbox
+set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping
+set enabled=no
--- a/mikrotik/base-config/dc01-emer01-terse.rsc
+++ b/mikrotik/base-config/dc01-emer01-terse.rsc
@ -0,0 +1,90 @@
+# 2024-09-04 13:07:25 by RouterOS 7.15.3
+# software id = 73EZ-45GQ
+#
+# model = RB750Gr3
+# serial number = 6F380862DC41
+/interface bridge add name=bridge-local
+/interface ethernet set [ find default-name=ether1 ] name=ether1-outside
+/interface list add name=interfaces-MAC-MGMT
+/interface list add name=interfaces-outside
+/ppp profile add bridge=bridge-local change-tcp-mss=yes local-address=172.20.1.1 name=emergency only-one=yes use-ipv6=no use-mpls=no use-upnp=no
+/ip smb set enabled=no
+/interface bridge port add bridge=bridge-local interface=ether2
+/interface bridge port add bridge=bridge-local interface=ether3
+/interface bridge port add bridge=bridge-local interface=ether4
+/interface bridge port add bridge=bridge-local interface=ether5
+/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
+/ip settings set tcp-syncookies=yes
+/ipv6 settings set disable-ipv6=yes
+/interface list member add interface=ether2 list=interfaces-MAC-MGMT
+/interface list member add interface=ether3 list=interfaces-MAC-MGMT
+/interface list member add interface=ether4 list=interfaces-MAC-MGMT
+/interface list member add interface=ether5 list=interfaces-MAC-MGMT
+/interface list member add interface=ether1-outside list=interfaces-outside
+/interface ovpn-server server set auth=sha1 certificate=ovpn-server cipher=aes256-cbc default-profile=emergency enabled=yes mode=ethernet port=40004 protocol=udp require-client-certificate=yes tls-version=only-1.2
+/ip address add address=11.11.11.123/29 interface=ether1-outside network=11.11.11.120
+/ip cloud set update-time=no
+/ip dns set servers=8.8.8.8
+/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
+/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=outside-only-22.22.22.123
+/ip firewall address-list add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
+/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
+/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface-list=interfaces-outside src-address-list=all-bogon
+/ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface-list=interfaces-outside
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface-list=interfaces-outside src-address-list=all-bogon
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface-list=interfaces-outside
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside FID=SERVICE-RULES  FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [ICMP]" connection-state=new in-interface=ether1-outside protocol=icmp
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME OVPN server [UDP:40004]" connection-state=new dst-port=40004 in-interface=ether1-outside protocol=udp
+/ip firewall filter add action=accept chain=input connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=62.212.68.103
+/ip firewall filter add action=accept chain=input connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=213.141.150.29
+/ip firewall filter add action=accept chain=input dst-address=172.20.1.0/24 in-interface=bridge-local protocol=icmp src-address=172.20.1.0/24
+/ip firewall filter add action=accept chain=input connection-state=new dst-address=172.20.1.0/24 dst-port=22,8291 in-interface=bridge-local protocol=tcp src-address=172.20.1.0/24
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip hotspot profile set [ find default=yes ] html-directory=hotspot
+/ip route add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=main suppress-hw-offload=no
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16
+/ip service set telnet disabled=yes
+/ip service set ftp disabled=yes
+/ip service set www disabled=yes
+/ip service set api disabled=yes
+/ip service set api-ssl disabled=yes
+/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
+/ppp secret add name=ivanov_ovpn profile=emergency remote-address=172.20.1.2 service=ovpn
+/system clock set time-zone-name=Europe/Moscow
+/system identity set name=dc01-emer01
+/system note set show-at-login=no
+/system ntp client set enabled=yes
+/system ntp client servers add address=0.pool.ntp.org
+/system ntp client servers add address=1.pool.ntp.org
+/system ntp client servers add address=2.pool.ntp.org
+/system ntp client servers add address=3.pool.ntp.org
+/tool bandwidth-server set enabled=no
+/tool mac-server set allowed-interface-list=none
+/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping set enabled=no
--- a/mikrotik/base-config/dc01-emer01.rsc
+++ b/mikrotik/base-config/dc01-emer01.rsc
@ -0,0 +1,164 @@
+# 2024-09-04 13:07:44 by RouterOS 7.15.3
+# software id = 73EZ-45GQ
+#
+# model = RB750Gr3
+# serial number = 6F380862DC41
+/interface bridge
+add name=bridge-local
+/interface ethernet
+set [ find default-name=ether1 ] name=ether1-outside
+/interface list
+add name=interfaces-MAC-MGMT
+add name=interfaces-outside
+/ppp profile
+add bridge=bridge-local change-tcp-mss=yes local-address=172.20.1.1 name=\
+    emergency only-one=yes use-ipv6=no use-mpls=no use-upnp=no
+/ip smb
+set enabled=no
+/interface bridge port
+add bridge=bridge-local interface=ether2
+add bridge=bridge-local interface=ether3
+add bridge=bridge-local interface=ether4
+add bridge=bridge-local interface=ether5
+/ip neighbor discovery-settings
+set discover-interface-list=interfaces-MAC-MGMT
+/ip settings
+set tcp-syncookies=yes
+/ipv6 settings
+set disable-ipv6=yes
+/interface list member
+add interface=ether2 list=interfaces-MAC-MGMT
+add interface=ether3 list=interfaces-MAC-MGMT
+add interface=ether4 list=interfaces-MAC-MGMT
+add interface=ether5 list=interfaces-MAC-MGMT
+add interface=ether1-outside list=interfaces-outside
+/interface ovpn-server server
+set auth=sha1 certificate=ovpn-server cipher=aes256-cbc default-profile=\
+    emergency enabled=yes mode=ethernet port=40004 protocol=udp \
+    require-client-certificate=yes tls-version=only-1.2
+/ip address
+add address=11.11.11.123/29 interface=ether1-outside network=11.11.11.120
+/ip cloud
+set update-time=no
+/ip dns
+set servers=8.8.8.8
+/ip firewall address-list
+add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
+add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=\
+    outside-only-22.22.22.123
+add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
+add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
+add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
+add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
+add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
+add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
+add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
+add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
+add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
+add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
+add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
+add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
+add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
+add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
+add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
+/ip firewall filter
+add action=accept chain=input comment="allow INPUT established,related" \
+    connection-state=established,related
+add action=accept chain=forward comment="allow FORWARD established,related" \
+    connection-state=established,related
+add action=drop chain=input comment="deny INPUT Invalid connections" \
+    connection-state=invalid
+add action=drop chain=forward comment="deny FORWARD Invalid connections" \
+    connection-state=invalid
+add action=drop chain=input comment=\
+    "deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" \
+    connection-state="" in-interface-list=interfaces-outside \
+    src-address-list=all-bogon
+add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON\
+    \_IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=\
+    all-bogon out-interface-list=interfaces-outside
+add action=drop chain=forward comment="deny FORWARD from outside -->> inside [\
+    \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \
+    in-interface-list=interfaces-outside src-address-list=all-bogon
+add action=drop chain=forward comment="deny FORWARD from inside -->> outside [\
+    \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \
+    dst-address-list=all-bogon out-interface-list=interfaces-outside
+add action=drop chain=forward comment="deny FORWARD from inside -->> outside F\
+    ID=SERVICE-RULES  FID=SERVICE-RULES" connection-nat-state=!dstnat \
+    connection-state=new in-interface=ether1-outside
+add action=accept chain=input comment=\
+    "allow INPUT from outside -->> ME [ICMP]" connection-state=new \
