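# 2024-08-30 19:14:38 by RouterOS 7.15.3
# software id = 1Y74-1PQS
#
# model = CRS312-4C+8XG
# serial number = HEQ0941H7M6
#
# dc01-sw01: CRS312 switch in front of the ESXi cluster (ether1/ether2,
# bond_SFP, combo3 are 802.1Q trunks). The only L3 interface on this
# device is VLAN-0010 (management, 10.8.10.201/24); all inter-VLAN routing
# is done upstream by dc01-gw01, which hands VLAN 10 in untagged on ether8.
#
# This is a non-verbose export: anything not listed here is at its
# RouterOS default. In particular /ip service winbox and ssh remain
# enabled (8291/22, matched by the firewall rules below) and www-ssl
# is at its default (disabled) - confirm with "/ip service print".
#
# Review changes relative to the previous export:
#   * /ip firewall filter: TCP/21 removed from the admin accept rule -
#     the ftp service is disabled under /ip service, so the open port
#     only advertised a dead service.
#   * /ip ssh: forwarding disabled and password fallback for key-enabled
#     users disabled (see notes there).
/interface bridge
# STP priority lowered (0x4000) so this switch is preferred as root over
# default-priority (0x8000) neighbours. vlan-filtering=yes is what makes the
# per-port frame-types / pvid settings below enforce VLAN separation.
add name=bridge port-cost-mode=short priority=0x4000 vlan-filtering=yes
/interface ethernet
# Jumbo frames (mtu 9000 / l2mtu 9092) on every trunk to the ESXi nodes and
# on the SFP uplinks; unused ports are administratively disabled.
set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 mtu=9000
set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 mtu=9000
set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
# ether8: access port from dc01-gw01 carrying VLAN 10 untagged (pvid set on
# the bridge port below). Kept at default MTU.
set [ find default-name=ether8 ] comment="Link from dc01-gw01 for Management interface for network devices (TCP/IP connect)"
# ether9 is deliberately NOT a bridge port: it is an out-of-band console-style
# port reachable only by direct cabling, used for MAC-Winbox and neighbor
# discovery (see /tool mac-server and /ip neighbor below).
set [ find default-name=ether9 ] comment="Management interface for network devices (MAC server only)" name=ether9-mac-mgmt
/interface vlan
# The switch's own management interface; the only place it has an IP.
add comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=bridge name=VLAN-0010 vlan-id=10
/interface bonding
# LACP uplink over the two SFP+ combo ports.
add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
/interface list
# Interface list used to scope MAC-Winbox and neighbor discovery to ether9 only.
add name=interfaces-MAC-MGMT
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/system logging action
set 1 disk-file-name=log
/ip smb
# SMB server off; the default share/user entries below are leftovers and
# are inert while the service is disabled.
set enabled=no
/interface bridge port
# Trunks accept only 802.1Q-tagged frames (no native VLAN), which prevents
# untagged injection into pvid 1 from the hypervisor side.
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 internal-path-cost=10 path-cost=10
# ether8: access port, untagged/priority-tagged frames only, mapped to VLAN 10.
# Tagged frames from the gateway are rejected by frame-types, so the gateway
# cannot reach other VLANs through this port.
add bridge=bridge comment="Link from dc01-gw01 for Management interface for network devices (TCP/IP connect) VLAN-0010" frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
/ip firewall connection tracking
# Short UDP timeout: the only UDP this device originates is DNS/NTP replies.
set udp-timeout=10s
/ip neighbor discovery-settings
# MNDP/CDP/LLDP only on the out-of-band port; nothing is advertised on the
# trunks or on the management VLAN.
set discover-interface-list=interfaces-MAC-MGMT
/ip settings
set tcp-syncookies=yes
/ipv6 settings
# IPv6 fully disabled; there are no v6 firewall rules, so this must stay
# off unless a matching /ipv6 firewall filter is added.
set disable-ipv6=yes
/interface bridge vlan
# NOTE(review): the bridge (CPU port) is a tagged member of every VLAN,
# although only VLAN-0010 has an /interface vlan. Frames for the other
# VLANs should be discarded at the bridge interface for lack of a matching
# VLAN interface, but least privilege would be to list "bridge" in tagged=
# only for VLAN 10 - confirm no other CPU-side VLAN interface is planned
# before removing it.
add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x <-> 10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=101-255
add bridge=bridge comment="VLANs range for DMZ IPs range for use 10.11.100.x <-> 10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3000-3255
add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
# VLAN 10 is the only VLAN with an untagged member (ether8) and the only one
# that needs "bridge" in tagged= (for VLAN-0010).
add bridge=bridge comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" tagged=bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=10
add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=11
add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x <-> 10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=1000-1255
add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x <-> 10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2000-2255
/interface list member
add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
/ip address
# Sole L3 address of the switch, on the management VLAN.
add address=10.8.10.201/24 interface=VLAN-0010 network=10.8.10.0
/ip cloud
# No cloud time sync; NTP below is used instead. DDNS is at its default (off).
set update-time=no
/ip dns
# Resolver used by the switch itself. allow-remote-requests is not set and
# so stays at its default (no): this device is not a DNS server.
set servers=10.8.10.11
/ip firewall address-list
# Source lists for management access. The L2TP and OpenVPN entries are
# single admin hosts behind dc01-gw01; the OpenVPN entry is currently
# disabled and therefore matches nothing.
add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
add address=10.8.10.0/24 comment="List addr for Management only network devices (Mikrotik) FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
/ip firewall filter
# Input policy: stateful allow, then ICMP + SSH/Winbox from the two admin
# source lists arriving on VLAN-0010 only, then explicit reject/drop.
#
# The forward chain is effectively a safety net: with a single IP interface
# there is nothing to route. It does NOT filter bridge-switched traffic
# between hosts on the trunks - that stays L2 unless
# "/interface bridge settings set use-ip-firewall=yes" were enabled.
# Inter-VLAN isolation therefore rests on the bridge VLAN table above and
# on dc01-gw01.
add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
# Only SSH (22) and Winbox (8291) are exposed. TCP/21 was removed from this
# rule: the ftp service is disabled under /ip service below, so allowing the
# port only made a closed service visible to scanners. Re-add 21 only
# together with re-enabling ftp, and prefer SFTP over SSH instead.
add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
# Unsolicited TCP/UDP is actively rejected (RST / port-unreachable) rather
# than silently dropped. That is friendlier for admins but confirms the
# host is alive to any scanner on VLAN 10; switch these to action=drop if
# a quieter footprint is preferred.
add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=input comment="deny INPUT all" connection-state=""
add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=forward comment="deny FORWARD all" connection-state=""
/ip hotspot profile
# Default profile leftover; no hotspot server is defined in this export.
set [ find default=yes ] html-directory=hotspot
/ip route
# Default route via dc01-gw01 on the management VLAN. The explicit
# 172.16.38.0/24 route points at the same gateway and is redundant with the
# default; it is kept so the VPN return path survives a future change of
# the default gateway.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
# Cleartext and API management disabled. ssh and winbox keep their defaults
# (enabled) and are reachable only through the firewall rules above; as a
# second layer, consider "set ssh address=10.8.10.0/24,172.16.38.222/32"
# (and likewise for winbox) so the services themselves also refuse other
# sources.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
# Hardening:
#  - forwarding-enabled=no: was "both". A switch has no reason to offer
#    local/remote/dynamic SSH port forwarding; leaving it on lets anyone
#    with an SSH account use the switch as a pivot into the management VLAN.
#  - always-allow-password-login=no: was "yes". With "no" (the RouterOS
#    default) a user that has a public key imported can log in only with
#    that key; users without a key still authenticate by password, so this
#    does not lock anyone out.
#  - strong-crypto + 4096-bit host key kept from the previous config.
set always-allow-password-login=no forwarding-enabled=no host-key-size=4096 strong-crypto=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=dc01-sw01
/system note
set show-at-login=no
/system ntp client
# Time sync against two public NTP servers; the switch reaches them via the
# default route, and their replies are admitted by the established/related
# input rule.
set enabled=yes
/system ntp client servers
add address=80.240.216.155
add address=185.232.69.65
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-Telnet disabled everywhere; MAC-Winbox and MAC-ping restricted to the
# out-of-band port list (ether9 only, which is not bridged). This is the
# recovery path if VLAN-0010 becomes unreachable.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=interfaces-MAC-MGMT
/tool mac-server ping
set enabled=no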