-
-
Save rscott78/de8c86cee010e186667cce6f463ce13e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # feb/17/2023 08:45:56 by RouterOS 7.6 | |
| # software id = 5SPY-FEEA | |
| # | |
| # model = CCR2216-1G-12XS-2XQ | |
| /interface bridge | |
| add name=bridge1 | |
| add name=loPublic | |
| /interface ethernet | |
| set [ find default-name=sfp28-1 ] comment="NitelLink - ISP1 (2 gbps inet)" | |
| set [ find default-name=sfp28-2 ] auto-negotiation=no comment=\ | |
| "Lumen - ISP2 (1 gbps)" | |
| set [ find default-name=sfp28-10 ] comment="Port to Switch (management)" | |
| set [ find default-name=sfp28-12 ] comment=\ | |
| "Dell QoE and Mikrotik Switch (access ports)" | |
| /interface wireguard | |
| add listen-port=13231 mtu=1420 name=wireguard | |
| /interface vlan | |
| add interface=sfp28-12 name=vlan-1 vlan-id=1 | |
| add comment="Main Tower" interface=sfp28-12 name=vlan-9 vlan-id=9 | |
| add comment="Port 3 from switch; Quinton" interface=sfp28-12 name=vlan-20 \ | |
| vlan-id=20 | |
| add comment="Office (af60 ptp)" interface=sfp28-12 name=vlan-30 vlan-id=30 | |
| add comment="Attic Switch" interface=sfp28-12 name=vlan-40 vlan-id=40 | |
| add comment="Garage Switch" interface=sfp28-12 name=vlan-50 vlan-id=50 | |
| add comment="Home office" interface=sfp28-12 name=vlan-78 vlan-id=78 | |
| add comment="Gets assigned static IPs" interface=sfp28-12 name=vlan-100 \ | |
| vlan-id=100 | |
| /interface list | |
| add name=WAN | |
| add name=LAN | |
| /interface wireless security-profiles | |
| set [ find default=yes ] supplicant-identity=MikroTik | |
| /ip pool | |
| add name=Vlan-78 ranges=10.10.78.10-10.10.78.250 | |
| add name=dhcp ranges=10.10.10.10-10.10.10.250 | |
| add name=vlan-30 ranges=10.10.30.10-10.10.30.250 | |
| add name=vlan-10 ranges=10.10.10.10-10.10.10.250 | |
| add name=vlan-40 ranges=10.10.40.10-10.10.40.250 | |
| add name=vlan-20 ranges=10.10.20.10-10.10.20.250 | |
| add name=vlan-50 ranges=10.10.50.10-10.10.50.250 | |
| add name=vlan-9 ranges=10.10.9.20-10.10.9.250 | |
| add name=vlan-100 ranges=x.x.x.66-x.x.x.126 | |
| /ip dhcp-server | |
| add address-pool=Vlan-78 always-broadcast=yes interface=vlan-78 lease-time=5m \ | |
| name=dhcp-vl78 server-address=10.10.78.1 | |
| add address-pool=dhcp interface=bridge1 name=dhcp1 | |
| add address-pool=vlan-30 interface=vlan-30 lease-time=5m name=dhcp-vl30 | |
| add address-pool=vlan-20 interface=vlan-20 lease-time=5m10s name=dhcp-vl20 | |
| add address-pool=vlan-40 interface=vlan-40 lease-time=4h5m name=dhcp-vl40 | |
| add address-pool=vlan-50 interface=vlan-50 lease-time=5m name=dhcp-vl50 | |
| add address-pool=vlan-9 interface=vlan-9 lease-time=5m name=dhcp-vl9 | |
| add address-pool=vlan-100 disabled=yes interface=vlan-100 name=\ | |
| dhcp-vl100-public server-address=x.x.x.65 | |
| /port | |
| set 0 name=serial0 | |
| /routing table | |
| add fib name=to_ISP1 | |
| add fib name=to_ISP2 | |
| add disabled=no fib name=nitel_bgp | |
| /routing bgp template | |
| set default address-families=ip as=asnxxx disabled=no nexthop-choice=default \ | |
| routing-table=main | |
| /interface bridge port | |
| add bridge=bridge1 interface=ether1 | |
| add bridge=bridge1 disabled=yes interface=qsfp28-1-2 | |
| add bridge=bridge1 disabled=yes interface=qsfp28-1-3 | |
| add bridge=bridge1 disabled=yes interface=qsfp28-1-4 | |