+    in-interface=ether1-outside protocol=icmp
+add action=accept chain=input comment=\
+    "allow INPUT from outside -->> ME OVPN server [UDP:40004]" \
+    connection-state=new dst-port=40004 in-interface=ether1-outside protocol=\
+    udp
+add action=accept chain=input connection-state=new dst-port=22,8291 \
+    in-interface=ether1-outside protocol=tcp src-address=62.212.68.103
+add action=accept chain=input connection-state=new dst-port=22,8291 \
+    in-interface=ether1-outside protocol=tcp src-address=213.141.150.29
+add action=accept chain=input dst-address=172.20.1.0/24 in-interface=\
+    bridge-local protocol=icmp src-address=172.20.1.0/24
+add action=accept chain=input connection-state=new dst-address=172.20.1.0/24 \
+    dst-port=22,8291 in-interface=bridge-local protocol=tcp src-address=\
+    172.20.1.0/24
+add action=reject chain=input comment=\
+    "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
+    protocol=tcp reject-with=tcp-reset
+add action=reject chain=input comment=\
+    "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
+    connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=input comment="deny INPUT all" connection-state=""
+add action=reject chain=forward comment=\
+    "deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=\
+    new protocol=tcp reject-with=tcp-reset
+add action=reject chain=forward comment=\
+    "deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=\
+    new log-prefix=reject_fw_udp protocol=udp reject-with=\
+    icmp-port-unreachable
+add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip hotspot profile
+set [ find default=yes ] html-directory=hotspot
+/ip route
+add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=\
+    main suppress-hw-offload=no
+add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
+    distance=249 dst-address=10.0.0.0/8
+add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
+    distance=249 dst-address=169.254.0.0/16
+add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
+    distance=249 dst-address=172.16.0.0/12
+add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
+    distance=249 dst-address=192.168.0.0/16
+/ip service
+set telnet disabled=yes
+set ftp disabled=yes
+set www disabled=yes
+set api disabled=yes
+set api-ssl disabled=yes
+/ip ssh
+set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
+    4096 strong-crypto=yes
+/ppp secret
+add name=ivanov_ovpn profile=emergency remote-address=172.20.1.2 service=ovpn
+/system clock
+set time-zone-name=Europe/Moscow
+/system identity
+set name=dc01-emer01
+/system note
+set show-at-login=no
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=0.pool.ntp.org
+add address=1.pool.ntp.org
+add address=2.pool.ntp.org
+add address=3.pool.ntp.org
+/tool bandwidth-server
+set enabled=no
+/tool mac-server
+set allowed-interface-list=none
+/tool mac-server mac-winbox
+set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping
+set enabled=no
--- a/mikrotik/base-config/dc01-gw01-terse.rsc
+++ b/mikrotik/base-config/dc01-gw01-terse.rsc
@ -0,0 +1,168 @@
+# 2024-08-30 22:34:45 by RouterOS 7.15.3
+# software id = 6HAJ-6CUK
+#
+# model = RB4011iGS+
+# serial number = HEH08H8P0GS
+/interface ethernet set [ find default-name=ether1 ] name=ether1-outside
+/interface ethernet set [ find default-name=ether2 ] disabled=yes
+/interface ethernet set [ find default-name=ether3 ] disabled=yes
+/interface ethernet set [ find default-name=ether4 ] disabled=yes
+/interface ethernet set [ find default-name=ether5 ] disabled=yes
+/interface ethernet set [ find default-name=ether6 ] disabled=yes
+/interface ethernet set [ find default-name=ether7 ] disabled=yes
+/interface ethernet set [ find default-name=ether8 ] comment="Management interface for network devices (TCP/IP connect)" name=ether8-mgmt
+/interface ethernet set [ find default-name=ether9 ] comment="Management interface for network devices (MAC server only)" name=ether9-mac-mgmt
+/interface ethernet set [ find default-name=ether10 ] disabled=yes
+/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment="Link to dc01-ccr01 INSIDE <--> TRANSPORT LINK <-->  OUTSIDE"
+/interface list add name=interfaces-MGM
+/interface list add name=interfaces-outside
+/interface list add name=interfaces-VPN-ptp
+/ip smb users set [ find default=yes ] disabled=yes
+/port set 0 name=serial0
+/port set 1 name=serial1
+/ppp profile add change-tcp-mss=yes comment="For L2TP VPN MGM admins FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" name=L2TP_VPN_Profile_mgm only-one=no use-compression=yes use-encryption=yes use-ipv6=no use-mpls=no use-upnp=no
+/ip smb set enabled=no
+/ip firewall connection tracking set udp-timeout=10s
+/ip neighbor discovery-settings set discover-interface-list=interfaces-MGM
+/ip settings set tcp-syncookies=yes
+/ipv6 settings set disable-ipv6=yes
+/interface l2tp-server server set authentication=mschap2 enabled=yes use-ipsec=yes
+/interface list member add interface=ether9-mac-mgmt list=interfaces-MGM
+/interface list member add interface=ether1-outside list=interfaces-outside
+/ip address add address=10.12.90.1/24 comment="Transport for access outside <--> inside" interface=sfp-sfpplus1 network=10.12.90.0
+/ip address add address=11.11.11.122/29 comment="Outside IPs" interface=ether1-outside network=11.11.11.120
+/ip address add address=10.8.10.11/24 comment="Management interface for network devices (TCP/IP connect)" interface=ether8-mgmt network=10.8.10.0
+/ip cloud set update-time=no
+/ip dns set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:53 ] FID=n1fk4do7we2ah5uz" list=allow_inet_DNS
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:22] FID=pq9dm54nwj4ah6ee" list=allow_inet_SSH
+/ip firewall address-list add address=11.11.11.122 comment="List addr OUTSIDE IPs" list=all-outside
+/ip firewall address-list add address=11.11.11.122 comment="List addr OUTSIDE IP=22.22.22.122" list=outside-only-22.22.22.122
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [ICMP] FID=zpfju4q8wn2hj5n7" list=allow_inet_icmp
+/ip firewall address-list add address=192.168.24.0/24 comment="List addr OpenVPN" disabled=yes list=all-ovpn
+/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
+/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=outside-only-22.22.22.123
+/ip firewall address-list add address=11.11.11.124 comment="List addr OUTSIDE IP=22.22.22.124" list=outside-only-22.22.22.124
+/ip firewall address-list add address=11.11.11.125 comment="List addr OUTSIDE IP=22.22.22.125" list=outside-only-22.22.22.125
+/ip firewall address-list add address=10.99.99.99 comment="List addr clients from inside network to local DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
+/ip firewall address-list add address=10.99.99.77 comment="List addr clients from inside network to local DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:80,443] servername.local FID=q5tst1p6o3jrdnb9" list=allow_inet_HTTPS
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [ALL:ALL] FID=allan3smjenrbtq3" list=allow_inet_all
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:25,465,587] FID=alld1nrr9nabdnt1" list=allow_inet_SMTP
+/ip firewall address-list add address=10.8.0.0/13 comment="all-all network dmz + inside + transport + ovpn + l2pt etc" list=all-networks
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:143,993] FID=izmp3domfei9qnae" list=allow_inet_IMAP
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:43] FID=ivnusgh98hs98wh9" list=allow_inet_WHOIS
+/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq  ADMIN-FID" list=admin-L2TP-VPN-mgm
+/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq  ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" list=allow_inet_IPsec
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" list=allow_inet
+/ip firewall address-list add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=10.11.0.0/16 comment="all DMZ networks     (VLANs range 3000-3255)" list=all-dmz
+/ip firewall address-list add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" list=all-inside
+/ip firewall address-list add address=10.12.90.0/24 comment="List subnetwork transport VLAN-4090 for access outside <--> inside" list=transport-sfp-sfpplus1
+/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management network devices FID=admin-mgm-amdpfyeu  ADMIN-FID" list=admin-mgm-net
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:123] FID=ab2ntprroam3e5fd" list=allow_inet_NTP
+/ip firewall address-list add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
+/ip firewall address-list add address=11.11.11.124 comment="List addr OUTSIDE IPs" list=all-outside
+/ip firewall address-list add address=11.11.11.125 comment="List addr OUTSIDE IPs" list=all-outside
