SergANT/network
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
network/mikrotik/base-config/dc01-sw02-terse.rsc

86 lines
8.3 KiB
Plaintext
Raw Blame History

# 2024-08-30 19:15:03 by RouterOS 7.15.3
# software id = QEDC-AGM4
#
# model = CRS312-4C+8XG
# serial number = HEQ09EBWASB
/interface bridge add name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
/interface ethernet set [ find default-name=ether8 ] comment="Link from mgmt switch (for iLo IPMI) VLAN-0011"
/interface ethernet set [ find default-name=ether9 ] comment="Management interface for network devices (MAC server only)" name=ether9-mac-mgmt
/interface vlan add comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" interface=bridge name=VLAN-0010 vlan-id=10
/interface bonding add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
/interface list add name=interfaces-MAC-MGMT
/ip smb users set [ find default=yes ] disabled=yes
/port set 0 name=serial0
/system logging action set 1 disk-file-name=log
/ip smb set enabled=no
/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment="Link from mgmt switch (for iLo IPMI) VLAN-0011" frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=11
/ip firewall connection tracking set udp-timeout=10s
/ip neighbor discovery-settings set discover-interface-list=interfaces-MAC-MGMT
/ip settings set tcp-syncookies=yes
/ipv6 settings set disable-ipv6=yes
/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x <-> 10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=101-255
/interface bridge vlan add bridge=bridge comment="VLANs range for DMZ IPs range for use 10.11.100.x <-> 10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3000-3255
/interface bridge vlan add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
/interface bridge vlan add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
/interface bridge vlan add bridge=bridge comment="VLAN-0010 for Management interface for network devices (TCP/IP connect)" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=10
/interface bridge vlan add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=11
/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x <-> 10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=1000-1255
/interface bridge vlan add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x <-> 10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2000-2255
/interface list member add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
/ip address add address=10.8.10.202/24 interface=VLAN-0010 network=10.8.10.0
/ip cloud set update-time=no
/ip dns set servers=10.8.10.11
/ip firewall address-list add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
/ip firewall address-list add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-access-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
/ip firewall address-list add address=10.8.10.0/24 comment="List addr for Management only network devices (Mikrotik) FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
/ip firewall filter add action=accept chain=input comment="allow INPUT established,related" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="allow FORWARD established,related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="deny INPUT Invalid connections" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="deny FORWARD Invalid connections" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
/ip firewall filter add action=accept chain=input comment="allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-mgm-net
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=admin-L2TP-VPN-mgm
/ip firewall filter add action=accept chain=input comment="allow INPUT from lo -->> ME " in-interface=lo
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=input comment="deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=input comment="deny INPUT all" connection-state=""
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new protocol=tcp reject-with=tcp-reset
/ip firewall filter add action=reject chain=forward comment="deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" connection-state=new protocol=udp reject-with=icmp-port-unreachable
/ip firewall filter add action=drop chain=forward comment="deny FORWARD all" connection-state=""
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip smb shares set [ find default=yes ] directory=/pub
/ip ssh set always-allow-password-login=yes forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/system clock set time-zone-name=Europe/Moscow
/system identity set name=dc01-sw02
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=80.240.216.155
/system ntp client servers add address=185.232.69.65
/system routerboard settings set boot-os=router-os enter-setup-on=delete-key
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=interfaces-MAC-MGMT
/tool mac-server ping set enabled=no
Reference in New Issue View Git Blame Copy Permalink