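# 2024-08-30 22:38:13 by RouterOS 7.15.3
# software id = X2AJ-5BFT
#
# model = CCR2004-1G-12S+2XS
# serial number = HEW095QA6AY
#
# dc01-ccr01 core router configuration (terse export, one command per line).
# Review changes against the original export:
#   * The six "allow-to-VLAN-0002-*" forward rules were exported AFTER the
#     terminal "deny FORWARD all" rule, so they could never match. They are now
#     placed before the deny block. Their source lists currently hold only the
#     127.0.0.1 placeholder, so no traffic is admitted by this move until real
#     addresses are added to those lists.
#   * Two input ICMP rule comments were copy-pasted from the VLAN-0003 rule and
#     mislabelled the VLAN-0010 / VLAN-0011 rules; the comments now name the
#     VLAN the rule actually matches on.

# ---------------------------------------------------------------------------
# Physical interfaces. ether1 is reserved for MAC-level management only;
# sfp-sfpplus1/2 form the bond to the two DC switches; sfp-sfpplus12 is the
# transport link to dc01-gw01 (L2MTU 1600, no jumbo).
# ---------------------------------------------------------------------------
/interface ethernet set [ find default-name=ether1 ] comment="Management interface for network devices (MAC server only)" name=ether1-mac-mgmt
/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment="Link to switch dc01-sw01 [ bond ]" l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus2 ] comment="Link to switch dc01-sw02 [ bond ]" l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus3 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus4 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus5 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus6 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus7 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus8 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus9 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus10 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus11 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp-sfpplus12 ] comment="Link to router dc01-gw01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE" l2mtu=1600
/interface ethernet set [ find default-name=sfp28-1 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=sfp28-2 ] l2mtu=9092 mtu=9000

# Active-backup bond towards the switch pair; all inside/DMZ VLANs ride on it.
/interface bonding add mode=active-backup mtu=9000 name=bond_SW01_SW02 primary=sfp-sfpplus1 slaves=sfp-sfpplus1,sfp-sfpplus2

# VLAN sub-interfaces on the bond. VLAN-0010/0011 keep the default MTU.
/interface vlan add comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0002 vlan-id=2
/interface vlan add comment="VLAN-0003 for VMware vSphere vMotion" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0003 vlan-id=3
/interface vlan add comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=bond_SW01_SW02 name=VLAN-0010 vlan-id=10
/interface vlan add comment="VLAN-0011 for Management iLO IPMI" interface=bond_SW01_SW02 name=VLAN-0011 vlan-id=11
/interface vlan add comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=bond_SW01_SW02 mtu=9000 name=VLAN-3222-DMZ vlan-id=3222

# Interface list used to scope MAC-server, MAC-Winbox and neighbor discovery
# to the dedicated management port only.
/interface list add name=interfaces-MAC-MGMT

# ---------------------------------------------------------------------------
# Hardening of built-in services and global IP settings.
# ---------------------------------------------------------------------------
# SMB is disabled below; the default SMB user is disabled as well so that
# re-enabling the service does not silently expose a default account.
/ip smb users set [ find default=yes ] disabled=yes
/port set 0 name=serial0
/ip smb set enabled=no
# Short UDP conntrack timeout keeps the connection table small under UDP floods.
/ip firewall connection tracking set udp-timeout=10s
# Neighbor discovery (CDP/LLDP/MNDP) only on the MAC-management port.
/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
/ip settings set tcp-syncookies=yes
# IPv6 is fully disabled; no IPv6 firewall exists in this export, so keep it
# that way unless an /ipv6 firewall is added at the same time.
/ipv6 settings set disable-ipv6=yes
/interface list member add interface=ether1-mac-mgmt list=interfaces-MAC-MGMT

# ---------------------------------------------------------------------------
# IP addressing.
# ---------------------------------------------------------------------------
/ip address add address=10.12.90.254/24 comment="Transport for access outside <--> inside" interface=sfp-sfpplus12 network=10.12.90.0
/ip address add address=10.8.2.1/24 comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" interface=VLAN-0002 network=10.8.2.0
/ip address add address=10.8.3.1/24 comment="VLAN-0003 for VMware vSphere vMotion" interface=VLAN-0003 network=10.8.3.0
# NOTE(review): VLAN-0010 carries two addresses from the same /24 (.251 and .1);
# presumably a migration leftover - confirm which one is the intended gateway.
/ip address add address=10.8.10.251/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=VLAN-0010 network=10.8.10.0
/ip address add address=10.8.10.1/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=VLAN-0010 network=10.8.10.0
/ip address add address=10.8.11.1/24 comment="VLAN-0011 for Management iLO IPMI" interface=VLAN-0011 network=10.8.11.0
/ip address add address=10.11.222.1/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=VLAN-3222-DMZ network=10.11.222.0
/ip cloud set update-time=no
# Resolver for the router itself only; allow-remote-requests is left at its
# default, so the router does not act as a DNS server for clients.
/ip dns set servers=77.88.8.8,77.88.8.1

# ---------------------------------------------------------------------------
# Firewall address lists.
# Lists whose only entry is 127.0.0.1 are placeholders that keep the list
# defined; rules referencing them match nothing until real entries are added.
# ---------------------------------------------------------------------------
/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management network devices FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
/ip firewall address-list add address=192.168.24.0/24 comment="List addr OpenVPN FID=ovp8nkdb4cxkq1ms" list=all-ovpn
# NOTE(review): 10.8.0.0/13 covers 10.8.0.0-10.15.255.255 only. The comment
# says it includes ovpn + l2tp, but 192.168.24.0/24 (all-ovpn) and
# 172.16.38.0/24 (L2TP return route below) fall outside it - confirm whether
# VPN clients are expected to match the INSIDE -> OUTSIDE forward rule.
/ip firewall address-list add address=10.8.0.0/13 comment="all-all network dmz + inside + transport + ovpn + l2pt etc" list=all-networks
/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
/ip firewall address-list add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" list=all-dmz
/ip firewall address-list add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" list=all-inside
/ip firewall address-list add address=10.12.90.0/24 comment="List subnetwork transport VLAN-4090 for access outside <--> inside" list=transport-sfp-sfpplus12
/ip firewall address-list add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
/ip firewall address-list add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" list=all-inside
/ip firewall address-list add address=10.10.0.0/16 comment="all INSIDE networks (VLANs range 2000-2255)" list=all-inside
/ip firewall address-list add address=10.8.2.0/24 comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" list=inside-VLAN-0002
/ip firewall address-list add address=10.8.3.0/24 comment="VLAN-0003 for VMware vSphere vMotion" list=inside-VLAN-0003
/ip firewall address-list add address=127.0.0.1 list=allow-default-for-all
/ip firewall address-list add address=127.0.0.1 list=allow-default-buh
/ip firewall address-list add address=10.8.10.0/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" list=inside-VLAN-0010
/ip firewall address-list add address=10.8.11.0/24 comment="VLAN-0011 for Management iLO IPMI" list=inside-VLAN-0011
/ip firewall address-list add address=10.8.2.5 comment="VLAN-0002 [ dc01-vcsrv01-infr.comp.loc ]" list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc
/ip firewall address-list add address=10.8.2.11 comment="VLAN-0002 [ host01.cluster01.esxi.comp.loc ] ESXI" list=inside-VLAN-0002-ESXi-Cluster01-hosts
/ip firewall address-list add address=10.8.2.12 comment="VLAN-0002 [ host02.cluster01.esxi.comp.loc ] ESXI" list=inside-VLAN-0002-ESXi-Cluster01-hosts
/ip firewall address-list add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-IT
/ip firewall address-list add address=127.0.0.1 comment="allow [All ICMP,TCP,UDP] [ivanov_ovpn]" list=allow-to-VLAN-0002-adm-ALL
/ip firewall address-list add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [All ICMP,TCP,UDP] [ivanov_ovpn] [VPN]" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
/ip firewall address-list add address=127.0.0.1 list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-IT
/ip firewall address-list add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:80,443] [ivanov_ovpn] [VPN] FID=1234567890" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
/ip firewall address-list add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-SEC
/ip firewall address-list add address=127.0.0.1 list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-SEC
/ip firewall address-list add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:22] [ivanov_ovpn] [VPN]" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
/ip firewall address-list add address=10.11.222.0/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" list=dmz-VLAN-3222

# ---------------------------------------------------------------------------
# Firewall filter. Rules are evaluated top to bottom per chain; the terminal
# reject/drop rules for input and forward come last, so every accept/jump
# rule must appear above them.
# ---------------------------------------------------------------------------
# Fasttrack established/related traffic first (hardware offload).
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=udp
/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid

# ICMP to the router from each directly attached VLAN (source and destination
# both constrained to that VLAN's subnet).
/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0002 -->> ME [ICMP] for VMware vSphere infrastructure (vCenter server, ESXi hosts)" connection-state=new dst-address-list=inside-VLAN-0002 in-interface=VLAN-0002 protocol=icmp src-address-list=inside-VLAN-0002
/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICMP] for VMware vSphere vMotion" connection-state=new dst-address-list=inside-VLAN-0003 in-interface=VLAN-0003 protocol=icmp src-address-list=inside-VLAN-0003
/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0010 -->> ME [ICMP] for Management interface for network devices (TCP/IP connect)" connection-state=new dst-address-list=inside-VLAN-0010 in-interface=VLAN-0010 protocol=icmp src-address-list=inside-VLAN-0010
/ip firewall filter add action=accept chain=input comment="allow INPUT from VLAN-0011 -->> ME [ICMP] for Management iLO IPMI" connection-state=new dst-address-list=inside-VLAN-0011 in-interface=VLAN-0011 protocol=icmp src-address-list=inside-VLAN-0011

# Management access to the router from the admin network on VLAN-0010.
# NOTE(review): dst-port 21 is accepted here although /ip service ftp is
# disabled below; the port can be dropped from this rule with no functional
# loss, which keeps the firewall consistent with the enabled services.
/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net

# Management access from the L2TP VPN admin address (172.16.38.222). The
# return route for 172.16.38.0/24 points at 10.8.10.11 on VLAN-0010, so the
# VLAN-0010 rules are the expected path; the sfp-sfpplus12 rules cover the
# same source arriving over the transport link.
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-inside in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-inside dst-port=22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-dmz in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-dmz dst-port=22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp src-address-list=admin-L2TP-VPN-mgm

# Custom chains. allow_icmp_tcp_udp is the jump target of the VLAN-0002
# "adm-ALL" rules below. NOTE(review): nothing in this export jumps to
# allow-default-for-all or allow-default-buh, so those two chains are unused
# here unless referenced by configuration outside this export.
/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=icmp
/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=tcp
/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=udp
/ip firewall filter add action=accept chain=allow-default-for-all protocol=icmp
/ip firewall filter add action=accept chain=allow-default-buh protocol=icmp

# Inside -> outside via the transport link to dc01-gw01.
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSPORT LINK <--> OUTSIDE (to dc01-gw01)" connection-state=new dst-address-list=!all-networks out-interface=sfp-sfpplus12 src-address-list=all-networks

# Per-source access into VLAN-0002 (vSphere). Moved above the terminal deny
# rules - in the original export they followed "deny FORWARD all" and were
# unreachable. Source lists are still 127.0.0.1 placeholders.
/ip firewall filter add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002 jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-adm-ALL
/ip firewall filter add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 protocol=icmp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=22 out-interface=VLAN-0002 protocol=tcp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 protocol=icmp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
/ip firewall filter add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=80,443 out-interface=VLAN-0002 protocol=tcp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs

# Terminal rules: reject new TCP/UDP with an explicit error, then drop the
# rest. These must stay last in their chains.
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""

# ---------------------------------------------------------------------------
# Routing.
# ---------------------------------------------------------------------------
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.12.90.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

# ---------------------------------------------------------------------------
# Management services. Only ssh and winbox remain enabled by this export.
# ---------------------------------------------------------------------------
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip smb shares set [ find default=yes ] directory=/pub
# NOTE(review): forwarding-enabled=both lets any SSH-authenticated user open
# local and remote port forwards through this core router, and
# always-allow-password-login=yes keeps password auth even for users that
# have a public key imported. Confirm both are required; otherwise
# forwarding-enabled=no and always-allow-password-login=no are the tighter
# settings.
/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes

# ---------------------------------------------------------------------------
# System.
# ---------------------------------------------------------------------------
/system clock set time-zone-name=Europe/Moscow
/system identity set name=dc01-ccr01
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=80.240.216.155
/system ntp client servers add address=185.232.69.65
/system routerboard settings set enter-setup-on=delete-key
/tool bandwidth-server set enabled=no
# MAC-level services are confined to the dedicated management port; MAC ping
# and the plain MAC telnet server are off.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
/tool mac-server ping set enabled=no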