+/ip firewall address-list add address=10.12.90.254 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-ccr01 ]" list=allow_inet
+/ip firewall address-list add address=10.8.10.201 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw01 ]" list=allow_inet
+/ip firewall address-list add address=10.8.10.202 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw02 ]" list=allow_inet
+/ip firewall address-list add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" list=all-inside
+/ip firewall address-list add address=10.10.0.0/16 comment="all INSIDE networks (VLANs range 2000-2255)" list=all-inside
+/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
+/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=udp
+/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
+/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
+/ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside
+/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside -->> VLAN-3001-DMZ  DNAT (UDP 22211 -> 10.91.1.11:22211) FID=2hfs38dq1jr42rwe" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.1.11 dst-port=22211 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=udp src-address-list=!all-networks
+/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside -->> VLAN-3001-DMZ  DNAT (TCP 22212 -> 10.91.1.12:22212) FID=2hfs38dq1jr42rwe" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.1.12 dst-port=22212 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
+/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside to frontweb01.dmz-3002.company.local DNAT (22.22.22.124 TCP 80,443 -->> 10.91.2.10 TCP 80,443) FID=web-cuc76crsswg2z3h1rg33e" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.2.10 dst-port=80,443 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
+/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside to front mail server  frontmail01.dmz-3003.rvision.local (22.22.22.124 TCP 25 465 -->> 10.91.3.11 DNAT TCP 25 465) FID=ewojf9q8twef86gp" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.3.11 dst-port=25,465,993 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
+/ip firewall filter add action=jump chain=forward comment="allow FORWARD from inside -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=sfp-sfpplus1 jump-target=allow_icmp_tcp_udp out-interface=ether1-outside src-address-list=allow_inet
+/ip firewall filter add action=jump chain=forward comment="allow FORWARD from inside MGM -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=ether8-mgmt jump-target=allow_icmp_tcp_udp out-interface=ether1-outside src-address-list=allow_inet
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ICMP] FID=zpfju4q8wn2hj5n7" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=icmp src-address-list=allow_inet_icmp
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:22] FID=pq9dm54nwj4ah6ee" connection-nat-state="" connection-state=new dst-port=22 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_SSH
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:143,993] FID=izmp3domfei9qnae" connection-nat-state="" connection-state=new dst-port=143,993 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_IMAP
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:25,465,587] FID=alld1nrr9nabdnt1" connection-nat-state="" connection-state=new dst-port=25,465,587 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_SMTP
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:53] FID=n1fk4do7we2ah5uz" connection-nat-state="" connection-state=new dst-port=53 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_DNS
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:123] FID=ab2ntprroam3e5fd" connection-nat-state="" connection-state=new dst-port=123 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_NTP
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:43] FID=ivnusgh98hs98wh9" connection-nat-state="" connection-state=new dst-port=43 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_WHOIS
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:80,443] FID=q5tst1p6o3jrdnb9" connection-nat-state="" connection-state=new dst-port=80,443 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_HTTPS
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" connection-nat-state="" connection-state=new dst-port=500,1701,4500 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_IPsec
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ALL:ALL] FID=allan3smjenrbtq3" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside src-address-list=allow_inet_all
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic out-interface=ether8-mgmt protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,80,443,8291 in-interface-list=dynamic out-interface=ether8-mgmt protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-NETWORK !!!WARNING - All ACL Firewall in DC01-CCR01!!! FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-networks in-interface-list=dynamic out-interface=sfp-sfpplus1 src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=icmp
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=tcp
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=udp
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [ICMP]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=icmp
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [GRE]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=gre
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [IPsec-esp]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=ipsec-esp
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [IPsec-ah]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=ipsec-ah
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME (UDP:500,1701,4500]" connection-state=new dst-address-list=outside-only-22.22.22.122 dst-port=500,1701,4500 in-interface=ether1-outside protocol=udp
+/ip firewall filter add action=accept chain=input comment="allow INPUT from transport sfp-sfpplus1 -->> ME [ICMP]" connection-state=new dst-address-list=transport-sfp-sfpplus1 in-interface=sfp-sfpplus1 protocol=icmp src-address-list=transport-sfp-sfpplus1
+/ip firewall filter add action=accept chain=input comment="allow INPUT from inside -->> ME [UDP:53 DNS] for spoofing DNS" connection-state=new dst-port=53 in-interface=sfp-sfpplus1 protocol=udp src-address-list=allow-INSDIE-to-local-DNS
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=ether8-mgmt protocol=icmp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=53 in-interface=ether8-mgmt protocol=udp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=ether8-mgmt protocol=tcp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,8291 in-interface-list=dynamic protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip firewall nat add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside all networks (outside IP = 11.11.11.122)" dst-address-list=!all-networks out-interface=ether1-outside src-address-list=all-networks to-addresses=11.11.11.122
+/ip firewall nat add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside mail systems for SPF rec TCP 25,465 (outside IP = 22.22.22.125) " disabled=yes dst-port=25,465 out-interface=ether1-outside protocol=tcp src-address=10.91.3.11 to-addresses=22.22.22.123
+/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN-3001-DMZ (22.22.22.122 UDP 22211 -->> 10.91.1.11 UDP 22211) OpenVPN 01 FID=2hfs38dq1jr42rwe" disabled=yes dst-address-list=outside-only-22.22.22.122 dst-port=22211 in-interface=ether1-outside protocol=udp src-address-list=!all-networks to-addresses=10.91.1.11 to-ports=22211
+/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN-3001-DMZ (22.22.22.122 TCP 22212 -->> 10.91.1.12 TCP 22212) OpenVPN 02 FID=hf92hfh38dh1jr421we" disabled=yes dst-address-list=outside-only-22.22.22.122 dst-port=22212 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.1.12 to-ports=22212
+/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 25 -->> 10.91.3.11 TCP 25) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=25 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=25
+/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 465 -->> 10.91.3.11 TCP 465) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=465 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=465
+/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 993 -->> 10.91.3.11 TCP 993) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=993 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=993
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16
+/ip route add comment="Route to DC01-CCR01 all networks" disabled=no distance=1 dst-address=10.8.0.0/13 gateway=10.12.90.254 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip route add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=main suppress-hw-offload=no