| add bridge=bridge1 disabled=yes interface=qsfp28-2-1 | |
| add bridge=bridge1 disabled=yes interface=qsfp28-2-2 | |
| add bridge=bridge1 disabled=yes interface=qsfp28-2-3 | |
| add bridge=bridge1 disabled=yes interface=qsfp28-2-4 | |
| add bridge=bridge1 disabled=yes interface=sfp28-1 | |
| add bridge=bridge1 disabled=yes interface=sfp28-2 | |
| add bridge=bridge1 disabled=yes interface=sfp28-3 | |
| add bridge=bridge1 disabled=yes interface=sfp28-4 | |
| add bridge=bridge1 disabled=yes interface=sfp28-5 | |
| add bridge=bridge1 disabled=yes interface=sfp28-6 | |
| add bridge=bridge1 disabled=yes interface=sfp28-7 | |
| add bridge=bridge1 disabled=yes interface=sfp28-8 | |
| add bridge=bridge1 disabled=yes interface=sfp28-9 | |
| add bridge=bridge1 disabled=yes interface=sfp28-10 | |
| add bridge=bridge1 disabled=yes interface=sfp28-11 | |
| add bridge=bridge1 disabled=yes interface=sfp28-12 | |
| /interface list member | |
| add interface=sfp28-1 list=WAN | |
| add interface=vlan-78 list=LAN | |
| add interface=sfp28-2 list=WAN | |
| add interface=wireguard list=LAN | |
| /interface wireguard peers | |
| add allowed-address=0.0.0.0/0 interface=wireguard public-key=\ | |
| "-redacted-" | |
| /ip address | |
| add address=y.y.y.126/30 comment=Nitel interface=sfp28-1 network=\ | |
| y.y.y.124 | |
| add address=x.x.x.65/26 disabled=yes interface=vlan-100 network=\ | |
| x.x.x.64 | |
| add address=10.0.1.1/24 comment="Dell QoE" interface=vlan-40 network=10.0.1.0 | |
| add address=10.255.3.1/30 interface=sfp28-12 network=10.255.3.0 | |
| add address=10.10.10.1/24 interface=bridge1 network=10.10.10.0 | |
| add address=10.10.78.1/24 interface=vlan-78 network=10.10.78.0 | |
| add address=10.10.1.1/24 interface=vlan-1 network=10.10.1.0 | |
| add address=10.10.20.1/24 interface=vlan-20 network=10.10.20.0 | |
| add address=10.10.30.1/24 interface=vlan-30 network=10.10.30.0 | |
| add address=10.10.40.1/24 interface=vlan-40 network=10.10.40.0 | |
| add address=10.10.50.1/24 interface=vlan-50 network=10.10.50.0 | |
| add address=10.10.9.1/24 interface=vlan-9 network=10.10.9.0 | |
| add address=z.z.z.210/30 comment="ISP2 - Lumen via ER-Pro" interface=\ | |
| sfp28-2 network=z.z.z.208 | |
| add address=10.255.1.1/30 interface=sfp28-10 network=10.255.1.0 | |
| add address=10.10.2.1/24 interface=wireguard network=10.10.2.0 | |
| add address=x.x.x.1/24 interface=loPublic network=x.x.x.0 | |
| /ip dhcp-client | |
| add disabled=yes interface=qsfp28-1-1 | |
| /ip dhcp-server lease | |
| add address=10.10.78.249 client-id=1:e0:63:da:8e:5f:d5 comment=\ | |
| "UI Home Router" mac-address=E0:63:DA:8E:5F:D5 server=dhcp-vl78 | |
| add address=10.10.50.2 client-id=1:2c:c8:1b:3f:d1:56 mac-address=\ | |
| 2C:C8:1B:3F:D1:56 server=dhcp-vl50 | |
| add address=10.10.9.2 client-id=1:fc:ec:da:dc:cb:ab mac-address=\ | |
| FC:EC:DA:DC:CB:AB server=dhcp-vl9 | |
| add address=10.10.9.3 client-id=1:fc:ec:da:dc:cb:7f mac-address=\ | |
| FC:EC:DA:DC:CB:7F server=dhcp-vl9 | |
| add address=10.10.9.4 client-id=1:fc:ec:da:dc:cb:b2 mac-address=\ | |
| FC:EC:DA:DC:CB:B2 server=dhcp-vl9 | |
| add address=10.10.9.5 client-id=1:fc:ec:da:dc:cb:4d mac-address=\ | |
| FC:EC:DA:DC:CB:4D server=dhcp-vl9 | |
| add address=10.10.9.6 client-id=1:fc:ec:da:dc:cb:45 mac-address=\ | |
| FC:EC:DA:DC:CB:45 server=dhcp-vl9 | |
