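# mar/10/2018 06:15:33 by RouterOS 6.41
#
# model = 2011UiAS
# serial number = 771E067263D6
#
# RouterOS "/export" of a 2011UiAS. Page-render artifacts (trailing "| |")
# have been stripped so the file can be imported again; no directive has
# been changed. Only non-default settings appear in an export, so anything
# not listed (e.g. /ip service www, winbox, ssh, telnet) is presumably at
# RouterOS defaults - confirm on the device.
#
# NOTE(review): the serial number above and the IPsec secret further down
# are part of this public paste; the 23.128.XXX addresses were redacted by
# the author, these were not.
/interface bridge
add name=bridge1-MGMT
/interface ethernet
# ether1 is disabled here, yet /ip dhcp-client and a firewall input rule
# below still reference it - presumably leftovers of the default config.
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] speed=1Gbps
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=ether2 name=VLAN-10-SRDR-SERVERS vlan-id=10
add interface=bridge1-MGMT name=VLAN-11-CUSTOMERS-VMS vlan-id=11
add interface=bridge1-MGMT name=VLAN-12-SRDR-VMS vlan-id=12
add interface=ether5 name=VLAN-13-IPMI-iDRAC vlan-id=13
/interface ethernet switch port
set 6 !egress-rate !ingress-rate
set 7 !egress-rate !ingress-rate
set 8 !egress-rate !ingress-rate
set 9 !egress-rate !ingress-rate
set 10 !egress-rate !ingress-rate
set 12 !egress-rate !ingress-rate
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=iDRAC-Pool ranges=172.16.2.100-172.16.2.200
add name=VPN-Pool ranges=172.16.93.60-172.16.93.200
add name=IPMI-iDRAC-POOL ranges=172.16.10.40-172.16.10.200
add name=CUSTOMERS-VM-POOL ranges=23.128.XXX.19-23.128.XXX.30
add name=SRDR-VM-POOL ranges=23.128.XXX.35-23.128.XXX.63
/ip dhcp-server
add address-pool=iDRAC-Pool disabled=no interface=bridge1-MGMT lease-time=40m name=DHCP-iDRAC-Net src-address=172.16.2.1
add address-pool=IPMI-iDRAC-POOL disabled=no interface=VLAN-13-IPMI-iDRAC lease-time=40m name=DHCP-IMPI-iDRAC
add address-pool=CUSTOMERS-VM-POOL disabled=no interface=VLAN-11-CUSTOMERS-VMS lease-time=40m name=DHCP-CUSTOMERS-VMS
add address-pool=SRDR-VM-POOL disabled=no interface=VLAN-12-SRDR-VMS lease-time=40m name=DHCP-SRDR-VMS
/ppp profile
# Default-encryption profile used by the VPN servers below. use-upnp=yes
# lets VPN clients open ports via UPnP - verify that is intended for
# remote-access users.
set *FFFFFFFE dns-server=23.128.XXX.2,8.8.8.8 local-address=VPN-Pool only-one=no remote-address=VPN-Pool use-compression=yes use-upnp=yes
/interface bridge port
add bridge=bridge1-MGMT interface=ether4
add bridge=bridge1-MGMT interface=ether5
add bridge=bridge1-MGMT interface=ether2
/ip neighbor discovery-settings
# "*2000011" (and "*2000010" in the filter rules) is an internal object id,
# not a name; an export normally prints the interface-list name here.
# Presumably the list it pointed at no longer exists, in which case these
# lines will fail when this file is imported on a fresh device - check
# /interface list before reuse.
set discover-interface-list=*2000011
/interface l2tp-server server
# L2TP with IPsec required. The pre-shared secret is stored in cleartext in
# the export and is now public with this paste; treat it as compromised
# and replace it before this config is reused anywhere.
set allow-fast-path=yes enabled=yes ipsec-secret=vpnSecret use-ipsec=required
/interface ovpn-server server
# OpenVPN on TCP/443 with client certificates required (good). auth=sha1
# is the HMAC digest; this RouterOS version may not offer a stronger one
# - confirm what the installed release supports.
set auth=sha1 certificate=server@MikroTik cipher=aes128,aes192,aes256 default-profile=default-encryption enabled=yes port=443 require-client-certificate=yes
/ip address
add address=192.168.88.2/24 interface=ether2 network=192.168.88.0
add address=23.128.XXX.2/28 interface=VLAN-10-SRDR-SERVERS network=23.128.XXX.0
add address=172.16.2.1/24 interface=bridge1-MGMT network=172.16.2.0
add address=172.16.10.1/24 interface=VLAN-13-IPMI-iDRAC network=172.16.10.0
# The router holds .18 on the /28 and .34 on the /27, but the DHCP networks
# below hand out .17 and .33 as gateway - see the note there.
add address=23.128.XXX.18/28 interface=VLAN-11-CUSTOMERS-VMS network=23.128.XXX.16
add address=23.128.XXX.34/27 interface=VLAN-12-SRDR-VMS network=23.128.XXX.32
/ip dhcp-client
# Default-config DHCP client on ether1, which is disabled above.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
# gateway=.17 / .33 differ from this router's own addresses on those VLANs
# (.18 / .34 under /ip address). Either another gateway sits at .17/.33 or
# this is a typo - confirm; clients would otherwise get an unreachable
# default route.
add address=23.128.XXX.16/28 dns-server=8.8.8.8 domain=SRDR.net gateway=23.128.XXX.17 netmask=28
add address=23.128.XXX.32/27 dns-server=8.8.8.8 gateway=23.128.XXX.33 netmask=27 ntp-server=129.6.15.29
add address=172.16.2.0/24 dns-server=172.16.2.1,8.8.8.8 domain=localdomain gateway=172.16.2.1 netmask=24 ntp-server=132.163.97.4
add address=172.16.10.0/24 dns-server=172.16.10.1,8.8.8.8 domain=localdomain gateway=172.16.10.1 netmask=24
/ip dns
set servers=8.8.4.4,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
# Input chain: the only unconditional drop ("drop all not coming from LAN")
# is disabled=yes and references the unresolved list *2000011. Nothing
# after it drops, so traffic that is not "invalid" falls through to the
# chain's default accept - management services reachable on the public
# VLANs are effectively unfiltered. Re-enable that rule once the interface
# list exists, or add an explicit final drop.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!*2000011
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Forward-chain WAN drop is also disabled and points at *2000010.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=*2000010
# No action= given, so RouterOS applies the default (accept). The OVPN
# server above listens on TCP only (this RouterOS generation does not do
# OVPN over UDP, as far as I know), so the udp rule is presumably inert.
add chain=input comment="Allow OpenVPN" dst-port=443 protocol=tcp
add chain=input comment="Allow OpenVPN" dst-port=443 protocol=udp
# Dead rule: ether1 is disabled.
add action=accept chain=input in-interface=ether1 src-address=192.168.8.0/24
/ip firewall mangle
add action=change-ttl chain=prerouting disabled=yes new-ttl=set:64 passthrough=yes
/ip firewall nat
# Masquerade for the management net and the VPN pool has no out-interface,
# so it applies on every egress interface, including the internal VLANs -
# confirm that is intended.
add action=masquerade chain=srcnat src-address=172.16.2.0/24
add action=masquerade chain=srcnat src-address=172.16.93.0/24
# Disabled 1:1 NAT pair for 172.16.2.102 <-> 23.128.XXX.42.
add action=dst-nat chain=dstnat disabled=yes dst-address=23.128.XXX.42 to-addresses=172.16.2.102
add action=src-nat chain=srcnat disabled=yes src-address=172.16.2.102 to-addresses=23.128.XXX.42
/ip route
add distance=1 gateway=23.128.XXX.1
/ip service
# ftp, api and api-ssl are off. www, winbox, ssh and telnet are not listed,
# so they are presumably at defaults (enabled, no address= restriction);
# with the input chain above that means they answer on every interface.
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system routerboard settings
set cpu-frequency=700MHz
/tool bandwidth-server
set enabled=no
/tool sniffer
# Sniffer pre-filtered to ICMP to/from the router's VLAN-10 address,
# headers only, 256KiB buffer.
set filter-ip-address=23.128.XXX.2/32 filter-ip-protocol=icmp memory-limit=256KiB only-headers=yes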