+/ip service set telnet disabled=yes
+/ip service set ftp disabled=yes
+/ip service set www disabled=yes
+/ip service set api disabled=yes
+/ip service set api-ssl disabled=yes
+/ip smb shares set [ find default=yes ] directory=/pub
+/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
+/ppp secret add comment="L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq" local-address=172.16.38.1 name=ivanov_mgm profile=L2TP_VPN_Profile_mgm remote-address=172.16.38.222 service=l2tp
+/system clock set time-zone-name=Europe/Moscow
+/system identity set name=dc01-gw01
+/system note set show-at-login=no
+/system ntp client set enabled=yes
+/system ntp client servers add address=80.240.216.155
+/system ntp client servers add address=185.232.69.65
+/system routerboard settings set enter-setup-on=delete-key
+/tool bandwidth-server set enabled=no
+/tool mac-server set allowed-interface-list=none
+/tool mac-server mac-winbox set allowed-interface-list=interfaces-MGM
+/tool mac-server ping set enabled=no
--- a/mikrotik/base-config/dc01-gw01.rsc
+++ b/mikrotik/base-config/dc01-gw01.rsc
@ -0,0 +1,424 @@
+# 2024-08-30 22:34:52 by RouterOS 7.15.3
+# software id = 6HAJ-6CUK
+#
+# model = RB4011iGS+
+# serial number = HEH08H8P0GS
+/interface ethernet
+set [ find default-name=ether1 ] name=ether1-outside
+set [ find default-name=ether2 ] disabled=yes
+set [ find default-name=ether3 ] disabled=yes
+set [ find default-name=ether4 ] disabled=yes
+set [ find default-name=ether5 ] disabled=yes
+set [ find default-name=ether6 ] disabled=yes
+set [ find default-name=ether7 ] disabled=yes
+set [ find default-name=ether8 ] comment=\
+    "Management interface for network devices (TCP/IP connect)" name=\
+    ether8-mgmt
+set [ find default-name=ether9 ] comment=\
+    "Management interface for network devices (MAC server only)" name=\
+    ether9-mac-mgmt
+set [ find default-name=ether10 ] disabled=yes
+set [ find default-name=sfp-sfpplus1 ] comment=\
+    "Link to dc01-ccr01 INSIDE <--> TRANSPORT LINK <-->  OUTSIDE"
+/interface list
+add name=interfaces-MGM
+add name=interfaces-outside
+add name=interfaces-VPN-ptp
+/ip smb users
+set [ find default=yes ] disabled=yes
+/port
+set 0 name=serial0
+set 1 name=serial1
+/ppp profile
+add change-tcp-mss=yes comment=\
+    "For L2TP VPN MGM admins FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \
+    name=L2TP_VPN_Profile_mgm only-one=no use-compression=yes use-encryption=\
+    yes use-ipv6=no use-mpls=no use-upnp=no
+/ip smb
+set enabled=no
+/ip firewall connection tracking
+set udp-timeout=10s
+/ip neighbor discovery-settings
+set discover-interface-list=interfaces-MGM
+/ip settings
+set tcp-syncookies=yes
+/ipv6 settings
+set disable-ipv6=yes
+/interface l2tp-server server
+set authentication=mschap2 enabled=yes use-ipsec=yes
+/interface list member
+add interface=ether9-mac-mgmt list=interfaces-MGM
+add interface=ether1-outside list=interfaces-outside
+/ip address
+add address=10.12.90.1/24 comment="Transport for access outside <--> inside" \
+    interface=sfp-sfpplus1 network=10.12.90.0
+add address=11.11.11.122/29 comment="Outside IPs" interface=ether1-outside \
+    network=11.11.11.120
+add address=10.8.10.11/24 comment=\
+    "Management interface for network devices (TCP/IP connect)" interface=\
+    ether8-mgmt network=10.8.10.0
+/ip cloud
+set update-time=no
+/ip dns
+set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1
+/ip firewall address-list
+add address=127.0.0.1 comment=\
+    "List addr for allow Internet access [UDP:53 ] FID=n1fk4do7we2ah5uz" \
+    list=allow_inet_DNS
+add address=127.0.0.1 comment=\
+    "List addr for allow Internet access [TCP:22] FID=pq9dm54nwj4ah6ee" list=\
+    allow_inet_SSH
+add address=11.11.11.122 comment="List addr OUTSIDE IPs" list=all-outside
+add address=11.11.11.122 comment="List addr OUTSIDE IP=22.22.22.122" list=\
+    outside-only-22.22.22.122
+add address=127.0.0.1 comment=\
+    "List addr for allow Internet access [ICMP] FID=zpfju4q8wn2hj5n7" list=\
+    allow_inet_icmp
+add address=192.168.24.0/24 comment="List addr OpenVPN" disabled=yes list=\
+    all-ovpn
+add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
+add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=\
+    outside-only-22.22.22.123
+add address=11.11.11.124 comment="List addr OUTSIDE IP=22.22.22.124" list=\
+    outside-only-22.22.22.124
+add address=11.11.11.125 comment="List addr OUTSIDE IP=22.22.22.125" list=\
+    outside-only-22.22.22.125
+add address=10.99.99.99 comment="List addr clients from inside network to loca\
+    l DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
+add address=10.99.99.77 comment="List addr clients from inside network to loca\
+    l DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
+add address=127.0.0.1 comment="List addr for allow Internet access [TCP:80,443\
+    ] servername.local FID=q5tst1p6o3jrdnb9" list=allow_inet_HTTPS
+add address=127.0.0.1 comment=\
+    "List addr for allow Internet access [ALL:ALL] FID=allan3smjenrbtq3" \
+    list=allow_inet_all
+add address=127.0.0.1 comment="List addr for allow Internet access [TCP:25,465\
+    ,587] FID=alld1nrr9nabdnt1" list=allow_inet_SMTP
+add address=10.8.0.0/13 comment=\
+    "all-all network dmz + inside + transport + ovpn + l2pt etc" list=\
+    all-networks
+add address=127.0.0.1 comment=\
+    "List addr for allow Internet access [TCP:143,993] FID=izmp3domfei9qnae" \
+    list=allow_inet_IMAP
+add address=127.0.0.1 comment=\
+    "List addr for allow Internet access [TCP:43] FID=ivnusgh98hs98wh9" list=\
+    allow_inet_WHOIS
+add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
+    ccess-l2tp-vpn-en7gdnsq  ADMIN-FID" list=admin-L2TP-VPN-mgm
+add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
+    s-ovpn-vpn-en7gdnsq  ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+add address=127.0.0.1 comment="List addr for allow Internet access [UDP:500,17\
+    01,4500] FID=sjf93jamc39jfi8g" list=allow_inet_IPsec
+add address=127.0.0.1 comment="List addr for allow Internet access [All ICMP,T\
+    CP,UDP] FID=h7nlarwndc5dr8zc" list=allow_inet
+add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
+add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
+add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
+add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
+add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
+add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
+add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
+add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
+add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
+add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
+add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
+add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
+add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
+add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
+add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
+add address=10.11.0.0/16 comment=\
+    "all DMZ networks     (VLANs range 3000-3255)" list=all-dmz
+add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" \
+    list=all-inside
+add address=10.12.90.0/24 comment=\
+    "List subnetwork transport VLAN-4090 for access outside <--> inside" \
+    list=transport-sfp-sfpplus1
+add address=10.8.10.0/24 comment="List addr for Management network devices FID\
+    =admin-mgm-amdpfyeu  ADMIN-FID" list=admin-mgm-net
+add address=127.0.0.1 comment=\
+    "List addr for allow Internet access [UDP:123] FID=ab2ntprroam3e5fd" \
+    list=allow_inet_NTP
+add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
+add address=11.11.11.124 comment="List addr OUTSIDE IPs" list=all-outside
+add address=11.11.11.125 comment="List addr OUTSIDE IPs" list=all-outside
+add address=10.12.90.254 comment="List addr for allow Internet access [All ICM\
+    P,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-ccr01 ]" list=allow_inet
+add address=10.8.10.201 comment="List addr for allow Internet access [All ICMP\
+    ,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw01 ]" list=allow_inet
+add address=10.8.10.202 comment="List addr for allow Internet access [All ICMP\
+    ,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw02 ]" list=allow_inet
+add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" \
+    list=all-inside
+add address=10.10.0.0/16 comment=\
+    "all INSIDE networks (VLANs range 2000-2255)" list=all-inside
+/ip firewall filter
+add action=fasttrack-connection chain=forward connection-state=\
+    established,related hw-offload=yes protocol=tcp
+add action=fasttrack-connection chain=forward connection-state=\
+    established,related hw-offload=yes protocol=udp