| add address=10.10.9.7 client-id=1:fc:ec:da:dc:cb:a9 mac-address=\ | |
| FC:EC:DA:DC:CB:A9 server=dhcp-vl9 | |
| add address=10.10.9.8 client-id=1:fc:ec:da:dc:cb:5a mac-address=\ | |
| FC:EC:DA:DC:CB:5A server=dhcp-vl9 | |
| add address=10.10.9.9 client-id=1:fc:ec:da:dc:cb:49 mac-address=\ | |
| FC:EC:DA:DC:CB:49 server=dhcp-vl9 | |
| add address=10.10.9.113 client-id=1:18:e8:29:70:2e:72 mac-address=\ | |
| 18:E8:29:70:2E:72 server=dhcp-vl9 | |
| add address=10.10.20.242 client-id=1:3c:37:86:50:be:a0 comment=\ | |
| "Not sure whose device this is; it's possible it is the Quintons" \ | |
| mac-address=3C:37:86:50:BE:A0 server=dhcp-vl20 | |
| add address=10.10.20.4 client-id=1:fc:ec:da:dc:cc:b7 mac-address=\ | |
| FC:EC:DA:DC:CC:B7 server=dhcp-vl20 | |
| add address=10.10.20.3 client-id=1:b4:fb:e4:5a:5:c9 mac-address=\ | |
| B4:FB:E4:5A:05:C9 server=dhcp-vl20 | |
| add address=10.10.20.2 client-id=1:b4:fb:e4:5a:6:11 mac-address=\ | |
| B4:FB:E4:5A:06:11 server=dhcp-vl20 | |
| add address=10.10.40.3 client-id=1:74:83:c2:66:75:7f mac-address=\ | |
| 74:83:C2:66:75:7F server=dhcp-vl40 | |
| add address=10.10.40.4 client-id=1:74:83:c2:66:73:ac mac-address=\ | |
| 74:83:C2:66:73:AC server=dhcp-vl40 | |
| add address=10.10.9.10 client-id=1:fc:ec:da:dc:cb:3a mac-address=\ | |
| FC:EC:DA:DC:CB:3A server=dhcp-vl9 | |
| add address=10.10.40.29 client-id=1:2a:0:3e:44:b8:cf comment="" \ | |
| mac-address=2A:00:3E:44:B8:CF server=dhcp-vl40 | |
| add address=10.10.40.21 client-id=1:2a:0:3e:44:b6:80 comment="" \ | |
| mac-address=2A:00:3E:44:B6:80 server=dhcp-vl40 | |
| add address=10.10.40.16 client-id=1:2a:0:3e:44:b4:b5 comment="" \ | |
| mac-address=2A:00:3E:44:B4:B5 server=dhcp-vl40 | |
| add address=10.10.40.22 client-id=1:2a:0:3e:44:b7:3e comment="" \ | |
| mac-address=2A:00:3E:44:B7:3E server=dhcp-vl40 | |
| add address=10.10.40.31 client-id=1:2a:0:3e:44:b8:f3 comment="" \ | |
| mac-address=2A:00:3E:44:B8:F3 server=dhcp-vl40 | |
| add address=10.10.40.28 client-id=1:2a:0:3e:44:ba:2d comment="" \ | |
| mac-address=2A:00:3E:44:BA:2D server=dhcp-vl40 | |
| add address=10.10.40.35 client-id=1:2a:0:3e:44:ba:ef comment="" \ | |
| mac-address=2A:00:3E:44:BA:EF server=dhcp-vl40 | |
| add address=10.10.40.24 client-id=1:2a:0:3e:44:b4:e9 comment="" \ | |
| mac-address=2A:00:3E:44:B4:E9 server=dhcp-vl40 | |
| add address=10.10.40.17 client-id=1:2a:0:3e:44:b9:10 comment="" \ | |
| mac-address=2A:00:3E:44:B9:10 server=dhcp-vl40 | |
| add address=10.10.40.37 client-id=1:2a:0:3e:44:b4:85 comment="" \ | |
| mac-address=2A:00:3E:44:B4:85 server=dhcp-vl40 | |
| add address=10.10.40.20 client-id=1:2a:0:3e:44:b9:78 comment=\ | |
| "" mac-address=2A:00:3E:44:B9:78 server=dhcp-vl40 | |
| add address=10.10.40.5 comment="Reserved for cnWave v3000 at house" \ | |
| mac-address=00:04:56:88:51:ED server=dhcp-vl40 | |
| add address=10.10.40.19 client-id=1:2a:0:3e:44:b8:d8 comment="" \ | |
| mac-address=2A:00:3E:44:B8:D8 server=dhcp-vl40 | |
| add address=10.10.40.2 comment="Reserved for 450m AP RRW-AP-307" mac-address=\ | |
| 0A:00:3E:60:82:8E server=dhcp-vl40 | |
| add address=10.10.78.5 comment="Reserved for QoE Dell" mac-address=\ | |
| 00:00:00:00:83:03 server=dhcp-vl78 | |
| add address=10.10.78.9 comment="Dell Desktop Server UISP" mac-address=\ | |
| 8C:EC:4B:6D:DA:70 server=dhcp-vl78 | |
