# --- Layer-2 / tunnel interface definitions ---
# Three bridges: lanBR (LAN), pubBR (public/guest VLANs) and serverBR (server VLANs).
/interface bridge
add name=lanBR
add name=pubBR
add name=serverBR
/interface ethernet
# ether1 -> rtonly is the IPv4 uplink: the forward filter below matches
# in-interface=rtonly and it gets a DHCP client under /ip dhcp-client.
set [ find default-name=ether1 ] disable-running-check=no name=rtonly
# ether2..ether5 -> vmbr0..vmbr3 are the trunk ports carrying the tagged VLANs
# defined below (the advertise list is identical on all four; loop-protect is
# explicitly switched off on vmbr1 only).
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-ful\
l,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" name=vmbr0
set [ find default-name=ether3 ] advertise="10M-half,10M-full,100M-half,100M-ful\
l,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" loop-protect=off \
name=vmbr1
set [ find default-name=ether4 ] advertise="10M-half,10M-full,100M-half,100M-ful\
l,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" name=vmbr2
set [ find default-name=ether5 ] advertise="10M-half,10M-full,100M-half,100M-ful\
l,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" name=vmbr3
/interface 6to4
# Hurricane Electric IPv6 tunnel (sit1). local-address and remote-address are
# blank in this export (presumably redacted) and keepalive is disabled.
# NOTE(review): the IPv4 input chain accepts only established/related and ICMP
# from rtonly, so inbound protocol-41 tunnel packets depend on a conntrack entry
# created by outbound traffic; with keepalive off, verify the tunnel stays
# reachable after idle periods. No IPv6 change-mss rule exists for the 1280
# MTU either, so IPv6 PMTUD must work end-to-end.
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=\
mtu=1280 name=sit1 remote-address=
/interface wireguard
# WireGuard tunnel "de": default route of routing table "de"; the LAN and the
# Zabbix host are policy-routed into it under /ip firewall mangle.
add listen-port=13231 mtu=1420 name=de
/interface vlan
# VLANs 90x (vmbr0/vmbr1/vmbr2) feed serverBR, 800-803 and 899 (test) on vmbr1
# feed pubBR, VLAN 1000 on vmbr3 feeds lanBR (see /interface bridge port).
# VLAN 799 "mega" is used as a srcnat out-interface under /ip firewall nat.
add interface=vmbr2 name=arch vlan-id=904
add interface=vmbr2 name=gameserver vlan-id=903
add interface=vmbr0 name=mega vlan-id=799
add interface=vmbr1 name=nginx vlan-id=906
add interface=vmbr0 name=proxy vlan-id=902
add interface=vmbr1 name=pub800 vlan-id=800
add interface=vmbr1 name=pub801 vlan-id=801
add interface=vmbr1 name=pub802 vlan-id=802
add interface=vmbr1 name=pub803 vlan-id=803
add interface=vmbr1 name=pub899test vlan-id=899
add interface=vmbr0 name=smtp vlan-id=905
add interface=vmbr2 name=stunnel vlan-id=901
add interface=vmbr2 name=stunnel-main vlan-id=900
add interface=vmbr3 name=torr1000 vlan-id=1000
/disk
set sata1 disabled=no
/interface list
# ndp_disable: interfaces excluded from neighbor discovery. It has NO members
# under /interface list member, so MNDP/LLDP runs on every interface including
# the uplink rtonly (see /ip neighbor discovery-settings).
# br_drop: bridges that must not reach internal address space (pubBR, serverBR).
# all_br: every bridge; used by the IPv6 input rules.
add name=ndp_disable
add name=br_drop
add name=all_br
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Dynamic DHCP ranges use the upper part (x.x.200.0-x.x.255.254) of each /16;