+add action=accept chain=input comment="allow INPUT established,related" \
+    connection-state=established,related
+add action=accept chain=forward comment="allow FORWARD established,related" \
+    connection-state=established,related
+add action=drop chain=input comment="deny INPUT Invalid connections" \
+    connection-state=invalid
+add action=drop chain=forward comment="deny FORWARD Invalid connections" \
+    connection-state=invalid
+add action=drop chain=input comment=\
+    "deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" \
+    connection-state="" in-interface=ether1-outside src-address-list=\
+    all-bogon
+add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON\
+    \_IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=\
+    all-bogon out-interface=ether1-outside
+add action=drop chain=forward comment="deny FORWARD from outside -->> inside [\
+    \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \
+    in-interface=ether1-outside src-address-list=all-bogon
+add action=drop chain=forward comment="deny FORWARD from inside -->> outside [\
+    \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \
+    dst-address-list=all-bogon out-interface=ether1-outside
+add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
+    e -->> VLAN-3001-DMZ  DNAT (UDP 22211 -> 10.91.1.11:22211) FID=2hfs38dq1jr\
+    42rwe" connection-nat-state=dstnat connection-state=new disabled=yes \
+    dst-address=10.91.1.11 dst-port=22211 in-interface=ether1-outside \
+    out-interface=sfp-sfpplus1 protocol=udp src-address-list=!all-networks
+add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
+    e -->> VLAN-3001-DMZ  DNAT (TCP 22212 -> 10.91.1.12:22212) FID=2hfs38dq1jr\
+    42rwe" connection-nat-state=dstnat connection-state=new disabled=yes \
+    dst-address=10.91.1.12 dst-port=22212 in-interface=ether1-outside \
+    out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
+add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
+    e to frontweb01.dmz-3002.company.local DNAT (22.22.22.124 TCP 80,443 -->>\
+    \_10.91.2.10 TCP 80,443) FID=web-cuc76crsswg2z3h1rg33e" \
+    connection-nat-state=dstnat connection-state=new disabled=yes \
+    dst-address=10.91.2.10 dst-port=80,443 in-interface=ether1-outside \
+    out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
+add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
+    e to front mail server  frontmail01.dmz-3003.rvision.local (22.22.22.124 \
+    TCP 25 465 -->> 10.91.3.11 DNAT TCP 25 465) FID=ewojf9q8twef86gp" \
+    connection-nat-state=dstnat connection-state=new disabled=yes \
+    dst-address=10.91.3.11 dst-port=25,465,993 in-interface=ether1-outside \
+    out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
+add action=jump chain=forward comment="allow FORWARD from inside -->> outside \
+    SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new \
+    in-interface=sfp-sfpplus1 jump-target=allow_icmp_tcp_udp out-interface=\
+    ether1-outside src-address-list=allow_inet
+add action=jump chain=forward comment="allow FORWARD from inside MGM -->> outs\
+    ide SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new \
+    in-interface=ether8-mgmt jump-target=allow_icmp_tcp_udp out-interface=\
+    ether1-outside src-address-list=allow_inet
+add action=accept chain=forward comment=\
+    "allow FORWARD from inside -->> outside SNAT [ICMP] FID=zpfju4q8wn2hj5n7" \
+    connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 \
+    out-interface=ether1-outside protocol=icmp src-address-list=\
+    allow_inet_icmp
+add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
+    e SNAT [TCP:22] FID=pq9dm54nwj4ah6ee" connection-nat-state="" \
+    connection-state=new dst-port=22 in-interface=sfp-sfpplus1 out-interface=\
+    ether1-outside protocol=tcp src-address-list=allow_inet_SSH
+add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
+    e SNAT [TCP:143,993] FID=izmp3domfei9qnae" connection-nat-state="" \
+    connection-state=new dst-port=143,993 in-interface=sfp-sfpplus1 \
+    out-interface=ether1-outside protocol=tcp src-address-list=\
+    allow_inet_IMAP
+add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
+    e SNAT [TCP:25,465,587] FID=alld1nrr9nabdnt1" connection-nat-state="" \
+    connection-state=new dst-port=25,465,587 in-interface=sfp-sfpplus1 \
+    out-interface=ether1-outside protocol=tcp src-address-list=\
+    allow_inet_SMTP
+add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
+    e SNAT [UDP:53] FID=n1fk4do7we2ah5uz" connection-nat-state="" \
+    connection-state=new dst-port=53 in-interface=sfp-sfpplus1 out-interface=\
+    ether1-outside protocol=udp src-address-list=allow_inet_DNS
+add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
+    e SNAT [UDP:123] FID=ab2ntprroam3e5fd" connection-nat-state="" \
+    connection-state=new dst-port=123 in-interface=sfp-sfpplus1 \
+    out-interface=ether1-outside protocol=udp src-address-list=allow_inet_NTP
+add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
+    e SNAT [TCP:43] FID=ivnusgh98hs98wh9" connection-nat-state="" \
+    connection-state=new dst-port=43 in-interface=sfp-sfpplus1 out-interface=\
+    ether1-outside protocol=tcp src-address-list=allow_inet_WHOIS
+add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
+    e SNAT [TCP:80,443] FID=q5tst1p6o3jrdnb9" connection-nat-state="" \
+    connection-state=new dst-port=80,443 in-interface=sfp-sfpplus1 \
+    out-interface=ether1-outside protocol=tcp src-address-list=\
+    allow_inet_HTTPS
+add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
+    e SNAT [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" connection-nat-state="" \
+    connection-state=new dst-port=500,1701,4500 in-interface=sfp-sfpplus1 \
+    out-interface=ether1-outside protocol=udp src-address-list=\
+    allow_inet_IPsec
+add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
+    e SNAT [ALL:ALL] FID=allan3smjenrbtq3" connection-nat-state="" \
+    connection-state=new in-interface=sfp-sfpplus1 out-interface=\
+    ether1-outside src-address-list=allow_inet_all
+add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
+    ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    dst-address-list=admin-mgm-net in-interface-list=dynamic out-interface=\
+    ether8-mgmt protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
+    ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    dst-address-list=admin-mgm-net dst-port=22,80,443,8291 in-interface-list=\
+    dynamic out-interface=ether8-mgmt protocol=tcp src-address-list=\
+    admin-L2TP-VPN-mgm
+add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
+    ALL-NETWORK !!!WARNING - All ACL Firewall in DC01-CCR01!!! FID=admin-acces\
+    s-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=\
+    all-networks in-interface-list=dynamic out-interface=sfp-sfpplus1 \
+    src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=allow_icmp_tcp_udp comment=\
+    "Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=icmp
+add action=accept chain=allow_icmp_tcp_udp comment=\
+    "Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=tcp
+add action=accept chain=allow_icmp_tcp_udp comment=\
+    "Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=udp
+add action=accept chain=input comment=\
+    "allow INPUT from outside -->> ME [ICMP]" connection-state=new \
+    dst-address-list=all-outside in-interface=ether1-outside protocol=icmp
+add action=accept chain=input comment=\
+    "allow INPUT from outside -->> ME [GRE]" connection-state=new \
+    dst-address-list=all-outside in-interface=ether1-outside protocol=gre
+add action=accept chain=input comment=\
+    "allow INPUT from outside -->> ME [IPsec-esp]" connection-state=new \
+    dst-address-list=all-outside in-interface=ether1-outside protocol=\
+    ipsec-esp
+add action=accept chain=input comment=\
+    "allow INPUT from outside -->> ME [IPsec-ah]" connection-state=new \
+    dst-address-list=all-outside in-interface=ether1-outside protocol=\
+    ipsec-ah
+add action=accept chain=input comment=\
+    "allow INPUT from outside -->> ME (UDP:500,1701,4500]" connection-state=\
+    new dst-address-list=outside-only-22.22.22.122 dst-port=500,1701,4500 \
+    in-interface=ether1-outside protocol=udp
+add action=accept chain=input comment=\
+    "allow INPUT from transport sfp-sfpplus1 -->> ME [ICMP]" \
+    connection-state=new dst-address-list=transport-sfp-sfpplus1 \
+    in-interface=sfp-sfpplus1 protocol=icmp src-address-list=\
+    transport-sfp-sfpplus1
+add action=accept chain=input comment=\
+    "allow INPUT from inside -->> ME [UDP:53 DNS] for spoofing DNS" \
+    connection-state=new dst-port=53 in-interface=sfp-sfpplus1 protocol=udp \
+    src-address-list=allow-INSDIE-to-local-DNS
