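# 2024-09-04 13:07:44 by RouterOS 7.15.3
# software id = 73EZ-45GQ
#
# model = RB750Gr3
# serial number = 6F380862DC41
#
# Emergency-access router: ether1 (renamed ether1-outside) faces the upstream
# network, ether2-ether5 are bridged as the management LAN, and an OpenVPN
# server in ethernet (L2) mode bridges remote clients into that LAN.
# Reflowed to one command per line from the wrapped export. Lines starting
# with "# NOTE(review)" are reviewer observations; the only rule data changed
# are two rule comment= strings that mis-described their own rule (marked
# below) and comment= tags added to the four previously uncommented
# management rules, following the convention the other rules already use.
/interface bridge
add name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-outside
/interface list
add name=interfaces-MAC-MGMT
add name=interfaces-outside
/ppp profile
# Profile for OVPN clients: bridged into bridge-local, one active session per
# secret, IPv6/MPLS/UPnP disabled on the tunnel.
add bridge=bridge-local change-tcp-mss=yes local-address=172.20.1.1 name=emergency only-one=yes use-ipv6=no use-mpls=no use-upnp=no
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery only on the LAN-side list, never on ether1-outside.
set discover-interface-list=interfaces-MAC-MGMT
/ip settings
set tcp-syncookies=yes
/ipv6 settings
# IPv6 is fully disabled; the firewall below is IPv4-only by design.
set disable-ipv6=yes
/interface list member
add interface=ether2 list=interfaces-MAC-MGMT
add interface=ether3 list=interfaces-MAC-MGMT
add interface=ether4 list=interfaces-MAC-MGMT
add interface=ether5 list=interfaces-MAC-MGMT
add interface=ether1-outside list=interfaces-outside
/interface ovpn-server server
# Client certificates are required and TLS is pinned to 1.2.
# NOTE(review): auth=sha1 and cipher=aes256-cbc are the legacy OpenVPN
# algorithms. If every client supports it, a SHA-2 HMAC (sha256/sha512) and
# an AEAD cipher (aes256-gcm) are the stronger choice on RouterOS 7; left
# unchanged here because changing them silently breaks existing clients.
set auth=sha1 certificate=ovpn-server cipher=aes256-cbc default-profile=emergency enabled=yes mode=ethernet port=40004 protocol=udp require-client-certificate=yes tls-version=only-1.2
/ip address
add address=11.11.11.123/29 interface=ether1-outside network=11.11.11.120
/ip cloud
set update-time=no
/ip dns
# Resolver for the router itself; allow-remote-requests is not set here and so
# stays at its default.
set servers=8.8.8.8
/ip firewall address-list
add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
# NOTE(review): the list name and comment say 22.22.22.123 but the entry is
# 11.11.11.123 (looks like a leftover from a template). Neither this list nor
# all-outside is referenced by any rule in this export, so it is currently
# inert, but it should be corrected or removed before it is relied on.
add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=outside-only-22.22.22.123
# Bogon / non-routable prefixes, matched by the filter rules on the outside
# interface to drop spoofed or leaked traffic in all four directions.
add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
/ip firewall filter
# Fast path: accept established/related, drop invalid, in both chains.
add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
# Bogon filtering on the outside interface list (input, output, forward in/out).
add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface-list=interfaces-outside src-address-list=all-bogon
add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface-list=interfaces-outside
add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface-list=interfaces-outside src-address-list=all-bogon
add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface-list=interfaces-outside
# Drop new inbound connections arriving on ether1-outside that were not
# DST-NATed. The exported comment read "from inside -->> outside" and repeated
# the FID tag, which contradicts the in-interface=ether1-outside match; only
# the comment text is corrected, the match criteria are unchanged.
# NOTE(review): the service rules match in-interface=ether1-outside directly
# while the bogon rules use in-interface-list=interfaces-outside; both resolve
# to the same port today, but using the list everywhere keeps them in step if
# a second uplink is ever added.
add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ not DST-NATed ] FID=SERVICE-RULES" connection-nat-state=!dstnat connection-state=new in-interface=ether1-outside
# Services reachable from the outside: ICMP and the OVPN server port.
# NOTE(review): ICMP from the outside is accepted without a limit= match; add
# one if ping floods against the uplink are a concern.
add action=accept chain=input comment="allow INPUT from outside -->> ME [ICMP]" connection-state=new in-interface=ether1-outside protocol=icmp
add action=accept chain=input comment="allow INPUT from outside -->> ME OVPN server [UDP:40004]" connection-state=new dst-port=40004 in-interface=ether1-outside protocol=udp
# Management (SSH 22, Winbox 8291) from the outside only from two fixed
# source addresses; everything else to these ports is rejected below.
add action=accept chain=input comment="allow INPUT from outside -->> ME SSH/Winbox [TCP:22,8291] src 62.212.68.103" connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=62.212.68.103
add action=accept chain=input comment="allow INPUT from outside -->> ME SSH/Winbox [TCP:22,8291] src 213.141.150.29" connection-state=new dst-port=22,8291 in-interface=ether1-outside protocol=tcp src-address=213.141.150.29
# Management from the LAN side (bridge-local, 172.20.1.0/24): ICMP and SSH/Winbox.
add action=accept chain=input comment="allow INPUT from inside -->> ME [ICMP]" dst-address=172.20.1.0/24 in-interface=bridge-local protocol=icmp src-address=172.20.1.0/24
add action=accept chain=input comment="allow INPUT from inside -->> ME SSH/Winbox [TCP:22,8291]" connection-state=new dst-address=172.20.1.0/24 dst-port=22,8291 in-interface=bridge-local protocol=tcp src-address=172.20.1.0/24
# Default deny for input: new TCP gets a RST, new UDP gets port-unreachable,
# everything else is silently dropped.
add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=input comment="deny INPUT all" connection-state=""
# Default deny for forward. There is no accept rule for new forwarded
# connections in either direction, so this router routes nothing new between
# inside and outside; OVPN clients reach the LAN at layer 2 via the bridge,
# which these rules do not see unless bridge use-ip-firewall is enabled.
# The UDP rule's exported comment said "tcp-reset" while its reject-with is
# icmp-port-unreachable; only the comment text is corrected.
# NOTE(review): log-prefix=reject_fw_udp is set without log=yes, so the prefix
# appears to have no effect; add log=yes if these rejects should be logged.
add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with icmp-port-unreachable" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=forward comment="deny FORWARD all" connection-state=""
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=main suppress-hw-offload=no
# High-distance blackholes for private/link-local space so traffic to
# unconfigured private prefixes does not leak out the default route; more
# specific connected/PPP routes (e.g. 172.20.1.x) still win.
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16
/ip service
# telnet/ftp/www/api/api-ssl are switched off; ssh and winbox are left enabled
# because the management rules above depend on them, and the input chain is
# what limits who can reach them.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# NOTE(review): always-allow-password-login=yes keeps password authentication
# available even for users that have a public key installed, and
# forwarding-enabled=both allows SSH local/remote port forwarding through the
# router. Both widen what a leaked credential can reach; set them to no once
# key-based access is in place and forwarding is confirmed unnecessary. Left
# unchanged here so this reflow cannot lock the operator out.
set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/ppp secret
# OVPN user bound to the emergency profile with a fixed tunnel address.
# No password= appears, so this export was presumably made without
# show-sensitive; the secret must be re-created on import.
add name=ivanov_ovpn profile=emergency remote-address=172.20.1.2 service=ovpn
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=dc01-emer01
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet disabled on every interface; MAC-Winbox only on the LAN list
# (layer-2 reachable from ether2-5, not from ether1-outside); MAC-ping off.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=interfaces-MAC-MGMT
/tool mac-server ping
set enabled=no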