# 2024-08-30 22:34:52 by RouterOS 7.15.3
# software id = 6HAJ-6CUK
#
# model = RB4011iGS+
# serial number = HEH08H8P0GS
# NOTE(review): RouterOS export of the edge router "dc01-gw01" (see /system
# identity further down). The software id and serial number above identify
# this physical unit and its licence; redact them from copies shared outside
# the team. This looks like a plain /export, which omits sensitive values
# (user and PPP passwords, IPsec secrets) unless show-sensitive is given, so
# their absence below is expected rather than a sign they are unset.
# Physical ports. Every copper port that is not in use is administratively
# disabled, so only ether1 (outside), ether8/ether9 (management) and
# sfp-sfpplus1 (transport to the core) can carry traffic.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-outside
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
# ether8: management over IP. 10.8.10.11/24 is assigned to it under
# /ip address and the input chain admits it only from admin-mgm-net.
set [ find default-name=ether8 ] comment=\
"Management interface for network devices (TCP/IP connect)" name=\
ether8-mgmt
# ether9: MAC-layer management only. It is the only member of interfaces-MGM,
# the list that mac-winbox and neighbor discovery are restricted to; no IP
# address is assigned to it anywhere in this export.
set [ find default-name=ether9 ] comment=\
"Management interface for network devices (MAC server only)" name=\
ether9-mac-mgmt
set [ find default-name=ether10 ] disabled=yes
# Uplink to the core router dc01-ccr01 over the 10.12.90.0/24 transport
# network; the inside <-> outside forward rules below key on this interface.
set [ find default-name=sfp-sfpplus1 ] comment=\
"Link to dc01-ccr01 INSIDE <--> TRANSPORT LINK <--> OUTSIDE"
# Interface lists used by the MAC server, neighbor discovery and (in
# principle) the firewall. NOTE(review): interfaces-VPN-ptp has no members
# anywhere in this export, and interfaces-outside (member: ether1-outside) is
# not referenced by any rule below — the filter rules match
# in-interface=ether1-outside directly. Populate and use them, or remove
# them, so the lists and the rules cannot drift apart.
/interface list
add name=interfaces-MGM
add name=interfaces-outside
add name=interfaces-VPN-ptp
# SMB: the built-in share user is disabled; the service itself is disabled
# under /ip smb below.
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
# PPP profile for the admin L2TP VPN. Authentication (mschap2) and IPsec are
# set on the server below. only-one=no permits several simultaneous sessions
# on the same secret; set only-one=yes if one session per admin credential
# is the intent.
/ppp profile
add change-tcp-mss=yes comment=\
"For L2TP VPN MGM admins FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" \
name=L2TP_VPN_Profile_mgm only-one=no use-compression=yes use-encryption=\
yes use-ipv6=no use-mpls=no use-upnp=no
/ip smb
set enabled=no
# Idle timeout for tracked UDP flows.
/ip firewall connection tracking
set udp-timeout=10s
# Neighbor discovery (MNDP/CDP/LLDP) is answered only on the management list,
# so nothing is advertised on ether1-outside or the transport link.
/ip neighbor discovery-settings
set discover-interface-list=interfaces-MGM
# SYN cookies protect the TCP backlog from SYN-flood exhaustion.
/ip settings
set tcp-syncookies=yes
# IPv6 is switched off entirely. There are no /ipv6 firewall rules in this
# export, so this single setting is what keeps the router closed over IPv6;
# do not enable IPv6 without first adding an equivalent /ipv6 firewall filter.
/ipv6 settings
set disable-ipv6=yes
# L2TP server for the admin VPN. NOTE(review): use-ipsec=yes makes IPsec
# optional — a client may still bring up plain L2TP on UDP/1701 without IPsec
# protection. use-ipsec=required refuses tunnels that are not inside IPsec.
# The ipsec-secret is not shown by this export.
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface=ether9-mac-mgmt list=interfaces-MGM