| add address=10.10.40.25 client-id=1:34:98:b5:59:d8:ed comment=Carlisle \ | |
| mac-address=34:98:B5:59:D8:ED server=dhcp-vl40 | |
| add address=10.10.40.6 comment=\ | |
| "Reserved for cnWave v3000 - " mac-address=\ | |
| 00:04:56:88:50:36 server=dhcp-vl40 | |
| add address=10.10.78.247 comment="DLI Power Strip" mac-address=\ | |
| 7C:E1:FF:03:B1:B7 server=dhcp-vl78 | |
| add address=10.10.78.238 client-id=1:e8:da:0:15:f9:21 comment=\ | |
| "Home Vilo Router" mac-address=E8:DA:00:15:F9:21 server=dhcp-vl78 | |
| add address=10.10.78.236 client-id=1:0:15:5d:3:18:0 mac-address=\ | |
| 00:15:5D:03:18:00 server=dhcp-vl78 | |
| add address=10.10.50.13 client-id=1:38:94:ed:6e:cf:25 comment="" \ | |
| mac-address=38:94:ED:6E:CF:25 server=dhcp-vl50 | |
| /ip dhcp-server network | |
| add address=10.10.9.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.9.1 \ | |
| netmask=24 | |
| add address=10.10.10.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.10.1 \ | |
| netmask=24 | |
| add address=10.10.20.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.20.1 \ | |
| netmask=24 | |
| add address=10.10.30.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.30.1 \ | |
| netmask=24 | |
| add address=10.10.40.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.40.1 \ | |
| netmask=24 | |
| add address=10.10.50.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.50.1 \ | |
| netmask=24 | |
| add address=10.10.78.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=10.10.78.1 \ | |
| netmask=24 | |
| add address=10.255.3.0/30 gateway=10.255.3.1 netmask=30 | |
| /ip dns | |
| set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1 | |
| /ip dns static | |
| add address=10.10.10.1 name=www.somewhere.com ttl=1d5s | |
| add address=10.10.78.9 name=unms.rdw.net | |
| /ip firewall address-list | |
| add address=x.x.x.0/24 list=bgp-networks | |
| add address=x.x.x.0/24 list=allow_to_router | |
| add address=10.4.3.0/24 list=allow_to_router | |
| add address=10.0.1.0/24 list=allow_to_router | |
| add address=10.4.3.1-10.4.3.255 list=allow_to_router | |
| add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet | |
| add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet | |
| add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet | |
| add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet | |
| add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet | |
| add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet | |
| add address=224.0.0.0/4 comment=Multicast list=not_in_internet | |
| add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet | |
| add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet | |
| add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet | |
| add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet | |
| add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet | |
| add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet | |
| add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet | |
| add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\ | |
| not_in_internet | |
| add address=10.10.10.0/24 list=allow_to_router | |
| add address=174.230.207.251 list=allow_to_router | |
| add address=10.0.3.0/24 list=allow_to_router | |
| add address=y.y.y.126 list=allow_to_router | |
| add address=10.255.3.0/24 list=allow_to_router | |
