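# RouterOS export, restored from one collapsed line to one command per line.
# The export is sanitized: the HE IPv6 prefix is "xxxx", DHCP lease MACs, the
# 6to4 tunnel endpoints and the WireGuard peer key are blank — those values must
# be supplied before this file is imported.
# Lines marked FIX(review) change behaviour relative to the original export;
# NOTE(review) lines are open questions that the export alone cannot settle.

/interface bridge
# Three L2 domains: LAN, "public" tenant VLANs, and server VLANs.
add name=lanBR
add name=pubBR
add name=serverBR

/interface ethernet
# ether1 is the upstream port (DHCP client, dst-nat in-interface, default route).
set [ find default-name=ether1 ] disable-running-check=no name=rtonly
# ether2-5 are hypervisor trunks; VLANs are hung off them below.
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" name=vmbr0
set [ find default-name=ether3 ] advertise="10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" loop-protect=off name=vmbr1
set [ find default-name=ether4 ] advertise="10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" name=vmbr2
set [ find default-name=ether5 ] advertise="10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full" name=vmbr3

/interface 6to4
# local-address / remote-address were stripped from the export; the tunnel
# will not come up until both are set.
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address= mtu=1280 name=sit1 remote-address=

/interface wireguard
add listen-port=13231 mtu=1420 name=de

/interface vlan
add interface=vmbr2 name=arch vlan-id=904
add interface=vmbr2 name=gameserver vlan-id=903
add interface=vmbr0 name=mega vlan-id=799
add interface=vmbr1 name=nginx vlan-id=906
add interface=vmbr0 name=proxy vlan-id=902
add interface=vmbr1 name=pub800 vlan-id=800
add interface=vmbr1 name=pub801 vlan-id=801
add interface=vmbr1 name=pub802 vlan-id=802
add interface=vmbr1 name=pub803 vlan-id=803
add interface=vmbr1 name=pub899test vlan-id=899
add interface=vmbr0 name=smtp vlan-id=905
add interface=vmbr2 name=stunnel vlan-id=901
add interface=vmbr2 name=stunnel-main vlan-id=900
add interface=vmbr3 name=torr1000 vlan-id=1000

/disk
set sata1 disabled=no

/interface list
# ndp_disable: interfaces excluded from neighbor discovery (see
# /ip neighbor discovery-settings). br_drop: bridges that may not reach
# RFC1918 / local IPv6 space. all_br: every bridge, used by the input chains.
add name=ndp_disable
add name=br_drop
add name=all_br

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=landhcp ranges=10.1.200.0-10.1.255.254
add name=pubdhcp ranges=10.2.200.0-10.2.255.254
add name=serverdhcp ranges=10.11.200.0-10.11.255.254

/ip dhcp-server
add add-arp=yes address-pool=landhcp always-broadcast=yes interface=lanBR lease-time=2d name=lanDHCP
add address-pool=pubdhcp interface=pubBR lease-time=2d name=pubDHCP
add address-pool=serverdhcp interface=serverBR lease-time=2d name=serverDHCP

/ipv6 pool
add name=a000 prefix=2001:470:xxxx:a000::/52 prefix-length=52
add name=0000 prefix=2001:470:xxxx::/52 prefix-length=52
add name=2000 prefix=2001:470:xxxx:2000::/52 prefix-length=52
add name=3000 prefix=2001:470:xxxx:3000::/52 prefix-length=52
add name=4000 prefix=2001:470:xxxx:4000::/52 prefix-length=52
add name=5000 prefix=2001:470:xxxx:5000::/52 prefix-length=52

/port
set 0 name=serial0

/queue simple
add max-limit=0/3670016 name=1 target=10.2.0.202/32

/routing table
# Policy tables selected by the mangle mark-routing rules below.
add disabled=no fib name=megagw
add disabled=no fib name=rt_and_mega
add disabled=no fib name=de

/snmp community
set [ find default=yes ] addresses=10.11.0.2/32 disabled=yes name=zab security=private write-access=yes
# FIX(review): this community was reachable from 0.0.0.0/0. The IPv4 input chain
# only admits UDP/161 from 10.11.0.2 and the IPv6 input chain admits no SNMP at
# all, so 10.11.0.2/32 is the only source that could ever use it; restricting it
# here removes the dependency on the filter for that guarantee.
# NOTE(review): the community string is embedded in this export and has therefore
# been shared with it; rotate it. write-access=yes is kept because the export
# does not show whether anything sets values — read-only suffices for polling.
add addresses=10.11.0.2/32 name="\$cUFw!7Zt" write-access=yes

/interface bridge port
add bridge=lanBR interface=vmbr3
add bridge=lanBR interface=torr1000
add bridge=pubBR interface=pub800
add bridge=pubBR interface=pub801
add bridge=pubBR interface=pub802
add bridge=pubBR interface=pub803
add bridge=pubBR interface=pub899test
add bridge=serverBR interface=arch
add bridge=serverBR interface=gameserver
add bridge=serverBR interface=nginx
add bridge=serverBR interface=proxy
add bridge=serverBR interface=smtp
add bridge=serverBR interface=stunnel
add bridge=serverBR interface=stunnel-main

/ip neighbor discovery-settings
# Discovery runs on every interface except members of ndp_disable.
set discover-interface-list=!ndp_disable

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set max-neighbor-entries=8192

/interface list member
add interface=serverBR list=br_drop
add interface=pubBR list=br_drop
add interface=serverBR list=all_br
add interface=pubBR list=all_br
add interface=lanBR list=all_br
# FIX(review): ndp_disable was empty, so MNDP/CDP/LLDP announcements (hostname,
# version, addresses) were sent on the upstream port as well. Exclude it.
add interface=rtonly list=ndp_disable

/interface ovpn-server server
# NOTE(review): md5 is in the accepted auth list. The export shows no enabled=yes
# for this server, so it appears unused; drop md5 if it is ever enabled.
set auth=sha1,md5

/interface wireguard peers
# endpoint-address/port and public-key are placeholders from sanitization.
add allowed-address=0.0.0.0/0 endpoint-address=1.1.1.1 endpoint-port=41 interface=de persistent-keepalive=10s public-key=""

/ip address
add address=10.1.0.1/16 interface=lanBR network=10.1.0.0
add address=10.2.0.1/16 interface=pubBR network=10.2.0.0
add address=10.11.0.1/16 interface=serverBR network=10.11.0.0
add address=10.250.255.129/25 interface=de network=10.250.255.128

/ip dhcp-client
# Neither client installs a default route; the routes are managed statically below.
add add-default-route=no interface=rtonly use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=lte

/ip dhcp-server lease
# mac-address values were stripped from the export.
add address=10.2.0.43 mac-address= server=pubDHCP
add address=10.2.0.202 mac-address= server=pubDHCP
add address=10.2.0.203 mac-address= server=pubDHCP
add address=10.2.1.0 mac-address= server=pubDHCP
add address=10.2.2.0 mac-address= server=pubDHCP
add address=10.2.3.0 mac-address= server=pubDHCP
add address=10.2.99.1 mac-address= server=pubDHCP
add address=10.2.99.2 mac-address= server=pubDHCP
add address=10.1.0.5 mac-address= server=lanDHCP

/ip dhcp-server network
add address=10.1.0.0/16 dns-server=10.1.100.0 domain=arpa gateway=10.1.0.1
add address=10.2.0.0/16 dns-server=10.1.100.0 domain=arpa gateway=10.2.0.1
add address=10.11.0.0/16 dns-server=10.1.100.0 domain=arpa gateway=10.11.0.1

/ip dns
# allow-remote-requests is not set (default off): the router is not a resolver.
set servers=2001:470:xxxx::baba,10.1.100.0

/ip firewall address-list
add address=10.0.0.0/8 list=localv4
add address=192.168.0.0/16 list=localv4
add address=172.16.0.0/12 list=localv4
add address=10.1.11.1 list="ping local"
add address=10.2.0.200 list="ping local"
add address=10.2.0.199 list="ping local"
add address=10.2.0.201 list="ping local"
add address=10.1.50.10 list="ping local"
add address=10.2.0.0/16 list=rt
add address=10.1.0.0/16 list=de
add address=10.1.0.2 list=prom
add address=10.1.0.4 list=prom
add address=10.1.99.0 list=prom

/ip firewall filter
# Order matters: specific accepts first, then the pubBR/serverBR -> local drops,
# then blanket per-bridge accepts, then drop-all on both chains.
add action=accept chain=forward dst-address=10.1.100.0 dst-port=53 in-interface-list=br_drop protocol=udp
add action=accept chain=forward comment=nginx dst-address=10.11.0.5 dst-port=443 in-interface=rtonly protocol=tcp
add action=accept chain=forward dst-address=10.11.0.5 dst-port=80 in-interface=rtonly protocol=tcp
add action=accept chain=forward dst-address=10.11.0.5 dst-port=443 in-interface=rtonly protocol=udp
add action=accept chain=forward dst-address=10.11.0.2 dst-port=332,334,8080,8084 protocol=tcp src-address=10.11.0.5
add action=accept chain=forward dst-address=10.11.0.4 dst-port=443 protocol=tcp src-address=10.11.0.5
add action=accept chain=forward comment=torrent dst-address=10.1.100.1 dst-port=25000 in-interface=rtonly protocol=tcp
add action=accept chain=forward dst-address=10.1.100.1 dst-port=25000 in-interface=rtonly protocol=udp
add action=accept chain=forward in-interface=lanBR
add action=accept chain=input comment=e-connection connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input in-interface=rtonly protocol=icmp
add action=accept chain=forward dst-address=10.11.0.4 dst-port=587 in-interface=serverBR protocol=tcp
# 10.11.0.2 is the monitoring host: ICMP, SNMP and exporter ports only.
add action=accept chain=forward comment=arch dst-address-list="ping local" protocol=icmp src-address=10.11.0.2
add action=accept chain=forward dst-address=10.1.11.1 dst-port=161 protocol=udp src-address=10.11.0.2
add action=accept chain=forward dst-address=10.1.0.4 dst-port=8006 protocol=tcp src-address=10.11.0.2
add action=accept chain=forward dst-address=10.1.100.1 dst-port=9001 protocol=tcp src-address=10.11.0.2
add action=accept chain=forward dst-address=10.11.0.4 dst-port=9001 protocol=tcp src-address=10.11.0.2
add action=accept chain=forward dst-address=10.250.255.128 protocol=icmp src-address=10.11.0.2
add action=accept chain=input dst-address=10.11.0.1 dst-port=161 protocol=udp src-address=10.11.0.2
add action=accept chain=input dst-address=10.11.0.1 protocol=icmp src-address=10.11.0.2
add action=accept chain=forward dst-address=10.11.0.2 dst-port=8086 protocol=tcp src-address=10.11.0.5
add action=accept chain=forward dst-address-list=prom dst-port=9100 protocol=tcp src-address=10.11.0.2
# Tenant and server bridges may not reach private address space except via the
# explicit accepts above.
add action=drop chain=forward dst-address-list=localv4 in-interface=pubBR
add action=drop chain=forward dst-address-list=localv4 in-interface=serverBR
add action=accept chain=forward in-interface=serverBR
add action=accept chain=forward in-interface=pubBR
add action=drop chain=forward
add action=drop chain=input

/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=de protocol=tcp tcp-flags=syn tcp-mss=1381-65535
# Local destinations and the two pinned sources skip policy routing.
add action=accept chain=prerouting comment=defautl dst-address=10.0.0.0/12
add action=accept chain=prerouting dst-address=91.240.1.1 src-address=10.11.0.2
add action=accept chain=prerouting dst-address=0.0.0.0/0 src-address=10.1.100.1
add action=mark-routing chain=prerouting new-routing-mark=de src-address=10.11.0.2
add action=mark-routing chain=prerouting comment=zabbix-ping dst-address=78.41.103.19 new-routing-mark=megagw src-address=10.11.0.2
add action=mark-routing chain=prerouting comment="rt and mega" new-routing-mark=rt_and_mega src-address=10.2.0.0/16
add action=mark-routing chain=prerouting comment=de-lan new-routing-mark=de src-address-list=de

/ip firewall nat
# FIX(review): the dst-nat rules referenced in-interface=ttconly, which no
# interface in this export carries; the matching forward accepts use rtonly
# (ether1), so the rules are aligned with that name.
add action=netmap chain=dstnat comment=nginx dst-port=443 in-interface=rtonly protocol=tcp to-addresses=10.11.0.5 to-ports=443
add action=netmap chain=dstnat dst-port=80 in-interface=rtonly protocol=tcp to-addresses=10.11.0.5 to-ports=80
add action=netmap chain=dstnat dst-port=443 in-interface=rtonly protocol=udp to-addresses=10.11.0.5 to-ports=443
add action=netmap chain=dstnat comment=torrent dst-port=25000 in-interface=rtonly protocol=tcp to-addresses=10.1.100.1 to-ports=25000
add action=netmap chain=dstnat dst-port=25000 in-interface=rtonly protocol=udp to-addresses=10.1.100.1 to-ports=25000
add action=masquerade chain=srcnat dst-address=10.2.0.200
add action=masquerade chain=srcnat dst-address=10.2.0.201
# NOTE(review): no interface named "rt" exists in this export, and no masquerade
# rule covers traffic leaving via rtonly — confirm which upstream this was meant
# to match.
add action=masquerade chain=srcnat out-interface=rt
add action=masquerade chain=srcnat out-interface=mega

/ip route
# NOTE(review): no connected 192.168.9.0/x prefix appears in this export, so the
# 192.168.9.1 next hop must resolve through a dynamically assigned address.
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.9.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.1 pref-src=0.0.0.0 routing-table=megagw scope=30 suppress-hw-offload=no target-scope=10
# FIX(review): routing-table=ttc_and_mega and gateway=ttconly are not defined in
# this export; the declared table is rt_and_mega (used by the mangle mark above)
# and the upstream interface is rtonly.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.1 pref-src=0.0.0.0 routing-table=rt_and_mega scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=rtonly routing-table=main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=rtonly routing-table=rt_and_mega suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=de pref-src=0.0.0.0 routing-table=de scope=30 suppress-hw-offload=no target-scope=10

/ipv6 route
add comment=docker disabled=no distance=1 dst-address=2001:470:xxxx:b001::/64 gateway=2001:470:xxxx::2 routing-table=main scope=30 target-scope=10
add comment="zabbix ipv6" disabled=no distance=1 dst-address=2001:470:xxxx:b002::/64 gateway=2001:470:xxxx:5000::c routing-table=main scope=30 target-scope=10
add comment=psql disabled=no distance=1 dst-address=2001:470:xxxx:b003::/64 gateway=2001:470:xxxx:5000::c routing-table=main scope=30 target-scope=10
# Global IPv6 default via the HE tunnel.
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:27:1bf::1 scope=30 target-scope=10

/ipv6 address
add address=2001:470:xxxx::/52 advertise=no interface=lanBR
add address=2001:470:27:1bf::2 advertise=no interface=sit1
add address=2001:470:xxxx:5000::1/52 advertise=no interface=serverBR
add address=2001:470:xxxx:5ffe:: interface=serverBR
add address=2001:470:xxxx:2000::/52 advertise=no interface=pubBR
add address=2001:470:xxxx:2ffe:: interface=pubBR
add address=2001:470:xxxx:ffe:: interface=lanBR

/ipv6 firewall address-list
add address=2001:470:xxxx::/48 list=localv6
add address=2001:470:27:1bf::/64 list=localv6
add address=fe80::/64 list=localv6

/ipv6 firewall filter
add action=accept chain=forward comment=nginx dst-address=2001:470:xxxx:5000::aaaa/128 dst-port=443 protocol=tcp
add action=accept chain=forward dst-address=2001:470:xxxx:5000::aaaa/128 dst-port=443 protocol=udp
add action=accept chain=forward dst-address=2001:470:xxxx:5000::aaaa/128 dst-port=80 protocol=tcp
add action=accept chain=forward comment=torrent dst-address=2001:470:xxxx:b001::2/128 dst-port=25000 protocol=tcp
add action=accept chain=forward dst-address=2001:470:xxxx:b001::2/128 dst-port=25000 protocol=udp
add action=accept chain=forward comment=zabbix dst-address=2001:470:27:1bf::1/128 protocol=icmpv6 src-address=2001:470:xxxx:b002::4/128
add action=accept chain=forward comment=established-connection connection-state=established,related
add action=accept chain=input connection-state=established,related
# FIX(review): the original used src-address-list=fe80::/10, i.e. an address list
# named "fe80::/10", which this export never defines — the rule matched nothing
# and link-local MNDP (UDP/5678) hit the final input drop. Match the prefix.
add action=accept chain=input comment=ipv6-nd dst-port=5678 in-interface-list=all_br protocol=udp src-address=fe80::/10
add action=accept chain=input in-interface-list=all_br protocol=icmpv6
# Winbox (8291) only from a single management address on the bridges.
add action=accept chain=input comment=cli-access dst-port=8291 in-interface-list=all_br protocol=tcp src-address=2001:470:xxxx::1000/128
add action=drop chain=forward dst-address-list=localv6 in-interface-list=br_drop
add action=accept chain=forward in-interface-list=all_br
add action=drop chain=forward
add action=drop chain=input

/ipv6 nd
set [ find default=yes ] dns=2001:470:xxxx::baba ra-preference=high

/snmp
set enabled=yes trap-version=3

/system hardware
set allow-x86-64=yes

/system package update
# NOTE(review): "testing" pulls pre-release builds; a production router normally
# tracks stable or long-term.
set channel=testing

/tool bandwidth-server
# NOTE(review): unauthenticated bandwidth-test server. Both input chains end in
# drop and no rule admits its port, so it is unreachable as configured; if an
# input accept is ever widened, set authenticate=yes.
set authenticate=no

/tool mac-server
set allowed-interface-list=none

/tool mac-server ping
set enabled=no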