add interface=ether1-outside list=interfaces-outside
# Addressing. NOTE(review): the only public prefix configured here is
# 11.11.11.120/29, yet comments, address-list names and NAT to-addresses
# below refer to 22.22.22.12x. This looks like a partially sanitised export;
# reconcile the two before importing it anywhere.
/ip address
add address=10.12.90.1/24 comment="Transport for access outside <--> inside" \
interface=sfp-sfpplus1 network=10.12.90.0
add address=11.11.11.122/29 comment="Outside IPs" interface=ether1-outside \
network=11.11.11.120
add address=10.8.10.11/24 comment=\
"Management interface for network devices (TCP/IP connect)" interface=\
ether8-mgmt network=10.8.10.0
/ip cloud
set update-time=no
# The router resolves DNS for other hosts (allow-remote-requests=yes). The
# exposure is bounded by the input chain: only UDP/53 from
# allow-INSDIE-to-local-DNS (arriving on sfp-sfpplus1) and from admin-mgm-net
# (arriving on ether8-mgmt) is accepted; every other query hits the final
# reject/drop rules. No input rule accepts TCP/53, so retries of truncated
# answers over TCP will be rejected for those clients.
/ip dns
set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1
# Address lists consumed by the filter and NAT rules. Each per-service
# allow_inet_* list is matched as src-address-list by one outbound forward
# rule of the same name.
# NOTE(review): the 127.0.0.1 entries are placeholders — a loopback address
# never appears as the source of forwarded traffic, so they only keep the
# lists defined until real client addresses are added.
/ip firewall address-list
add address=127.0.0.1 comment=\
"List addr for allow Internet access [UDP:53 ] FID=n1fk4do7we2ah5uz" \
list=allow_inet_DNS
add address=127.0.0.1 comment=\
"List addr for allow Internet access [TCP:22] FID=pq9dm54nwj4ah6ee" list=\
allow_inet_SSH
# all-outside: every public address the router answers on (used by the
# input rules for ICMP/GRE/ESP/AH from outside). outside-only-*: one list per
# public address, for per-address DNAT/input rules.
add address=11.11.11.122 comment="List addr OUTSIDE IPs" list=all-outside
add address=11.11.11.122 comment="List addr OUTSIDE IP=22.22.22.122" list=\
outside-only-22.22.22.122
add address=127.0.0.1 comment=\
"List addr for allow Internet access [ICMP] FID=zpfju4q8wn2hj5n7" list=\
allow_inet_icmp
add address=192.168.24.0/24 comment="List addr OpenVPN" disabled=yes list=\
all-ovpn
add address=11.11.11.123 comment="List addr OUTSIDE IPs" list=all-outside
add address=11.11.11.123 comment="List addr OUTSIDE IP=22.22.22.123" list=\
outside-only-22.22.22.123
add address=11.11.11.124 comment="List addr OUTSIDE IP=22.22.22.124" list=\
outside-only-22.22.22.124
add address=11.11.11.125 comment="List addr OUTSIDE IP=22.22.22.125" list=\
outside-only-22.22.22.125
# Clients allowed to query the router's own DNS (input rule on sfp-sfpplus1).
# The list name carries a typo (INSDIE); it is referenced by that input rule,
# so rename it in both places or leave it as is. NOTE(review): 10.99.99.0/24
# lies outside the 10.8.0.0/13 route below and would fall into the 10.0.0.0/8
# blackhole, so replies cannot reach these addresses unless a route exists
# that this export does not show — presumably placeholders, confirm.
add address=10.99.99.99 comment="List addr clients from inside network to loca\
l DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
add address=10.99.99.77 comment="List addr clients from inside network to loca\
l DNS service (for spoofing DNS). " list=allow-INSDIE-to-local-DNS
add address=127.0.0.1 comment="List addr for allow Internet access [TCP:80,443\
] servername.local FID=q5tst1p6o3jrdnb9" list=allow_inet_HTTPS
add address=127.0.0.1 comment=\
"List addr for allow Internet access [ALL:ALL] FID=allan3smjenrbtq3" \
list=allow_inet_all
add address=127.0.0.1 comment="List addr for allow Internet access [TCP:25,465\
,587] FID=alld1nrr9nabdnt1" list=allow_inet_SMTP
# all-networks = 10.8.0.0 - 10.15.255.255: the summary of everything behind
# the core router. It is the SNAT source and the "not internal" exclusion
# (!all-networks) used by the DNAT example rules.
add address=10.8.0.0/13 comment=\
"all-all network dmz + inside + transport + ovpn + l2pt etc" list=\
all-networks
add address=127.0.0.1 comment=\
"List addr for allow Internet access [TCP:143,993] FID=izmp3domfei9qnae" \
list=allow_inet_IMAP
add address=127.0.0.1 comment=\
"List addr for allow Internet access [TCP:43] FID=ivnusgh98hs98wh9" list=\
allow_inet_WHOIS