+add action=accept chain=input comment=\
+    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+    in-interface=ether8-mgmt protocol=icmp src-address-list=admin-mgm-net
+add action=accept chain=input comment=\
+    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+    dst-port=53 in-interface=ether8-mgmt protocol=udp src-address-list=\
+    admin-mgm-net
+add action=accept chain=input comment=\
+    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+    dst-port=21,22,8291 in-interface=ether8-mgmt protocol=tcp \
+    src-address-list=admin-mgm-net
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp \
+    src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    dst-address-list=admin-mgm-net dst-port=22,8291 in-interface-list=dynamic \
+    protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+add action=reject chain=input comment=\
+    "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
+    protocol=tcp reject-with=tcp-reset
+add action=reject chain=input comment=\
+    "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
+    connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=input comment="deny INPUT all" connection-state=""
+add action=reject chain=forward comment=\
+    "deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=\
+    new protocol=tcp reject-with=tcp-reset
+add action=reject chain=forward comment=\
+    "deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=\
+    new log-prefix=reject_fw_udp protocol=udp reject-with=\
+    icmp-port-unreachable
+add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip firewall nat
+add action=src-nat chain=srcnat comment=\
+    "EXAMPLE !!! SNAT from inside all networks (outside IP = 11.11.11.122)" \
+    dst-address-list=!all-networks out-interface=ether1-outside \
+    src-address-list=all-networks to-addresses=11.11.11.122
+add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside mail sys\
+    tems for SPF rec TCP 25,465 (outside IP = 22.22.22.125) " disabled=yes \
+    dst-port=25,465 out-interface=ether1-outside protocol=tcp src-address=\
+    10.91.3.11 to-addresses=22.22.22.123
+add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN\
+    -3001-DMZ (22.22.22.122 UDP 22211 -->> 10.91.1.11 UDP 22211) OpenVPN 01 F\
+    ID=2hfs38dq1jr42rwe" disabled=yes dst-address-list=\
+    outside-only-22.22.22.122 dst-port=22211 in-interface=ether1-outside \
+    protocol=udp src-address-list=!all-networks to-addresses=10.91.1.11 \
+    to-ports=22211
+add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN\
+    -3001-DMZ (22.22.22.122 TCP 22212 -->> 10.91.1.12 TCP 22212) OpenVPN 02 F\
+    ID=hf92hfh38dh1jr421we" disabled=yes dst-address-list=\
+    outside-only-22.22.22.122 dst-port=22212 in-interface=ether1-outside \
+    protocol=tcp src-address-list=!all-networks to-addresses=10.91.1.12 \
+    to-ports=22212
+add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\
+    \_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 25 -->> 10.\
+    91.3.11 TCP 25) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\
+    outside-only-22.22.22.125 dst-port=25 in-interface=ether1-outside \
+    protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \
+    to-ports=25
+add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\
+    \_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 465 -->> 10\
+    .91.3.11 TCP 465) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\
+    outside-only-22.22.22.125 dst-port=465 in-interface=ether1-outside \
+    protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \
+    to-ports=465
+add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\
+    \_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 993 -->> 10\
+    .91.3.11 TCP 993) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\
+    outside-only-22.22.22.125 dst-port=993 in-interface=ether1-outside \
+    protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \
+    to-ports=993
+/ip route
+add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
+    distance=249 dst-address=10.0.0.0/8
+add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
+    distance=249 dst-address=169.254.0.0/16
+add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
+    distance=249 dst-address=172.16.0.0/12
+add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
+    distance=249 dst-address=192.168.0.0/16
+add comment="Route to DC01-CCR01 all networks" disabled=no distance=1 \
+    dst-address=10.8.0.0/13 gateway=10.12.90.254 pref-src="" routing-table=\
+    main scope=30 suppress-hw-offload=no target-scope=10
+add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=\
+    main suppress-hw-offload=no
+/ip service
+set telnet disabled=yes
+set ftp disabled=yes
+set www disabled=yes
+set api disabled=yes
+set api-ssl disabled=yes
+/ip smb shares
+set [ find default=yes ] directory=/pub
+/ip ssh
+set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
+    4096 strong-crypto=yes
+/ppp secret
+add comment="L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq" \
+    local-address=172.16.38.1 name=ivanov_mgm profile=L2TP_VPN_Profile_mgm \
+    remote-address=172.16.38.222 service=l2tp
+/system clock
+set time-zone-name=Europe/Moscow
+/system identity
+set name=dc01-gw01
+/system note
+set show-at-login=no
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=80.240.216.155
+add address=185.232.69.65
+/system routerboard settings
+set enter-setup-on=delete-key
+/tool bandwidth-server
+set enabled=no
+/tool mac-server
+set allowed-interface-list=none
+/tool mac-server mac-winbox
+set allowed-interface-list=interfaces-MGM
+/tool mac-server ping
+set enabled=no
--- a/mikrotik/base-config/dc01-sw01-terse.rsc
+++ b/mikrotik/base-config/dc01-sw01-terse.rsc
@ -0,0 +1,85 @@
+# 2024-08-30 19:14:38 by RouterOS 7.15.3
+# software id = 1Y74-1PQS
+#
+# model = CRS312-4C+8XG
+# serial number = HEQ0941H7M6
+/interface bridge add name=bridge port-cost-mode=short priority=0x4000 vlan-filtering=yes
+/interface ethernet set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether8 ] comment="Link from dc01-gw01 for Management interface for network devices (TCP/IP connect)"
+/interface ethernet set [ find default-name=ether9 ] comment="Management interface for network devices (MAC server only)" name=ether9-mac-mgmt
+/interface vlan add comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=bridge name=VLAN-0010 vlan-id=10
+/interface bonding add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
+/interface list add name=interfaces-MAC-MGMT
+/ip smb users set [ find default=yes ] disabled=yes
+/port set 0 name=serial0
+/system logging action set 1 disk-file-name=log
+/ip smb set enabled=no
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge comment="Link from dc01-gw01 for Management interface for network devices (TCP/IP connect) VLAN-0010" frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
+/ip firewall connection tracking set udp-timeout=10s
+/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
+/ip settings set tcp-syncookies=yes
+/ipv6 settings set disable-ipv6=yes
+/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x     <->     10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=101-255
+/interface bridge vlan add bridge=bridge comment="VLANs range for DMZ     IPs range for use 10.11.100.x   <->     10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3000-3255
+/interface bridge vlan add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
+/interface bridge vlan add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
+/interface bridge vlan add bridge=bridge comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" tagged=bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=10
+/interface bridge vlan add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=11
+/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x         <->     10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=1000-1255
+/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x       <->     10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2000-2255
+/interface list member add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
+/ip address add address=10.8.10.201/24 interface=VLAN-0010 network=10.8.10.0
+/ip cloud set update-time=no
+/ip dns set servers=10.8.10.11
+/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq  ADMIN-FID" list=admin-L2TP-VPN-mgm
+/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq  ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management only network devices (Mikrotik) FID=admin-mgm-amdpfyeu  ADMIN-FID" list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
+/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip hotspot profile set [ find default=yes ] html-directory=hotspot