# the lower part is left for static leases and servers.
add name=landhcp ranges=10.1.200.0-10.1.255.254
add name=pubdhcp ranges=10.2.200.0-10.2.255.254
add name=serverdhcp ranges=10.11.200.0-10.11.255.254
/ip dhcp-server
# lanDHCP adds ARP entries for its leases and always broadcasts replies; the
# pub/server instances keep the defaults. Lease time is 2 days everywhere.
add add-arp=yes address-pool=landhcp always-broadcast=yes interface=lanBR \
lease-time=2d name=lanDHCP
add address-pool=pubdhcp interface=pubBR lease-time=2d name=pubDHCP
add address-pool=serverdhcp interface=serverBR lease-time=2d name=serverDHCP
/ipv6 pool
# The delegated 2001:470:xxxx::/48 (xxxx redacted in this export) split into
# /52 pools.
add name=a000 prefix=2001:470:xxxx:a000::/52 prefix-length=52
add name=0000 prefix=2001:470:xxxx::/52 prefix-length=52
add name=2000 prefix=2001:470:xxxx:2000::/52 prefix-length=52
add name=3000 prefix=2001:470:xxxx:3000::/52 prefix-length=52
add name=4000 prefix=2001:470:xxxx:4000::/52 prefix-length=52
add name=5000 prefix=2001:470:xxxx:5000::/52 prefix-length=52
/port
set 0 name=serial0
/queue simple
# Rate limit for the single host 10.2.0.202 (max-limit is upload/download:
# upload unlimited, download capped at 3670016 bit/s).
add max-limit=0/3670016 name=1 target=10.2.0.202/32
/routing table
# Extra FIB tables selected by the mark-routing rules: megagw (via 192.168.9.1),
# rt_and_mega (pubBR traffic) and de (WireGuard).
# NOTE(review): /ip route below populates a table named ttc_and_mega, which is
# not declared here, while the mangle rule marks rt_and_mega — looks like a
# partial rename; verify which name is in effect.
add disabled=no fib name=megagw
add disabled=no fib name=rt_and_mega
add disabled=no fib name=de
/snmp community
# The default community (renamed zab) is limited to the Zabbix host 10.11.0.2,
# has write-access, and is disabled. The second community is the one actually
# in service: enabled, write-access=yes and addresses=0.0.0.0/0, so the only
# thing limiting who can use it is the input chain (/ip firewall filter accepts
# udp/161 only from 10.11.0.2). The community string is a credential and is in
# clear text in this export. Prefer addresses=10.11.0.2/32 and read-only unless
# SNMP writes are actually needed.
set [ find default=yes ] addresses=10.11.0.2/32 disabled=yes name=zab security=\
private write-access=yes
add addresses=0.0.0.0/0 name="\$cUFw!7Zt" write-access=yes
/interface bridge port
# lanBR = vmbr3 untagged + VLAN 1000; pubBR = VLANs 800-803 and 899 (test);
# serverBR = the 90x server VLANs.
add bridge=lanBR interface=vmbr3
add bridge=lanBR interface=torr1000
add bridge=pubBR interface=pub800
add bridge=pubBR interface=pub801
add bridge=pubBR interface=pub802
add bridge=pubBR interface=pub803
add bridge=pubBR interface=pub899test
add bridge=serverBR interface=arch
add bridge=serverBR interface=gameserver
add bridge=serverBR interface=nginx
add bridge=serverBR interface=proxy
add bridge=serverBR interface=smtp
add bridge=serverBR interface=stunnel
add bridge=serverBR interface=stunnel-main
/ip neighbor discovery-settings
# Discovery runs on every interface NOT in ndp_disable. That list has no
# members in this export, so MNDP/LLDP announcements (identity, addresses,
# version) also go out on the uplink rtonly and the tunnels. Add rtonly, sit1
# and de to ndp_disable unless that is intended.
set discover-interface-list=!ndp_disable
/ip settings
# Larger ARP/ND tables to accommodate the /16 segments.
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
# br_drop: the two non-LAN bridges; all_br: all three bridges.
add interface=serverBR list=br_drop
add interface=pubBR list=br_drop
add interface=serverBR list=all_br
add interface=pubBR list=all_br
add interface=lanBR list=all_br
/interface ovpn-server server
# NOTE(review): the OVPN server still offers md5 for auth; whether the server is
# enabled is not visible in this export. If it is in use, drop md5 from the
# list.
set auth=sha1,md5
/interface wireguard peers
# Single peer for tunnel "de". allowed-address=0.0.0.0/0 lets any destination
# be routed into the tunnel (it is the default route of table "de").
# public-key is empty and endpoint 1.1.1.1:41 look like redaction/placeholders
# — verify against the live config.
add allowed-address=0.0.0.0/0 endpoint-address=1.1.1.1 endpoint-port=41 \
interface=de persistent-keepalive=10s public-key=\
""