# Admin VPN source: 172.16.38.222 is the fixed remote-address of the single
# /ppp secret below, so the L2TP forward/input rules apply to that one peer.
add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
add address=127.0.0.1 comment="List addr for allow Internet access [UDP:500,17\
01,4500] FID=sjf93jamc39jfi8g" list=allow_inet_IPsec
# allow_inet grants unrestricted outbound ICMP/TCP/UDP via the jump rules
# below. Keep it to infrastructure that genuinely needs unrestricted egress;
# currently the core router and two switches (entries further down).
add address=127.0.0.1 comment="List addr for allow Internet access [All ICMP,T\
CP,UDP] FID=h7nlarwndc5dr8zc" list=allow_inet
# Bogon / unroutable space. The filter rules apply this list only on
# ether1-outside, so internal use of 10/8, 172.16/12 and 192.168/16 is not
# affected. NOTE(review): 127.0.0.0/16 should be 127.0.0.0/8 — loopback is a
# /8 and 127.1.0.0 - 127.255.255.255 is currently not covered.
add address=0.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
add address=127.0.0.0/16 comment="List addr BOGON networks" list=all-bogon
add address=10.0.0.0/8 comment="List addr BOGON networks" list=all-bogon
add address=172.16.0.0/12 comment="List addr BOGON networks" list=all-bogon
add address=192.168.0.0/16 comment="List addr BOGON networks" list=all-bogon
add address=169.254.0.0/16 comment="List addr BOGON networks" list=all-bogon
add address=192.0.2.0/24 comment="List addr BOGON networks" list=all-bogon
add address=198.51.100.0/24 comment="List addr BOGON networks" list=all-bogon
add address=203.0.113.0/24 comment="List addr BOGON networks" list=all-bogon
add address=198.18.0.0/15 comment="List addr BOGON networks" list=all-bogon
add address=192.88.99.0/24 comment="List addr BOGON networks" list=all-bogon
add address=100.64.0.0/10 comment="List addr BOGON networks" list=all-bogon
add address=240.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
add address=224.0.0.0/4 comment="List addr BOGON networks" list=all-bogon
add address=255.255.255.255 comment="List addr BOGON networks" list=all-bogon
# Internal segments. NOTE(review): the EXAMPLE DNAT targets below
# (10.91.1.x, 10.91.2.x, 10.91.3.x) are outside all-dmz (10.11.0.0/16),
# outside all-networks (10.8.0.0/13) and outside the only inside route, so
# with this export they would land in the 10.0.0.0/8 blackhole. Those rules
# are disabled; treat them as templates to be adapted, not as working config.
add address=10.11.0.0/16 comment=\
"all DMZ networks (VLANs range 3000-3255)" list=all-dmz
add address=10.8.0.0/16 comment="all INSIDE networks (VLANs range 0002-0255)" \
list=all-inside
add address=10.12.90.0/24 comment=\
"List subnetwork transport VLAN-4090 for access outside <--> inside" \
list=transport-sfp-sfpplus1
# Management network behind ether8-mgmt; source for the admin input rules and
# destination for the L2TP admin forward rules.
add address=10.8.10.0/24 comment="List addr for Management network devices FID\
=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
add address=127.0.0.1 comment=\
"List addr for allow Internet access [UDP:123] FID=ab2ntprroam3e5fd" \
list=allow_inet_NTP
# Not referenced by any rule in this export.
add address=127.0.0.1 list=x-OFFICE-MSK01-all-networks
add address=11.11.11.124 comment="List addr OUTSIDE IPs" list=all-outside
add address=11.11.11.125 comment="List addr OUTSIDE IPs" list=all-outside
# Infrastructure hosts with unrestricted egress (see allow_inet note above).
add address=10.12.90.254 comment="List addr for allow Internet access [All ICM\
P,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-ccr01 ]" list=allow_inet
add address=10.8.10.201 comment="List addr for allow Internet access [All ICMP\
,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw01 ]" list=allow_inet
add address=10.8.10.202 comment="List addr for allow Internet access [All ICMP\
,TCP,UDP] FID=h7nlarwndc5dr8zc [ dc01-sw02 ]" list=allow_inet
add address=10.9.0.0/16 comment="all INSIDE networks (VLANs range 1000-1255)" \
list=all-inside
add address=10.10.0.0/16 comment=\
"all INSIDE networks (VLANs range 2000-2255)" list=all-inside
# Firewall filter. Rules are evaluated top-down within each chain and the
# first match decides. established/related forward traffic is fasttracked
# (hardware offload where possible), so once a connection has been accepted
# its later packets bypass the rest of the forward chain, including the bogon
# drops below — only new connections are policed by the rules that follow.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes protocol=udp
