# 2024-08-30 22:34:45 by RouterOS 7.15.3
# software id = 6HAJ-6CUK
#
# model = RB4011iGS+
# serial number = HEH08H8P0GS
# --- Physical interfaces ---------------------------------------------------
# ether1 is the only interface facing the untrusted side. Every port that is
# not in use is administratively disabled, so an unlabelled cable cannot join
# the router to a foreign segment.
/interface ethernet set [ find default-name=ether1 ] name=ether1-outside
/interface ethernet set [ find default-name=ether2 ] disabled=yes
/interface ethernet set [ find default-name=ether3 ] disabled=yes
/interface ethernet set [ find default-name=ether4 ] disabled=yes
/interface ethernet set [ find default-name=ether5 ] disabled=yes
/interface ethernet set [ find default-name=ether6 ] disabled=yes
/interface ethernet set [ find default-name=ether7 ] disabled=yes
# ether8 carries the management network (10.8.10.0/24 is assigned to it
# further down in this export).
/interface ethernet set [ find default-name=ether8 ] comment="Management interface for network devices (TCP/IP connect)" name=ether8-mgmt
# ether9 has no IP address anywhere in this export; it is only a member of
# interfaces-MGM, the list the MAC-winbox server is allowed on.
/interface ethernet set [ find default-name=ether9 ] comment="Management interface for network devices (MAC server only)" name=ether9-mac-mgmt
/interface ethernet set [ find default-name=ether10 ] disabled=yes
# sfp-sfpplus1 is the transport link towards dc01-ccr01 (10.12.90.0/24).
/interface ethernet set [ find default-name=sfp-sfpplus1 ] comment="Link to dc01-ccr01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE"
# --- Interface lists -------------------------------------------------------
# interfaces-MGM and interfaces-outside receive members further down;
# interfaces-VPN-ptp has no member and is not referenced by any rule in this
# export.
/interface list add name=interfaces-MGM
/interface list add name=interfaces-outside
/interface list add name=interfaces-VPN-ptp
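# --- Unused services and serial ports --------------------------------------
# SMB is switched off entirely below; the built-in SMB user is disabled too.
/ip smb users set [ find default=yes ] disabled=yes
/port set 0 name=serial0
/port set 1 name=serial1
# --- PPP profile for the L2TP management VPN --------------------------------
# Compression and encryption on, IPv6/MPLS/UPnP off. only-one=no lets one
# secret hold several concurrent sessions.
/ppp profile add change-tcp-mss=yes comment="For L2TP VPN MGM admins FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" name=L2TP_VPN_Profile_mgm only-one=no use-compression=yes use-encryption=yes use-ipv6=no use-mpls=no use-upnp=no
/ip smb set enabled=no
# A short UDP conntrack timeout keeps the state table small on the edge.
/ip firewall connection tracking set udp-timeout=10s
# Neighbor discovery is limited to the management list and never runs on
# ether1-outside.
/ip neighbor discovery-settings set discover-interface-list=interfaces-MGM
/ip settings set tcp-syncookies=yes
# IPv6 is disabled; consistently, this export defines no IPv6 firewall.
/ipv6 settings set disable-ipv6=yes
# --- L2TP server -------------------------------------------------------------
# use-ipsec=required rather than yes: "yes" only offers IPsec and still admits
# a client that negotiates plain L2TP, which would carry the MS-CHAPv2
# exchange over ether1-outside without IPsec. The input chain opens UDP
# 500/1701/4500 for this service. The IPsec pre-shared secret is not part of a
# plain export.
/interface l2tp-server server set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member add interface=ether9-mac-mgmt list=interfaces-MGM
/interface list member add interface=ether1-outside list=interfaces-outside
# --- Addresses ---------------------------------------------------------------
/ip address add address=10.12.90.1/24 comment="Transport for access outside <--> inside" interface=sfp-sfpplus1 network=10.12.90.0
/ip address add address=11.11.11.122/29 comment="Outside IPs" interface=ether1-outside network=11.11.11.120
/ip address add address=10.8.10.11/24 comment="Management interface for network devices (TCP/IP connect)" interface=ether8-mgmt network=10.8.10.0
/ip cloud set update-time=no
# allow-remote-requests=yes turns the router into a resolver for clients.
# Exposure is bounded by the input chain's default-deny tail: UDP/53 is
# accepted only from the allow-INSDIE-to-local-DNS list on sfp-sfpplus1 and
# from admin-mgm-net on ether8-mgmt, never on ether1-outside.
/ip dns set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1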
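# --- Address lists -----------------------------------------------------------
# allow_inet_* lists select which inside hosts may open outbound flows of a
# given kind (see the forward chain). Most of them contain only 127.0.0.1,
# which looks like a placeholder that keeps the list defined.
# NOTE(review): a placeholder entry still grants the list's permission to that
# address; no rule drops bogon sources arriving on sfp-sfpplus1, so a
# disabled=yes placeholder would be the safer way to keep the list around —
# confirm before changing.
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:53 ] FID=n1fk4do7we2ah5uz" list=allow_inet_DNS
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:22] FID=pq9dm54nwj4ah6ee" list=allow_inet_SSH
# all-outside holds every public address of this router; outside-only-* lists
# hold one address each so a DNAT/input rule can be pinned to a single IP. The
# list names carry the 22.22.22.x labels used in the comments while the
# entries are 11.11.11.x; presumably one of the two was rewritten for this
# export — verify against the live router.
/ip firewall address-list add address=11.11.11.122 comment="List addr OUTSIDE IPs" list=all-outside
/ip firewall address-list add address=11.11.11.122 comment="List addr OUTSIDE IP=22.22.22.122" list=outside-only-22.22.22.122
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [ICMP] FID=zpfju4q8wn2hj5n7" list=allow_inet_icmp
/ip firewall address-list add address=192.168.24.0/24 comment="List addr OpenVPN" disabled=yes list=all-ovpn
/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
/ip firewall address-list add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=outside-only-22.22.22.123
/ip firewall address-list add address=11.11.11.124 comment="List addr OUTSIDE IP=22.22.22.124" list=outside-only-22.22.22.124
/ip firewall address-list add address=11.11.11.125 comment="List addr OUTSIDE IP=22.22.22.125" list=outside-only-22.22.22.125
# "INSDIE" is a typo in the list name, but the input chain references the list
# under exactly this spelling, so it is kept as is.
/ip firewall address-list add address=10.99.99.99 comment="List addr clients from inside network to local DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
/ip firewall address-list add address=10.99.99.77 comment="List addr clients from inside network to local DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:80,443] servername.local FID=q5tst1p6o3jrdnb9" list=allow_inet_HTTPS
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [ALL:ALL] FID=allan3smjenrbtq3" list=allow_inet_all
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:25,465,587] FID=alld1nrr9nabdnt1" list=allow_inet_SMTP
# all-networks is the SNAT source and the "internal" side of src-address-list=!all-networks
# matches. Its comment mentions ovpn and l2tp, but 10.8.0.0/13 does not cover
# the L2TP pool (172.16.38.x) or the disabled OpenVPN ranges.
/ip firewall address-list add address=10.8.0.0/13 comment="all-all network dmz + inside + transport + ovpn + l2pt etc" list=all-networks
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:143,993] FID=izmp3domfei9qnae" list=allow_inet_IMAP
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [TCP:43] FID=ivnusgh98hs98wh9" list=allow_inet_WHOIS
# Admin VPN endpoints: the L2TP address matches the ppp secret's
# remote-address; the OpenVPN entry is disabled.
/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" list=allow_inet_IPsec
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" list=allow_inet
# --- Bogon ranges -------------------------------------------------------------
# Only matched on ether1-outside (input/forward source, output/forward
# destination), so the overlap with the internal 10.x and 172.16.x ranges is
# intentional and harmless.
/ip firewall address-list add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
# Loopback is 127.0.0.0/8; the exported /16 left 127.1.0.0-127.255.255.255
# outside the list.
/ip firewall address-list add address=127.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
/ip firewall address-list add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
# --- Site networks --------------------------------------------------------------
/ip firewall address-list add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" list=all-dmz
/ip firewall address-list add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" list=all-inside
/ip firewall address-list add address=10.12.90.0/24 comment="List subnetwork transport VLAN-4090 for access outside <--> inside" list=transport-sfp-sfpplus1
# admin-mgm-net is the source allowed to reach the router itself on
# ether8-mgmt and the destination the admin VPN may reach.
/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management network devices FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
/ip firewall address-list add address=127.0.0.1 comment="List addr for allow Internet access [UDP:123] FID=ab2ntprroam3e5fd" list=allow_inet_NTP
# x-OFFICE-MSK01-all-networks is not referenced by any rule in this export.
/ip firewall address-list add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
/ip firewall address-list add address=11.11.11.124 comment="List addr OUTSIDE IPs" list=all-outside
/ip firewall address-list add address=11.11.11.125 comment="List addr OUTSIDE IPs" list=all-outside
# The three entries below are the only real hosts granted unrestricted
# outbound access: the transport peer and the two management switches.
/ip firewall address-list add address=10.12.90.254 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-ccr01 ]" list=allow_inet
/ip firewall address-list add address=10.8.10.201 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw01 ]" list=allow_inet
/ip firewall address-list add address=10.8.10.202 comment="List addr for allow Internet access [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw02 ]" list=allow_inet
/ip firewall address-list add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" list=all-inside
/ip firewall address-list add address=10.10.0.0/16 comment="all INSIDE networks (VLANs range 2000-2255)" list=all-inside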
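# --- Filter rules ------------------------------------------------------------
# Order matters: rules are evaluated top to bottom within a chain.
# Fasttrack comes first; flows it marks bypass the rest of the filter for
# their established/related packets.
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=udp
/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
# Anti-spoofing on the outside interface. connection-state="" matches any
# state, so these apply before the "new" rules below can accept anything.
/ip firewall filter add action=drop chain=input comment="deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
/ip firewall filter add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside
/ip firewall filter add action=drop chain=forward comment="deny FORWARD from outside -->> inside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" in-interface=ether1-outside src-address-list=all-bogon
/ip firewall filter add action=drop chain=forward comment="deny FORWARD from inside -->> outside [ BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=all-bogon out-interface=ether1-outside
# Templates for published DMZ services. All four are disabled; each is tied to
# connection-nat-state=dstnat so it only admits traffic a dstnat rule already
# translated.
/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside -->> VLAN-3001-DMZ DNAT (UDP 22211 -> 10.91.1.11:22211) FID=2hfs38dq1jr42rwe" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.1.11 dst-port=22211 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=udp src-address-list=!all-networks
/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside -->> VLAN-3001-DMZ DNAT (TCP 22212 -> 10.91.1.12:22212) FID=2hfs38dq1jr42rwe" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.1.12 dst-port=22212 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside to frontweb01.dmz-3002.company.local DNAT (22.22.22.124 TCP 80,443 -->> 10.91.2.10 TCP 80,443) FID=web-cuc76crsswg2z3h1rg33e" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.2.10 dst-port=80,443 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
/ip firewall filter add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outside to front mail server frontmail01.dmz-3003.rvision.local (22.22.22.124 TCP 25 465 -->> 10.91.3.11 DNAT TCP 25 465) FID=ewojf9q8twef86gp" connection-nat-state=dstnat connection-state=new disabled=yes dst-address=10.91.3.11 dst-port=25,465,993 in-interface=ether1-outside out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
# Outbound policy. Hosts in allow_inet get everything via the
# allow_icmp_tcp_udp chain; all other lists are per-service.
/ip firewall filter add action=jump chain=forward comment="allow FORWARD from inside -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=sfp-sfpplus1 jump-target=allow_icmp_tcp_udp out-interface=ether1-outside src-address-list=allow_inet
/ip firewall filter add action=jump chain=forward comment="allow FORWARD from inside MGM -->> outside SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new in-interface=ether8-mgmt jump-target=allow_icmp_tcp_udp out-interface=ether1-outside src-address-list=allow_inet
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ICMP] FID=zpfju4q8wn2hj5n7" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=icmp src-address-list=allow_inet_icmp
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:22] FID=pq9dm54nwj4ah6ee" connection-nat-state="" connection-state=new dst-port=22 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_SSH
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:143,993] FID=izmp3domfei9qnae" connection-nat-state="" connection-state=new dst-port=143,993 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_IMAP
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:25,465,587] FID=alld1nrr9nabdnt1" connection-nat-state="" connection-state=new dst-port=25,465,587 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_SMTP
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:53] FID=n1fk4do7we2ah5uz" connection-nat-state="" connection-state=new dst-port=53 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_DNS
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:123] FID=ab2ntprroam3e5fd" connection-nat-state="" connection-state=new dst-port=123 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_NTP
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:43] FID=ivnusgh98hs98wh9" connection-nat-state="" connection-state=new dst-port=43 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_WHOIS
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [TCP:80,443] FID=q5tst1p6o3jrdnb9" connection-nat-state="" connection-state=new dst-port=80,443 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=tcp src-address-list=allow_inet_HTTPS
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" connection-nat-state="" connection-state=new dst-port=500,1701,4500 in-interface=sfp-sfpplus1 out-interface=ether1-outside protocol=udp src-address-list=allow_inet_IPsec
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from inside -->> outside SNAT [ALL:ALL] FID=allan3smjenrbtq3" connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 out-interface=ether1-outside src-address-list=allow_inet_all
# Admin VPN: in-interface-list=dynamic matches the L2TP session interfaces.
# The third rule grants the VPN address the whole 10.8.0.0/13 and relies on
# dc01-ccr01 for any finer control, as its own comment warns.
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic out-interface=ether8-mgmt protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net dst-port=22,80,443,8291 in-interface-list=dynamic out-interface=ether8-mgmt protocol=tcp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> ALL-NETWORK !!!WARNING - All ACL Firewall in DC01-CCR01!!! FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=all-networks in-interface-list=dynamic out-interface=sfp-sfpplus1 src-address-list=admin-L2TP-VPN-mgm
# Custom chain used by the two jump rules above: accept any ICMP/TCP/UDP.
/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=icmp
/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=tcp
/ip firewall filter add action=accept chain=allow_icmp_tcp_udp comment="Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=udp
# Input from the Internet: ICMP, GRE, ESP and AH to any outside IP; the
# L2TP/IPsec ports only on the .122 address. The UDP 1701 entry is reachable
# in clear unless the L2TP server requires IPsec.
/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [ICMP]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=icmp
/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [GRE]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=gre
/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [IPsec-esp]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=ipsec-esp
/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME [IPsec-ah]" connection-state=new dst-address-list=all-outside in-interface=ether1-outside protocol=ipsec-ah
/ip firewall filter add action=accept chain=input comment="allow INPUT from outside -->> ME (UDP:500,1701,4500]" connection-state=new dst-address-list=outside-only-22.22.22.122 dst-port=500,1701,4500 in-interface=ether1-outside protocol=udp
# Input from the transport link and from inside: ICMP from the peer subnet,
# DNS from the two listed clients.
/ip firewall filter add action=accept chain=input comment="allow INPUT from transport sfp-sfpplus1 -->> ME [ICMP]" connection-state=new dst-address-list=transport-sfp-sfpplus1 in-interface=sfp-sfpplus1 protocol=icmp src-address-list=transport-sfp-sfpplus1
/ip firewall filter add action=accept chain=input comment="allow INPUT from inside -->> ME [UDP:53 DNS] for spoofing DNS" connection-state=new dst-port=53 in-interface=sfp-sfpplus1 protocol=udp src-address-list=allow-INSDIE-to-local-DNS
# Input from the management network: ICMP, DNS, ssh and winbox.
# TCP/21 was dropped from the port list: the ftp service is disabled in this
# export, so the accept only pre-authorised a service that is meant to stay
# off.
/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=ether8-mgmt protocol=icmp src-address-list=admin-mgm-net
/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=53 in-interface=ether8-mgmt protocol=udp src-address-list=admin-mgm-net
/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=22,8291 in-interface=ether8-mgmt protocol=tcp src-address-list=admin-mgm-net
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface-list=dynamic protocol=tcp src-address-list=admin-L2TP-VPN-mgm
# Default deny for input. Unmatched new TCP/UDP is answered with a reset /
# port-unreachable, which also answers probes from ether1-outside; a plain
# drop would be quieter there. Everything else is dropped silently.
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
# Default deny for forward. The UDP rule had log-prefix set without log=yes,
# which leaves the prefix unused; logging is now enabled so denied UDP flows
# are visible, and the comment names the reject type the rule actually uses.
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> any UDP reject-with icmp-port-unreachable" connection-state=new log=yes log-prefix=reject_fw_udp protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""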
# --- NAT ------------------------------------------------------------------------
# The first srcnat rule is the only enabled NAT entry despite its "EXAMPLE"
# label: everything in all-networks leaving via ether1-outside to a non-internal
# destination is translated to 11.11.11.122.
/ip firewall nat add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside all networks (outside IP = 11.11.11.122)" dst-address-list=!all-networks out-interface=ether1-outside src-address-list=all-networks to-addresses=11.11.11.122
# Disabled template. Its comment names 22.22.22.125 while to-addresses is
# 22.22.22.123; one of the two is stale — confirm before enabling.
/ip firewall nat add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside mail systems for SPF rec TCP 25,465 (outside IP = 22.22.22.125) " disabled=yes dst-port=25,465 out-interface=ether1-outside protocol=tcp src-address=10.91.3.11 to-addresses=22.22.22.123
# Disabled DNAT templates. Each is pinned to one outside-only-* address and
# to src-address-list=!all-networks, and pairs with a connection-nat-state=dstnat
# accept in the forward chain.
/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN-3001-DMZ (22.22.22.122 UDP 22211 -->> 10.91.1.11 UDP 22211) OpenVPN 01 FID=2hfs38dq1jr42rwe" disabled=yes dst-address-list=outside-only-22.22.22.122 dst-port=22211 in-interface=ether1-outside protocol=udp src-address-list=!all-networks to-addresses=10.91.1.11 to-ports=22211
/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN-3001-DMZ (22.22.22.122 TCP 22212 -->> 10.91.1.12 TCP 22212) OpenVPN 02 FID=hf92hfh38dh1jr421we" disabled=yes dst-address-list=outside-only-22.22.22.122 dst-port=22212 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.1.12 to-ports=22212
/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 25 -->> 10.91.3.11 TCP 25) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=25 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=25
/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 465 -->> 10.91.3.11 TCP 465) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=465 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=465
/ip firewall nat add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 993 -->> 10.91.3.11 TCP 993) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=outside-only-22.22.22.125 dst-port=993 in-interface=ether1-outside protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 to-ports=993
# --- Routes -----------------------------------------------------------------------
# Blackholes for the private ranges at distance 249, so traffic to an internal
# prefix with no more specific route is discarded here instead of following
# the default route out of ether1-outside.
/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=10.0.0.0/8
/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=169.254.0.0/16
/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=172.16.0.0/12
/ip route add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" distance=249 dst-address=192.168.0.0/16
# 10.8.0.0/13 (the all-networks list) is more specific than the 10.0.0.0/8
# blackhole and goes to dc01-ccr01 over the transport link.
/ip route add comment="Route to DC01-CCR01 all networks" disabled=no distance=1 dst-address=10.8.0.0/13 gateway=10.12.90.254 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Default route towards the upstream gateway on the outside /29.
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=main suppress-hw-offload=no
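# --- Management services ------------------------------------------------------------
# telnet, ftp, www, api and api-ssl are disabled here; ssh and winbox are not
# touched by this export. No address= restriction is set on the services that
# stay on, so the input chain is the only control over where ssh/winbox can be
# reached from.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
# SMB is disabled elsewhere in this export; the default share keeps its path.
/ip smb shares set [ find default=yes ] directory=/pub
# always-allow-password-login=no: a user with an imported public key must use
# it; a user without a key still logs in with a password, so nobody is locked
# out. forwarding-enabled=both keeps ssh port forwarding through this gateway;
# presumably intended for admins reaching devices behind ether8-mgmt — confirm,
# otherwise set it to no so the firewall cannot be used as a tunnel endpoint.
/ip ssh set always-allow-password-login=no forwarding-enabled=both host-key-size=4096 strong-crypto=yes
# Admin L2TP account. The password is not part of a plain export. Its
# remote-address matches the admin-L2TP-VPN-mgm address-list entry.
/ppp secret add comment="L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq" local-address=172.16.38.1 name=ivanov_mgm profile=L2TP_VPN_Profile_mgm remote-address=172.16.38.222 service=l2tp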
# --- System ---------------------------------------------------------------------
/system clock set time-zone-name=Europe/Moscow
/system identity set name=dc01-gw01
/system note set show-at-login=no
# NTP client with two fixed servers; time is not taken from /ip cloud
# (update-time=no above).
/system ntp client set enabled=yes
/system ntp client servers add address=80.240.216.155
/system ntp client servers add address=185.232.69.65
/system routerboard settings set enter-setup-on=delete-key
# --- Layer-2 tools ---------------------------------------------------------------
# Bandwidth test server and MAC ping are off; MAC-telnet is allowed on no
# interface at all and MAC-winbox only on interfaces-MGM (ether9-mac-mgmt),
# so neither is reachable from ether1-outside or the transport link.
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=interfaces-MGM
/tool mac-server ping set enabled=no