/ip address
# Router addresses: .0.1 of each /16 on its bridge, plus the WireGuard
# transfer network 10.250.255.128/25.
add address=10.1.0.1/16 interface=lanBR network=10.1.0.0
add address=10.2.0.1/16 interface=pubBR network=10.2.0.0
add address=10.11.0.1/16 interface=serverBR network=10.11.0.0
add address=10.250.255.129/25 interface=de network=10.250.255.128
/ip dhcp-client
# The uplink gets its address by DHCP but takes no default route, DNS or NTP
# from the peer; defaults are installed statically under /ip route.
# The second client references an interface "lte" that is not defined in this
# export (possibly a dynamic interface).
add add-default-route=no interface=rtonly use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=lte
/ip dhcp-server lease
# Static leases; the MAC addresses are blank in this export (presumably
# redacted).
add address=10.2.0.43 mac-address= server=pubDHCP
add address=10.2.0.202 mac-address= server=pubDHCP
add address=10.2.0.203 mac-address= server=pubDHCP
add address=10.2.1.0 mac-address= server=pubDHCP
add address=10.2.2.0 mac-address= server=pubDHCP
add address=10.2.3.0 mac-address= server=pubDHCP
add address=10.2.99.1 mac-address= server=pubDHCP
add address=10.2.99.2 mac-address= server=pubDHCP
add address=10.1.0.5 mac-address= server=lanDHCP
/ip dhcp-server network
# All three segments hand out the internal resolver 10.1.100.0. Clients on
# pubBR/serverBR can reach it over udp/53 only (first rule of the forward
# chain); tcp/53 is caught by the localv4 drop rules, so large answers that
# need TCP fallback will fail from those segments.
add address=10.1.0.0/16 dns-server=10.1.100.0 domain=arpa gateway=10.1.0.1
add address=10.2.0.0/16 dns-server=10.1.100.0 domain=arpa gateway=10.2.0.1
add address=10.11.0.0/16 dns-server=10.1.100.0 domain=arpa gateway=10.11.0.1
/ip dns
# Upstream resolvers for the router itself. allow-remote-requests is not shown
# in this export (default is no), so the router should not act as a resolver
# for clients — verify.
set servers=2001:470:xxxx::baba,10.1.100.0
/ip firewall address-list
# localv4: RFC1918 space, used to keep pubBR/serverBR out of internal networks.
# "ping local": hosts the Zabbix host (10.11.0.2) may ICMP.
# rt / de: source prefixes selecting a routing table under /ip firewall mangle
# (rt is defined here but not referenced in this export).
# prom: node-exporter style targets (tcp/9100) for the Zabbix host.
add address=10.0.0.0/8 list=localv4
add address=192.168.0.0/16 list=localv4
add address=172.16.0.0/12 list=localv4
add address=10.1.11.1 list="ping local"
add address=10.2.0.200 list="ping local"
add address=10.2.0.199 list="ping local"
add address=10.2.0.201 list="ping local"
add address=10.1.50.10 list="ping local"
add address=10.2.0.0/16 list=rt
add address=10.1.0.0/16 list=de
add address=10.1.0.2 list=prom
add address=10.1.0.4 list=prom
add address=10.1.99.0 list=prom
/ip firewall filter
# Rule order matters: specific inter-segment allows, then the blanket lanBR
# accept, stateful accepts, the Zabbix host's allowances, the localv4 drops for
# pubBR/serverBR, and finally default-drop on both chains.
# pubBR/serverBR -> internal resolver, udp/53 only (no tcp/53).
add action=accept chain=forward dst-address=10.1.100.0 dst-port=53 \
in-interface-list=br_drop protocol=udp
# Uplink -> reverse proxy 10.11.0.5 (tcp/443, tcp/80, udp/443). These pair
# with the dstnat rules under /ip firewall nat, which name the in-interface
# ttconly rather than rtonly.
add action=accept chain=forward comment=nginx dst-address=10.11.0.5 dst-port=\
443 in-interface=rtonly protocol=tcp
add action=accept chain=forward dst-address=10.11.0.5 dst-port=80 in-interface=\
rtonly protocol=tcp
add action=accept chain=forward dst-address=10.11.0.5 dst-port=443 \
in-interface=rtonly protocol=udp
# Proxy -> backends on 10.11.0.2 and 10.11.0.4.
add action=accept chain=forward dst-address=10.11.0.2 dst-port=\
332,334,8080,8084 protocol=tcp src-address=10.11.0.5
add action=accept chain=forward dst-address=10.11.0.4 dst-port=443 protocol=tcp \