add action=accept chain=input comment="allow INPUT established,related" \
connection-state=established,related
add action=accept chain=forward comment="allow FORWARD established,related" \
connection-state=established,related
add action=drop chain=input comment="deny INPUT Invalid connections" \
connection-state=invalid
add action=drop chain=forward comment="deny FORWARD Invalid connections" \
connection-state=invalid
# Bogon filtering on the outside interface in all three directions.
# connection-state="" means no state restriction, i.e. every packet with a
# bogon source (or destination) on ether1-outside is dropped.
add action=drop chain=input comment=\
"deny INPUT outside ->> ME [ BOGON IP addresses ] FID=SERVICE-RULES" \
connection-state="" in-interface=ether1-outside src-address-list=\
all-bogon
add action=drop chain=output comment="deny OUTPUT from ME -->> outside [ BOGON\
\_IP addresses ] FID=SERVICE-RULES" connection-state="" dst-address-list=\
all-bogon out-interface=ether1-outside
add action=drop chain=forward comment="deny FORWARD from outside -->> inside [\
\_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \
in-interface=ether1-outside src-address-list=all-bogon
add action=drop chain=forward comment="deny FORWARD from inside -->> outside [\
\_BOGON IP addresses ] FID=SERVICE-RULES" connection-state="" \
dst-address-list=all-bogon out-interface=ether1-outside
# Templates (disabled=yes) for admitting DNAT'ed inbound connections to DMZ
# hosts. They are bound to the translated destination (dst-address/dst-port
# after DNAT), to connection-nat-state=dstnat, and to external sources only
# (src-address-list=!all-networks). See the address-list note on the 10.91.x
# targets before enabling any of them.
add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
e -->> VLAN-3001-DMZ DNAT (UDP 22211 -> 10.91.1.11:22211) FID=2hfs38dq1jr\
42rwe" connection-nat-state=dstnat connection-state=new disabled=yes \
dst-address=10.91.1.11 dst-port=22211 in-interface=ether1-outside \
out-interface=sfp-sfpplus1 protocol=udp src-address-list=!all-networks
add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
e -->> VLAN-3001-DMZ DNAT (TCP 22212 -> 10.91.1.12:22212) FID=2hfs38dq1jr\
42rwe" connection-nat-state=dstnat connection-state=new disabled=yes \
dst-address=10.91.1.12 dst-port=22212 in-interface=ether1-outside \
out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
e to frontweb01.dmz-3002.company.local DNAT (22.22.22.124 TCP 80,443 -->>\
\_10.91.2.10 TCP 80,443) FID=web-cuc76crsswg2z3h1rg33e" \
connection-nat-state=dstnat connection-state=new disabled=yes \
dst-address=10.91.2.10 dst-port=80,443 in-interface=ether1-outside \
out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
# The comment= text lists TCP 25 465 but the rule also admits 993 (matching
# the three mail DNAT rules); update the comment string when next edited.
add action=accept chain=forward comment="EXAMPLE !!! allow FORWARD from outsid\
e to front mail server frontmail01.dmz-3003.rvision.local (22.22.22.124 \
TCP 25 465 -->> 10.91.3.11 DNAT TCP 25 465) FID=ewojf9q8twef86gp" \
connection-nat-state=dstnat connection-state=new disabled=yes \
dst-address=10.91.3.11 dst-port=25,465,993 in-interface=ether1-outside \
out-interface=sfp-sfpplus1 protocol=tcp src-address-list=!all-networks
# Unrestricted egress: sources on allow_inet (transport or management side)
# jump to allow_icmp_tcp_udp, which accepts any ICMP, TCP or UDP.
add action=jump chain=forward comment="allow FORWARD from inside -->> outside \
SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new \
in-interface=sfp-sfpplus1 jump-target=allow_icmp_tcp_udp out-interface=\
ether1-outside src-address-list=allow_inet
add action=jump chain=forward comment="allow FORWARD from inside MGM -->> outs\
ide SNAT [All ICMP,TCP,UDP] FID=h7nlarwndc5dr8zc" connection-state=new \
in-interface=ether8-mgmt jump-target=allow_icmp_tcp_udp out-interface=\
ether1-outside src-address-list=allow_inet
# Per-service egress from the transport side: one rule per allow_inet_* list,
# each limited to its protocol/ports. connection-nat-state="" removes the
# NAT-state restriction (these rules only need connection-state=new).
add action=accept chain=forward comment=\
"allow FORWARD from inside -->> outside SNAT [ICMP] FID=zpfju4q8wn2hj5n7" \
connection-nat-state="" connection-state=new in-interface=sfp-sfpplus1 \
out-interface=ether1-outside protocol=icmp src-address-list=\
