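# 2024-08-30 22:38:15 by RouterOS 7.15.3
# software id = X2AJ-5BFT
#
# model = CCR2004-1G-12S+2XS
# serial number = HEW095QA6AY
#
# Review notes on this export (config semantics unchanged except where stated):
# - /ip firewall filter is evaluated top-down per chain. Six forward rules
#   (the allow-to-VLAN-0002-* jump/accept rules) were exported AFTER the
#   terminal "deny FORWARD all" drop and could never match. They are moved
#   ahead of the forward reject/drop rules below; nothing else is reordered.
# - Two input-rule comments named VLAN-0003 while the rules match
#   in-interface=VLAN-0010 / VLAN-0011; the comments are corrected to match
#   the rule (copy-paste error, affects only the comment text).
# - Address-list entries whose address is 127.0.0.1 are placeholders: rules
#   that reference those lists match nothing until real entries are added.
# - Chains allow-default-for-all and allow-default-buh are defined but no
#   rule jumps to them, so they are currently unreachable.
/interface ethernet
set [ find default-name=ether1 ] comment=\
    "Management interface for network devices (MAC server only)" name=\
    ether1-mac-mgmt
set [ find default-name=sfp-sfpplus1 ] comment=\
    "Link to switch dc01-sw01 [ bond ]" l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus2 ] comment=\
    "Link to switch dc01-sw02 [ bond ]" l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus3 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus4 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus5 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus6 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus7 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus8 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus9 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus10 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp-sfpplus11 ] l2mtu=9092 mtu=9000
# Transport uplink to dc01-gw01: only l2mtu is raised here, L3 mtu stays default.
set [ find default-name=sfp-sfpplus12 ] comment=\
    "Link to router dc01-gw01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE" \
    l2mtu=1600
set [ find default-name=sfp28-1 ] l2mtu=9092 mtu=9000
set [ find default-name=sfp28-2 ] l2mtu=9092 mtu=9000
/interface bonding
# active-backup towards the two switches; sfp-sfpplus1 is the primary member.
add mode=active-backup mtu=9000 name=bond_SW01_SW02 primary=sfp-sfpplus1 \
    slaves=sfp-sfpplus1,sfp-sfpplus2
/interface vlan
add comment="VLAN-0002 for VMware vSphere infrastructure (vCenter server, ESXi\
    \_hosts)" interface=bond_SW01_SW02 mtu=9000 name=VLAN-0002 vlan-id=2
add comment="VLAN-0003 for VMware vSphere vMotion" interface=bond_SW01_SW02 \
    mtu=9000 name=VLAN-0003 vlan-id=3
add comment=\
    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
    interface=bond_SW01_SW02 name=VLAN-0010 vlan-id=10
add comment="VLAN-0011 for Management iLO IPMI" interface=bond_SW01_SW02 \
    name=VLAN-0011 vlan-id=11
add comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" interface=\
    bond_SW01_SW02 mtu=9000 name=VLAN-3222-DMZ vlan-id=3222
/interface list
# Interface list used to scope neighbor discovery and MAC-Winbox (see /tool mac-server).
add name=interfaces-MAC-MGMT
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ip smb
set enabled=no
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=interfaces-MAC-MGMT
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1-mac-mgmt list=interfaces-MAC-MGMT
/ip address
add address=10.12.90.254/24 comment=\
    "Transport for access outside <--> inside" interface=sfp-sfpplus12 \
    network=10.12.90.0
add address=10.8.2.1/24 comment="VLAN-0002 for VMware vSphere infrastructure (\
    vCenter server, ESXi hosts)" interface=VLAN-0002 network=10.8.2.0
add address=10.8.3.1/24 comment="VLAN-0003 for VMware vSphere vMotion" \
    interface=VLAN-0003 network=10.8.3.0
# NOTE(review): VLAN-0010 carries two addresses in the same /24 (.251 and .1);
# kept as exported — confirm both are intended (e.g. VRRP/migration leftover).
add address=10.8.10.251/24 comment=\
    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
    interface=VLAN-0010 network=10.8.10.0
add address=10.8.10.1/24 comment=\
    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
    interface=VLAN-0010 network=10.8.10.0
add address=10.8.11.1/24 comment="VLAN-0011 for Management iLO IPMI" \
    interface=VLAN-0011 network=10.8.11.0
add address=10.11.222.1/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" \
    interface=VLAN-3222-DMZ network=10.11.222.0
/ip cloud
set update-time=no
/ip dns
set servers=77.88.8.8,77.88.8.1
/ip firewall address-list
add address=10.8.10.0/24 comment="List addr for Management network devices FID\
    =admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
add address=192.168.24.0/24 comment="List addr OpenVPN FID=ovp8nkdb4cxkq1ms" \
    list=all-ovpn
add address=10.8.0.0/13 comment=\
    "all-all network dmz + inside + transport + ovpn + l2pt etc" list=\
    all-networks
add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
    ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
    s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
add address=10.11.0.0/16 comment="all DMZ networks (VLANs range 3000-3255)" \
    list=all-dmz
add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" \
    list=all-inside
add address=10.12.90.0/24 comment=\
    "List subnetwork transport VLAN-4090 for access outside <--> inside" \
    list=transport-sfp-sfpplus12
# 127.0.0.1 entries below are placeholders (no rule will match real traffic on them).
add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" \
    list=all-inside
add address=10.10.0.0/16 comment=\
    "all INSIDE networks (VLANs range 2000-2255)" list=all-inside
add address=10.8.2.0/24 comment="VLAN-0002 for VMware vSphere infrastructure (\
    vCenter server, ESXi hosts)" list=inside-VLAN-0002
add address=10.8.3.0/24 comment="VLAN-0003 for VMware vSphere vMotion" list=\
    inside-VLAN-0003
add address=127.0.0.1 list=allow-default-for-all
add address=127.0.0.1 list=allow-default-buh
add address=10.8.10.0/24 comment=\
    "VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
    list=inside-VLAN-0010
add address=10.8.11.0/24 comment="VLAN-0011 for Management iLO IPMI" list=\
    inside-VLAN-0011
add address=10.8.2.5 comment="VLAN-0002 [ dc01-vcsrv01-infr.comp.loc ]" list=\
    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc
add address=10.8.2.11 comment=\
    "VLAN-0002 [ host01.cluster01.esxi.comp.loc ] ESXI" list=\
    inside-VLAN-0002-ESXi-Cluster01-hosts
add address=10.8.2.12 comment=\
    "VLAN-0002 [ host02.cluster01.esxi.comp.loc ] ESXI" list=\
    inside-VLAN-0002-ESXi-Cluster01-hosts
add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-IT
add address=127.0.0.1 comment="allow [All ICMP,TCP,UDP] [ivanov_ovpn]" list=\
    allow-to-VLAN-0002-adm-ALL
add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [All ICMP,T\
    CP,UDP] [ivanov_ovpn] [VPN]" list=\
    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
add address=127.0.0.1 list=\
    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-IT
add address=127.0.0.1 comment="allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:8\
    0,443] [ivanov_ovpn] [VPN] FID=1234567890" list=\
    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
add address=127.0.0.1 disabled=yes list=allow-to-VLAN-0002-adm-SEC
add address=127.0.0.1 list=\
    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-SEC
add address=127.0.0.1 comment=\
    "allow -> dc01-vcsrv01-infr.comp.loc [ICMP TCP:22] [ivanov_ovpn] [VPN]" \
    list=allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
add address=10.11.222.0/24 comment="VLAN-3222-DMZ for ABC FID=EXAMPLE-DELETE" \
    list=dmz-VLAN-3222
/ip firewall filter
# Fasttrack established/related first, then the usual state rules.
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes protocol=udp
add action=accept chain=input comment="allow INPUT established,related" \
    connection-state=established,related
add action=accept chain=forward comment="allow FORWARD established,related" \
    connection-state=established,related
add action=drop chain=input comment="deny INPUT Invalid connections" \
    connection-state=invalid
add action=drop chain=forward comment="deny FORWARD Invalid connections" \
    connection-state=invalid
# INPUT: ICMP to the router from each inside VLAN, matched by interface + list.
add action=accept chain=input comment="allow INPUT from VLAN-0002 -->> ME [ICM\
    P] for VMware vSphere infrastructure (vCenter server, ESXi hosts)" \
    connection-state=new dst-address-list=inside-VLAN-0002 in-interface=\
    VLAN-0002 protocol=icmp src-address-list=inside-VLAN-0002
add action=accept chain=input comment=\
    "allow INPUT from VLAN-0003 -->> ME [ICMP] for VMware vSphere vMotion" \
    connection-state=new dst-address-list=inside-VLAN-0003 in-interface=\
    VLAN-0003 protocol=icmp src-address-list=inside-VLAN-0003
add action=accept chain=input comment="allow INPUT from VLAN-0010 -->> ME [ICM\
    P] for Management interface for network devices (TCP/IP connect)" \
    connection-state=new dst-address-list=inside-VLAN-0010 in-interface=\
    VLAN-0010 protocol=icmp src-address-list=inside-VLAN-0010
add action=accept chain=input comment=\
    "allow INPUT from VLAN-0011 -->> ME [ICMP] for Management iLO IPMI" \
    connection-state=new dst-address-list=inside-VLAN-0011 in-interface=\
    VLAN-0011 protocol=icmp src-address-list=inside-VLAN-0011
# INPUT: management access from the admin net (VLAN-0010) and from the L2TP
# admin list. NOTE(review): tcp/21 is opened here while /ip service ftp is
# disabled below — the port is dead; consider dropping it from the list.
add action=accept chain=input comment=\
    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
    in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
add action=accept chain=input comment=\
    "allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
    dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
    admin-mgm-net
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
    in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
    dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
    admin-L2TP-VPN-mgm
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
    ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
    in-interface=sfp-sfpplus12 protocol=icmp src-address-list=\
    admin-L2TP-VPN-mgm
# FORWARD: L2TP admin list arriving on the transport link -> inside / DMZ.
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
    ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \
    connection-state=new dst-address-list=all-inside in-interface=\
    sfp-sfpplus12 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
    ALL-INSIDE FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \
    connection-state=new dst-address-list=all-inside dst-port=\
    22,80,443,5480,3389,8291 in-interface=sfp-sfpplus12 protocol=tcp \
    src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
    ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=\
    new dst-address-list=all-dmz in-interface=sfp-sfpplus12 protocol=icmp \
    src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
    ALL-DMZ FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=\
    new dst-address-list=all-dmz dst-port=22,80,443,5480,3389,8291 \
    in-interface=sfp-sfpplus12 protocol=tcp src-address-list=\
    admin-L2TP-VPN-mgm
# Custom chains. allow_icmp_tcp_udp is the jump target of the forward rules
# further down; allow-default-for-all / allow-default-buh have no caller.
add action=accept chain=allow_icmp_tcp_udp comment=\
    "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=icmp
add action=accept chain=allow_icmp_tcp_udp comment=\
    "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=tcp
add action=accept chain=allow_icmp_tcp_udp comment=\
    "Chain allow icmp_tcp_udp (allow all ICMP TCP UDP)" protocol=udp
add action=accept chain=allow-default-for-all protocol=icmp
add action=accept chain=allow-default-buh protocol=icmp
# FORWARD: egress from any known network towards the transport link.
add action=accept chain=forward comment="allow FORWARD from INSIDE <--> TRANSP\
    ORT LINK <--> OUTSIDE (to dc01-gw01)" connection-state=new \
    dst-address-list=!all-networks out-interface=sfp-sfpplus12 \
    src-address-list=all-networks
# FORWARD: per-source access into VLAN-0002. These six rules were exported
# after the terminal "deny FORWARD all" drop and therefore never matched;
# they now sit ahead of the reject/drop rules so they are evaluated.
add action=jump chain=forward connection-state=new dst-address-list=\
    inside-VLAN-0002 jump-target=allow_icmp_tcp_udp out-interface=VLAN-0002 \
    src-address-list=allow-to-VLAN-0002-adm-ALL
add action=jump chain=forward connection-state=new dst-address-list=\
    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc jump-target=\
    allow_icmp_tcp_udp out-interface=VLAN-0002 src-address-list=\
    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-adm-ALL
add action=accept chain=forward connection-state=new dst-address-list=\
    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 \
    protocol=icmp src-address-list=\
    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
add action=accept chain=forward connection-state=new dst-address-list=\
    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=22 out-interface=\
    VLAN-0002 protocol=tcp src-address-list=\
    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-SSH
add action=accept chain=forward connection-state=new dst-address-list=\
    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc out-interface=VLAN-0002 \
    protocol=icmp src-address-list=\
    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
add action=accept chain=forward connection-state=new dst-address-list=\
    inside-VLAN-0002-dc01-vcsrv01-infr.comp.loc dst-port=80,443 \
    out-interface=VLAN-0002 protocol=tcp src-address-list=\
    allow-to-VLAN-0002-dc01-vcsrv01-infr.comp.loc-HTTPs
# Terminal rules: reject new TCP/UDP with a response, drop everything else.
# Keep these last in their chain — any rule added after them is unreachable.
add action=reject chain=input comment=\
    "deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
    protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment=\
    "deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
    connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=input comment="deny INPUT all" connection-state=""
add action=reject chain=forward comment=\
    "deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \
    protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment=\
    "deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \
    connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=forward comment="deny FORWARD all" connection-state=""
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.12.90.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Return route for the L2TP admin range via the host on VLAN-0010.
add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gd\
    nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\
    10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
# ssh and winbox stay enabled; reachability is limited by the input chain above.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
# NOTE(review): password login is always permitted and SSH forwarding is
# enabled in both directions; kept as exported — review against the
# management-access policy for this device.
set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
    4096 strong-crypto=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=dc01-ccr01
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=80.240.216.155
add address=185.232.69.65
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet disabled everywhere; MAC-Winbox only on the dedicated mgmt port.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=interfaces-MAC-MGMT
/tool mac-server ping
set enabled=no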