| add address=10.10.78.0/24 list=allow_to_router | |
| add address=10.10.30.0/24 list=allow_to_router | |
| add address=104.36.232.238 comment=Dustin list=allow_to_router | |
| add address=x.x.x.0/24 list=bgp_accept | |
| add address=10.10.2.0/24 list=allow_to_router | |
| /ip firewall filter | |
| add action=accept chain=input comment="Allow WireGuard" dst-port=13231 \ | |
| log-prefix=WireGuard protocol=udp | |
| add action=accept chain=input comment="default configuration" \ | |
| connection-state=established,related | |
| add action=accept chain=input src-address-list=allow_to_router | |
| add action=accept chain=input protocol=icmp | |
| add action=drop chain=input log-prefix=test | |
| add action=accept chain=forward comment=\ | |
| "Allow outgoing from public subnet VLAN 100" connection-state=new \ | |
| log-prefix="PUBLIC - VL100" out-interface-list=WAN src-address=\ | |
| x.x.x.0/24 | |
| add action=fasttrack-connection chain=forward comment=FastTrack \ | |
| connection-state=established,related hw-offload=yes | |
| add action=accept chain=forward comment="Established, Related" \ | |
| connection-state=established,related | |
| add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \ | |
| protocol=icmp | |
| add action=accept chain=icmp comment="echo reply" icmp-options=0:0 \ | |
| log-prefix="ping 10" protocol=icmp | |
| add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 log=\ | |
| yes log-prefix="ping 11" protocol=icmp | |
| add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \ | |
| log-prefix="ping 12" protocol=icmp | |
| add action=accept chain=icmp comment=\ | |
| "host unreachable fragmentation required" icmp-options=3:4 log-prefix=\ | |
| "Ping rule 13" protocol=icmp | |
| add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \ | |
| log-prefix="ping 14" protocol=icmp | |
| add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \ | |
| log-prefix="ping 15" protocol=icmp | |
| add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \ | |
| protocol=icmp | |
| add action=drop chain=icmp comment="deny all other types" | |
| add action=drop chain=forward comment="Drop invalid" connection-state=invalid \ | |
| log-prefix="rule 18 invalid" | |
| /ip firewall mangle | |
| add action=mark-connection chain=output connection-mark=no-mark \ | |
| connection-state=new new-connection-mark=ISP1_conn out-interface=sfp28-1 \ | |
| passthrough=yes | |
| add action=mark-routing chain=output connection-mark=ISP1_conn \ | |
| new-routing-mark=to_ISP1 out-interface=sfp28-1 passthrough=yes | |
| add action=mark-connection chain=output connection-mark=no-mark \ | |
| connection-state=new new-connection-mark=ISP2_conn out-interface=sfp28-2 \ | |
| passthrough=yes | |
| add action=mark-routing chain=output connection-mark=ISP2_conn \ | |
| new-routing-mark=to_ISP2 out-interface=sfp28-2 passthrough=yes | |
| /ip firewall nat | |
| add action=dst-nat chain=dstnat comment="Required for Incoming to hit khootz w\ | |
| eb server (not valid since switching to static ip for home router)" \ | |
| dst-address=x.x.x.126 log-prefix=TimeTracker to-addresses=\ | |
| 10.10.78.236 | |
| add action=dst-nat chain=dstnat comment="Incoming to Office" dst-address=\ | |
| x.x.x.20 log-prefix=RYAN_HTTP to-addresses=10.10.78.136 | |
| add action=dst-nat chain=dstnat comment="STATIC Incoming to " \ | |