src-address=10.11.0.5
# Uplink -> torrent host 10.1.100.1 (tcp/udp 25000).
add action=accept chain=forward comment=torrent dst-address=10.1.100.1 \
dst-port=25000 in-interface=rtonly protocol=tcp
add action=accept chain=forward dst-address=10.1.100.1 dst-port=25000 \
in-interface=rtonly protocol=udp
# LAN may reach anything; placed before the localv4 drops on purpose.
add action=accept chain=forward in-interface=lanBR
# Stateful accepts.
add action=accept chain=input comment=e-connection connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
# The uplink may ping the router. Apart from the Zabbix rules below, no other
# unsolicited IPv4 traffic is accepted on input — there is no IPv4 management
# (WinBox/SSH/HTTPS) rule anywhere in this export; management appears to rely
# on the IPv6 cli-access rule or the console.
# NOTE(review): DHCP requests from the bridges are not accepted on input
# either; confirm the DHCP servers still answer with this default-drop chain.
add action=accept chain=input in-interface=rtonly protocol=icmp
# serverBR -> mail submission on 10.11.0.4.
add action=accept chain=forward dst-address=10.11.0.4 dst-port=587 \
in-interface=serverBR protocol=tcp
# Zabbix host 10.11.0.2: ICMP to the "ping local" hosts, udp/161 to 10.1.11.1,
# tcp/8006 to 10.1.0.4, tcp/9001 to 10.1.100.1 and 10.11.0.4, ICMP to
# 10.250.255.128 (the network address of the de /25 — possibly the far end's
# host address was intended; verify).
add action=accept chain=forward comment=arch dst-address-list="ping local" \
protocol=icmp src-address=10.11.0.2
add action=accept chain=forward dst-address=10.1.11.1 dst-port=161 protocol=udp \
src-address=10.11.0.2
add action=accept chain=forward dst-address=10.1.0.4 dst-port=8006 protocol=tcp \
