SergANT/network
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
network/mikrotik/base-config/dc01-sw02.rsc
Sergei Bobkov 6ddbc86f76 Added this repo
2024-09-19 13:36:34 +03:00

176 lines
7.6 KiB
Plaintext
Raw Blame History

# 2024-08-30 19:15:13 by RouterOS 7.15.3
# software id = QEDC-AGM4
#
# model = CRS312-4C+8XG
# serial number = HEQ09EBWASB
/interface bridge
add name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] l2mtu=9092 mtu=9000
set [ find default-name=combo2 ] l2mtu=9092 mtu=9000
set [ find default-name=combo3 ] l2mtu=9092 mtu=9000
set [ find default-name=combo4 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether1 ] comment="ESXi Cluster01 node01" l2mtu=9092 \
mtu=9000
set [ find default-name=ether2 ] comment="ESXi Cluster01 node02" l2mtu=9092 \
mtu=9000
set [ find default-name=ether3 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether4 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether5 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether6 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether7 ] disabled=yes l2mtu=9092 mtu=9000
set [ find default-name=ether8 ] comment=\
"Link from mgmt switch (for iLo IPMI) VLAN-0011"
set [ find default-name=ether9 ] comment=\
"Management interface for network devices (MAC server only)" name=\
ether9-mac-mgmt
/interface vlan
add comment=\
"VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
interface=bridge name=VLAN-0010 vlan-id=10
/interface bonding
add mode=802.3ad mtu=9000 name=bond_SFP slaves=combo1,combo2
/interface list
add name=interfaces-MAC-MGMT
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/system logging action
set 1 disk-file-name=log
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_SFP \
internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 \
internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=combo3 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment="Link from mgmt switch (for iLo IPMI) VLAN-0011" \
frame-types=admit-only-untagged-and-priority-tagged interface=ether8 \
pvid=11
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=interfaces-MAC-MGMT
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.8.101.x\
\_ <-> 10.8.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
vlan-ids=101-255
add bridge=bridge comment="VLANs range for DMZ IPs range for use 10.11.100\
.x <-> 10.11.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
vlan-ids=3000-3255
add bridge=bridge comment="VLAN-0002 for VMWare ESXi management" tagged=\
bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=2
add bridge=bridge comment="VLAN-0003 for VMWare ESXi vMotion" tagged=\
bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=3
add bridge=bridge comment=\
"VLAN-0010 for Management interface for network devices (TCP/IP connect)" \
tagged=bridge,ether1,ether2,bond_SFP,combo3 vlan-ids=10
add bridge=bridge comment="VLAN-0011 for Management iLO IPMI" tagged=\
bridge,ether1,ether2,bond_SFP,combo3 untagged=ether8 vlan-ids=11
add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.9.0.x \
\_ <-> 10.9.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
vlan-ids=1000-1255
add bridge=bridge comment="VLANs range for INSIDE IPs range for use 10.10.0.x \
\_ <-> 10.10.255.x" tagged=bridge,ether1,ether2,bond_SFP,combo3 \
vlan-ids=2000-2255
/interface list member
add interface=ether9-mac-mgmt list=interfaces-MAC-MGMT
/ip address
add address=10.8.10.202/24 interface=VLAN-0010 network=10.8.10.0
/ip cloud
set update-time=no
/ip dns
set servers=10.8.10.11
/ip firewall address-list
add address=172.16.38.222 comment="List addr for L2TP VPN IvanovSS FID=admin-a\
ccess-l2tp-vpn-en7gdnsq ADMIN-FID" list=admin-L2TP-VPN-mgm
add address=172.16.99.222 comment="List addr for OVPN IvanovSS FID=admin-acces\
s-ovpn-vpn-en7gdnsq ADMIN-FID" disabled=yes list=admin-OpenVPN-mgm
add address=10.8.10.0/24 comment="List addr for Management only network device\
s (Mikrotik) FID=admin-mgm-amdpfyeu ADMIN-FID" list=admin-mgm-net
/ip firewall filter
add action=accept chain=input comment="allow INPUT established,related" \
connection-state=established,related
add action=accept chain=forward comment="allow FORWARD established,related" \
connection-state=established,related
add action=drop chain=input comment="deny INPUT Invalid connections" \
connection-state=invalid
add action=drop chain=forward comment="deny FORWARD Invalid connections" \
connection-state=invalid
add action=accept chain=input comment=\
"allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
in-interface=VLAN-0010 protocol=icmp src-address-list=admin-mgm-net
add action=accept chain=input comment=\
"allow INPUT from admin mgm net 10.8.10.x -->> ME" connection-state=new \
dst-port=21,22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
admin-mgm-net
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
in-interface=VLAN-0010 protocol=icmp src-address-list=admin-L2TP-VPN-mgm
add action=accept chain=input comment="allow INPUT from L2TP VPN MGM -->> ME F\
ID=admin-access-l2tp-vpn-en7gdnsq ADMIN-FID" connection-state=new \
dst-port=22,8291 in-interface=VLAN-0010 protocol=tcp src-address-list=\
admin-L2TP-VPN-mgm
add action=reject chain=input comment=\
"deny INPUT any -->> ME TCP reject-with tcp-reset" connection-state=new \
protocol=tcp reject-with=tcp-reset
add action=reject chain=input comment=\
"deny INPUT any -->> ME UDP reject-with icmp-port-unreachable" \
connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=input comment="deny INPUT all" connection-state=""
add action=reject chain=forward comment=\
"deny FORWARD any -->> ME TCP reject-with tcp-reset" connection-state=new \
protocol=tcp reject-with=tcp-reset
add action=reject chain=forward comment=\
"deny FORWARD any -->> ME UDP reject-with icmp-port-unreachable" \
connection-state=new protocol=udp reject-with=icmp-port-unreachable
add action=drop chain=forward comment="deny FORWARD all" connection-state=""
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.8.10.11 pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Route for back for admin-L2TP-VPN FID=admin-access-l2tp-vpn-en7gd\
nsq ADMIN-FID" disabled=no distance=1 dst-address=172.16.38.0/24 gateway=\
10.8.10.11 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both host-key-size=\
4096 strong-crypto=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=dc01-sw02
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=80.240.216.155
add address=185.232.69.65
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=interfaces-MAC-MGMT
/tool mac-server ping
set enabled=no
Reference in New Issue View Git Blame Copy Permalink