+/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip route add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip service set telnet disabled=yes
+/ip service set ftp disabled=yes
+/ip service set www disabled=yes
+/ip service set api disabled=yes
+/ip service set api-ssl disabled=yes
+/ip smb shares set [ find default=yes ] directory=/pub
+/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
+/system clock set time-zone-name=Europe/Moscow
+/system identity set name=dc01-sw01
+/system note set show-at-login=no
+/system ntp client set enabled=yes
+/system ntp client servers add address=80.240.216.155
+/system ntp client servers add address=185.232.69.65
+/system routerboard settings set boot-os=router-os enter-setup-on=delete-key
+/tool bandwidth-server set enabled=no
+/tool mac-server set allowed-interface-list=none
+/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping set enabled=no
--- a/mikrotik/base-config/dc01-sw01.rsc
+++ b/mikrotik/base-config/dc01-sw01.rsc
@ -0,0 +1,177 @@
+# 2024-08-30 19:14:48 by RouterOS 7.15.3
+# software id = 1Y74-1PQS
+#
+# model = CRS312-4C+8XG
+# serial number = HEQ0941H7M6
+/interface bridge
+add name=bridge port-cost-mode=short priority=0x4000 vlan-filtering=yes
+/interface ethernet
+set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 \
+    mtu=9000
+set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 \
+    mtu=9000
+set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether8 ] comment="Link from dc01-gw01 for Management i\
+    nterface for network devices (TCP/IP connect)"
+set [ find default-name=ether9 ] comment=\
+    "Management interface for network devices (MAC server only)" name=\
+    ether9-mac-mgmt
+/interface vlan
+add comment=\
+    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+    interface=bridge name=VLAN-0010 vlan-id=10
+/interface bonding
+add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
+/interface list
+add name=interfaces-MAC-MGMT
+/ip smb users
+set [ find default=yes ] disabled=yes
+/port
+set 0 name=serial0
+/system logging action
+set 1 disk-file-name=log
+/ip smb
+set enabled=no
+/interface bridge port
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP \
+    internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 \
+    internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 \
+    internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 \
+    internal-path-cost=10 path-cost=10
+add bridge=bridge comment="Link from dc01-gw01 for Management interface for ne\
+    twork devices (TCP/IP connect) VLAN-0010" frame-types=\
+    admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
+/ip firewall connection tracking
+set udp-timeout=10s
+/ip neighbor discovery-settings
+set discover-interface-list=interfaces-MAC-MGMT
+/ip settings
+set tcp-syncookies=yes
+/ipv6 settings
+set disable-ipv6=yes
+/interface bridge vlan
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x\
+    \_    <->     10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+    vlan-ids=101-255
+add bridge=bridge comment="VLANs range for DMZ     IPs range for use 10.11.100\
+    .x   <->     10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+    vlan-ids=3000-3255
+add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=\
+    bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
+add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=\
+    bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
+add bridge=bridge comment=\
+    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+    tagged=bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=10
+add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=\
+    bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=11
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x  \
+    \_      <->     10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+    vlan-ids=1000-1255
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x \
+    \_     <->     10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+    vlan-ids=2000-2255
+/interface list member
+add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
+/ip address
+add address=10.8.10.201/24 interface=VLAN-0010 network=10.8.10.0
+/ip cloud
+set update-time=no
+/ip dns
+set servers=10.8.10.11
+/ip firewall address-list
+add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
+    ccess-l2tp-vpn-en7gdnsq  ADMIN-FID" list=admin-L2TP-VPN-mgm
+add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
+    s-ovpn-vpn-en7gdnsq  ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+add address=10.8.10.0/24 comment="List addr for Management only network device\
+    s (Mikrotik) FID=admin-mgm-amdpfyeu  ADMIN-FID" list=admin-mgm-net
+/ip firewall filter
+add action=accept chain=input comment="allow INPUT established,related" \
+    connection-state=established,related
+add action=accept chain=forward comment="allow FORWARD established,related" \
+    connection-state=established,related
+add action=drop chain=input comment="deny INPUT Invalid connections" \
+    connection-state=invalid
+add action=drop chain=forward comment="deny FORWARD Invalid connections" \
+    connection-state=invalid
+add action=accept chain=input comment=\
+    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+    in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
+add action=accept chain=input comment=\
+    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+    dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
+    admin-mgm-net
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
+    admin-L2TP-VPN-mgm
+add action=reject chain=input comment=\
+    "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
+    protocol=tcp reject-with=tcp-reset
+add action=reject chain=input comment=\
+    "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
+    connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=input comment="deny INPUT all" connection-state=""
+add action=reject chain=forward comment=\
+    "deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \
+    protocol=tcp reject-with=tcp-reset
+add action=reject chain=forward comment=\
+    "deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \
+    connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip hotspot profile
+set [ find default=yes ] html-directory=hotspot
+/ip route
+add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src=\
+    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gd\
+    nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\
+    10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \
+    target-scope=10
+/ip service
+set telnet disabled=yes
+set ftp disabled=yes
+set www disabled=yes
+set api disabled=yes
+set api-ssl disabled=yes
+/ip smb shares
+set [ find default=yes ] directory=/pub
+/ip ssh
+set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
+    4096 strong-crypto=yes
+/system clock
+set time-zone-name=Europe/Moscow
+/system identity
+set name=dc01-sw01
+/system note
+set show-at-login=no
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=80.240.216.155
+add address=185.232.69.65
+/system routerboard settings
+set boot-os=router-os enter-setup-on=delete-key
+/tool bandwidth-server
+set enabled=no
+/tool mac-server
+set allowed-interface-list=none
+/tool mac-server mac-winbox
+set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping
+set enabled=no
--- a/mikrotik/base-config/dc01-sw02-terse.rsc
+++ b/mikrotik/base-config/dc01-sw02-terse.rsc
@ -0,0 +1,84 @@
+# 2024-08-30 19:15:03 by RouterOS 7.15.3
+# software id = QEDC-AGM4
+#
+# model = CRS312-4C+8XG
+# serial number = HEQ09EBWASB
+/interface bridge add name=bridge port-cost-mode=short vlan-filtering=yes
+/interface ethernet set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether8 ] comment="Link from mgmt switch (for iLo IPMI) VLAN-0011"
+/interface ethernet set [ find default-name=ether9 ] comment="Management interface for network devices (MAC server only)" name=ether9-mac-mgmt
+/interface vlan add comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=bridge name=VLAN-0010 vlan-id=10
+/interface bonding add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
+/interface list add name=interfaces-MAC-MGMT
+/ip smb users set [ find default=yes ] disabled=yes
+/port set 0 name=serial0
+/system logging action set 1 disk-file-name=log
+/ip smb set enabled=no
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge comment="Link from mgmt switch (for iLo IPMI) VLAN-0011" frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=11
+/ip firewall connection tracking set udp-timeout=10s
+/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
+/ip settings set tcp-syncookies=yes
+/ipv6 settings set disable-ipv6=yes