src-address=10.11.0.2
add action=accept chain=forward dst-address=10.1.100.1 dst-port=9001 protocol=\
tcp src-address=10.11.0.2
add action=accept chain=forward dst-address=10.11.0.4 dst-port=9001 protocol=\
tcp src-address=10.11.0.2
add action=accept chain=forward dst-address=10.250.255.128 protocol=icmp \
src-address=10.11.0.2
# Zabbix host -> router: SNMP and ICMP only. The SNMP community it will hit is
# the enabled 0.0.0.0/0 write-access one (the host-restricted "zab" community
# is disabled) — see /snmp community.
add action=accept chain=input dst-address=10.11.0.1 dst-port=161 protocol=udp \
src-address=10.11.0.2
add action=accept chain=input dst-address=10.11.0.1 protocol=icmp src-address=\
10.11.0.2
# Proxy -> 10.11.0.2 tcp/8086; Zabbix host -> tcp/9100 on the prom list.
add action=accept chain=forward dst-address=10.11.0.2 dst-port=8086 protocol=\
tcp src-address=10.11.0.5
add action=accept chain=forward dst-address-list=prom dst-port=9100 protocol=\
tcp src-address=10.11.0.2
# pubBR/serverBR may not reach RFC1918 space beyond the allows above ...
add action=drop chain=forward dst-address-list=localv4 \
in-interface=pubBR
add action=drop chain=forward dst-address-list=localv4 in-interface=serverBR
# ... but anything else (the internet) is allowed.
add action=accept chain=forward in-interface=serverBR
add action=accept chain=forward in-interface=pubBR
# Default deny on both chains.
add action=drop chain=forward
add action=drop chain=input
/ip firewall mangle
# Clamp TCP MSS for flows leaving through the WireGuard tunnel (mtu 1420).
add action=change-mss chain=forward new-mss=1380 out-interface=de protocol=tcp \
tcp-flags=syn tcp-mss=1381-65535
# Policy routing. Destinations in 10.0.0.0/12 are left unmarked (note: /12,
# which covers 10.0-10.15 only, not the 10/8 used in localv4). The Zabbix host
# exits via "de" except for its ping target 78.41.103.19 (via megagw) and
# 91.240.1.1 (unmarked); 10.1.100.1 stays in main; pubBR (10.2.0.0/16) is
# marked rt_and_mega; the LAN (address-list de = 10.1.0.0/16) is marked "de",
# i.e. it exits through the WireGuard tunnel.
add action=accept chain=prerouting comment=defautl dst-address=10.0.0.0/12
add action=accept chain=prerouting dst-address=91.240.1.1 src-address=\
10.11.0.2
add action=accept chain=prerouting dst-address=0.0.0.0/0 src-address=10.1.100.1
add action=mark-routing chain=prerouting new-routing-mark=de src-address=\
10.11.0.2
add action=mark-routing chain=prerouting comment=zabbix-ping dst-address=\
78.41.103.19 new-routing-mark=megagw src-address=10.11.0.2
add action=mark-routing chain=prerouting comment="rt and mega" \
new-routing-mark=rt_and_mega src-address=10.2.0.0/16
add action=mark-routing chain=prerouting comment=de-lan new-routing-mark=de \
src-address-list=de
/ip firewall nat
# Port forwards from the uplink to the reverse proxy (tcp/443, tcp/80, udp/443)
# and the torrent host (tcp/udp 25000).
# NOTE(review): in-interface=ttconly does not match any interface defined in
# this export (the uplink is named rtonly, and the matching filter rules use
# rtonly) — likely a partial rename or redaction; verify on the live device.
add action=netmap chain=dstnat comment=nginx dst-port=443 in-interface=ttconly \
protocol=tcp to-addresses=10.11.0.5 to-ports=443
add action=netmap chain=dstnat dst-port=80 in-interface=ttconly protocol=tcp \
to-addresses=10.11.0.5 to-ports=80
add action=netmap chain=dstnat dst-port=443 in-interface=ttconly protocol=udp \
to-addresses=10.11.0.5 to-ports=443
add action=netmap chain=dstnat comment=torrent dst-port=25000 in-interface=\
ttconly protocol=tcp to-addresses=10.1.100.1 to-ports=25000
add action=netmap chain=dstnat dst-port=25000 in-interface=ttconly protocol=udp \
to-addresses=10.1.100.1 to-ports=25000
# Source NAT: masquerade towards 10.2.0.200/.201 regardless of source, and for
# traffic leaving via "rt" and "mega". "mega" is VLAN 799; "rt" is not an
# interface in this export (only an address-list of that name exists).
add action=masquerade chain=srcnat dst-address=10.2.0.200
add action=masquerade chain=srcnat dst-address=10.2.0.201
add action=masquerade chain=srcnat out-interface=rt
add action=masquerade chain=srcnat out-interface=mega
/ip route
# main: default via ttconly (distance 1, interface route) with 192.168.9.1 as
# distance-2 backup. megagw: always 192.168.9.1. ttc_and_mega: both gateways at
# distance 1. de: default into the WireGuard tunnel.
# NOTE(review): the mangle rule marks rt_and_mega but the routes below fill
# ttc_and_mega; with no route in the marked table, lookup presumably falls
# back to main — verify that pubBR traffic takes the intended path.
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.9.1 \
routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.1 pref-src=\
0.0.0.0 routing-table=megagw scope=30 suppress-hw-offload=no target-scope=\
10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.1 pref-src=\
0.0.0.0 routing-table=ttc_and_mega scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=ttconly routing-table=main \
suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=ttconly routing-table=\
ttc_and_mega suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=de pref-src=0.0.0.0 \