allow_inet_icmp
add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
e SNAT [TCP:22] FID=pq9dm54nwj4ah6ee" connection-nat-state="" \
connection-state=new dst-port=22 in-interface=sfp-sfpplus1 out-interface=\
ether1-outside protocol=tcp src-address-list=allow_inet_SSH
add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
e SNAT [TCP:143,993] FID=izmp3domfei9qnae" connection-nat-state="" \
connection-state=new dst-port=143,993 in-interface=sfp-sfpplus1 \
out-interface=ether1-outside protocol=tcp src-address-list=\
allow_inet_IMAP
add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
e SNAT [TCP:25,465,587] FID=alld1nrr9nabdnt1" connection-nat-state="" \
connection-state=new dst-port=25,465,587 in-interface=sfp-sfpplus1 \
out-interface=ether1-outside protocol=tcp src-address-list=\
allow_inet_SMTP
add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
e SNAT [UDP:53] FID=n1fk4do7we2ah5uz" connection-nat-state="" \
connection-state=new dst-port=53 in-interface=sfp-sfpplus1 out-interface=\
ether1-outside protocol=udp src-address-list=allow_inet_DNS
add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
e SNAT [UDP:123] FID=ab2ntprroam3e5fd" connection-nat-state="" \
connection-state=new dst-port=123 in-interface=sfp-sfpplus1 \
out-interface=ether1-outside protocol=udp src-address-list=allow_inet_NTP
add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
e SNAT [TCP:43] FID=ivnusgh98hs98wh9" connection-nat-state="" \
connection-state=new dst-port=43 in-interface=sfp-sfpplus1 out-interface=\
ether1-outside protocol=tcp src-address-list=allow_inet_WHOIS
add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
e SNAT [TCP:80,443] FID=q5tst1p6o3jrdnb9" connection-nat-state="" \
connection-state=new dst-port=80,443 in-interface=sfp-sfpplus1 \
out-interface=ether1-outside protocol=tcp src-address-list=\
allow_inet_HTTPS
add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
e SNAT [UDP:500,1701,4500] FID=sjf93jamc39jfi8g" connection-nat-state="" \
connection-state=new dst-port=500,1701,4500 in-interface=sfp-sfpplus1 \
out-interface=ether1-outside protocol=udp src-address-list=\
allow_inet_IPsec
# allow_inet_all: any protocol, any port — equivalent in effect to the
# allow_inet jump but without the protocol restriction.
add action=accept chain=forward comment="allow FORWARD from inside -->> outsid\
e SNAT [ALL:ALL] FID=allan3smjenrbtq3" connection-nat-state="" \
connection-state=new in-interface=sfp-sfpplus1 out-interface=\
ether1-outside src-address-list=allow_inet_all
# Admin L2TP VPN -> management network. in-interface-list=dynamic matches the
# PPP interfaces the L2TP server creates; the source is pinned to the single
# admin-L2TP-VPN-mgm address.
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
dst-address-list=admin-mgm-net in-interface-list=dynamic out-interface=\
ether8-mgmt protocol=icmp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
ME FID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
dst-address-list=admin-mgm-net dst-port=22,80,443,8291 in-interface-list=\
dynamic out-interface=ether8-mgmt protocol=tcp src-address-list=\
admin-L2TP-VPN-mgm
# Admin L2TP VPN -> every internal network, any protocol. As the author's
# WARNING says, this delegates all access control for that traffic to the
# ACLs on dc01-ccr01; this router does not filter it further.
add action=accept chain=forward comment="allow FORWARD from L2TP VPN MGM -->> \
ALL-NETWORK !!!WARNING - All ACL Firewall in DC01-CCR01!!! FID=admin-acces\
s-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new dst-address-list=\
all-networks in-interface-list=dynamic out-interface=sfp-sfpplus1 \
src-address-list=admin-L2TP-VPN-mgm
# Target of the two jump rules above: accept any ICMP, TCP or UDP. Other
# protocols fall back to the calling chain and reach the forward drop.
add action=accept chain=allow_icmp_tcp_udp comment=\
"Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=icmp
add action=accept chain=allow_icmp_tcp_udp comment=\
"Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=tcp
add action=accept chain=accept chain=allow_icmp_tcp_udp comment=\
"Chain allow icmp_tcp_udp [All ICMP,TCP,UDP]" protocol=udp
# Input from the internet to the router's own public addresses.
# NOTE(review): ICMP is accepted from any source with no rate limit; RouterOS
# offers a limit= matcher if echo floods against the WAN address become a
# concern. No GRE tunnel or PPTP configuration appears in this export, so the
# GRE accept looks unused — drop it if nothing depends on it.
add action=accept chain=input comment=\
