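# 2024-08-30 22:38:15 by RouterOS 7.15.3
# software id = X2AJ-5BFT
#
# model = CCR2004-1G-12S+2XS
# serial number = HEW095QA6AY
#
# dc01-ccr01 core router export, reflowed to one statement per line.
# Review changes relative to the original export:
#   - the six VLAN-0002 admin-access rules that were appended AFTER the
#     catch-all "deny FORWARD all" rule were unreachable (RouterOS evaluates
#     filter rules top-down and that drop has no matchers); they now sit
#     before the final deny block. Their source lists currently hold only the
#     127.0.0.1 placeholder, so effective traffic handling is unchanged until
#     real addresses are added to those lists.
#   - two copy-pasted input-chain comments said "from VLAN-0003" for rules
#     that match VLAN-0010 and VLAN-0011; the comments now name the right VLAN.
# Everything else is the original configuration; "# NOTE(review)" lines mark
# points for the operator to confirm, not changes.

# ---------------------------------------------------------------------------
# Physical interfaces. ether1 is reserved for MAC-level management (see
# /interface list and /tool mac-server below); SFP+ ports carry jumbo frames,
# sfp-sfpplus12 is the transport link towards dc01-gw01.
# ---------------------------------------------------------------------------
/interface ethernet
set [ find default-name=ether1 ] comment="Management interface for network devices (MAC server only)" name=ether1-mac-mgmt
set [ find default-name=sfp-sfpplus1 ] comment="Link to switch dc01-sw01 [ bond ]" l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus2 ] comment="Link to switch dc01-sw02 [ bond ]" l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus3 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus4 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus5 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus6 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus7 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus8 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus9 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus10 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus11 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus12 ] comment="Link to router dc01-gw01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE" l2mtu=1600
set [ find default-name=sfp28-1 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp28-2 ] l2mtu=9092 mtu=9000

# Active/backup bond towards the two DC switches; all server VLANs ride on it.
/interface bonding
add mode=active-backup mtu=9000 name=bond_SW01_SW02 primary=sfp-sfpplus1 slaves=sfp-sfpplus1,sfp-sfpplus2

/interface vlan
add comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0002 vlan-id=2
add comment="VLAN-0003 for VMware vSphere vMotion" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0003 vlan-id=3
add comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=bond_SW01_SW02 name=VLAN-0010 vlan-id=10
add comment="VLAN-0011 for Management iLO IPMI" interface=bond_SW01_SW02 name=VLAN-0011 vlan-id=11
add comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=bond_SW01_SW02 mtu=9000 name=VLAN-3222-DMZ vlan-id=3222

# Interface list used to confine MAC-winbox and neighbor discovery to ether1.
/interface list
add name=interfaces-MAC-MGMT

# ---------------------------------------------------------------------------
# Attack-surface reduction: SMB off, IPv6 off (no IPv6 filter exists in this
# export, so keep it disabled unless one is added), SYN cookies on, neighbor
# discovery only on the MAC-management list.
# ---------------------------------------------------------------------------
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ip smb
set enabled=no
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=interfaces-MAC-MGMT
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1-mac-mgmt list=interfaces-MAC-MGMT

/ip address
add address=10.12.90.254/24 comment="Transport for access outside <--> inside" interface=sfp-sfpplus12 network=10.12.90.0
add address=10.8.2.1/24 comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" interface=VLAN-0002 network=10.8.2.0
add address=10.8.3.1/24 comment="VLAN-0003 for VMware vSphere vMotion" interface=VLAN-0003 network=10.8.3.0
# NOTE(review): VLAN-0010 carries two addresses in the same /24 (.251 and .1);
# confirm whether .251 is a leftover from a migration or intentionally kept.
add address=10.8.10.251/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=VLAN-0010 network=10.8.10.0
add address=10.8.10.1/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=VLAN-0010 network=10.8.10.0
add address=10.8.11.1/24 comment="VLAN-0011 for Management iLO IPMI" interface=VLAN-0011 network=10.8.11.0
add address=10.11.222.1/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=VLAN-3222-DMZ network=10.11.222.0

/ip cloud
set update-time=no
/ip dns
set servers=77.88.8.8,77.88.8.1

# ---------------------------------------------------------------------------
# Address lists. Lists holding only 127.0.0.1 are placeholders: a rule that
# matches on them cannot match real traffic until entries are added.
# NOTE(review): several lists below (e.g. all-ovpn, transport-sfp-sfpplus12,
# dmz-VLAN-3222, the *-adm-IT / *-adm-SEC lists, allow-default-*) are not
# referenced by any filter rule in this export.
# ---------------------------------------------------------------------------
/ip firewall address-list
add address=10.8.10.0/24 comment="List addr for Management network devices FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
add address=192.168.24.0/24 comment="List addr OpenVPN FID=ovp8nkdb4cxkq1ms" list=all-ovpn
add address=10.8.0.0/13 comment="all-all network dmz + inside + transport + ovpn + l2pt etc" list=all-networks
add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" list=all-dmz
add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" list=all-inside
add address=10.12.90.0/24 comment="List subnetwork transport VLAN-4090 for access outside <--> inside" list=transport-sfp-sfpplus12
add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" list=all-inside
add address=10.10.0.0/16 comment="all INSIDE networks (VLANs range 2000-2255)" list=all-inside
add address=10.8.2.0/24 comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi hosts)" list=inside-VLAN-0002
add address=10.8.3.0/24 comment="VLAN-0003 for VMware vSphere vMotion" list=inside-VLAN-0003
add address=127.0.0.1 list=allow-default-for-all
add address=127.0.0.1 list=allow-default-buh
add address=10.8.10.0/24 comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" list=inside-VLAN-0010
add address=10.8.11.0/24 comment="VLAN-0011 for Management iLO IPMI" list=inside-VLAN-0011
add address=10.8.2.5 comment="VLAN-0002 [ dc01-vcsrv01-infr.comp.loc ]" list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc
add address=10.8.2.11 comment="VLAN-0002 [ host01.cluster01.esxi.comp.loc ] ESXI" list=inside-VLAN-0002-ESXi-Cluster01-hosts
add address=10.8.2.12 comment="VLAN-0002 [ host02.cluster01.esxi.comp.loc ] ESXI" list=inside-VLAN-0002-ESXi-Cluster01-hosts
add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-IT
add address=127.0.0.1 comment="allow [All ICMP,TCP,UDP] [ivanov_ovpn]" list=allow-to-VLAN-0002-adm-ALL
add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [All ICMP,TCP,UDP] [ivanov_ovpn] [VPN]" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
add address=127.0.0.1 list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-IT
add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:80,443] [ivanov_ovpn] [VPN] FID=1234567890" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-SEC
add address=127.0.0.1 list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-SEC
add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:22] [ivanov_ovpn] [VPN]" list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
add address=10.11.222.0/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" list=dmz-VLAN-3222

# ---------------------------------------------------------------------------
# Filter rules. Order matters: rules are evaluated top-down and the first
# match wins, so every accept must precede the reject/drop block at the end.
# Layout: fasttrack + established/related, invalid drop, input accepts,
# forward accepts (VPN admin, inside -> outside, VLAN-0002 admin access),
# then the catch-all reject/drop rules for input and forward.
# ---------------------------------------------------------------------------
/ip firewall filter
# Fasttrack established/related TCP+UDP in hardware; these must be first so
# the remaining rules only see new or invalid traffic.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=udp
add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid

# Input: ICMP from each server VLAN to the router's own address on that VLAN
# (the dst-address-list pins the match to the router's VLAN subnet).
add action=accept chain=input comment="allow INPUT from VLAN-0002 -->> ME [ICMP] for VMware vSphere infrastructure (vCenter server, ESXi hosts)" connection-state=new dst-address-list=inside-VLAN-0002 in-interface=VLAN-0002 protocol=icmp src-address-list=inside-VLAN-0002
add action=accept chain=input comment="allow INPUT from VLAN-0003 -->> ME [ICMP] for VMware vSphere vMotion" connection-state=new dst-address-list=inside-VLAN-0003 in-interface=VLAN-0003 protocol=icmp src-address-list=inside-VLAN-0003
add action=accept chain=input comment="allow INPUT from VLAN-0010 -->> ME [ICMP] for Management interface for network devices (TCP/IP connect)" connection-state=new dst-address-list=inside-VLAN-0010 in-interface=VLAN-0010 protocol=icmp src-address-list=inside-VLAN-0010
add action=accept chain=input comment="allow INPUT from VLAN-0011 -->> ME [ICMP] for Management iLO IPMI" connection-state=new dst-address-list=inside-VLAN-0011 in-interface=VLAN-0011 protocol=icmp src-address-list=inside-VLAN-0011

# Input: management access to the router itself. Only the admin management
# subnet (via VLAN-0010) and the L2TP admin list may reach SSH/WinBox; all
# other new input is rejected by the catch-all rules below.
add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
# NOTE(review): port 21 is opened here although the FTP service is disabled
# under /ip service; drop 21 from this list unless FTP is meant to be
# re-enabled, so the firewall does not pre-authorise a service that is off.
add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm

# Forward: L2TP admin access arriving over the transport link into INSIDE
# and DMZ (ICMP plus a fixed set of admin TCP ports).
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-inside in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-inside dst-port=22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-dmz in-interface=sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-dmz dst-port=22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp src-address-list=admin-L2TP-VPN-mgm

# Custom chains. allow_icmp_tcp_udp is the jump target of the VLAN-0002
# admin rules below.
# NOTE(review): allow-default-for-all and allow-default-buh are never jumped
# to by any rule in this export, so they are currently dead.
add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=icmp
add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=tcp
add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=udp
add action=accept chain=allow-default-for-all protocol=icmp
add action=accept chain=allow-default-buh protocol=icmp

# Forward: any internal network (10.8.0.0/13) towards non-internal
# destinations via the transport link to dc01-gw01.
add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSPORT LINK <--> OUTSIDE (to dc01-gw01)" connection-state=new dst-address-list=!all-networks out-interface=sfp-sfpplus12 src-address-list=all-networks

# Forward: admin access into VLAN-0002 driven by the allow-to-VLAN-0002-*
# address lists. Moved here from after the catch-all drop, where they could
# never match.
add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002 jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-adm-ALL
add action=jump chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 protocol=icmp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=22 out-interface=VLAN-0002 protocol=tcp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 protocol=icmp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
add action=accept chain=forward connection-state=new dst-address-list=inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=80,443 out-interface=VLAN-0002 protocol=tcp src-address-list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs

# Catch-all: reject new TCP/UDP explicitly (faster failure for legitimate
# clients), then drop everything else. connection-state="" means the matcher
# is cleared, i.e. the drop applies to every packet reaching it. Nothing may
# be placed after these rules in either chain.
add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=input comment="deny INPUT all" connection-state=""
add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=forward comment="deny FORWARD all" connection-state=""

# Default route via dc01-gw01 over the transport link; return route for the
# L2TP admin pool points at the L2TP concentrator on the management VLAN.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.12.90.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

# Management services: only SSH and WinBox remain in use; reachability is
# further limited by the input-chain rules above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub

# NOTE(review): always-allow-password-login=yes keeps password authentication
# available even for users that have an SSH key, and forwarding-enabled=both
# lets an SSH session open local and remote TCP tunnels through the router.
# Both widen what a compromised admin credential can do; set them to =no once
# key-based login is deployed for all admin accounts.
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes

/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=dc01-ccr01
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=80.240.216.155
add address=185.232.69.65
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no

# MAC-level access: MAC-telnet off everywhere, MAC-WinBox only on the
# dedicated management port list, MAC-ping off.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=interfaces-MAC-MGMT
/tool mac-server ping
set enabled=no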