routing-table=de scope=30 suppress-hw-offload=10
/ipv6 route
# Static routes for the b001-b003 /64s delegated onward to hosts (docker,
# zabbix, psql) and the IPv6 default via the HE tunnel far end.
add comment=docker disabled=no distance=1 dst-address=2001:470:xxxx:b001::/64 \
gateway=2001:470:xxxx::2 routing-table=main scope=30 target-scope=10
add comment="zabbix ipv6" disabled=no distance=1 dst-address=\
2001:470:xxxx:b002::/64 gateway=2001:470:xxxx:5000::c routing-table=main \
scope=30 target-scope=10
add comment=psql disabled=no distance=1 dst-address=2001:470:xxxx:b003::/64 \
gateway=2001:470:xxxx:5000::c routing-table=main scope=30 target-scope=10
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:27:1bf::1 \
scope=30 target-scope=10
/ipv6 address
# One /52 per bridge with advertise=no, the tunnel endpoint on sit1, and one
# extra address per bridge (xffe::) with default prefix length and advertise
# setting — presumably the prefixes clients actually get via RA; verify.
add address=2001:470:xxxx::/52 advertise=no interface=lanBR
add address=2001:470:27:1bf::2 advertise=no interface=sit1
add address=2001:470:xxxx:5000::1/52 advertise=no interface=serverBR
add address=2001:470:xxxx:5ffe:: interface=serverBR
add address=2001:470:xxxx:2000::/52 advertise=no interface=pubBR
add address=2001:470:xxxx:2ffe:: interface=pubBR
add address=2001:470:xxxx:ffe:: interface=lanBR
/ipv6 firewall address-list
# localv6: the delegated /48, the tunnel /64 and link-local.
add address=2001:470:xxxx::/48 list=localv6
add address=2001:470:27:1bf::/64 list=localv6
add address=fe80::/64 list=localv6
/ipv6 firewall filter
# Inbound to published services (proxy ::aaaa on tcp/udp 443 and tcp/80,
# torrent host on 25000, Zabbix ICMPv6 to the tunnel far end), then stateful
# accepts, input allowances from the bridges only, the localv6 drop for
# br_drop, and default drop.
add action=accept chain=forward comment=nginx dst-address=\
2001:470:xxxx:5000::aaaa/128 dst-port=443 protocol=tcp
add action=accept chain=forward dst-address=2001:470:xxxx:5000::aaaa/128 \
dst-port=443 protocol=udp
add action=accept chain=forward dst-address=2001:470:xxxx:5000::aaaa/128 \
dst-port=80 protocol=tcp
add action=accept chain=forward comment=torrent dst-address=\
2001:470:xxxx:b001::2/128 dst-port=25000 protocol=tcp
add action=accept chain=forward dst-address=2001:470:xxxx:b001::2/128 dst-port=\
25000 protocol=udp
add action=accept chain=forward comment=zabbix dst-address=\
2001:470:27:1bf::1/128 protocol=icmpv6 src-address=\
2001:470:xxxx:b002::4/128
add action=accept chain=forward comment=established-connection \
connection-state=established,related
add action=accept chain=input connection-state=established,related
# MNDP (udp/5678) from link-local sources on the bridges.
# NOTE(review): src-address-list expects the NAME of an address-list; no list
# called "fe80::/10" is defined in this export, so as written this rule may
# match nothing. src-address=fe80::/10 is probably what was intended — verify.
add action=accept chain=input comment=ipv6-nd dst-port=5678 in-interface-list=\
all_br protocol=udp src-address-list=fe80::/10
# ICMPv6 (incl. neighbour discovery) only from the bridges; the router will not
# answer ICMPv6 arriving on sit1 or de itself. Forwarded flows rely on
# connection-state=related for ICMPv6 errors such as Packet Too Big.
add action=accept chain=input in-interface-list=all_br protocol=icmpv6
# WinBox (tcp/8291) only from one management host on the LAN prefix — the
# only management rule in the whole export.
add action=accept chain=input comment=cli-access dst-port=8291 \
in-interface-list=all_br protocol=tcp src-address=2001:470:xxxx::1000/128
# pubBR/serverBR may not reach localv6; every bridge may reach anything else.
add action=drop chain=forward dst-address-list=localv6 \
in-interface-list=br_drop
add action=accept chain=forward in-interface-list=all_br
add action=drop chain=forward
add action=drop chain=input
/ipv6 nd
# Router advertisements (default entry, all interfaces): high preference,
# RDNSS = the internal resolver.
set [ find default=yes ] dns=2001:470:xxxx::baba ra-preference=high
/snmp
# SNMP agent enabled (traps sent as v3). See the community notes under
# /snmp community: the enabled community is write-access from 0.0.0.0/0.
set enabled=yes trap-version=3
/system hardware
set allow-x86-64=yes
/system package update
# NOTE(review): channel=testing pulls pre-release builds onto an edge/firewall
# device; prefer the stable (or long-term) channel unless a specific fix is
# needed.
set channel=testing
/tool bandwidth-server
# Bandwidth-test server accepts unauthenticated clients; only the input chains
# (default drop, no accept for its tcp/2000 listener) keep it off the network.
# Prefer authenticate=yes, or disable it if unused.
set authenticate=no
/tool mac-server
# MAC-telnet is allowed on no interface and MAC-ping is off. /tool mac-server
# mac-winbox is not shown here, so it keeps its default — check it as well.
set allowed-interface-list=none
/tool mac-server ping
set enabled=no