"allow INPUT from outside -->> ME [ICMP]" connection-state=new \
dst-address-list=all-outside in-interface=ether1-outside protocol=icmp
add action=accept chain=input comment=\
"allow INPUT from outside -->> ME [GRE]" connection-state=new \
dst-address-list=all-outside in-interface=ether1-outside protocol=gre
add action=accept chain=input comment=\
"allow INPUT from outside -->> ME [IPsec-esp]" connection-state=new \
dst-address-list=all-outside in-interface=ether1-outside protocol=\
ipsec-esp
add action=accept chain=input comment=\
"allow INPUT from outside -->> ME [IPsec-ah]" connection-state=new \
dst-address-list=all-outside in-interface=ether1-outside protocol=\
ipsec-ah
# L2TP/IPsec entry point on the first public address (IKE 500, L2TP 1701,
# NAT-T 4500). NOTE(review): UDP/1701 is accepted from anywhere in the clear;
# together with use-ipsec=yes on the L2TP server this allows L2TP without
# IPsec. With use-ipsec=required the 1701 match could additionally be
# restricted with ipsec-policy=in,ipsec so only IPsec-protected L2TP is seen.
add action=accept chain=input comment=\
"allow INPUT from outside -->> ME (UDP:500,1701,4500]" connection-state=\
new dst-address-list=outside-only-22.22.22.122 dst-port=500,1701,4500 \
in-interface=ether1-outside protocol=udp
# Input from the transport side: ICMP only, between transport addresses.
add action=accept chain=input comment=\
"allow INPUT from transport sfp-sfpplus1 -->> ME [ICMP]" \
connection-state=new dst-address-list=transport-sfp-sfpplus1 \
in-interface=sfp-sfpplus1 protocol=icmp src-address-list=\
transport-sfp-sfpplus1
# Inside clients allowed to use the router's DNS (see /ip dns).
add action=accept chain=input comment=\
"allow INPUT from inside -->> ME [UDP:53 DNS] for spoofing DNS" \
connection-state=new dst-port=53 in-interface=sfp-sfpplus1 protocol=udp \
src-address-list=allow-INSDIE-to-local-DNS
# Management access from the admin network on ether8-mgmt: ICMP, DNS and
# TCP 21/22/8291. NOTE(review): the ftp service is disabled under
# /ip service, so port 21 here is dead; remove it to keep the rule honest.
add action=accept chain=input comment=\
"allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
in-interface=ether8-mgmt protocol=icmp src-address-list=admin-mgm-net
add action=accept chain=input comment=\
"allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
dst-port=53 in-interface=ether8-mgmt protocol=udp src-address-list=\
admin-mgm-net
add action=accept chain=input comment=\
"allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
dst-port=21,22,8291 in-interface=ether8-mgmt protocol=tcp \
src-address-list=admin-mgm-net
# Management access from the admin L2TP VPN: ICMP plus SSH (22) and Winbox
# (8291), only towards admin-mgm-net addresses.
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
dst-address-list=admin-mgm-net in-interface-list=dynamic protocol=icmp \
src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
dst-address-list=admin-mgm-net dst-port=22,8291 in-interface-list=dynamic \
protocol=tcp src-address-list=admin-L2TP-VPN-mgm
# Input policy tail. NOTE(review): the two reject rules carry no in-interface
# match, so unsolicited probes arriving on ether1-outside are answered with a
# TCP RST / ICMP port-unreachable, confirming a live host to the sender.
# Consider in-interface=!ether1-outside on both reject rules so the outside
# falls through to the silent drop while internal users still get fast
# failures.
add action=reject chain=input comment=\
"deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment=\
"deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=input comment="deny INPUT all" connection-state=""
# Forward policy tail; same interface consideration as for input applies.
add action=reject chain=forward comment=\
"deny FORWARD any -->> any TCP reject-with tcp-reset" connection-state=\
new protocol=tcp reject-with=tcp-reset
# The comment= text says tcp-reset but the rule rejects with
# icmp-port-unreachable (the correct choice for UDP); the comment string is
# stale. Rejected UDP is logged with prefix reject_fw_udp.
add action=reject chain=forward comment=\
"deny FORWARD any -->> any UDP reject-with tcp-reset" connection-state=\
new log-prefix=reject_fw_udp protocol=udp reject-with=\
icmp-port-unreachable
add action=drop chain=forward comment="deny FORWARD all" connection-state=""
