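# dec/29/2022 10:48:03 by RouterOS 7.6
# model = RB3011UiAS
#
# Reviewed export of an RB3011 acting as CAPsMAN controller, inter-VLAN router
# and WireGuard client. No wireless passphrases or private keys appear below,
# so this was presumably exported with sensitive values hidden - confirm.
# One functional fix was applied (work-VLAN DHCP gateway, see /ip dhcp-server
# network); everything else is annotated only.
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2437 name=channel6
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2462 name=channel11
add band=5ghz-a/n/ac name=5ghz
/interface bridge
# No vlan-filtering is set on the bridge; VLAN separation is done by the
# switch chips below (/interface ethernet switch vlan), not by the bridge.
add admin-mac=18:FD:74:B3:0A:7D auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether10 ] poe-out=off
/interface wireguard
# Local WireGuard interface; listen-port is also opened in the input chain.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# One L3 VLAN interface per network segment (101 main ... 105 work).
add interface=bridge name=vlan1-main vlan-id=101
add interface=bridge name=vlan2-kids vlan-id=102
add interface=bridge name=vlan3-guest vlan-id=103
add interface=bridge name=vlan4-iot vlan-id=104
add interface=bridge name=vlan5-work vlan-id=105
/caps-man datapath
# Guest (103) and IoT (104) datapaths have no client-to-client-forwarding,
# so wireless clients in those SSIDs cannot talk to each other directly.
add bridge=bridge client-to-client-forwarding=yes name=datapath1 vlan-id=101 \
vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes name=datapath2 vlan-id=102 \
vlan-mode=use-tag
add bridge=bridge name=datapath3 vlan-id=103 vlan-mode=use-tag
add bridge=bridge name=datapath4 vlan-id=104 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=yes name=datapath5 vlan-id=105 \
vlan-mode=use-tag
/caps-man security
# NOTE(review): every profile still accepts wpa-psk (WPA1) next to wpa2-psk.
# Encryption is pinned to aes-ccm, but if no legacy client needs WPA1 the
# downgrade path is removed by listing only wpa2-psk. Passphrases are not
# part of this export.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
security-main
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
security-kids
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
security-guest
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
security-iot
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
security-work
/caps-man configuration
# One SSID per VLAN; the "-5ghz" variants reuse the same datapath/security.
add country=finland datapath=datapath1 mode=ap name=cfg1 security=\
security-main ssid=mt
add country=finland datapath=datapath1 name=cfg1-5ghz security=security-main \
ssid=mt-5g
add country=finland datapath=datapath2 mode=ap name=cfg2-kids security=\
security-kids ssid=mt-kids
add country=finland datapath=datapath3 name=cfg3-guest security=\
security-guest ssid=mt-guest
add country=finland datapath=datapath4 name=cfg4-iot security=security-iot \
ssid=mt-iot
add country=finland datapath=datapath5 mode=ap name=cfg5-work security=\
security-work ssid=mt-work
add country=finland datapath=datapath5 name=cfg5-work-5ghz security=\
security-work ssid=mt-work-5g
/interface ethernet switch port
# Ports 1-8 are untagged access ports in VLAN 101; port 9 (the CAP uplink)
# tags on egress (add-if-missing) so the AP receives all five VLANs.
set 1 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=101 vlan-header=always-strip vlan-mode=secure
set 9 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp (192.168.88.x) is leftover defconf; no DHCP server below uses
# it and no 192.168.88.x address is configured in this export.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vlan1-main-pool ranges=10.1.1.10-10.1.1.254
add name=vlan2-kids-pool ranges=10.1.2.10-10.1.2.254
add name=vlan3-guest-pool ranges=10.1.3.10-10.1.3.254
add name=vlan4-iot-pool ranges=10.1.4.10-10.1.4.254
add name=vlan5-work-pool ranges=10.1.5.10-10.1.5.254
/ip dhcp-server
add address-pool=vlan1-main-pool interface=vlan1-main name=dhcp-vlan1-main
add address-pool=vlan2-kids-pool interface=vlan2-kids name=dhcp-vlan2-kids
add address-pool=vlan3-guest-pool interface=vlan3-guest name=dhcp-vlan3-guest
add address-pool=vlan4-iot-pool interface=vlan4-iot lease-time=23h59m name=\
dhcp-vlan4-iot
add address-pool=vlan5-work-pool interface=vlan5-work name=dhcp-vlan5-work
/port
set 0 name=serial0
/routing table
# Separate FIB used to send selected hosts' traffic through the WireGuard peer.
add disabled=no fib name=vpn1
/caps-man manager
# CAPsMAN uses auto-generated certificates; the CAP on ether10 reaches the
# manager via the loopback/CAP input rules further down.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=ether10
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 name-format=\
prefix-identity name-prefix=cap slave-configurations=\
cfg2-kids,cfg3-guest,cfg4-iot,cfg5-work
/interface bridge port
# ether1 is the WAN port and is deliberately not bridged.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is switched off entirely; none of the firewall rules below cover v6.
set disable-ipv6=yes max-neighbor-entries=8192
/interface ethernet switch vlan
# VLAN 101 is present on both switch chips; VLANs 102-105 exist only on
# switch2 toward ether10 (the CAP), so wired ports never carry them.
add independent-learning=yes ports=\
ether6,ether7,ether8,ether9,ether10,switch2-cpu switch=switch2 vlan-id=\
101
add independent-learning=yes ports=ether2,ether3,ether4,ether5,switch1-cpu \
switch=switch1 vlan-id=101
add independent-learning=no ports=ether10 switch=switch2 vlan-id=102
add independent-learning=no ports=ether10 switch=switch2 vlan-id=103
add independent-learning=no ports=ether10 switch=switch2 vlan-id=104
add independent-learning=no ports=ether10 switch=switch2 vlan-id=105
/interface list member
# NOTE(review): guest, kids and IoT VLANs are all members of LAN, so the
# input rule "drop all not coming from LAN" does not keep their clients away
# from router services (DNS is needed, but whatever else is enabled under
# /ip service is reachable too). A per-VLAN input policy would tighten this.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan1-main list=LAN
add interface=vlan3-guest list=LAN
add interface=vlan4-iot list=LAN
add interface=vlan5-work list=LAN
add interface=vlan2-kids list=LAN
/interface ovpn-server server
# NOTE(review): md5 is still in the OVPN auth list. No line enabling the OVPN
# server is visible, so it is presumably disabled - confirm, and drop md5
# before it is ever enabled.
set auth=sha1,md5
/interface wireguard peers
# Remote peer; endpoint-address and public-key look like placeholders.
# allowed-address 0.0.0.0/0 lets this peer be the default gateway for the
# vpn1 table (see /ip route and /ip firewall mangle).
add allowed-address=172.21.119.1/32,0.0.0.0/0 endpoint-address=a.b.c.d \
endpoint-port=13231 interface=wireguard1 persistent-keepalive=25s \
public-key="hjwsdgjhgwdkgfljwdhgfjlhwegjlhglsdkjhvlksadhvls="
/ip address
add address=10.1.1.1/24 interface=vlan1-main network=10.1.1.0
add address=10.1.2.1/24 interface=vlan2-kids network=10.1.2.0
add address=10.1.3.1/24 interface=vlan3-guest network=10.1.3.0
add address=10.1.4.1/24 interface=vlan4-iot network=10.1.4.0
add address=10.1.5.1/24 interface=vlan5-work network=10.1.5.0
add address=172.21.119.201/24 interface=wireguard1 network=172.21.119.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
# Static lease for the CAP; the input chain below trusts this address.
add address=10.1.1.10 client-id=1:74:4d:28:76:2d:ad mac-address=\
74:4D:28:76:2D:AD server=dhcp-vlan1-main
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.1 gateway=10.1.1.1 ntp-server=\
10.1.1.1
add address=10.1.2.0/24 comment="Cloudflare DNS for families" dns-server=\
1.1.1.3,1.0.0.3 gateway=10.1.2.1
add address=10.1.3.0/24 dns-server=10.1.3.1 gateway=10.1.3.1
add address=10.1.4.0/24 dns-server=10.1.4.1 gateway=10.1.4.1
# FIX: the gateway handed to the work VLAN was 192.168.5.1, which is outside
# 10.1.5.0/24; the router's own address on vlan5-work is 10.1.5.1.
add address=10.1.5.0/24 comment="work network / external cloudflare DNS" \
dns-server=1.1.1.1 gateway=10.1.5.1
/ip dns
# The router resolves for any source the input chain lets in: the LAN list
# (all five VLANs) and, via the first input rule, everything from wireguard1.
set allow-remote-requests=yes
/ip dns static
# Leftover defconf entry; 192.168.88.1 is not an address of this router here.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.1.1.254 comment=laptop-p14 disabled=yes list=vpn1-client
add address=10.1.0.0/16 list=mt-local
add address=10.1.1.253 list=vpn1-client
add address=172.21.119.0/24 comment="vpn users" list=admins
add address=10.1.4.0/24 list=iot_devices
/ip firewall filter
# NOTE(review): the first two rules accept every packet arriving on
# wireguard1 in both chains, including new connections to router services
# and into every VLAN, before any state or address check. Because the tunnel
# is a client link to a remote peer (allowed-address 0.0.0.0/0), that peer
# side gets unrestricted access. If only the "admins" hosts should get in,
# add src-address-list=admins to these rules or move them below the
# established/related accept.
add action=accept chain=forward in-interface=wireguard1
add action=accept chain=input in-interface=wireguard1
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Logging on the drop rules below is presumably for debugging; under load it
# can fill the log quickly - consider removing log=yes once stable.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix="DROP INVALID"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# This rule logs every CAPsMAN loopback packet ("CAP TRAFFIC"); very noisy.
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
log=yes log-prefix="CAP TRAFFIC"
add action=accept chain=input comment="CAP to CAPSMAN" log=yes log-prefix=\
"ACCEPT CAP" src-address=10.1.1.10
add action=accept chain=input comment="Accept wireguard" dst-port=13231 \
protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix="DROP / not from LAN"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# NOTE(review): no rule in this export drops new connections between VLANs,
# so guest/kids/iot clients can open connections into main and work; the
# only forward drop for new traffic is the WAN !dstnat rule at the end.
# The admins->iot_devices accept below only has an effect if a drop for
# traffic to iot_devices (or a general inter-VLAN drop) follows it - none is
# visible here; confirm whether rules are missing from the export.
add action=accept chain=forward dst-address-list=iot_devices \
src-address-list=admins
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix="DROP INVALID 2"
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix="DROP LAST"
/ip firewall mangle
# Hosts in vpn1-client have their non-local traffic marked for the vpn1 table.
add action=mark-routing chain=prerouting dst-address-list=!mt-local \
new-routing-mark=vpn1 passthrough=yes src-address-list=vpn1-client
/ip firewall nat
# Masquerade is skipped for vpn1-marked traffic; no srcnat for traffic leaving
# via wireguard1 is visible, so vpn1-client hosts' packets keep their 10.1.x
# source on the tunnel unless the remote peer accepts that - confirm.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN routing-mark=!vpn1
/ip route
add gateway=wireguard1 routing-table=vpn1
/ip service
# telnet/ftp/winbox are off and HTTPS uses the ServerCA certificate. Services
# not listed here (plain www, ssh, api, api-ssl) keep their defaults - confirm
# which of them are enabled, since every LAN VLAN can reach them.
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=ServerCA disabled=no
set winbox disabled=yes
/lcd
set time-interval=daily
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=vpn1 table=vpn1
/system clock
set time-zone-name=Europe/Helsinki
/system identity
set name=MT-RB3011
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=0.fi.pool.ntp.org
add address=1.fi.pool.ntp.org
add address=2.fi.pool.ntp.org
add address=3.fi.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
# NOTE(review): the winbox IP service is disabled above, but MAC-Winbox is
# still allowed on the whole LAN list (incl. guest/IoT). MAC-level access is
# not subject to the IP filter rules; restrict it to a management interface
# list or disable it if it is not used.
set allowed-interface-list=LAN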