From 6ddbc86f761f62e2852de49fb64d4d2a1e3e7501 Mon Sep 17 00:00:00 2001
From: Sergei Bobkov
Date: Thu, 19 Sep 2024 13:36:34 +0300
Subject: [PATCH] Added this repo
---
 README.md | 13 +
 mikrotik/README.md | 2 +
 mikrotik/base-config/README.md | 111 ++++++
 mikrotik/base-config/dc01-ccr01-terse.rsc | 130 +++++++
 mikrotik/base-config/dc01-ccr01.rsc | 297 +++++++++++++++
 mikrotik/base-config/dc01-emer01-terse.rsc | 90 +++++
 mikrotik/base-config/dc01-emer01.rsc | 164 ++++++++
 mikrotik/base-config/dc01-gw01-terse.rsc | 168 ++++++++
 mikrotik/base-config/dc01-gw01.rsc | 424 +++++++++++++++++++++
 mikrotik/base-config/dc01-sw01-terse.rsc | 85 +++++
 mikrotik/base-config/dc01-sw01.rsc | 177 +++++++++
 mikrotik/base-config/dc01-sw02-terse.rsc | 84 ++++
 mikrotik/base-config/dc01-sw02.rsc | 175 +++++++++
 13 files changed, 1920 insertions(+)
 create mode 100644 README.md
 create mode 100644 mikrotik/README.md
 create mode 100644 mikrotik/base-config/README.md
 create mode 100644 mikrotik/base-config/dc01-ccr01-terse.rsc
 create mode 100644 mikrotik/base-config/dc01-ccr01.rsc
 create mode 100644 mikrotik/base-config/dc01-emer01-terse.rsc
 create mode 100644 mikrotik/base-config/dc01-emer01.rsc
 create mode 100644 mikrotik/base-config/dc01-gw01-terse.rsc
 create mode 100644 mikrotik/base-config/dc01-gw01.rsc
 create mode 100644 mikrotik/base-config/dc01-sw01-terse.rsc
 create mode 100644 mikrotik/base-config/dc01-sw01.rsc
 create mode 100644 mikrotik/base-config/dc01-sw02-terse.rsc
 create mode 100644 mikrotik/base-config/dc01-sw02.rsc
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..14a59fc
--- /dev/null
+++ b/README.md
@@ -0,0 +1,13 @@
+# NETWORK repo
+
+
+##This repo has network configuration for different network devices.
+
+
+You get basic/default config for:
+
+1. Microtik RB4011 (for any gateway), CR312 (sw01 + sw02 in bonding), CCR2004-1G-12S+2XS (as core L3 router)
+2. Firewall basic script for Linux
+
+
+
diff --git a/mikrotik/README.md b/mikrotik/README.md
new file mode 100644
index 0000000..43d8014
--- /dev/null
+++ b/mikrotik/README.md
@@ -0,0 +1,2 @@
+# network-mikrotik
+
diff --git a/mikrotik/base-config/README.md b/mikrotik/base-config/README.md
new file mode 100644
index 0000000..7d58bd9
--- /dev/null
+++ b/mikrotik/base-config/README.md
@@ -0,0 +1,111 @@
+# It is examples base configuration for Mikrotik.
+Please always check these options for base config new device:
+
+ 1. Add user new user with admin priv:
+`/user add name="admin2" password="PASSWORD" group=full`
+ 2. Set NTP server:
+`/system ntp client set enabled=yes primary-ntp=80.240.216.155 secondary-ntp=85.21.78.23`
+
+`/system ntp client set enabled=yes`
+`/system ntp client servers`
+`add address=0.pool.ntp.org`
+`add address=1.pool.ntp.org`
+
+`/system ntp server set enabled=no`
+
+3. Set Time Zone:
+`/system clock set time-zone-name=Europe/Moscow`
+
+4. Disabled unuse service:
+`{ :local ver [/system resource get version]; :global vermajor [:pick $ver 0 [:find $ver "."]] }`
+`:if ($vermajor = 7) do={ /ipv6 settings set disable-ipv6=yes }`
+`:if ($vermajor = 6) do={ /system package disable ipv6 }'`
+
+`/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT`
+`/tool mac-server set allowed-interface-list=none`
+`/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT`
+`/tool mac-server ping set enabled=no`
+
+`/ip smb set enabled=no`
+
+`/ip service set www disabled=yes`
+`/ip service set api disabled=yes`
+`/ip service set api-ssl disabled=yes`
+`/ip service set ftp disabled=yes`
+`/ip service set telnet disabled=yes`
+`/ip service set winbox disabled=no`
+`/ip service set ssh disabled=no`
+
+`/tool bandwidth-server set enabled=no`
+`/tool romon set enabled=no`
+
+`/ip ssh set strong-crypto=yes host-key-size=4096 forwarding-enabled=both always-allow-password-login=yes`
+
+`/ip settings set tcp-syncookies=yes`
+
+`/ip proxy set enabled=no`
+`/ip socks set enabled=no`
+`/ip upnp set enabled=no`
+`/ip cloud set ddns-enabled=no update-time=no`
+
+5. For security add blackhole routes and deny BOGON networks
+
+`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8 blackhole`
+`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16 blackhole`
+`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12 blackhole`
+`/ip route add comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16 blackhole`
+
+`/ip firewall address-list add address=0.0.0.0/8 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=127.0.0.0/16 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=10.0.0.0/8 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=172.16.0.0/12 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=192.168.0.0/16 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=169.254.0.0/16 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=192.0.2.0/24 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=198.51.100.0/24 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=203.0.113.0/24 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=198.18.0.0/15 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=192.88.99.0/24 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=100.64.0.0/10 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=240.0.0.0/4 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=224.0.0.0/4 list=all-bogon comment="List addr BOGON networks"`
+`/ip firewall address-list add address=255.255.255.255 list=all-bogon comment="List addr BOGON networks"`
+
+`/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections FID=SERVICE-RULES" connection-state=invalid`
+`/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections FID=SERVICE-RULES" connection-state=invalid`
+`/ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon`
+`/ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside`
+`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon`
+`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside`
+`/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside FID=SERVICE-RULES FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside`
+
+`/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset`
+`/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable`
+`/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""`
+`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset`
+`/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable`
+`/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""`
+
+6. For config bridge:
+`/interface bridge add name=bridge-1`
+`/interface bridge port add bridge=bridge-1 hw=yes interface=ether2`
+`/interface bridge port add bridge=bridge-1 hw=yes interface=ether3`
+`/interface bridge port add bridge=bridge-1 hw=yes interface=ether4`
+`/interface bridge port add bridge=bridge-1 hw=yes interface=ether5`
+
+У портов есть 3 варианта настроек:
+`admit all — Аналог гибридного порта, пропускать весь трафик (все теги vlan, в т.ч. native Vlan)`
+`admit only VLAN tagged — Аналог Trunk, пропускать только тэгированный трафик (все теги Vlan указанные в VLAN’s)`
+`admit only untagged and priority tagged — Аналог Access, пропускать указанный PVID Vlan`
+
+
+7. For backup
+`export terse file=gw02-21.04.20`
+
+`console clear-history`
+
+For CHR:
+4 vCPU / 4 RAM / 512MB IDE HDD
+
+vmkfstools -i chr-6.46.6.vmdk MikroTik-CHR.vmdk -d thin
+vmkfstools -X 512M MikroTik-CHR.vmdk
diff --git a/mikrotik/base-config/dc01-ccr01-terse.rsc b/mikrotik/base-config/dc01-ccr01-terse.rsc
new file mode 100644
index 0000000..b403c1a
--- /dev/null
+++ b/mikrotik/base-config/dc01-ccr01-terse.rsc
@@ -0,0 +1,130 @@
+# 2024-08-30 22:38:13 by RouterOS 7.15.3
+# software id = X2AJ-5BFT
+#
+# model = CCR2004-1G-12S+2XS
+# serial number = HEW095QA6AY
+/interface ethernet set [ find default-name=ether1 ] comment="Management interface for network devices (MAC server only)" name=ether1-mac-mgmt
+/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment="Link to switch dc01-sw01 [ bond ]" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus2 ] comment="Link to switch dc01-sw02 [ bond ]" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus3 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus4 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus5 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus6 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus7 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus8 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus9 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus10 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus11 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp-sfpplus12 ] comment="Link to router dc01-gw01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE" l2mtu=1600
+/interface ethernet set [ find default-name=sfp28-1 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=sfp28-2 ] l2mtu=9092 mtu=9000
+/interface bonding add mode=active-backup mtu=9000 name=bond_SW01_SW02 primary=sfp-sfpplus1 slaves=sfp-sfpplus1,sfp-sfpplus2
+/interface vlan add comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0002 vlan-id=2
+/interface vlan add comment="VLAN-0003 for VMware vSphere vMotion" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0003 vlan-id=3
+/interface vlan add 
comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=bond_SW01_SW02 name=VLAN-0010 vlan-id=10
+/interface vlan add comment="VLAN-0011 for Management iLO IPMI" interface=bond_SW01_SW02 name=VLAN-0011 vlan-id=11
+/interface vlan add comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=bond_SW01_SW02 mtu=9000 name=VLAN-3222-DMZ vlan-id=3222
+/interface list add name=interfaces-MAC-MGMT
+/ip smb users set [ find default=yes ] disabled=yes
+/port set 0 name=serial0
+/ip smb set enabled=no
+/ip firewall connection tracking set udp-timeout=10s
+/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
+/ip settings set tcp-syncookies=yes
+/ipv6 settings set disable-ipv6=yes
+/interface list member add interface=ether1-mac-mgmt list=interfaces-MAC-MGMT
+/ip address add address=10.12.90.254/24 comment="Transport for access outside <--> inside" interface=sfp-sfpplus12 network=10.12.90.0
+/ip address add address=10.8.2.1/24 comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" interface=VLAN-0002 network=10.8.2.0
+/ip address add address=10.8.3.1/24 comment="VLAN-0003 for VMware vSphere vMotion" interface=VLAN-0003 network=10.8.3.0
+/ip address add address=10.8.10.251/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=VLAN-0010 network=10.8.10.0
+/ip address add address=10.8.10.1/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=VLAN-0010 network=10.8.10.0
+/ip address add address=10.8.11.1/24 comment="VLAN-0011 for Management iLO IPMI" interface=VLAN-0011 network=10.8.11.0
+/ip address add address=10.11.222.1/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=VLAN-3222-DMZ network=10.11.222.0
+/ip cloud set update-time=no
+/ip dns set servers=77.88.8.8,77.88.8.1
+/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management network devices 
FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
+/ip firewall address-list add address=192.168.24.0/24 comment="List addr OpenVPN FID=ovp8nkdb4cxkq1ms" list=all-ovpn
+/ip firewall address-list add address=10.8.0.0/13 comment="all-all network dmz + inside + transport + ovpn + l2pt etc" list=all-networks
+/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
+/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+/ip firewall address-list add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" list=all-dmz
+/ip firewall address-list add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" list=all-inside
+/ip firewall address-list add address=10.12.90.0/24 comment="List subnetwork transport VLAN-4090 for access outside <--> inside" list=transport-sfp-sfpplus12
+/ip firewall address-list add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
+/ip firewall address-list add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" list=all-inside
+/ip firewall address-list add address=10.10.0.0/16 comment="all INSIDE networks (VLANs range 2000-2255)" list=all-inside
+/ip firewall address-list add address=10.8.2.0/24 comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" list=inside-VLAN-0002
+/ip firewall address-list add address=10.8.3.0/24 comment="VLAN-0003 for VMware vSphere vMotion" list=inside-VLAN-0003
+/ip firewall address-list add address=127.0.0.1 list=allow-default-for-all
+/ip firewall address-list add address=127.0.0.1 list=allow-default-buh
+/ip firewall address-list add address=10.8.10.0/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" list=inside-VLAN-0010
+/ip firewall address-list add address=10.8.11.0/24 
comment="VLAN-0011 for Management iLO IPMI" list=inside-VLAN-0011
+/ip firewall address-list add address=10.8.2.5 comment="VLAN-0002 [ dc01-vcsrv01-infr.comp.loc ]" list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc
+/ip firewall address-list add address=10.8.2.11 comment="VLAN-0002 [ host01.cluster01.esxi.comp.loc ] ESXI" list=inside-VLAN-0002-ESXi-Cluster01-hosts
+/ip firewall address-list add address=10.8.2.12 comment="VLAN-0002 [ host02.cluster01.esxi.comp.loc ] ESXI" list=inside-VLAN-0002-ESXi-Cluster01-hosts
+/ip firewall address-list add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-IT
+/ip firewall address-list add address=127.0.0.1 comment="allow [All ICMP,TCP,UDP] [ivanov_ovpn]" list=allow-to-VLAN-0002-adm-ALL
+/ip firewall address-list add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [All ICMP,TCP,UDP] [ivanov_ovpn] [VPN]" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
+/ip firewall address-list add address=127.0.0.1 list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-IT
+/ip firewall address-list add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:80,443] [ivanov_ovpn] [VPN] FID=1234567890" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
+/ip firewall address-list add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-SEC
+/ip firewall address-list add address=127.0.0.1 list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-SEC
+/ip firewall address-list add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:22] [ivanov_ovpn] [VPN]" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
+/ip firewall address-list add address=10.11.222.0/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" list=dmz-VLAN-3222
+/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
+/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related 
hw-offload=yes protocol=udp
+/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
+/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
+/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0002 -->> ME [ICMP] for VMware vSphere infrastructure (vCenter server, ESXi hosts)" connection-state=new dst-address-list=inside-VLAN-0002 in-interface=VLAN-0002 protocol=icmp src-address-list=inside-VLAN-0002
+/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICMP] for VMware vSphere vMotion" connection-state=new dst-address-list=inside-VLAN-0003 in-interface=VLAN-0003 protocol=icmp src-address-list=inside-VLAN-0003
+/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICMP] for Management interface for network devices (TCP/IP connect)" connection-state=new dst-address-list=inside-VLAN-0010 in-interface=VLAN-0010 protocol=icmp src-address-list=inside-VLAN-0010
+/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICMP] for Management iLO IPMI" connection-state=new dst-address-list=inside-VLAN-0011 in-interface=VLAN-0011 protocol=icmp src-address-list=inside-VLAN-0011
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 
protocol=tcp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-inside in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-inside dst-port=22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-dmz in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-dmz dst-port=22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept 
chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=icmp
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=tcp
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=udp
+/ip firewall filter add action=accept chain=allow-default-for-all protocol=icmp
+/ip firewall filter add action=accept chain=allow-default-buh protocol=icmp
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSPORT LINK <--> OUTSIDE (to dc01-gw01)" connection-state=new dst-address-list=!all-networks out-interface=sfp-sfpplus12 src-address-list=all-networks
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip firewall filter add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002 jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-adm-ALL
+/ip firewall filter add action=jump chain=forward connection-state=new 
dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
+/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 protocol=icmp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
+/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=22 out-interface=VLAN-0002 protocol=tcp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
+/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 protocol=icmp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
+/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=80,443 out-interface=VLAN-0002 protocol=tcp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
+/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.12.90.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip route add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip service set telnet disabled=yes
+/ip service set ftp disabled=yes
+/ip service set www disabled=yes
+/ip service set api disabled=yes
+/ip service set api-ssl disabled=yes
+/ip smb shares set [ find default=yes ] directory=/pub
+/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
+/system clock set time-zone-name=Europe/Moscow
+/system identity set name=dc01-ccr01
+/system 
note set show-at-login=no
+/system ntp client set enabled=yes
+/system ntp client servers add address=80.240.216.155
+/system ntp client servers add address=185.232.69.65
+/system routerboard settings set enter-setup-on=delete-key
+/tool bandwidth-server set enabled=no
+/tool mac-server set allowed-interface-list=none
+/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping set enabled=no
diff --git a/mikrotik/base-config/dc01-ccr01.rsc b/mikrotik/base-config/dc01-ccr01.rsc
new file mode 100644
index 0000000..e507455
--- /dev/null
+++ b/mikrotik/base-config/dc01-ccr01.rsc
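Review bot: The two `action=jump chain=forward ... jump-target=allow_icmp_tcp_udp` rules and the four `accept chain=forward ... src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH/-HTTPs` rules are exported after `deny FORWARD any -->> ME TCP reject-with tcp-reset`, the matching UDP reject and `deny FORWARD all`; export order is evaluation order, so a new connection from those admin lists is rejected before it ever reaches them, and the whole block has to move above the reject/drop rules, next to the other `allow FORWARD ...` rules. The comments on the ICMP input rules that match `in-interface=VLAN-0010` and `in-interface=VLAN-0011` still read `allow INPUT from VLAN-0003 -->> ME [ICMP] ...`, and the forward-chain reject rules are commented `deny FORWARD any -->> ME`; they should name VLAN-0010 / VLAN-0011 and `any -->> any`, as the same rules do in mikrotik/base-config/README.md. The admin-mgm-net input rule admits `dst-port=21,22,8291` although `/ip service set ftp disabled=yes` in the same file, so `21` is a dead allow and should be removed rather than left in place for a future service enable. `/ip ssh set always-allow-password-login=yes forwarding-enabled=both` keeps password authentication and SSH port forwarding on the core router; if administrators authenticate with keys, `always-allow-password-login=no forwarding-enabled=no` removes a credential-guessing and pivot surface that nothing in this export requires.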
@@ -0,0 +1,297 @@ +# 2024-08-30 22:38:15 by RouterOS 7.15.3 +# software id = X2AJ-5BFT +# +# model = CCR2004-1G-12S+2XS +# serial number = HEW095QA6AY +/interface ethernet +set [ find default-name=ether1 ] comment=\ + "Management interface for network devices (MAC server only)" name=\ + ether1-mac-mgmt +set [ find default-name=sfp-sfpplus1 ] comment=\ + "Link to switch dc01-sw01 [ bond ]" l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus2 ] comment=\ + "Link to switch dc01-sw02 [ bond ]" l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus3 ] l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus4 ] l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus5 ] l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus6 ] l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus7 ] l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus8 ] l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus9 ] l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus10 ] l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus11 ] l2mtu=9092 mtu=9000 +set [ find default-name=sfp-sfpplus12 ] comment=\ + "Link to router dc01-gw01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE" \ + l2mtu=1600 +set [ find default-name=sfp28-1 ] l2mtu=9092 mtu=9000 +set [ find default-name=sfp28-2 ] l2mtu=9092 mtu=9000 +/interface bonding +add mode=active-backup mtu=9000 name=bond_SW01_SW02 primary=sfp-sfpplus1 \ + slaves=sfp-sfpplus1,sfp-sfpplus2 +/interface vlan +add comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi\ + \_hosts)" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0002 vlan-id=2 +add comment="VLAN-0003 for VMware vSphere vMotion" interface=bond_SW01_SW02 \ + mtu=9000 name=VLAN-0003 vlan-id=3 +add comment=\ + "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \ + interface=bond_SW01_SW02 name=VLAN-0010 vlan-id=10 +add comment="VLAN-0011 for Management iLO IPMI" interface=bond_SW01_SW02 \ + name=VLAN-0011 vlan-id=11 +add comment="VLAN-3222-DMZ 
for ABC FID=EXAMPLE-DELETE" interface=\ + bond_SW01_SW02 mtu=9000 name=VLAN-3222-DMZ vlan-id=3222 +/interface list +add name=interfaces-MAC-MGMT +/ip smb users +set [ find default=yes ] disabled=yes +/port +set 0 name=serial0 +/ip smb +set enabled=no +/ip firewall connection tracking +set udp-timeout=10s +/ip neighbor discovery-settings +set discover-interface-list=interfaces-MAC-MGMT +/ip settings +set tcp-syncookies=yes +/ipv6 settings +set disable-ipv6=yes +/interface list member +add interface=ether1-mac-mgmt list=interfaces-MAC-MGMT +/ip address +add address=10.12.90.254/24 comment=\ + "Transport for access outside <--> inside" interface=sfp-sfpplus12 \ + network=10.12.90.0 +add address=10.8.2.1/24 comment="VLAN-0002 for VMware vSphere infrastructure (\ + vCenter server, ESXi hosts)" interface=VLAN-0002 network=10.8.2.0 +add address=10.8.3.1/24 comment="VLAN-0003 for VMware vSphere vMotion" \ + interface=VLAN-0003 network=10.8.3.0 +add address=10.8.10.251/24 comment=\ + "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \ + interface=VLAN-0010 network=10.8.10.0 +add address=10.8.10.1/24 comment=\ + "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \ + interface=VLAN-0010 network=10.8.10.0 +add address=10.8.11.1/24 comment="VLAN-0011 for Management iLO IPMI" \ + interface=VLAN-0011 network=10.8.11.0 +add address=10.11.222.1/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" \ + interface=VLAN-3222-DMZ network=10.11.222.0 +/ip cloud +set update-time=no +/ip dns +set servers=77.88.8.8,77.88.8.1 +/ip firewall address-list +add address=10.8.10.0/24 comment="List addr for Management network devices FID\ + =admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net +add address=192.168.24.0/24 comment="List addr OpenVPN FID=ovp8nkdb4cxkq1ms" \ + list=all-ovpn +add address=10.8.0.0/13 comment=\ + "all-all network dmz + inside + transport + ovpn + l2pt etc" list=\ + all-networks +add address=172.16.38.222 comment="List addr for 
L2TP VPN IvanovSS FID=admin-a\ + ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm +add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\ + s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm +add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" \ + list=all-dmz +add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" \ + list=all-inside +add address=10.12.90.0/24 comment=\ + "List subnetwork transport VLAN-4090 for access outside <--> inside" \ + list=transport-sfp-sfpplus12 +add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks +add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" \ + list=all-inside +add address=10.10.0.0/16 comment=\ + "all INSIDE networks (VLANs range 2000-2255)" list=all-inside +add address=10.8.2.0/24 comment="VLAN-0002 for VMware vSphere infrastructure (\ + vCenter server, ESXi hosts)" list=inside-VLAN-0002 +add address=10.8.3.0/24 comment="VLAN-0003 for VMware vSphere vMotion" list=\ + inside-VLAN-0003 +add address=127.0.0.1 list=allow-default-for-all +add address=127.0.0.1 list=allow-default-buh +add address=10.8.10.0/24 comment=\ + "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \ + list=inside-VLAN-0010 +add address=10.8.11.0/24 comment="VLAN-0011 for Management iLO IPMI" list=\ + inside-VLAN-0011 +add address=10.8.2.5 comment="VLAN-0002 [ dc01-vcsrv01-infr.comp.loc ]" list=\ + inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc +add address=10.8.2.11 comment=\ + "VLAN-0002 [ host01.cluster01.esxi.comp.loc ] ESXI" list=\ + inside-VLAN-0002-ESXi-Cluster01-hosts +add address=10.8.2.12 comment=\ + "VLAN-0002 [ host02.cluster01.esxi.comp.loc ] ESXI" list=\ + inside-VLAN-0002-ESXi-Cluster01-hosts +add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-IT +add address=127.0.0.1 comment="allow [All ICMP,TCP,UDP] [ivanov_ovpn]" list=\ + allow-to-VLAN-0002-adm-ALL +add address=127.0.0.1 comment="allow 
-> dc01-vcsrv01-infr.comp.loc [All ICMP,T\ + CP,UDP] [ivanov_ovpn] [VPN]" list=\ + allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL +add address=127.0.0.1 list=\ + allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-IT +add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:8\ + 0,443] [ivanov_ovpn] [VPN] FID=1234567890" list=\ + allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs +add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-SEC +add address=127.0.0.1 list=\ + allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-SEC +add address=127.0.0.1 comment=\ + "allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:22] [ivanov_ovpn] [VPN]" \ + list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH +add address=10.11.222.0/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" \ + list=dmz-VLAN-3222 +/ip firewall filter +add action=fasttrack-connection chain=forward connection-state=\ + established,related hw-offload=yes protocol=tcp +add action=fasttrack-connection chain=forward connection-state=\ + established,related hw-offload=yes protocol=udp +add action=accept chain=input comment="allow INPUT established,related" \ + connection-state=established,related +add action=accept chain=forward comment="allow FORWARD established,related" \ + connection-state=established,related +add action=drop chain=input comment="deny INPUT Invalid connections" \ + connection-state=invalid +add action=drop chain=forward comment="deny FORWARD Invalid connections" \ + connection-state=invalid +add action=accept chain=input comment="allow INPUT from VLAN-0002 -->> ME [ICM\ + P] for VMware vSphere infrastructure (vCenter server, ESXi hosts)" \ + connection-state=new dst-address-list=inside-VLAN-0002 in-interface=\ + VLAN-0002 protocol=icmp src-address-list=inside-VLAN-0002 +add action=accept chain=input comment=\ + "allow INPUT from VLAN-0003 -->> ME [ICMP] for VMware vSphere vMotion" \ + connection-state=new dst-address-list=inside-VLAN-0003 in-interface=\ + 
VLAN-0003 protocol=icmp src-address-list=inside-VLAN-0003 +add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICM\ + P] for Management interface for network devices (TCP/IP connect)" \ + connection-state=new dst-address-list=inside-VLAN-0010 in-interface=\ + VLAN-0010 protocol=icmp src-address-list=inside-VLAN-0010 +add action=accept chain=input comment=\ + "allow INPUT from VLAN-0003 -->> ME [ICMP] for Management iLO IPMI" \ + connection-state=new dst-address-list=inside-VLAN-0011 in-interface=\ + VLAN-0011 protocol=icmp src-address-list=inside-VLAN-0011 +add action=accept chain=input comment=\ + "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \ + in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net +add action=accept chain=input comment=\ + "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \ + dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\ + admin-mgm-net +add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\ + ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \ + in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm +add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\ + ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \ + dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\ + admin-L2TP-VPN-mgm +add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\ + ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \ + in-interface=sfp-sfpplus12 protocol=icmp src-address-list=\ + admin-L2TP-VPN-mgm +add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \ + ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \ + connection-state=new dst-address-list=all-inside in-interface=\ + sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm +add action=accept chain=forward 
comment="allow FORWARD from L2TP VPN MGM -->> \ + ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \ + connection-state=new dst-address-list=all-inside dst-port=\ + 22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp \ + src-address-list=admin-L2TP-VPN-mgm +add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \ + ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=\ + new dst-address-list=all-dmz in-interface=sfp-sfpplus12 protocol=icmp \ + src-address-list=admin-L2TP-VPN-mgm +add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \ + ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=\ + new dst-address-list=all-dmz dst-port=22,80,443,5480,3389,8291 \ + in-interface=sfp-sfpplus12 protocol=tcp src-address-list=\ + admin-L2TP-VPN-mgm +add action=accept chain=allow_icmp_tcp_udp comment=\ + "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=icmp +add action=accept chain=allow_icmp_tcp_udp comment=\ + "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=tcp +add action=accept chain=allow_icmp_tcp_udp comment=\ + "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=udp +add action=accept chain=allow-default-for-all protocol=icmp +add action=accept chain=allow-default-buh protocol=icmp +add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSP\ + ORT LINK <--> OUTSIDE (to dc01-gw01)" connection-state=new \ + dst-address-list=!all-networks out-interface=sfp-sfpplus12 \ + src-address-list=all-networks +add action=reject chain=input comment=\ + "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \ + protocol=tcp reject-with=tcp-reset +add action=reject chain=input comment=\ + "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \ + connection-state=new protocol=udp reject-with=icmp-port-unreachable +add action=drop chain=input comment="deny INPUT all" connection-state="" +add action=reject 
chain=forward comment=\ + "deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \ + protocol=tcp reject-with=tcp-reset +add action=reject chain=forward comment=\ + "deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \ + connection-state=new protocol=udp reject-with=icmp-port-unreachable +add action=drop chain=forward comment="deny FORWARD all" connection-state="" +add action=jump chain=forward connection-state=new dst-address-list=\ + inside-VLAN-0002 jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 \ + src-address-list=allow-to-VLAN-0002-adm-ALL +add action=jump chain=forward connection-state=new dst-address-list=\ + inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc jump-target=\ + allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=\ + allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL +add action=accept chain=forward connection-state=new dst-address-list=\ + inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 \ + protocol=icmp src-address-list=\ + allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH +add action=accept chain=forward connection-state=new dst-address-list=\ + inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=22 out-interface=\ + VLAN-0002 protocol=tcp src-address-list=\ + allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH +add action=accept chain=forward connection-state=new dst-address-list=\ + inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 \ + protocol=icmp src-address-list=\ + allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs +add action=accept chain=forward connection-state=new dst-address-list=\ + inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=80,443 \ + out-interface=VLAN-0002 protocol=tcp src-address-list=\ + allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs +/ip route +add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.12.90.1 \ + routing-table=main scope=30 suppress-hw-offload=no target-scope=10 +add comment="Route for back for admin-L2TP-VPN 
FID=admin-access-l2tp-vpn-en7gd\ + nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\ + 10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \ + target-scope=10 +/ip service +set telnet disabled=yes +set ftp disabled=yes +set www disabled=yes +set api disabled=yes +set api-ssl disabled=yes +/ip smb shares +set [ find default=yes ] directory=/pub +/ip ssh +set always-allow-password-login=yes forwarding-enabled=both host-key-size=\ + 4096 strong-crypto=yes +/system clock +set time-zone-name=Europe/Moscow +/system identity +set name=dc01-ccr01 +/system note +set show-at-login=no +/system ntp client +set enabled=yes +/system ntp client servers +add address=80.240.216.155 +add address=185.232.69.65 +/system routerboard settings +set enter-setup-on=delete-key +/tool bandwidth-server +set enabled=no +/tool mac-server +set allowed-interface-list=none +/tool mac-server mac-winbox +set allowed-interface-list=interfaces-MAC-MGMT +/tool mac-server ping +set enabled=no diff --git a/mikrotik/base-config/dc01-emer01-terse.rsc b/mikrotik/base-config/dc01-emer01-terse.rsc new file mode 100644 index 0000000..3c0649b --- /dev/null +++ b/mikrotik/base-config/dc01-emer01-terse.rsc 
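Review bot: The six VLAN-0002 forward rules at the end of `/ip firewall filter` (the two `action=jump ... jump-target=allow_icmp_tcp_udp` rules and the SSH/HTTPs accepts for dc01-vcsrv01-infr.comp.loc) sit after `add action=drop chain=forward comment="deny FORWARD all" connection-state=""`, and the chain is evaluated in export order, so a new connection is rejected or dropped before any of them is reached; they belong above the two `reject chain=forward` rules, where the L2TP-VPN forward accepts already are. The `allow INPUT from admin mgm net` TCP rule opens `dst-port=21,22,8291` while `/ip service set ftp disabled=yes` turns FTP off, so `21` should come out of the rule to keep the filter consistent with the service list. `/ip ssh set always-allow-password-login=yes forwarding-enabled=both` on the core router means a user with an imported public key can still log in by password and can open local and remote SSH tunnels into the management VLANs; `always-allow-password-login=no forwarding-enabled=no` is the usual baseline, and the same line appears in both dc01-emer01 files. The comments on the VLAN-0010 and VLAN-0011 input rules still read `allow INPUT from VLAN-0003 -->> ME`, and the `# serial number` and `# software id` header lines identify real devices in what the README calls example configs, so they are worth scrubbing before publishing.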
@@ -0,0 +1,90 @@ +# 2024-09-04 13:07:25 by RouterOS 7.15.3 +# software id = 73EZ-45GQ +# +# model = RB750Gr3 +# serial number = 6F380862DC41 +/interface bridge add name=bridge-local +/interface ethernet set [ find default-name=ether1 ] name=ether1-outside +/interface list add name=interfaces-MAC-MGMT +/interface list add name=interfaces-outside +/ppp profile add bridge=bridge-local change-tcp-mss=yes local-address=172.20.1.1 name=emergency only-one=yes use-ipv6=no use-mpls=no use-upnp=no +/ip smb set enabled=no +/interface bridge port add bridge=bridge-local interface=ether2 +/interface bridge port add bridge=bridge-local interface=ether3 +/interface bridge port add bridge=bridge-local interface=ether4 +/interface bridge port add bridge=bridge-local interface=ether5 +/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT +/ip settings set tcp-syncookies=yes +/ipv6 settings set disable-ipv6=yes +/interface list member add interface=ether2 list=interfaces-MAC-MGMT +/interface list member add interface=ether3 list=interfaces-MAC-MGMT +/interface list member add interface=ether4 list=interfaces-MAC-MGMT +/interface list member add interface=ether5 list=interfaces-MAC-MGMT +/interface list member add interface=ether1-outside list=interfaces-outside +/interface ovpn-server server set auth=sha1 certificate=ovpn-server cipher=aes256-cbc default-profile=emergency enabled=yes mode=ethernet port=40004 protocol=udp require-client-certificate=yes tls-version=only-1.2 +/ip address add address=11.11.11.123/29 interface=ether1-outside network=11.11.11.120 +/ip cloud set update-time=no +/ip dns set servers=8.8.8.8 +/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside +/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=outside-only-22.22.22.123 +/ip firewall address-list add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon +/ip firewall 
address-list add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon +/ip firewall address-list add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon +/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related +/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related +/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid +/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid +/ip firewall filter add action=drop chain=input comment="deny INPUT 
outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface-list=interfaces-outside src-address-list=all-bogon +/ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface-list=interfaces-outside +/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface-list=interfaces-outside src-address-list=all-bogon +/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface-list=interfaces-outside +/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside FID=SERVICE-RULES FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside +/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [ICMP]" connection-state=new in-interface=ether1-outside protocol=icmp +/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME OVPN server [UDP:40004]" connection-state=new dst-port=40004 in-interface=ether1-outside protocol=udp +/ip firewall filter add action=accept chain=input connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=62.212.68.103 +/ip firewall filter add action=accept chain=input connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=213.141.150.29 +/ip firewall filter add action=accept chain=input dst-address=172.20.1.0/24 in-interface=bridge-local protocol=icmp src-address=172.20.1.0/24 +/ip firewall filter add action=accept chain=input connection-state=new dst-address=172.20.1.0/24 dst-port=22,8291 in-interface=bridge-local protocol=tcp 
src-address=172.20.1.0/24 +/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset +/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable +/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state="" +/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset +/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable +/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state="" +/ip hotspot profile set [ find default=yes ] html-directory=hotspot +/ip route add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=main suppress-hw-offload=no +/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8 +/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16 +/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12 +/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16 +/ip service set telnet disabled=yes +/ip service set ftp disabled=yes +/ip service set www disabled=yes +/ip service set api disabled=yes +/ip service set api-ssl disabled=yes +/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes +/ppp secret add name=ivanov_ovpn profile=emergency remote-address=172.20.1.2 
service=ovpn +/system clock set time-zone-name=Europe/Moscow +/system identity set name=dc01-emer01 +/system note set show-at-login=no +/system ntp client set enabled=yes +/system ntp client servers add address=0.pool.ntp.org +/system ntp client servers add address=1.pool.ntp.org +/system ntp client servers add address=2.pool.ntp.org +/system ntp client servers add address=3.pool.ntp.org +/tool bandwidth-server set enabled=no +/tool mac-server set allowed-interface-list=none +/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT +/tool mac-server ping set enabled=no diff --git a/mikrotik/base-config/dc01-emer01.rsc b/mikrotik/base-config/dc01-emer01.rsc new file mode 100644 index 0000000..1f0fea8 --- /dev/null +++ b/mikrotik/base-config/dc01-emer01.rsc 
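Review bot: The bogon entry `add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon` covers only part of the loopback block and should be `address=127.0.0.0/8`; dc01-emer01.rsc carries the same line. Several comments contradict the rule they are on: the `connection-nat-state=!dstnat ... in-interface=ether1-outside` drop is labelled `deny FORWARD from inside -->> outside` (with `FID=SERVICE-RULES` repeated) although it matches traffic arriving on the outside interface, the forward UDP reject says `reject-with tcp-reset` but uses `reject-with=icmp-port-unreachable`, and the `outside-only-22.22.22.123` list actually holds `11.11.11.123`. A suggested comment for the drop rule is `"deny FORWARD from outside -->> inside without DST-NAT FID=SERVICE-RULES"`. Each of these is repeated in dc01-emer01.rsc.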
@@ -0,0 +1,164 @@ +# 2024-09-04 13:07:44 by RouterOS 7.15.3 +# software id = 73EZ-45GQ +# +# model = RB750Gr3 +# serial number = 6F380862DC41 +/interface bridge +add name=bridge-local +/interface ethernet +set [ find default-name=ether1 ] name=ether1-outside +/interface list +add name=interfaces-MAC-MGMT +add name=interfaces-outside +/ppp profile +add bridge=bridge-local change-tcp-mss=yes local-address=172.20.1.1 name=\ + emergency only-one=yes use-ipv6=no use-mpls=no use-upnp=no +/ip smb +set enabled=no +/interface bridge port +add bridge=bridge-local interface=ether2 +add bridge=bridge-local interface=ether3 +add bridge=bridge-local interface=ether4 +add bridge=bridge-local interface=ether5 +/ip neighbor discovery-settings +set discover-interface-list=interfaces-MAC-MGMT +/ip settings +set tcp-syncookies=yes +/ipv6 settings +set disable-ipv6=yes +/interface list member +add interface=ether2 list=interfaces-MAC-MGMT +add interface=ether3 list=interfaces-MAC-MGMT +add interface=ether4 list=interfaces-MAC-MGMT +add interface=ether5 list=interfaces-MAC-MGMT +add interface=ether1-outside list=interfaces-outside +/interface ovpn-server server +set auth=sha1 certificate=ovpn-server cipher=aes256-cbc default-profile=\ + emergency enabled=yes mode=ethernet port=40004 protocol=udp \ + require-client-certificate=yes tls-version=only-1.2 +/ip address +add address=11.11.11.123/29 interface=ether1-outside network=11.11.11.120 +/ip cloud +set update-time=no +/ip dns +set servers=8.8.8.8 +/ip firewall address-list +add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside +add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=\ + outside-only-22.22.22.123 +add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon +add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon +add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon +add address=172.16.0.0/12 comment="List addr BOGON networks" 
list=all-bogon +add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon +add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon +add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon +add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon +add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon +add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon +add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon +add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon +add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon +add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon +add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon +/ip firewall filter +add action=accept chain=input comment="allow INPUT established,related" \ + connection-state=established,related +add action=accept chain=forward comment="allow FORWARD established,related" \ + connection-state=established,related +add action=drop chain=input comment="deny INPUT Invalid connections" \ + connection-state=invalid +add action=drop chain=forward comment="deny FORWARD Invalid connections" \ + connection-state=invalid +add action=drop chain=input comment=\ + "deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" \ + connection-state="" in-interface-list=interfaces-outside \ + src-address-list=all-bogon +add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON\ + \_IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=\ + all-bogon out-interface-list=interfaces-outside +add action=drop chain=forward comment="deny FORWARD from outside -->> inside [\ + \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \ + in-interface-list=interfaces-outside src-address-list=all-bogon +add action=drop chain=forward comment="deny FORWARD 
from inside -->> outside [\ + \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \ + dst-address-list=all-bogon out-interface-list=interfaces-outside +add action=drop chain=forward comment="deny FORWARD from inside -->> outside F\ + ID=SERVICE-RULES FID=SERVICE-RULES" connection-nat-state=!dstnat \ + connection-state=new in-interface=ether1-outside +add action=accept chain=input comment=\ + "allow INPUT from outside -->> ME [ICMP]" connection-state=new \ + in-interface=ether1-outside protocol=icmp +add action=accept chain=input comment=\ + "allow INPUT from outside -->> ME OVPN server [UDP:40004]" \ + connection-state=new dst-port=40004 in-interface=ether1-outside protocol=\ + udp +add action=accept chain=input connection-state=new dst-port=22,8291 \ + in-interface=ether1-outside protocol=tcp src-address=62.212.68.103 +add action=accept chain=input connection-state=new dst-port=22,8291 \ + in-interface=ether1-outside protocol=tcp src-address=213.141.150.29 +add action=accept chain=input dst-address=172.20.1.0/24 in-interface=\ + bridge-local protocol=icmp src-address=172.20.1.0/24 +add action=accept chain=input connection-state=new dst-address=172.20.1.0/24 \ + dst-port=22,8291 in-interface=bridge-local protocol=tcp src-address=\ + 172.20.1.0/24 +add action=reject chain=input comment=\ + "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \ + protocol=tcp reject-with=tcp-reset +add action=reject chain=input comment=\ + "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \ + connection-state=new protocol=udp reject-with=icmp-port-unreachable +add action=drop chain=input comment="deny INPUT all" connection-state="" +add action=reject chain=forward comment=\ + "deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=\ + new protocol=tcp reject-with=tcp-reset +add action=reject chain=forward comment=\ + "deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=\ + new log-prefix=reject_fw_udp 
protocol=udp reject-with=\ + icmp-port-unreachable +add action=drop chain=forward comment="deny FORWARD all" connection-state="" +/ip hotspot profile +set [ find default=yes ] html-directory=hotspot +/ip route +add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=\ + main suppress-hw-offload=no +add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \ + distance=249 dst-address=10.0.0.0/8 +add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \ + distance=249 dst-address=169.254.0.0/16 +add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \ + distance=249 dst-address=172.16.0.0/12 +add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \ + distance=249 dst-address=192.168.0.0/16 +/ip service +set telnet disabled=yes +set ftp disabled=yes +set www disabled=yes +set api disabled=yes +set api-ssl disabled=yes +/ip ssh +set always-allow-password-login=yes forwarding-enabled=both host-key-size=\ + 4096 strong-crypto=yes +/ppp secret +add name=ivanov_ovpn profile=emergency remote-address=172.20.1.2 service=ovpn +/system clock +set time-zone-name=Europe/Moscow +/system identity +set name=dc01-emer01 +/system note +set show-at-login=no +/system ntp client +set enabled=yes +/system ntp client servers +add address=0.pool.ntp.org +add address=1.pool.ntp.org +add address=2.pool.ntp.org +add address=3.pool.ntp.org +/tool bandwidth-server +set enabled=no +/tool mac-server +set allowed-interface-list=none +/tool mac-server mac-winbox +set allowed-interface-list=interfaces-MAC-MGMT +/tool mac-server ping +set enabled=no diff --git a/mikrotik/base-config/dc01-gw01-terse.rsc b/mikrotik/base-config/dc01-gw01-terse.rsc new file mode 100644 index 0000000..c1c622b --- /dev/null +++ b/mikrotik/base-config/dc01-gw01-terse.rsc 
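Review bot: The two input accepts `add action=accept chain=input connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=62.212.68.103` and the matching `213.141.150.29` rule expose SSH and WinBox on the public interface to bare addresses with no comment, unlike the rest of the file, which names a purpose and an address-list for every match; one commented `/ip firewall address-list` entry per address (for example `list=admin-outside-mgm`, a constructed name) and a single rule with `src-address-list=` would document who they are and turn rotation into a list edit. On `/interface ovpn-server server`, `auth=sha1 cipher=aes256-cbc` selects an HMAC-SHA1 data channel; RouterOS 7 also offers `auth=sha256` and `cipher=aes256-gcm`, which are preferable where the clients support them, while `require-client-certificate=yes tls-version=only-1.2` are already set correctly. The same OVPN and input lines appear in dc01-emer01-terse.rsc.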
@@ -0,0 +1,168 @@
+# 2024-08-30 22:34:45 by RouterOS 7.15.3
+# software id = 6HAJ-6CUK
+#
+# model = RB4011iGS+
+# serial number = HEH08H8P0GS
+/interface ethernet set [ find default-name=ether1 ] name=ether1-outside
+/interface ethernet set [ find default-name=ether2 ] disabled=yes
+/interface ethernet set [ find default-name=ether3 ] disabled=yes
+/interface ethernet set [ find default-name=ether4 ] disabled=yes
+/interface ethernet set [ find default-name=ether5 ] disabled=yes
+/interface ethernet set [ find default-name=ether6 ] disabled=yes
+/interface ethernet set [ find default-name=ether7 ] disabled=yes
+/interface ethernet set [ find default-name=ether8 ] comment="Management interface for network devices (TCP/IP connect)" name=ether8-mgmt
+/interface ethernet set [ find default-name=ether9 ] comment="Management interface for network devices (MAC server only)" name=ether9-mac-mgmt
+/interface ethernet set [ find default-name=ether10 ] disabled=yes
+/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment="Link to dc01-ccr01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE"
+/interface list add name=interfaces-MGM
+/interface list add name=interfaces-outside
+/interface list add name=interfaces-VPN-ptp
+/ip smb users set [ find default=yes ] disabled=yes
+/port set 0 name=serial0
+/port set 1 name=serial1
+/ppp profile add change-tcp-mss=yes comment="For L2TP VPN MGM admins FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" name=L2TP_VPN_Profile_mgm only-one=no use-compression=yes use-encryption=yes use-ipv6=no use-mpls=no use-upnp=no
+/ip smb set enabled=no
+/ip firewall connection tracking set udp-timeout=10s
+/ip neighbor discovery-settings set discover-interface-list=interfaces-MGM
+/ip settings set tcp-syncookies=yes
+/ipv6 settings set disable-ipv6=yes
+/interface l2tp-server server set authentication=mschap2 enabled=yes use-ipsec=yes
+/interface list member add interface=ether9-mac-mgmt list=interfaces-MGM
+/interface list member add interface=ether1-outside list=interfaces-outside
+/ip address add address=10.12.90.1/24 comment="Transport for access outside <--> inside" interface=sfp-sfpplus1 network=10.12.90.0
+/ip address add address=11.11.11.122/29 comment="Outside IPs" interface=ether1-outside network=11.11.11.120
+/ip address add address=10.8.10.11/24 comment="Management interface for network devices (TCP/IP connect)" interface=ether8-mgmt network=10.8.10.0
+/ip cloud set update-time=no
+/ip dns set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:53 ] FID=n1fk4do7we2ah5uz" list=allow_inet_DNS
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:22] FID=pq9dm54nwj4ah6ee" list=allow_inet_SSH
+/ip firewall address-list add address=11.11.11.122 comment="List addr OUTSIDE IPs" list=all-outside
+/ip firewall address-list add address=11.11.11.122 comment="List addr OUTSIDE IP=22.22.22.122" list=outside-only-22.22.22.122
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [ICMP] FID=zpfju4q8wn2hj5n7" list=allow_inet_icmp
+/ip firewall address-list add address=192.168.24.0/24 comment="List addr OpenVPN" disabled=yes list=all-ovpn
+/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
+/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=outside-only-22.22.22.123
+/ip firewall address-list add address=11.11.11.124 comment="List addr OUTSIDE IP=22.22.22.124" list=outside-only-22.22.22.124
+/ip firewall address-list add address=11.11.11.125 comment="List addr OUTSIDE IP=22.22.22.125" list=outside-only-22.22.22.125
+/ip firewall address-list add address=10.99.99.99 comment="List addr clients from inside network to local DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
+/ip firewall address-list add address=10.99.99.77 comment="List addr clients from inside network to local DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:80,443] servername.local FID=q5tst1p6o3jrdnb9" list=allow_inet_HTTPS
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [ALL:ALL] FID=allan3smjenrbtq3" list=allow_inet_all
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:25,465,587] FID=alld1nrr9nabdnt1" list=allow_inet_SMTP
+/ip firewall address-list add address=10.8.0.0/13 comment="all-all network dmz + inside + transport + ovpn + l2pt etc" list=all-networks
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:143,993] FID=izmp3domfei9qnae" list=allow_inet_IMAP
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:43] FID=ivnusgh98hs98wh9" list=allow_inet_WHOIS
+/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
+/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" list=allow_inet_IPsec
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" list=allow_inet
+/ip firewall address-list add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
+/ip firewall address-list add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" list=all-dmz
+/ip firewall address-list add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" list=all-inside
+/ip firewall address-list add address=10.12.90.0/24 comment="List subnetwork transport VLAN-4090 for access outside <--> inside" list=transport-sfp-sfpplus1
+/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management network devices FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
+/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:123] FID=ab2ntprroam3e5fd" list=allow_inet_NTP
+/ip firewall address-list add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
+/ip firewall address-list add address=11.11.11.124 comment="List addr OUTSIDE IPs" list=all-outside
+/ip firewall address-list add address=11.11.11.125 comment="List addr OUTSIDE IPs" list=all-outside
+/ip firewall address-list add address=10.12.90.254 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-ccr01 ]" list=allow_inet
+/ip firewall address-list add address=10.8.10.201 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw01 ]" list=allow_inet
+/ip firewall address-list add address=10.8.10.202 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw02 ]" list=allow_inet
+/ip firewall address-list add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" list=all-inside
+/ip firewall address-list add address=10.10.0.0/16 comment="all INSIDE networks (VLANs range 2000-2255)" list=all-inside
+/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
+/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=udp
+/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
+/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
+/ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside
+/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside -->> VLAN-3001-DMZ DNAT (UDP 22211 -> 10.91.1.11:22211) FID=2hfs38dq1jr42rwe" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.1.11 dst-port=22211 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=udp src-address-list=!all-networks
+/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside -->> VLAN-3001-DMZ DNAT (TCP 22212 -> 10.91.1.12:22212) FID=2hfs38dq1jr42rwe" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.1.12 dst-port=22212 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
+/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside to frontweb01.dmz-3002.company.local DNAT (22.22.22.124 TCP 80,443 -->> 10.91.2.10 TCP 80,443) FID=web-cuc76crsswg2z3h1rg33e" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.2.10 dst-port=80,443 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
+/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside to front mail server frontmail01.dmz-3003.rvision.local (22.22.22.124 TCP 25 465 -->> 10.91.3.11 DNAT TCP 25 465) FID=ewojf9q8twef86gp" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.3.11 dst-port=25,465,993 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
+/ip firewall filter add action=jump chain=forward comment="allow FORWARD from inside -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=sfp-sfpplus1 jump-target=allow_icmp_tcp_udp out-interface=ether1-outside src-address-list=allow_inet
+/ip firewall filter add action=jump chain=forward comment="allow FORWARD from inside MGM -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=ether8-mgmt jump-target=allow_icmp_tcp_udp out-interface=ether1-outside src-address-list=allow_inet
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ICMP] FID=zpfju4q8wn2hj5n7" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=icmp src-address-list=allow_inet_icmp
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:22] FID=pq9dm54nwj4ah6ee" connection-nat-state="" connection-state=new dst-port=22 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_SSH
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:143,993] FID=izmp3domfei9qnae" connection-nat-state="" connection-state=new dst-port=143,993 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_IMAP
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:25,465,587] FID=alld1nrr9nabdnt1" connection-nat-state="" connection-state=new dst-port=25,465,587 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_SMTP
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:53] FID=n1fk4do7we2ah5uz" connection-nat-state="" connection-state=new dst-port=53 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_DNS
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:123] FID=ab2ntprroam3e5fd" connection-nat-state="" connection-state=new dst-port=123 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_NTP
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:43] FID=ivnusgh98hs98wh9" connection-nat-state="" connection-state=new dst-port=43 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_WHOIS
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:80,443] FID=q5tst1p6o3jrdnb9" connection-nat-state="" connection-state=new dst-port=80,443 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_HTTPS
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" connection-nat-state="" connection-state=new dst-port=500,1701,4500 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_IPsec
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ALL:ALL] FID=allan3smjenrbtq3" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside src-address-list=allow_inet_all
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic out-interface=ether8-mgmt protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,80,443,8291 in-interface-list=dynamic out-interface=ether8-mgmt protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-NETWORK !!!WARNING - All ACL Firewall in DC01-CCR01!!! FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-networks in-interface-list=dynamic out-interface=sfp-sfpplus1 src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=icmp
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=tcp
+/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=udp
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [ICMP]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=icmp
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [GRE]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=gre
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [IPsec-esp]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=ipsec-esp
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [IPsec-ah]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=ipsec-ah
+/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME (UDP:500,1701,4500]" connection-state=new dst-address-list=outside-only-22.22.22.122 dst-port=500,1701,4500 in-interface=ether1-outside protocol=udp
+/ip firewall filter add action=accept chain=input comment="allow INPUT from transport sfp-sfpplus1 -->> ME [ICMP]" connection-state=new dst-address-list=transport-sfp-sfpplus1 in-interface=sfp-sfpplus1 protocol=icmp src-address-list=transport-sfp-sfpplus1
+/ip firewall filter add action=accept chain=input comment="allow INPUT from inside -->> ME [UDP:53 DNS] for spoofing DNS" connection-state=new dst-port=53 in-interface=sfp-sfpplus1 protocol=udp src-address-list=allow-INSDIE-to-local-DNS
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=ether8-mgmt protocol=icmp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=53 in-interface=ether8-mgmt protocol=udp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=ether8-mgmt protocol=tcp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,8291 in-interface-list=dynamic protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip firewall nat add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside all networks (outside IP = 11.11.11.122)" dst-address-list=!all-networks out-interface=ether1-outside src-address-list=all-networks to-addresses=11.11.11.122
+/ip firewall nat add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside mail systems for SPF rec TCP 25,465 (outside IP = 22.22.22.125) " disabled=yes dst-port=25,465 out-interface=ether1-outside protocol=tcp src-address=10.91.3.11 to-addresses=22.22.22.123
+/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN-3001-DMZ (22.22.22.122 UDP 22211 -->> 10.91.1.11 UDP 22211) OpenVPN 01 FID=2hfs38dq1jr42rwe" disabled=yes dst-address-list=outside-only-22.22.22.122 dst-port=22211 in-interface=ether1-outside protocol=udp src-address-list=!all-networks to-addresses=10.91.1.11 to-ports=22211
+/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN-3001-DMZ (22.22.22.122 TCP 22212 -->> 10.91.1.12 TCP 22212) OpenVPN 02 FID=hf92hfh38dh1jr421we" disabled=yes dst-address-list=outside-only-22.22.22.122 dst-port=22212 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.1.12 to-ports=22212
+/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 25 -->> 10.91.3.11 TCP 25) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=25 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=25
+/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 465 -->> 10.91.3.11 TCP 465) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=465 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=465
+/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 993 -->> 10.91.3.11 TCP 993) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=993 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=993
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12
+/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16
+/ip route add comment="Route to DC01-CCR01 all networks" disabled=no distance=1 dst-address=10.8.0.0/13 gateway=10.12.90.254 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip route add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=main suppress-hw-offload=no
+/ip service set telnet disabled=yes
+/ip service set ftp disabled=yes
+/ip service set www disabled=yes
+/ip service set api disabled=yes
+/ip service set api-ssl disabled=yes
+/ip smb shares set [ find default=yes ] directory=/pub
+/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
+/ppp secret add comment="L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq" local-address=172.16.38.1 name=ivanov_mgm profile=L2TP_VPN_Profile_mgm remote-address=172.16.38.222 service=l2tp
+/system clock set time-zone-name=Europe/Moscow
+/system identity set name=dc01-gw01
+/system note set show-at-login=no
+/system ntp client set enabled=yes
+/system ntp client servers add address=80.240.216.155
+/system ntp client servers add address=185.232.69.65
+/system routerboard settings set enter-setup-on=delete-key
+/tool bandwidth-server set enabled=no
+/tool mac-server set allowed-interface-list=none
+/tool mac-server mac-winbox set allowed-interface-list=interfaces-MGM
+/tool mac-server ping set enabled=no
diff --git a/mikrotik/base-config/dc01-gw01.rsc b/mikrotik/base-config/dc01-gw01.rsc
new file mode 100644
index 0000000..60136b2
--- /dev/null
+++ b/mikrotik/base-config/dc01-gw01.rsc
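Review bot: The input chain accepts `protocol=gre` and `protocol=ipsec-ah` from any source on `ether1-outside` (the rules commented "allow INPUT from outside -->> ME [GRE]" and "[IPsec-ah]"), yet nothing in this export defines a GRE or EoIP tunnel and the L2TP-over-IPsec server should already be covered by the ESP and UDP 500/1701/4500 accepts, so those two rules add unauthenticated attack surface with no visible consumer; set `disabled=yes` on them until a tunnel exists, or pin them to the peer with a `src-address-list`. The bogon entry `address=127.0.0.0/16` covers only part of the loopback block, so the "[ BOGON IP addresses ]" drops let 127.1.0.0–127.255.255.255 through; it should read `/ip firewall address-list add address=127.0.0.0/8 comment="List addr BOGON networks" list=all-bogon`. `/ip ssh set always-allow-password-login=yes forwarding-enabled=both` keeps password logins and SSH port forwarding through the gateway enabled on the management path; with per-user public keys installed, `/ip ssh set always-allow-password-login=no forwarding-enabled=no host-key-size=4096 strong-crypto=yes` is the safer baseline. The management accept rule with `dst-port=21,22,8291` also admits FTP although `/ip service set ftp disabled=yes`, so `21` can be dropped from that rule to match the services actually enabled. Since this file is published as a reusable example, the `# software id` and `# serial number` header lines identify one physical unit and should be stripped before committing.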
@@ -0,0 +1,424 @@ +# 2024-08-30 22:34:52 by RouterOS 7.15.3 +# software id = 6HAJ-6CUK +# +# model = RB4011iGS+ +# serial number = HEH08H8P0GS +/interface ethernet +set [ find default-name=ether1 ] name=ether1-outside +set [ find default-name=ether2 ] disabled=yes +set [ find default-name=ether3 ] disabled=yes +set [ find default-name=ether4 ] disabled=yes +set [ find default-name=ether5 ] disabled=yes +set [ find default-name=ether6 ] disabled=yes +set [ find default-name=ether7 ] disabled=yes +set [ find default-name=ether8 ] comment=\ + "Management interface for network devices (TCP/IP connect)" name=\ + ether8-mgmt +set [ find default-name=ether9 ] comment=\ + "Management interface for network devices (MAC server only)" name=\ + ether9-mac-mgmt +set [ find default-name=ether10 ] disabled=yes +set [ find default-name=sfp-sfpplus1 ] comment=\ + "Link to dc01-ccr01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE" +/interface list +add name=interfaces-MGM +add name=interfaces-outside +add name=interfaces-VPN-ptp +/ip smb users +set [ find default=yes ] disabled=yes +/port +set 0 name=serial0 +set 1 name=serial1 +/ppp profile +add change-tcp-mss=yes comment=\ + "For L2TP VPN MGM admins FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \ + name=L2TP_VPN_Profile_mgm only-one=no use-compression=yes use-encryption=\ + yes use-ipv6=no use-mpls=no use-upnp=no +/ip smb +set enabled=no +/ip firewall connection tracking +set udp-timeout=10s +/ip neighbor discovery-settings +set discover-interface-list=interfaces-MGM +/ip settings +set tcp-syncookies=yes +/ipv6 settings +set disable-ipv6=yes +/interface l2tp-server server +set authentication=mschap2 enabled=yes use-ipsec=yes +/interface list member +add interface=ether9-mac-mgmt list=interfaces-MGM +add interface=ether1-outside list=interfaces-outside +/ip address +add address=10.12.90.1/24 comment="Transport for access outside <--> inside" \ + interface=sfp-sfpplus1 network=10.12.90.0 +add address=11.11.11.122/29 comment="Outside IPs" 
interface=ether1-outside \ + network=11.11.11.120 +add address=10.8.10.11/24 comment=\ + "Management interface for network devices (TCP/IP connect)" interface=\ + ether8-mgmt network=10.8.10.0 +/ip cloud +set update-time=no +/ip dns +set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1 +/ip firewall address-list +add address=127.0.0.1 comment=\ + "List addr for allow Internet access [UDP:53 ] FID=n1fk4do7we2ah5uz" \ + list=allow_inet_DNS +add address=127.0.0.1 comment=\ + "List addr for allow Internet access [TCP:22] FID=pq9dm54nwj4ah6ee" list=\ + allow_inet_SSH +add address=11.11.11.122 comment="List addr OUTSIDE IPs" list=all-outside +add address=11.11.11.122 comment="List addr OUTSIDE IP=22.22.22.122" list=\ + outside-only-22.22.22.122 +add address=127.0.0.1 comment=\ + "List addr for allow Internet access [ICMP] FID=zpfju4q8wn2hj5n7" list=\ + allow_inet_icmp +add address=192.168.24.0/24 comment="List addr OpenVPN" disabled=yes list=\ + all-ovpn +add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside +add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=\ + outside-only-22.22.22.123 +add address=11.11.11.124 comment="List addr OUTSIDE IP=22.22.22.124" list=\ + outside-only-22.22.22.124 +add address=11.11.11.125 comment="List addr OUTSIDE IP=22.22.22.125" list=\ + outside-only-22.22.22.125 +add address=10.99.99.99 comment="List addr clients from inside network to loca\ + l DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS +add address=10.99.99.77 comment="List addr clients from inside network to loca\ + l DNS service (for spoofing DNS). 
" list=allow-INSDIE-to-local-DNS +add address=127.0.0.1 comment="List addr for allow Internet access [TCP:80,443\ + ] servername.local FID=q5tst1p6o3jrdnb9" list=allow_inet_HTTPS +add address=127.0.0.1 comment=\ + "List addr for allow Internet access [ALL:ALL] FID=allan3smjenrbtq3" \ + list=allow_inet_all +add address=127.0.0.1 comment="List addr for allow Internet access [TCP:25,465\ + ,587] FID=alld1nrr9nabdnt1" list=allow_inet_SMTP +add address=10.8.0.0/13 comment=\ + "all-all network dmz + inside + transport + ovpn + l2pt etc" list=\ + all-networks +add address=127.0.0.1 comment=\ + "List addr for allow Internet access [TCP:143,993] FID=izmp3domfei9qnae" \ + list=allow_inet_IMAP +add address=127.0.0.1 comment=\ + "List addr for allow Internet access [TCP:43] FID=ivnusgh98hs98wh9" list=\ + allow_inet_WHOIS +add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\ + ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm +add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\ + s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm +add address=127.0.0.1 comment="List addr for allow Internet access [UDP:500,17\ + 01,4500] FID=sjf93jamc39jfi8g" list=allow_inet_IPsec +add address=127.0.0.1 comment="List addr for allow Internet access [All ICMP,T\ + CP,UDP] FID=h7nlarwndc5dr8zc" list=allow_inet +add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon +add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon +add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon +add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon +add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon +add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon +add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon +add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon +add 
address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon +add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon +add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon +add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon +add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon +add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon +add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon +add address=10.11.0.0/16 comment=\ + "all DMZ networks (VLANs range 3000-3255)" list=all-dmz +add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" \ + list=all-inside +add address=10.12.90.0/24 comment=\ + "List subnetwork transport VLAN-4090 for access outside <--> inside" \ + list=transport-sfp-sfpplus1 +add address=10.8.10.0/24 comment="List addr for Management network devices FID\ + =admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net +add address=127.0.0.1 comment=\ + "List addr for allow Internet access [UDP:123] FID=ab2ntprroam3e5fd" \ + list=allow_inet_NTP +add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks +add address=11.11.11.124 comment="List addr OUTSIDE IPs" list=all-outside +add address=11.11.11.125 comment="List addr OUTSIDE IPs" list=all-outside +add address=10.12.90.254 comment="List addr for allow Internet access [All ICM\ + P,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-ccr01 ]" list=allow_inet +add address=10.8.10.201 comment="List addr for allow Internet access [All ICMP\ + ,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw01 ]" list=allow_inet +add address=10.8.10.202 comment="List addr for allow Internet access [All ICMP\ + ,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw02 ]" list=allow_inet +add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" \ + list=all-inside +add address=10.10.0.0/16 comment=\ + "all INSIDE networks (VLANs range 2000-2255)" list=all-inside +/ip firewall filter +add 
action=fasttrack-connection chain=forward connection-state=\ + established,related hw-offload=yes protocol=tcp +add action=fasttrack-connection chain=forward connection-state=\ + established,related hw-offload=yes protocol=udp +add action=accept chain=input comment="allow INPUT established,related" \ + connection-state=established,related +add action=accept chain=forward comment="allow FORWARD established,related" \ + connection-state=established,related +add action=drop chain=input comment="deny INPUT Invalid connections" \ + connection-state=invalid +add action=drop chain=forward comment="deny FORWARD Invalid connections" \ + connection-state=invalid +add action=drop chain=input comment=\ + "deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" \ + connection-state="" in-interface=ether1-outside src-address-list=\ + all-bogon +add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON\ + \_IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=\ + all-bogon out-interface=ether1-outside +add action=drop chain=forward comment="deny FORWARD from outside -->> inside [\ + \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \ + in-interface=ether1-outside src-address-list=all-bogon +add action=drop chain=forward comment="deny FORWARD from inside -->> outside [\ + \_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \ + dst-address-list=all-bogon out-interface=ether1-outside +add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\ + e -->> VLAN-3001-DMZ DNAT (UDP 22211 -> 10.91.1.11:22211) FID=2hfs38dq1jr\ + 42rwe" connection-nat-state=dstnat connection-state=new disabled=yes \ + dst-address=10.91.1.11 dst-port=22211 in-interface=ether1-outside \ + out-interface=sfp-sfpplus1 protocol=udp src-address-list=!all-networks +add action=accept chain=forward comment="EXAMPLE !!! 
allow FORWARD from outsid\ + e -->> VLAN-3001-DMZ DNAT (TCP 22212 -> 10.91.1.12:22212) FID=2hfs38dq1jr\ + 42rwe" connection-nat-state=dstnat connection-state=new disabled=yes \ + dst-address=10.91.1.12 dst-port=22212 in-interface=ether1-outside \ + out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks +add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\ + e to frontweb01.dmz-3002.company.local DNAT (22.22.22.124 TCP 80,443 -->>\ + \_10.91.2.10 TCP 80,443) FID=web-cuc76crsswg2z3h1rg33e" \ + connection-nat-state=dstnat connection-state=new disabled=yes \ + dst-address=10.91.2.10 dst-port=80,443 in-interface=ether1-outside \ + out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks +add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\ + e to front mail server frontmail01.dmz-3003.rvision.local (22.22.22.124 \ + TCP 25 465 -->> 10.91.3.11 DNAT TCP 25 465) FID=ewojf9q8twef86gp" \ + connection-nat-state=dstnat connection-state=new disabled=yes \ + dst-address=10.91.3.11 dst-port=25,465,993 in-interface=ether1-outside \ + out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks +add action=jump chain=forward comment="allow FORWARD from inside -->> outside \ + SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new \ + in-interface=sfp-sfpplus1 jump-target=allow_icmp_tcp_udp out-interface=\ + ether1-outside src-address-list=allow_inet +add action=jump chain=forward comment="allow FORWARD from inside MGM -->> outs\ + ide SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new \ + in-interface=ether8-mgmt jump-target=allow_icmp_tcp_udp out-interface=\ + ether1-outside src-address-list=allow_inet +add action=accept chain=forward comment=\ + "allow FORWARD from inside -->> outside SNAT [ICMP] FID=zpfju4q8wn2hj5n7" \ + connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 \ + out-interface=ether1-outside protocol=icmp src-address-list=\ + 
allow_inet_icmp +add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\ + e SNAT [TCP:22] FID=pq9dm54nwj4ah6ee" connection-nat-state="" \ + connection-state=new dst-port=22 in-interface=sfp-sfpplus1 out-interface=\ + ether1-outside protocol=tcp src-address-list=allow_inet_SSH +add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\ + e SNAT [TCP:143,993] FID=izmp3domfei9qnae" connection-nat-state="" \ + connection-state=new dst-port=143,993 in-interface=sfp-sfpplus1 \ + out-interface=ether1-outside protocol=tcp src-address-list=\ + allow_inet_IMAP +add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\ + e SNAT [TCP:25,465,587] FID=alld1nrr9nabdnt1" connection-nat-state="" \ + connection-state=new dst-port=25,465,587 in-interface=sfp-sfpplus1 \ + out-interface=ether1-outside protocol=tcp src-address-list=\ + allow_inet_SMTP +add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\ + e SNAT [UDP:53] FID=n1fk4do7we2ah5uz" connection-nat-state="" \ + connection-state=new dst-port=53 in-interface=sfp-sfpplus1 out-interface=\ + ether1-outside protocol=udp src-address-list=allow_inet_DNS +add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\ + e SNAT [UDP:123] FID=ab2ntprroam3e5fd" connection-nat-state="" \ + connection-state=new dst-port=123 in-interface=sfp-sfpplus1 \ + out-interface=ether1-outside protocol=udp src-address-list=allow_inet_NTP +add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\ + e SNAT [TCP:43] FID=ivnusgh98hs98wh9" connection-nat-state="" \ + connection-state=new dst-port=43 in-interface=sfp-sfpplus1 out-interface=\ + ether1-outside protocol=tcp src-address-list=allow_inet_WHOIS +add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\ + e SNAT [TCP:80,443] FID=q5tst1p6o3jrdnb9" connection-nat-state="" \ + connection-state=new dst-port=80,443 in-interface=sfp-sfpplus1 \ + 
out-interface=ether1-outside protocol=tcp src-address-list=\ + allow_inet_HTTPS +add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\ + e SNAT [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" connection-nat-state="" \ + connection-state=new dst-port=500,1701,4500 in-interface=sfp-sfpplus1 \ + out-interface=ether1-outside protocol=udp src-address-list=\ + allow_inet_IPsec +add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\ + e SNAT [ALL:ALL] FID=allan3smjenrbtq3" connection-nat-state="" \ + connection-state=new in-interface=sfp-sfpplus1 out-interface=\ + ether1-outside src-address-list=allow_inet_all +add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \ + ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \ + dst-address-list=admin-mgm-net in-interface-list=dynamic out-interface=\ + ether8-mgmt protocol=icmp src-address-list=admin-L2TP-VPN-mgm +add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \ + ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \ + dst-address-list=admin-mgm-net dst-port=22,80,443,8291 in-interface-list=\ + dynamic out-interface=ether8-mgmt protocol=tcp src-address-list=\ + admin-L2TP-VPN-mgm +add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \ + ALL-NETWORK !!!WARNING - All ACL Firewall in DC01-CCR01!!! 
FID=admin-acces\ + s-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=\ + all-networks in-interface-list=dynamic out-interface=sfp-sfpplus1 \ + src-address-list=admin-L2TP-VPN-mgm +add action=accept chain=allow_icmp_tcp_udp comment=\ + "Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=icmp +add action=accept chain=allow_icmp_tcp_udp comment=\ + "Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=tcp +add action=accept chain=allow_icmp_tcp_udp comment=\ + "Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=udp +add action=accept chain=input comment=\ + "allow INPUT from outside -->> ME [ICMP]" connection-state=new \ + dst-address-list=all-outside in-interface=ether1-outside protocol=icmp +add action=accept chain=input comment=\ + "allow INPUT from outside -->> ME [GRE]" connection-state=new \ + dst-address-list=all-outside in-interface=ether1-outside protocol=gre +add action=accept chain=input comment=\ + "allow INPUT from outside -->> ME [IPsec-esp]" connection-state=new \ + dst-address-list=all-outside in-interface=ether1-outside protocol=\ + ipsec-esp +add action=accept chain=input comment=\ + "allow INPUT from outside -->> ME [IPsec-ah]" connection-state=new \ + dst-address-list=all-outside in-interface=ether1-outside protocol=\ + ipsec-ah +add action=accept chain=input comment=\ + "allow INPUT from outside -->> ME (UDP:500,1701,4500]" connection-state=\ + new dst-address-list=outside-only-22.22.22.122 dst-port=500,1701,4500 \ + in-interface=ether1-outside protocol=udp +add action=accept chain=input comment=\ + "allow INPUT from transport sfp-sfpplus1 -->> ME [ICMP]" \ + connection-state=new dst-address-list=transport-sfp-sfpplus1 \ + in-interface=sfp-sfpplus1 protocol=icmp src-address-list=\ + transport-sfp-sfpplus1 +add action=accept chain=input comment=\ + "allow INPUT from inside -->> ME [UDP:53 DNS] for spoofing DNS" \ + connection-state=new dst-port=53 in-interface=sfp-sfpplus1 protocol=udp \ + 
src-address-list=allow-INSDIE-to-local-DNS +add action=accept chain=input comment=\ + "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \ + in-interface=ether8-mgmt protocol=icmp src-address-list=admin-mgm-net +add action=accept chain=input comment=\ + "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \ + dst-port=53 in-interface=ether8-mgmt protocol=udp src-address-list=\ + admin-mgm-net +add action=accept chain=input comment=\ + "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \ + dst-port=21,22,8291 in-interface=ether8-mgmt protocol=tcp \ + src-address-list=admin-mgm-net +add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\ + ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \ + dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp \ + src-address-list=admin-L2TP-VPN-mgm +add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\ + ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \ + dst-address-list=admin-mgm-net dst-port=22,8291 in-interface-list=dynamic \ + protocol=tcp src-address-list=admin-L2TP-VPN-mgm +add action=reject chain=input comment=\ + "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \ + protocol=tcp reject-with=tcp-reset +add action=reject chain=input comment=\ + "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \ + connection-state=new protocol=udp reject-with=icmp-port-unreachable +add action=drop chain=input comment="deny INPUT all" connection-state="" +add action=reject chain=forward comment=\ + "deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=\ + new protocol=tcp reject-with=tcp-reset +add action=reject chain=forward comment=\ + "deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=\ + new log-prefix=reject_fw_udp protocol=udp reject-with=\ + icmp-port-unreachable +add action=drop chain=forward 
comment="deny FORWARD all" connection-state="" +/ip firewall nat +add action=src-nat chain=srcnat comment=\ + "EXAMPLE !!! SNAT from inside all networks (outside IP = 11.11.11.122)" \ + dst-address-list=!all-networks out-interface=ether1-outside \ + src-address-list=all-networks to-addresses=11.11.11.122 +add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside mail sys\ + tems for SPF rec TCP 25,465 (outside IP = 22.22.22.125) " disabled=yes \ + dst-port=25,465 out-interface=ether1-outside protocol=tcp src-address=\ + 10.91.3.11 to-addresses=22.22.22.123 +add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN\ + -3001-DMZ (22.22.22.122 UDP 22211 -->> 10.91.1.11 UDP 22211) OpenVPN 01 F\ + ID=2hfs38dq1jr42rwe" disabled=yes dst-address-list=\ + outside-only-22.22.22.122 dst-port=22211 in-interface=ether1-outside \ + protocol=udp src-address-list=!all-networks to-addresses=10.91.1.11 \ + to-ports=22211 +add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN\ + -3001-DMZ (22.22.22.122 TCP 22212 -->> 10.91.1.12 TCP 22212) OpenVPN 02 F\ + ID=hf92hfh38dh1jr421we" disabled=yes dst-address-list=\ + outside-only-22.22.22.122 dst-port=22212 in-interface=ether1-outside \ + protocol=tcp src-address-list=!all-networks to-addresses=10.91.1.12 \ + to-ports=22212 +add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\ + \_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 25 -->> 10.\ + 91.3.11 TCP 25) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\ + outside-only-22.22.22.125 dst-port=25 in-interface=ether1-outside \ + protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \ + to-ports=25 +add action=dst-nat chain=dstnat comment="EXAMPLE !!! 
DNAT from outside to main\ + \_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 465 -->> 10\ + .91.3.11 TCP 465) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\ + outside-only-22.22.22.125 dst-port=465 in-interface=ether1-outside \ + protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \ + to-ports=465 +add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\ + \_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 993 -->> 10\ + .91.3.11 TCP 993) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\ + outside-only-22.22.22.125 dst-port=993 in-interface=ether1-outside \ + protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \ + to-ports=993 +/ip route +add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \ + distance=249 dst-address=10.0.0.0/8 +add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \ + distance=249 dst-address=169.254.0.0/16 +add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \ + distance=249 dst-address=172.16.0.0/12 +add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \ + distance=249 dst-address=192.168.0.0/16 +add comment="Route to DC01-CCR01 all networks" disabled=no distance=1 \ + dst-address=10.8.0.0/13 gateway=10.12.90.254 pref-src="" routing-table=\ + main scope=30 suppress-hw-offload=no target-scope=10 +add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=\ + main suppress-hw-offload=no +/ip service +set telnet disabled=yes +set ftp disabled=yes +set www disabled=yes +set api disabled=yes +set api-ssl disabled=yes +/ip smb shares +set [ find default=yes ] directory=/pub +/ip ssh +set always-allow-password-login=yes forwarding-enabled=both host-key-size=\ + 4096 strong-crypto=yes +/ppp secret +add comment="L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq" \ + local-address=172.16.38.1 name=ivanov_mgm profile=L2TP_VPN_Profile_mgm \ + 
remote-address=172.16.38.222 service=l2tp
+/system clock
+set time-zone-name=Europe/Moscow
+/system identity
+set name=dc01-gw01
+/system note
+set show-at-login=no
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=80.240.216.155
+add address=185.232.69.65
+/system routerboard settings
+set enter-setup-on=delete-key
+/tool bandwidth-server
+set enabled=no
+/tool mac-server
+set allowed-interface-list=none
+/tool mac-server mac-winbox
+set allowed-interface-list=interfaces-MGM
+/tool mac-server ping
+set enabled=no
diff --git a/mikrotik/base-config/dc01-sw01-terse.rsc b/mikrotik/base-config/dc01-sw01-terse.rsc
new file mode 100644
index 0000000..6982c4c
--- /dev/null
+++ b/mikrotik/base-config/dc01-sw01-terse.rsc
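Review bot: The input chain of dc01-gw01.rsc accepts GRE and IPsec-AH from any Internet source on `ether1-outside` (`allow INPUT from outside -->> ME [GRE]` / `[IPsec-ah]`), yet nothing in this hunk defines a GRE tunnel or an AH peer, so these are unused listeners open to the whole Internet and should be removed or pinned to the peer address. The two `deny INPUT any -->> ME ... reject-with` rules also match `ether1-outside`, so the gateway answers Internet scans with TCP RST / ICMP unreachable; a silent `action=drop` for `in-interface-list=interfaces-outside` placed ahead of them keeps reject behaviour for internal segments only. Smaller defects: the bogon list carries `127.0.0.0/16` where the loopback block is `127.0.0.0/8`; `log-prefix=reject_fw_udp` is set without `log=yes`, so that rule never logs; and `/ip ssh set always-allow-password-login=yes forwarding-enabled=both` lets any admin account (including the L2TP one) use the gateway as an SSH pivot into the transport and management segments, where `always-allow-password-login=no forwarding-enabled=no` is the safer default. The L2TP `ipsec-secret` and the PPP password are presumably hidden by the export rather than unset; if UDP 1701 is meant to be reachable only inside IPsec, split it out of the `500,1701,4500` rule and match it with `ipsec-policy=in,ipsec` so plaintext L2TP is not accepted.
```routeros
/ip firewall address-list
# … unchanged: other address-list entries …
add address=127.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
/ip firewall filter
# … unchanged: fasttrack, established/related, invalid, bogon, forward and inside/VPN input rules …
# IKE/NAT-T negotiation from the Internet; GRE and AH accepts removed (no tunnel defined)
add action=accept chain=input comment="allow INPUT from outside -->> ME [UDP:500,4500]" \
    connection-state=new dst-address-list=outside-only-22.22.22.122 dst-port=500,4500 \
    in-interface=ether1-outside protocol=udp
# L2TP control channel only when the packet arrived through an IPsec policy
add action=accept chain=input comment="allow INPUT from outside -->> ME [UDP:1701 inside IPsec]" \
    connection-state=new dst-address-list=outside-only-22.22.22.122 dst-port=1701 \
    in-interface=ether1-outside ipsec-policy=in,ipsec protocol=udp
# stay silent towards the Internet; reject (below) stays for internal interfaces
add action=drop chain=input comment="deny INPUT outside -->> ME (silent drop)" \
    connection-state=new in-interface-list=interfaces-outside
# … unchanged: existing reject/drop tail of the input chain …
add action=reject chain=forward comment="deny FORWARD any -->> any UDP" \
    connection-state=new log=yes log-prefix=reject_fw_udp protocol=udp \
    reject-with=icmp-port-unreachable
/ip ssh
set always-allow-password-login=no forwarding-enabled=no host-key-size=4096 strong-crypto=yes
```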
@@ -0,0 +1,85 @@
+# 2024-08-30 19:14:38 by RouterOS 7.15.3
+# software id = 1Y74-1PQS
+#
+# model = CRS312-4C+8XG
+# serial number = HEQ0941H7M6
+/interface bridge add name=bridge port-cost-mode=short priority=0x4000 vlan-filtering=yes
+/interface ethernet set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether8 ] comment="Link from dc01-gw01 for Management interface for network devices (TCP/IP connect)"
+/interface ethernet set [ find default-name=ether9 ] comment="Management interface for network devices (MAC server only)" name=ether9-mac-mgmt
+/interface vlan add comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=bridge name=VLAN-0010 vlan-id=10
+/interface bonding add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
+/interface list add name=interfaces-MAC-MGMT
+/ip smb users set [ find default=yes ] disabled=yes
+/port set 0 name=serial0
+/system logging action set 1 disk-file-name=log
+/ip smb set enabled=no
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged 
interface=bond_SFP internal-path-cost=10 path-cost=10 +/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 path-cost=10 +/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=10 +/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 internal-path-cost=10 path-cost=10 +/interface bridge port add bridge=bridge comment="Link from dc01-gw01 for Management interface for network devices (TCP/IP connect) VLAN-0010" frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10 +/ip firewall connection tracking set udp-timeout=10s +/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT +/ip settings set tcp-syncookies=yes +/ipv6 settings set disable-ipv6=yes +/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x <-> 10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=101-255 +/interface bridge vlan add bridge=bridge comment="VLANs range for DMZ IPs range for use 10.11.100.x <-> 10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3000-3255 +/interface bridge vlan add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2 +/interface bridge vlan add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3 +/interface bridge vlan add bridge=bridge comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" tagged=bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=10 +/interface bridge vlan add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=11 +/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x <-> 10.9.255.x" 
tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=1000-1255 +/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x <-> 10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2000-2255 +/interface list member add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT +/ip address add address=10.8.10.201/24 interface=VLAN-0010 network=10.8.10.0 +/ip cloud set update-time=no +/ip dns set servers=10.8.10.11 +/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm +/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm +/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management only network devices (Mikrotik) FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net +/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related +/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related +/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid +/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid +/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net +/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net +/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME 
FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm +/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm +/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset +/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable +/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state="" +/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset +/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable +/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state="" +/ip hotspot profile set [ find default=yes ] html-directory=hotspot +/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10 +/ip route add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10 +/ip service set telnet disabled=yes +/ip service set ftp disabled=yes +/ip service set www disabled=yes +/ip service set api disabled=yes +/ip service set api-ssl disabled=yes +/ip smb shares set [ find default=yes ] 
directory=/pub
+/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
+/system clock set time-zone-name=Europe/Moscow
+/system identity set name=dc01-sw01
+/system note set show-at-login=no
+/system ntp client set enabled=yes
+/system ntp client servers add address=80.240.216.155
+/system ntp client servers add address=185.232.69.65
+/system routerboard settings set boot-os=router-os enter-setup-on=delete-key
+/tool bandwidth-server set enabled=no
+/tool mac-server set allowed-interface-list=none
+/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping set enabled=no
diff --git a/mikrotik/base-config/dc01-sw01.rsc b/mikrotik/base-config/dc01-sw01.rsc
new file mode 100644
index 0000000..0d0d4bd
--- /dev/null
+++ b/mikrotik/base-config/dc01-sw01.rsc
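Review bot: `/ip ssh set always-allow-password-login=yes forwarding-enabled=both` on a pure L2 management switch turns the device into an SSH pivot: any account that can log in over VLAN-0010 or from the L2TP admin address can open local and remote TCP forwards into the management segment, and password authentication stays available even where keys are deployed. For a switch that only needs interactive admin access, `/ip ssh set always-allow-password-login=no forwarding-enabled=no host-key-size=4096 strong-crypto=yes` is the safer line. The admin-mgm input rule also opens `dst-port=21,22,8291` although `/ip service set ftp disabled=yes` appears a few lines later, so `21` is a dead allow that only widens the rule; `dst-port=22,8291` matches what the L2TP admin rule already uses. The export header additionally publishes `# serial number = HEQ0941H7M6` and the software id, which a public repository has no reason to carry and which are easy to scrub before commit.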
@@ -0,0 +1,177 @@
+# 2024-08-30 19:14:48 by RouterOS 7.15.3
+# software id = 1Y74-1PQS
+#
+# model = CRS312-4C+8XG
+# serial number = HEQ0941H7M6
+/interface bridge
+add name=bridge port-cost-mode=short priority=0x4000 vlan-filtering=yes
+/interface ethernet
+set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 \
+ mtu=9000
+set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 \
+ mtu=9000
+set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether8 ] comment="Link from dc01-gw01 for Management i\
+ nterface for network devices (TCP/IP connect)"
+set [ find default-name=ether9 ] comment=\
+ "Management interface for network devices (MAC server only)" name=\
+ ether9-mac-mgmt
+/interface vlan
+add comment=\
+ "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+ interface=bridge name=VLAN-0010 vlan-id=10
+/interface bonding
+add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
+/interface list
+add name=interfaces-MAC-MGMT
+/ip smb users
+set [ find default=yes ] disabled=yes
+/port
+set 0 name=serial0
+/system logging action
+set 1 disk-file-name=log
+/ip smb
+set enabled=no
+/interface bridge port
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP \
+ internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 \
+ internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 \
+ internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 \
+ internal-path-cost=10 path-cost=10
+add bridge=bridge comment="Link from dc01-gw01 for Management interface for ne\
+ twork devices (TCP/IP connect) VLAN-0010" frame-types=\
+ admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
+/ip firewall connection tracking
+set udp-timeout=10s
+/ip neighbor discovery-settings
+set discover-interface-list=interfaces-MAC-MGMT
+/ip settings
+set tcp-syncookies=yes
+/ipv6 settings
+set disable-ipv6=yes
+/interface bridge vlan
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x\
+ \_ <-> 10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+ vlan-ids=101-255
+add bridge=bridge comment="VLANs range for DMZ IPs range for use 10.11.100\
+ .x <-> 10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+ vlan-ids=3000-3255
+add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=\
+ bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
+add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=\
+ bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
+add bridge=bridge comment=\
+ "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+ tagged=bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=10
+add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=\
+ bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=11
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x \
+ \_ <-> 10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+ vlan-ids=1000-1255
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x \
+ \_ <-> 10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+ vlan-ids=2000-2255
+/interface list member
+add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
+/ip address
+add address=10.8.10.201/24 interface=VLAN-0010 network=10.8.10.0
+/ip cloud
+set update-time=no
+/ip dns
+set servers=10.8.10.11
+/ip firewall address-list
+add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
+ ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
+add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
+ s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+add address=10.8.10.0/24 comment="List addr for Management only network device\
+ s (Mikrotik) FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
+/ip firewall filter
+add action=accept chain=input comment="allow INPUT established,related" \
+ connection-state=established,related
+add action=accept chain=forward comment="allow FORWARD established,related" \
+ connection-state=established,related
+add action=drop chain=input comment="deny INPUT Invalid connections" \
+ connection-state=invalid
+add action=drop chain=forward comment="deny FORWARD Invalid connections" \
+ connection-state=invalid
+add action=accept chain=input comment=\
+ "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+ in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
+add action=accept chain=input comment=\
+ "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+ dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
+ admin-mgm-net
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+ ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+ in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+ ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+ dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
+ admin-L2TP-VPN-mgm
+add action=reject chain=input comment=\
+ "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
+ protocol=tcp reject-with=tcp-reset
+add action=reject chain=input comment=\
+ "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
+ connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=input comment="deny INPUT all" connection-state=""
+add action=reject chain=forward comment=\
+ "deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \
+ protocol=tcp reject-with=tcp-reset
+add action=reject chain=forward comment=\
+ "deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \
+ connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip hotspot profile
+set [ find default=yes ] html-directory=hotspot
+/ip route
+add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src=\
+ "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gd\
+ nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\
+ 10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \
+ target-scope=10
+/ip service
+set telnet disabled=yes
+set ftp disabled=yes
+set www disabled=yes
+set api disabled=yes
+set api-ssl disabled=yes
+/ip smb shares
+set [ find default=yes ] directory=/pub
+/ip ssh
+set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
+ 4096 strong-crypto=yes
+/system clock
+set time-zone-name=Europe/Moscow
+/system identity
+set name=dc01-sw01
+/system note
+set show-at-login=no
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=80.240.216.155
+add address=185.232.69.65
+/system routerboard settings
+set boot-os=router-os enter-setup-on=delete-key
+/tool bandwidth-server
+set enabled=no
+/tool mac-server
+set allowed-interface-list=none
+/tool mac-server mac-winbox
+set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping
+set enabled=no
diff --git a/mikrotik/base-config/dc01-sw02-terse.rsc b/mikrotik/base-config/dc01-sw02-terse.rsc
new file mode 100644
index 0000000..35e057c
--- /dev/null
+++ b/mikrotik/base-config/dc01-sw02-terse.rsc
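Review bot: The `/ip ssh` line near the end of this hunk leaves `forwarding-enabled=both` and `always-allow-password-login=yes` on a switch whose only IP is the management VLAN, so any authenticated SSH session can relay TCP connections through the switch into 10.8.10.0/24, and password authentication stays active even for accounts that have a public key loaded. For a base config that only needs interactive management, `set always-allow-password-login=no forwarding-enabled=no host-key-size=4096 strong-crypto=yes` is the tighter default (enable password login only until keys are imported). The same `/ip ssh` line appears in dc01-sw01-terse.rsc, dc01-sw02-terse.rsc and dc01-sw02.rsc in this commit.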
@@ -0,0 +1,84 @@
+# 2024-08-30 19:15:03 by RouterOS 7.15.3
+# software id = QEDC-AGM4
+#
+# model = CRS312-4C+8XG
+# serial number = HEQ09EBWASB
+/interface bridge add name=bridge port-cost-mode=short vlan-filtering=yes
+/interface ethernet set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
+/interface ethernet set [ find default-name=ether8 ] comment="Link from mgmt switch (for iLo IPMI) VLAN-0011"
+/interface ethernet set [ find default-name=ether9 ] comment="Management interface for network devices (MAC server only)" name=ether9-mac-mgmt
+/interface vlan add comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=bridge name=VLAN-0010 vlan-id=10
+/interface bonding add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
+/interface list add name=interfaces-MAC-MGMT
+/ip smb users set [ find default=yes ] disabled=yes
+/port set 0 name=serial0
+/system logging action set 1 disk-file-name=log
+/ip smb set enabled=no
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 internal-path-cost=10 path-cost=10
+/interface bridge port add bridge=bridge comment="Link from mgmt switch (for iLo IPMI) VLAN-0011" frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=11
+/ip firewall connection tracking set udp-timeout=10s
+/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
+/ip settings set tcp-syncookies=yes
+/ipv6 settings set disable-ipv6=yes
+/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x <-> 10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=101-255
+/interface bridge vlan add bridge=bridge comment="VLANs range for DMZ IPs range for use 10.11.100.x <-> 10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3000-3255
+/interface bridge vlan add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
+/interface bridge vlan add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
+/interface bridge vlan add bridge=bridge comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=10
+/interface bridge vlan add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=11
+/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x <-> 10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=1000-1255
+/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x <-> 10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2000-2255
+/interface list member add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
+/ip address add address=10.8.10.202/24 interface=VLAN-0010 network=10.8.10.0
+/ip cloud set update-time=no
+/ip dns set servers=10.8.10.11
+/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
+/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management only network devices (Mikrotik) FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
+/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
+/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
+/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
+/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip route add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+/ip service set telnet disabled=yes
+/ip service set ftp disabled=yes
+/ip service set www disabled=yes
+/ip service set api disabled=yes
+/ip service set api-ssl disabled=yes
+/ip smb shares set [ find default=yes ] directory=/pub
+/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
+/system clock set time-zone-name=Europe/Moscow
+/system identity set name=dc01-sw02
+/system note set show-at-login=no
+/system ntp client set enabled=yes
+/system ntp client servers add address=80.240.216.155
+/system ntp client servers add address=185.232.69.65
+/system routerboard settings set boot-os=router-os enter-setup-on=delete-key
+/tool bandwidth-server set enabled=no
+/tool mac-server set allowed-interface-list=none
+/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping set enabled=no
diff --git a/mikrotik/base-config/dc01-sw02.rsc b/mikrotik/base-config/dc01-sw02.rsc
new file mode 100644
index 0000000..cd2b9f0
--- /dev/null
+++ b/mikrotik/base-config/dc01-sw02.rsc
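Review bot: The input accept rule for admin-mgm-net opens `dst-port=21,22,8291` while `/ip service set ftp disabled=yes` a few lines later turns the FTP service off, so the allow-list is wider than the set of services that actually listen; change it to `dst-port=22,8291` so the filter and the service table agree (the L2TP rule already uses that pair). The `admin-OpenVPN-mgm` address-list entry is added disabled and no filter rule references it, so it is dead configuration that a reader will assume grants access. As a second layer behind the filter, the two services left enabled can also be bound to the management sources with `/ip service set ssh address=10.8.10.0/24,172.16.38.0/24` and the same for `winbox`. The identical rule and list appear in dc01-sw01-terse.rsc, dc01-sw01.rsc and dc01-sw02.rsc.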
@@ -0,0 +1,175 @@
+# 2024-08-30 19:15:13 by RouterOS 7.15.3
+# software id = QEDC-AGM4
+#
+# model = CRS312-4C+8XG
+# serial number = HEQ09EBWASB
+/interface bridge
+add name=bridge port-cost-mode=short vlan-filtering=yes
+/interface ethernet
+set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
+set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 \
+ mtu=9000
+set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 \
+ mtu=9000
+set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
+set [ find default-name=ether8 ] comment=\
+ "Link from mgmt switch (for iLo IPMI) VLAN-0011"
+set [ find default-name=ether9 ] comment=\
+ "Management interface for network devices (MAC server only)" name=\
+ ether9-mac-mgmt
+/interface vlan
+add comment=\
+ "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+ interface=bridge name=VLAN-0010 vlan-id=10
+/interface bonding
+add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
+/interface list
+add name=interfaces-MAC-MGMT
+/ip smb users
+set [ find default=yes ] disabled=yes
+/port
+set 0 name=serial0
+/system logging action
+set 1 disk-file-name=log
+/ip smb
+set enabled=no
+/interface bridge port
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP \
+ internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 \
+ internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 \
+ internal-path-cost=10 path-cost=10
+add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 \
+ internal-path-cost=10 path-cost=10
+add bridge=bridge comment="Link from mgmt switch (for iLo IPMI) VLAN-0011" \
+ frame-types=admit-only-untagged-and-priority-tagged interface=ether8 \
+ pvid=11
+/ip firewall connection tracking
+set udp-timeout=10s
+/ip neighbor discovery-settings
+set discover-interface-list=interfaces-MAC-MGMT
+/ip settings
+set tcp-syncookies=yes
+/ipv6 settings
+set disable-ipv6=yes
+/interface bridge vlan
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x\
+ \_ <-> 10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+ vlan-ids=101-255
+add bridge=bridge comment="VLANs range for DMZ IPs range for use 10.11.100\
+ .x <-> 10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+ vlan-ids=3000-3255
+add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=\
+ bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
+add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=\
+ bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
+add bridge=bridge comment=\
+ "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
+ tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=10
+add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=\
+ bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=11
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x \
+ \_ <-> 10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+ vlan-ids=1000-1255
+add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x \
+ \_ <-> 10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
+ vlan-ids=2000-2255
+/interface list member
+add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
+/ip address
+add address=10.8.10.202/24 interface=VLAN-0010 network=10.8.10.0
+/ip cloud
+set update-time=no
+/ip dns
+set servers=10.8.10.11
+/ip firewall address-list
+add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
+ ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
+add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
+ s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
+add address=10.8.10.0/24 comment="List addr for Management only network device\
+ s (Mikrotik) FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
+/ip firewall filter
+add action=accept chain=input comment="allow INPUT established,related" \
+ connection-state=established,related
+add action=accept chain=forward comment="allow FORWARD established,related" \
+ connection-state=established,related
+add action=drop chain=input comment="deny INPUT Invalid connections" \
+ connection-state=invalid
+add action=drop chain=forward comment="deny FORWARD Invalid connections" \
+ connection-state=invalid
+add action=accept chain=input comment=\
+ "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+ in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
+add action=accept chain=input comment=\
+ "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
+ dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
+ admin-mgm-net
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+ ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+ in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
+add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
+ ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
+ dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
+ admin-L2TP-VPN-mgm
+add action=reject chain=input comment=\
+ "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
+ protocol=tcp reject-with=tcp-reset
+add action=reject chain=input comment=\
+ "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
+ connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=input comment="deny INPUT all" connection-state=""
+add action=reject chain=forward comment=\
+ "deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \
+ protocol=tcp reject-with=tcp-reset
+add action=reject chain=forward comment=\
+ "deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \
+ connection-state=new protocol=udp reject-with=icmp-port-unreachable
+add action=drop chain=forward comment="deny FORWARD all" connection-state=""
+/ip route
+add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src=\
+ "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
+add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gd\
+ nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\
+ 10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \
+ target-scope=10
+/ip service
+set telnet disabled=yes
+set ftp disabled=yes
+set www disabled=yes
+set api disabled=yes
+set api-ssl disabled=yes
+/ip smb shares
+set [ find default=yes ] directory=/pub
+/ip ssh
+set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
+ 4096 strong-crypto=yes
+/system clock
+set time-zone-name=Europe/Moscow
+/system identity
+set name=dc01-sw02
+/system note
+set show-at-login=no
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=80.240.216.155
+add address=185.232.69.65
+/system routerboard settings
+set boot-os=router-os enter-setup-on=delete-key
+/tool bandwidth-server
+set enabled=no
+/tool mac-server
+set allowed-interface-list=none
+/tool mac-server mac-winbox
+set allowed-interface-list=interfaces-MAC-MGMT
+/tool mac-server ping
+set enabled=no
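Review bot: The export header at the top of this hunk commits the device's licence identifiers, `# software id = QEDC-AGM4` and `# serial number = HEQ09EBWASB`, into what the README presents as a public example base config; neither value is needed to apply the script and both identify the licensed hardware, so strip those two lines (leaving the `# model =` line is fine) before committing, and the same applies to the `1Y74-1PQS` / `HEQ0941H7M6` header in dc01-sw01.rsc and dc01-sw01-terse.rsc. Separately, the `/ip route` entry for 172.16.38.0/24 points at the same gateway 10.8.10.11 as the default route directly above it, so it adds nothing; if it is kept as a marker for the L2TP return path, a comment such as `# redundant with the default route; kept only to document the L2TP return path` would stop the next reader from assuming it does something.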