+/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x     <->     10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=101-255
+/interface bridge vlan add bridge=bridge comment="VLANs range for DMZ     IPs range for use 10.11.100.x   <->     10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3000-3255
+/interface bridge vlan add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
+/interface bridge vlan add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
+/interface bridge vlan add bridge=bridge comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=10
+/interface bridge vlan add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=11
+/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x         <->     10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=1000-1255
+/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x       <->     10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2000-2255
+/interface list member add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
+/ip address add address=10.8.10.202/24 interface=VLAN-0010 network=10.8.10.0
+/ip cloud set update-time=no
+/ip dns set servers=10.8.10.11
+/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq  ADMIN-FID" list=admin-L2TP-VPN-mgm
+/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq  ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management only network devices (Mikrotik) FID=admin-mgm-amdpfyeu  ADMIN-FID" list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
+/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip route add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip service set telnet disabled=yes
+/ip service set ftp disabled=yes
+/ip service set www disabled=yes
+/ip service set api disabled=yes
+/ip service set api-ssl disabled=yes
+/ip smb shares set [ find default=yes ] directory=/pub
+/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
+/system clock set time-zone-name=Europe/Moscow
+/system identity set name=dc01-sw02
+/system note set show-at-login=no
+/system ntp client set enabled=yes
+/system ntp client servers add address=80.240.216.155
+/system ntp client servers add address=185.232.69.65
+/system routerboard settings set boot-os=router-os enter-setup-on=delete-key
+/tool bandwidth-server set enabled=no
+/tool mac-server set allowed-interface-list=none
+/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping set enabled=no
--- a/mikrotik/base-config/dc01-sw02.rsc
+++ b/mikrotik/base-config/dc01-sw02.rsc
@ -0,0 +1,175 @@
+# 2024-08-30 19:15:13 by RouterOS 7.15.3
+# software id = QEDC-AGM4
+#
+# model = CRS312-4C+8XG
+# serial number = HEQ09EBWASB
+/interface bridge
+add name=bridge port-cost-mode=short vlan-filtering=yes
+/interface ethernet
+set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 \
+    mtu=9000
+set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 \
+    mtu=9000
+set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether8 ] comment=\
+    "Link from mgmt switch (for iLo IPMI) VLAN-0011"
+set [ find default-name=ether9 ] comment=\
+    "Management interface for network devices (MAC server only)" name=\
+    ether9-mac-mgmt
+/interface vlan
+add comment=\
+    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+    interface=bridge name=VLAN-0010 vlan-id=10
+/interface bonding
+add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
+/interface list
+add name=interfaces-MAC-MGMT
+/ip smb users
+set [ find default=yes ] disabled=yes
+/port
+set 0 name=serial0
+/system logging action
+set 1 disk-file-name=log
+/ip smb
+set enabled=no
+/interface bridge port
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP \
+    internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 \
+    internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 \
+    internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 \
+    internal-path-cost=10 path-cost=10
+add bridge=bridge comment="Link from mgmt switch (for iLo IPMI) VLAN-0011" \
+    frame-types=admit-only-untagged-and-priority-tagged interface=ether8 \
+    pvid=11
+/ip firewall connection tracking
+set udp-timeout=10s
+/ip neighbor discovery-settings
+set discover-interface-list=interfaces-MAC-MGMT
+/ip settings
+set tcp-syncookies=yes
+/ipv6 settings
+set disable-ipv6=yes
+/interface bridge vlan
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x\
+    \_    <->     10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+    vlan-ids=101-255
+add bridge=bridge comment="VLANs range for DMZ     IPs range for use 10.11.100\
+    .x   <->     10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+    vlan-ids=3000-3255
+add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=\
+    bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
+add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=\
+    bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
+add bridge=bridge comment=\
+    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+    tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=10
+add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=\
+    bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=11
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x  \
+    \_      <->     10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+    vlan-ids=1000-1255
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x \
+    \_     <->     10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+    vlan-ids=2000-2255
+/interface list member
+add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
+/ip address
+add address=10.8.10.202/24 interface=VLAN-0010 network=10.8.10.0
+/ip cloud
+set update-time=no
+/ip dns
+set servers=10.8.10.11
+/ip firewall address-list
+add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
+    ccess-l2tp-vpn-en7gdnsq  ADMIN-FID" list=admin-L2TP-VPN-mgm
+add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
+    s-ovpn-vpn-en7gdnsq  ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+add address=10.8.10.0/24 comment="List addr for Management only network device\
+    s (Mikrotik) FID=admin-mgm-amdpfyeu  ADMIN-FID" list=admin-mgm-net
+/ip firewall filter
+add action=accept chain=input comment="allow INPUT established,related" \
+    connection-state=established,related
+add action=accept chain=forward comment="allow FORWARD established,related" \
+    connection-state=established,related
+add action=drop chain=input comment="deny INPUT Invalid connections" \
+    connection-state=invalid
+add action=drop chain=forward comment="deny FORWARD Invalid connections" \
+    connection-state=invalid
+add action=accept chain=input comment=\
+    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+    in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
+add action=accept chain=input comment=\
+    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+    dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
+    admin-mgm-net
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+    dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
+    admin-L2TP-VPN-mgm
+add action=reject chain=input comment=\
+    "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
+    protocol=tcp reject-with=tcp-reset
+add action=reject chain=input comment=\
+    "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
+    connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=input comment="deny INPUT all" connection-state=""
+add action=reject chain=forward comment=\
+    "deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \
+    protocol=tcp reject-with=tcp-reset
+add action=reject chain=forward comment=\
+    "deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \
+    connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip route
+add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src=\
+    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gd\
+    nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\
+    10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \
+    target-scope=10
+/ip service
+set telnet disabled=yes
+set ftp disabled=yes
+set www disabled=yes
+set api disabled=yes
+set api-ssl disabled=yes
+/ip smb shares
+set [ find default=yes ] directory=/pub
+/ip ssh
+set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
+    4096 strong-crypto=yes
+/system clock
+set time-zone-name=Europe/Moscow
+/system identity
+set name=dc01-sw02
+/system note
+set show-at-login=no
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=80.240.216.155
+add address=185.232.69.65
+/system routerboard settings
+set boot-os=router-os enter-setup-on=delete-key
+/tool bandwidth-server
+set enabled=no
+/tool mac-server
+set allowed-interface-list=none
+/tool mac-server mac-winbox
+set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping
+set enabled=no