# NAT. NOTE(review): the first srcnat rule is labelled EXAMPLE but is NOT
# disabled — it is the live outbound SNAT for all-networks. The exclusion
# dst-address-list=!all-networks keeps internal-to-internal traffic
# untranslated. Every other rule in this section is disabled=yes.
/ip firewall nat
add action=src-nat chain=srcnat comment=\
"EXAMPLE !!! SNAT from inside all networks (outside IP = 11.11.11.122)" \
dst-address-list=!all-networks out-interface=ether1-outside \
src-address-list=all-networks to-addresses=11.11.11.122
# Per-host SNAT template for an outbound mail server. NOTE(review): the
# comment says 22.22.22.125, to-addresses is 22.22.22.123, and neither is
# configured on ether1-outside in this export (only 11.11.11.122/29) —
# reconcile before enabling. Note that 10.91.3.11 is not covered by
# all-networks, so the general SNAT above would not match it either.
add action=src-nat chain=srcnat comment="EXAMPLE !!! SNAT from inside mail sys\
tems for SPF rec TCP 25,465 (outside IP = 22.22.22.125) " disabled=yes \
dst-port=25,465 out-interface=ether1-outside protocol=tcp src-address=\
10.91.3.11 to-addresses=22.22.22.123
# DNAT templates. Each is bound to one public address list, one port, the
# outside interface and external sources only (src-address-list=
# !all-networks); the matching forward accept rules live in the filter
# section. See the address-list note on the 10.91.x targets and routing.
add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN\
-3001-DMZ (22.22.22.122 UDP 22211 -->> 10.91.1.11 UDP 22211) OpenVPN 01 F\
ID=2hfs38dq1jr42rwe" disabled=yes dst-address-list=\
outside-only-22.22.22.122 dst-port=22211 in-interface=ether1-outside \
protocol=udp src-address-list=!all-networks to-addresses=10.91.1.11 \
to-ports=22211
add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to VLAN\
-3001-DMZ (22.22.22.122 TCP 22212 -->> 10.91.1.12 TCP 22212) OpenVPN 02 F\
ID=hf92hfh38dh1jr421we" disabled=yes dst-address-list=\
outside-only-22.22.22.122 dst-port=22212 in-interface=ether1-outside \
protocol=tcp src-address-list=!all-networks to-addresses=10.91.1.12 \
to-ports=22212
add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\
\_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 25 -->> 10.\
91.3.11 TCP 25) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\
outside-only-22.22.22.125 dst-port=25 in-interface=ether1-outside \
protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \
to-ports=25
add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\
\_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 465 -->> 10\
.91.3.11 TCP 465) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\
outside-only-22.22.22.125 dst-port=465 in-interface=ether1-outside \
protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \
to-ports=465
add action=dst-nat chain=dstnat comment="EXAMPLE !!! DNAT from outside to main\
\_server frontmail01.dmz-3003.rvision.local (22.22.22.125 TCP 993 -->> 10\
.91.3.11 TCP 993) FID=ewojf9q8twef86gp" disabled=yes dst-address-list=\
outside-only-22.22.22.125 dst-port=993 in-interface=ether1-outside \
protocol=tcp src-address-list=!all-networks to-addresses=10.91.3.11 \
to-ports=993
