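# 2024-08-30 22:34:52 by RouterOS 7.15.3
# software id = 6HAJ-6CUK
#
# model = RB4011iGS+
# serial number = HEH08H8P0GS
#
# Review notes (edge gateway dc01-gw01): ether1-outside is the Internet uplink,
# sfp-sfpplus1 is the transport link to dc01-ccr01 (all inside/DMZ nets behind
# it, 10.8.0.0/13), ether8-mgmt is the management LAN and ether9-mac-mgmt is a
# MAC-only management port. Admin remote access is L2TP/IPsec only (one secret).
# Changes made in this revision, each marked with "# CHANGED" below:
#   - all-bogon loopback entry widened from 127.0.0.0/16 to 127.0.0.0/8
#   - L2TP server: use-ipsec=yes -> required (plain L2TP no longer accepted)
#   - SSH: always-allow-password-login=yes -> no (default; keys win once imported)
#   - input accept from admin-mgm-net: dropped TCP/21 (ftp service is disabled)
#   - fixed misleading comment on the forward UDP reject rule
# This is an export without sensitive values: the IPsec secret and the PPP
# password are not shown here and were not reviewed.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-outside
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] comment="Management interface for network devices (TCP/IP connect)" name=ether8-mgmt
set [ find default-name=ether9 ] comment="Management interface for network devices (MAC server only)" name=ether9-mac-mgmt
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] comment="Link to dc01-ccr01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE"
/interface list
add name=interfaces-MGM
add name=interfaces-outside
# NOTE(review): interfaces-VPN-ptp has no members and is not referenced below.
add name=interfaces-VPN-ptp
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# use-encryption=yes negotiates MPPE but does not insist on it; with the L2TP
# server now at use-ipsec=required the tunnel is protected by IPsec regardless,
# so this is left as-is. Raise to use-encryption=required if IPsec is ever relaxed.
add change-tcp-mss=yes comment="For L2TP VPN MGM admins FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" name=L2TP_VPN_Profile_mgm only-one=no use-compression=yes use-encryption=yes use-ipv6=no use-mpls=no use-upnp=no
/ip smb
set enabled=no
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery (MNDP/CDP/LLDP) is limited to the management list, so the
# router does not announce itself on ether1-outside or the transport link.
/ip neighbor discovery-settings
set discover-interface-list=interfaces-MGM
/ip settings
set tcp-syncookies=yes
# IPv6 is disabled globally; all filter rules below are IPv4 only.
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
# CHANGED: use-ipsec=required. With use-ipsec=yes the server also accepted
# L2TP sessions that arrive on UDP/1701 without IPsec, and the input chain below
# accepts UDP/1701 from the Internet, so the MSCHAPv2 exchange could run in the
# clear. "required" refuses sessions that are not inside an IPsec SA. Every
# current client must therefore be configured for L2TP/IPsec (this is the
# default for the built-in Windows/iOS/Android clients).
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add interface=ether9-mac-mgmt list=interfaces-MGM
add interface=ether1-outside list=interfaces-outside
/ip address
add address=10.12.90.1/24 comment="Transport for access outside <--> inside" interface=sfp-sfpplus1 network=10.12.90.0
# NOTE(review): the address is 11.11.11.122/29 but the address-list names and
# rule comments below refer to 22.22.22.x; this looks like partial sanitisation
# of the export - confirm which range is live before reusing this file.
add address=11.11.11.122/29 comment="Outside IPs" interface=ether1-outside network=11.11.11.120
add address=10.8.10.11/24 comment="Management interface for network devices (TCP/IP connect)" interface=ether8-mgmt network=10.8.10.0
/ip cloud
set update-time=no
/ip dns
# allow-remote-requests=yes makes the router a resolver for others. This is not
# an open resolver only because the input chain accepts UDP/53 solely from
# allow-INSDIE-to-local-DNS (via sfp-sfpplus1) and admin-mgm-net (via ether8-mgmt);
# keep those rules ahead of the final input reject/drop when editing.
set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1
/ip firewall address-list
# The allow_inet_* lists are populated with 127.0.0.1 as a placeholder so the
# lists exist; 127.0.0.1 can never be a source on sfp-sfpplus1, so these egress
# rules match nothing until real inside hosts are added.
add address=127.0.0.1 comment="List addr for allow Internet access [UDP:53 ] FID=n1fk4do7we2ah5uz" list=allow_inet_DNS
add address=127.0.0.1 comment="List addr for allow Internet access [TCP:22] FID=pq9dm54nwj4ah6ee" list=allow_inet_SSH
add address=11.11.11.122 comment="List addr OUTSIDE IPs" list=all-outside
add address=11.11.11.122 comment="List addr OUTSIDE IP=22.22.22.122" list=outside-only-22.22.22.122
add address=127.0.0.1 comment="List addr for allow Internet access [ICMP] FID=zpfju4q8wn2hj5n7" list=allow_inet_icmp
add address=192.168.24.0/24 comment="List addr OpenVPN" disabled=yes list=all-ovpn
add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=outside-only-22.22.22.123
add address=11.11.11.124 comment="List addr OUTSIDE IP=22.22.22.124" list=outside-only-22.22.22.124
add address=11.11.11.125 comment="List addr OUTSIDE IP=22.22.22.125" list=outside-only-22.22.22.125
add address=10.99.99.99 comment="List addr clients from inside network to local DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
add address=10.99.99.77 comment="List addr clients from inside network to local DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
add address=127.0.0.1 comment="List addr for allow Internet access [TCP:80,443] servername.local FID=q5tst1p6o3jrdnb9" list=allow_inet_HTTPS
add address=127.0.0.1 comment="List addr for allow Internet access [ALL:ALL] FID=allan3smjenrbtq3" list=allow_inet_all
add address=127.0.0.1 comment="List addr for allow Internet access [TCP:25,465,587] FID=alld1nrr9nabdnt1" list=allow_inet_SMTP
add address=10.8.0.0/13 comment="all-all network dmz + inside + transport + ovpn + l2pt etc" list=all-networks
add address=127.0.0.1 comment="List addr for allow Internet access [TCP:143,993] FID=izmp3domfei9qnae" list=allow_inet_IMAP
add address=127.0.0.1 comment="List addr for allow Internet access [TCP:43] FID=ivnusgh98hs98wh9" list=allow_inet_WHOIS
add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
add address=127.0.0.1 comment="List addr for allow Internet access [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" list=allow_inet_IPsec
add address=127.0.0.1 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" list=allow_inet
# all-bogon is used as an anti-spoofing source filter on ether1-outside (input
# and forward) and as a destination filter towards ether1-outside (output and
# forward). RFC1918 space is listed here on purpose: nothing inside should ever
# be reached through the Internet uplink.
add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
# CHANGED: 127.0.0.0/16 -> 127.0.0.0/8. The loopback block is a /8; with /16
# a spoofed source such as 127.1.0.0/16 slipped past this list.
add address=127.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" list=all-dmz
add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" list=all-inside
add address=10.12.90.0/24 comment="List subnetwork transport VLAN-4090 for access outside <--> inside" list=transport-sfp-sfpplus1
add address=10.8.10.0/24 comment="List addr for Management network devices FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
add address=127.0.0.1 comment="List addr for allow Internet access [UDP:123] FID=ab2ntprroam3e5fd" list=allow_inet_NTP
# NOTE(review): x-OFFICE-MSK01-all-networks is not referenced by any rule below.
add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
add address=11.11.11.124 comment="List addr OUTSIDE IPs" list=all-outside
add address=11.11.11.125 comment="List addr OUTSIDE IPs" list=all-outside
# These three hosts (core router and the two management switches) get
# unrestricted ICMP/TCP/UDP egress through the allow_icmp_tcp_udp chain.
add address=10.12.90.254 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-ccr01 ]" list=allow_inet
add address=10.8.10.201 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw01 ]" list=allow_inet
add address=10.8.10.202 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw02 ]" list=allow_inet
add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" list=all-inside
add address=10.10.0.0/16 comment="all INSIDE networks (VLANs range 2000-2255)" list=all-inside
/ip firewall filter
# Rule order matters: fasttrack + established/related first, invalid dropped,
# anti-spoof, then per-direction allows, then explicit reject/drop at the end
# of both input and forward. Fasttracked connections skip the rest of this
# chain, so only the first packet of a connection is evaluated by the allows.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=udp
add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
# connection-state="" means "any state" - these anti-spoof drops apply to
# established traffic as well, not just new connections.
add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside
add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside
# Disabled template rules for published DMZ services. They pair with the
# disabled dst-nat rules in /ip firewall nat and only accept connections that
# were actually DNATed (connection-nat-state=dstnat). NOTE(review): the 10.91.x
# targets are outside all-networks (10.8.0.0/13) and all-dmz (10.11.0.0/16) -
# check the addresses before enabling any of them.
add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside -->> VLAN-3001-DMZ DNAT (UDP 22211 -> 10.91.1.11:22211) FID=2hfs38dq1jr42rwe" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.1.11 dst-port=22211 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=udp src-address-list=!all-networks
add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside -->> VLAN-3001-DMZ DNAT (TCP 22212 -> 10.91.1.12:22212) FID=2hfs38dq1jr42rwe" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.1.12 dst-port=22212 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside to frontweb01.dmz-3002.company.local DNAT (22.22.22.124 TCP 80,443 -->> 10.91.2.10 TCP 80,443) FID=web-cuc76crsswg2z3h1rg33e" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.2.10 dst-port=80,443 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside to front mail server frontmail01.dmz-3003.rvision.local (22.22.22.124 TCP 25 465 -->> 10.91.3.11 DNAT TCP 25 465) FID=ewojf9q8twef86gp" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.3.11 dst-port=25,465,993 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
# Egress policy, inside -> Internet: each allow_inet_* list grants one service.
# The two jump rules give members of allow_inet any ICMP/TCP/UDP.
add action=jump chain=forward comment="allow FORWARD from inside -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=sfp-sfpplus1 jump-target=allow_icmp_tcp_udp out-interface=ether1-outside src-address-list=allow_inet
add action=jump chain=forward comment="allow FORWARD from inside MGM -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=ether8-mgmt jump-target=allow_icmp_tcp_udp out-interface=ether1-outside src-address-list=allow_inet
add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ICMP] FID=zpfju4q8wn2hj5n7" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=icmp src-address-list=allow_inet_icmp
add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:22] FID=pq9dm54nwj4ah6ee" connection-nat-state="" connection-state=new dst-port=22 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_SSH
add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:143,993] FID=izmp3domfei9qnae" connection-nat-state="" connection-state=new dst-port=143,993 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_IMAP
add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:25,465,587] FID=alld1nrr9nabdnt1" connection-nat-state="" connection-state=new dst-port=25,465,587 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_SMTP
add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:53] FID=n1fk4do7we2ah5uz" connection-nat-state="" connection-state=new dst-port=53 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_DNS
add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:123] FID=ab2ntprroam3e5fd" connection-nat-state="" connection-state=new dst-port=123 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_NTP
add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:43] FID=ivnusgh98hs98wh9" connection-nat-state="" connection-state=new dst-port=43 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_WHOIS
add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:80,443] FID=q5tst1p6o3jrdnb9" connection-nat-state="" connection-state=new dst-port=80,443 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_HTTPS
add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" connection-nat-state="" connection-state=new dst-port=500,1701,4500 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_IPsec
add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ALL:ALL] FID=allan3smjenrbtq3" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside src-address-list=allow_inet_all
# Admin VPN -> management LAN: ICMP plus SSH/HTTP(S)/Winbox only.
# in-interface-list=dynamic matches the per-session L2TP interfaces.
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic out-interface=ether8-mgmt protocol=icmp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,80,443,8291 in-interface-list=dynamic out-interface=ether8-mgmt protocol=tcp src-address-list=admin-L2TP-VPN-mgm
# Admin VPN -> every internal network, any protocol/port. The author's own
# WARNING stands: this gateway enforces nothing here and relies entirely on
# the ACLs in dc01-ccr01. A compromised admin VPN credential therefore reaches
# all of 10.8.0.0/13 subject only to that downstream policy.
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-NETWORK !!!WARNING - All ACL Firewall in DC01-CCR01!!! FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-networks in-interface-list=dynamic out-interface=sfp-sfpplus1 src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=icmp
add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=tcp
add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=udp
# Services exposed to the Internet on the router itself.
# ICMP is accepted without a rate limit; ESP and UDP 500/1701/4500 serve the
# L2TP/IPsec admin VPN.
add action=accept chain=input comment="allow INPUT from outside -->> ME [ICMP]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=icmp
# NOTE(review): nothing in this export defines a GRE, EoIP or PPTP interface,
# and L2TP/IPsec does not use GRE or AH. If no such tunnel terminates here,
# the GRE and IPsec-ah accepts are unused exposure and can be disabled.
add action=accept chain=input comment="allow INPUT from outside -->> ME [GRE]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=gre
add action=accept chain=input comment="allow INPUT from outside -->> ME [IPsec-esp]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=ipsec-esp
add action=accept chain=input comment="allow INPUT from outside -->> ME [IPsec-ah]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=ipsec-ah
add action=accept chain=input comment="allow INPUT from outside -->> ME (UDP:500,1701,4500]" connection-state=new dst-address-list=outside-only-22.22.22.122 dst-port=500,1701,4500 in-interface=ether1-outside protocol=udp
add action=accept chain=input comment="allow INPUT from transport sfp-sfpplus1 -->> ME [ICMP]" connection-state=new dst-address-list=transport-sfp-sfpplus1 in-interface=sfp-sfpplus1 protocol=icmp src-address-list=transport-sfp-sfpplus1
add action=accept chain=input comment="allow INPUT from inside -->> ME [UDP:53 DNS] for spoofing DNS" connection-state=new dst-port=53 in-interface=sfp-sfpplus1 protocol=udp src-address-list=allow-INSDIE-to-local-DNS
add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=ether8-mgmt protocol=icmp src-address-list=admin-mgm-net
add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=53 in-interface=ether8-mgmt protocol=udp src-address-list=admin-mgm-net
# CHANGED: dst-port=21,22,8291 -> 22,8291. The ftp service is disabled in
# /ip service below, so accepting TCP/21 granted nothing but widened the rule.
# Re-add 21 together with re-enabling the service if FTP is ever needed.
add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=22,8291 in-interface=ether8-mgmt protocol=tcp src-address-list=admin-mgm-net
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,8291 in-interface-list=dynamic protocol=tcp src-address-list=admin-L2TP-VPN-mgm
# Explicit deny tail. TCP gets RST and UDP gets ICMP port-unreachable (so the
# router is "closed" rather than "filtered" to scanners); everything else,
# including non-new states that reached here, is silently dropped.
add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=input comment="deny INPUT all" connection-state=""
add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
# CHANGED: comment corrected - the rule rejects with icmp-port-unreachable,
# not tcp-reset. NOTE(review): log-prefix=reject_fw_udp has no effect unless
# log=yes is also set; confirm whether logging of rejected UDP was intended.
add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with icmp-port-unreachable" connection-state=new log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=forward comment="deny FORWARD all" connection-state=""
/ip firewall nat
# Source NAT for everything in all-networks leaving via ether1-outside to a
# non-internal destination. This rule is active despite the "EXAMPLE" label.
add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside all networks (outside IP = 11.11.11.122)" dst-address-list=!all-networks out-interface=ether1-outside src-address-list=all-networks to-addresses=11.11.11.122
# NOTE(review): comment says 22.22.22.125 but to-addresses is 22.22.22.123.
add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside mail systems for SPF rec TCP 25,465 (outside IP = 22.22.22.125) " disabled=yes dst-port=25,465 out-interface=ether1-outside protocol=tcp src-address=10.91.3.11 to-addresses=22.22.22.123
# Disabled DNAT templates; each is matched by a disabled forward accept above.
add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN-3001-DMZ (22.22.22.122 UDP 22211 -->> 10.91.1.11 UDP 22211) OpenVPN 01 FID=2hfs38dq1jr42rwe" disabled=yes dst-address-list=outside-only-22.22.22.122 dst-port=22211 in-interface=ether1-outside protocol=udp src-address-list=!all-networks to-addresses=10.91.1.11 to-ports=22211
add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN-3001-DMZ (22.22.22.122 TCP 22212 -->> 10.91.1.12 TCP 22212) OpenVPN 02 FID=hf92hfh38dh1jr421we" disabled=yes dst-address-list=outside-only-22.22.22.122 dst-port=22212 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.1.12 to-ports=22212
add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 25 -->> 10.91.3.11 TCP 25) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=25 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=25
add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 465 -->> 10.91.3.11 TCP 465) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=465 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=465
add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 993 -->> 10.91.3.11 TCP 993) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=993 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=993
/ip route
# Blackholes at distance 249 catch private destinations that have no more
# specific route, so they never leak out of the default route. 10.8.0.0/13 is
# more specific than the 10.0.0.0/8 blackhole and wins.
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16
add comment="Route to DC01-CCR01 all networks" disabled=no distance=1 dst-address=10.8.0.0/13 gateway=10.12.90.254 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=main suppress-hw-offload=no
/ip service
# Cleartext and API services are off; ssh, winbox and www-ssl remain enabled
# and are reachable only where the input chain allows. NOTE(review): an
# address= restriction on the remaining services would add a second layer
# independent of the firewall.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
# CHANGED: always-allow-password-login=no (the RouterOS default). With "yes" a
# user who has a public key imported could still log in by password, which
# defeats the point of deploying keys. Users without an imported key are not
# affected. NOTE(review): forwarding-enabled=both permits SSH local and remote
# port forwarding through this gateway for anyone who can log in; set it to no
# unless an admin workflow depends on it.
set always-allow-password-login=no forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/ppp secret
add comment="L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq" local-address=172.16.38.1 name=ivanov_mgm profile=L2TP_VPN_Profile_mgm remote-address=172.16.38.222 service=l2tp
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=dc01-gw01
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=80.240.216.155
add address=185.232.69.65
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
# MAC-level services: MAC-telnet off everywhere, MAC-Winbox only on the
# management list (ether9-mac-mgmt), MAC-ping off.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=interfaces-MGM
/tool mac-server ping
set enabled=no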