# Routing. The blackholes catch traffic for private space that has no more
# specific route, so it is discarded locally instead of leaving via the
# default route (longest prefix wins, so they do not interfere with the
# 10.8.0.0/13 route below; distance=249 only matters against an equal
# prefix). PPP should install a more specific route for the L2TP peer's
# remote-address, keeping 172.16.38.222 reachable despite the 172.16/12
# blackhole — confirm on the live device.
/ip route
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
distance=249 dst-address=10.0.0.0/8
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
distance=249 dst-address=169.254.0.0/16
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
distance=249 dst-address=172.16.0.0/12
add blackhole comment="Blackhole [ BOGON IP addresses ] FID=SERVICE-ROUTE" \
distance=249 dst-address=192.168.0.0/16
# Everything behind the core router (all-networks summary) via the transport
# peer 10.12.90.254 on sfp-sfpplus1.
add comment="Route to DC01-CCR01 all networks" disabled=no distance=1 \
dst-address=10.8.0.0/13 gateway=10.12.90.254 pref-src="" routing-table=\
main scope=30 suppress-hw-offload=no target-scope=10
# Default route to the ISP gateway on the outside /29.
add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.121 routing-table=\
main suppress-hw-offload=no
# Management services. telnet, ftp, www, api and api-ssl are off; ssh and
# winbox are not listed, so they presumably keep their defaults (enabled,
# reachable from any address) and rely on the input chain for access
# control. Setting address= on ssh and winbox to the admin and VPN ranges
# would add a second layer independent of the firewall.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Harmless while /ip smb is disabled above.
/ip smb shares
set [ find default=yes ] directory=/pub
# SSH hardening: 4096-bit host key and strong-crypto=yes are good.
# NOTE(review): always-allow-password-login=yes keeps password authentication
# enabled even for users that have a public key imported; set it to no once
# keys are in place. forwarding-enabled=both lets an authenticated SSH user
# tunnel (local and remote forwarding) through the router to anything the
# router itself can reach, bypassing the forward-chain policy; set it to no
# unless the tunnelling is deliberately relied upon.
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
4096 strong-crypto=yes
# The single admin VPN account. Its password is hidden by this export. The
# fixed remote-address 172.16.38.222 is what the admin-L2TP-VPN-mgm
# address list and the L2TP filter rules key on, so changing one requires
# changing the other.
/ppp secret
add comment="L2TP VPN IvanovSS FID=admin-access-l2tp-vpn-en7gdnsq" \
local-address=172.16.38.1 name=ivanov_mgm profile=L2TP_VPN_Profile_mgm \
remote-address=172.16.38.222 service=l2tp
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=dc01-gw01
/system note
set show-at-login=no
# Time sync from two fixed NTP servers; accurate time matters for log
# correlation and for IPsec/certificate validity checks.
/system ntp client
set enabled=yes
/system ntp client servers
add address=80.240.216.155
add address=185.232.69.65
/system routerboard settings
set enter-setup-on=delete-key
# Bandwidth-test server off; it is a known amplification/DoS surface.
/tool bandwidth-server
set enabled=no
# MAC-layer access: telnet-over-MAC disabled everywhere (none), Winbox-over-
# MAC only on interfaces-MGM (ether9-mac-mgmt), MAC ping disabled.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=interfaces-MGM
/tool mac-server ping
set enabled=no