| dst-address=x.x.x.12 log-prefix=TED to-addresses=10.10.40.31 | |
| add action=dst-nat chain=dstnat comment="STATIC Incoming to " \ | |
| dst-address=x.x.x.13 log-prefix=TED to-addresses=10.10.9.29 | |
| add action=dst-nat chain=dstnat comment="Required for Incoming to hit UISP" \ | |
| dst-address=x.x.x.10 to-addresses=10.10.78.9 | |
| add action=src-nat chain=srcnat comment=\ | |
| "Outgoing VLAN 78 (Home office) to x.x.x.20" out-interface-list=WAN \ | |
| src-address=10.10.78.0/24 to-addresses=x.x.x.20 | |
| add action=src-nat chain=srcnat comment="STATIC OUT for " \ | |
| out-interface-list=WAN src-address=10.10.40.31 to-addresses=x.x.x.12 | |
| add action=src-nat chain=srcnat comment="STATIC OUT for " \ | |
| out-interface-list=WAN src-address=10.10.9.29 to-addresses=x.x.x.13 | |
| add action=src-nat chain=srcnat comment="Outgoing VLAN 9 to x.x.x.209" \ | |
| out-interface-list=WAN src-address=10.10.9.0/24 to-addresses=\ | |
| x.x.x.209 | |
| add action=src-nat chain=srcnat comment="Outgoing VLAN 20 to x.x.x.220" \ | |
| out-interface=sfp28-1 src-address=10.10.20.0/24 to-addresses=\ | |
| x.x.x.220 | |
| add action=src-nat chain=srcnat comment=\ | |
| "Outgoing Office (vlan 30) to x.x.x.20" out-interface=sfp28-1 \ | |
| src-address=10.10.30.0/24 to-addresses=x.x.x.20 | |
| add action=src-nat chain=srcnat comment="Outgoing VLAN 40 to x.x.x.240" \ | |
| out-interface-list=WAN src-address=10.10.40.0/24 to-addresses=\ | |
| x.x.x.240 | |
| add action=src-nat chain=srcnat comment="Outgoing VLAN 50 to x.x.x.50" \ | |
| out-interface-list=WAN src-address=10.10.50.0/24 to-addresses=\ | |
| x.x.x.50 | |
| add action=masquerade chain=srcnat comment=\ | |
| "Hairpin NAT for internal traffic to hit khootz" dst-address=10.10.78.249 \ | |
| out-interface-list=LAN src-address=10.10.78.0/24 | |
| add action=masquerade chain=srcnat comment=\ | |
| "Hairpin NAT for internal traffic to hit " dst-address=10.10.78.9 \ | |
| out-interface-list=LAN src-address=10.0.0.0/8 | |
| add action=masquerade chain=srcnat comment=\ | |
| "Hairpin NAT for internal traffic to hit via VLAN 100 (public IPs)" \ | |
| dst-address=10.10.78.9 out-interface-list=LAN src-address=x.x.x.0/24 | |
| add action=accept chain=srcnat comment=\ | |
| "Outgoing rule for static-assigned public IPs" disabled=yes log=yes \ | |
| log-prefix="pub static NAT" out-interface-list=WAN src-address=\ | |
| x.x.x.64/26 | |
| add action=accept chain=srcnat comment=\ | |
| "Outgoing rule for static-assigned public IPs" log-prefix="pub static" \ | |
| out-interface-list=WAN src-address=x.x.x.0/24 | |
| add action=masquerade chain=srcnat comment="Regular masqerade out" disabled=\ | |
| yes out-interface-list=WAN | |
| add action=masquerade chain=srcnat out-interface=sfp28-1 | |
| add action=masquerade chain=srcnat out-interface=sfp28-2 | |
| /ip route | |
| add comment="Legit default route with no failover (disable this for failover l\ | |
| ogic to work)" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\ | |
| y.y.y.125 pref-src="" routing-table=main scope=30 suppress-hw-offload=\ | |
| no target-scope=10 | |
| add blackhole comment="I created this, but I don't remember why - for failover I think?" disabled=no \ | |
| distance=1 dst-address=x.x.x.0/24 gateway="" pref-src="" \ | |
| routing-table=main scope=30 suppress-hw-offload=no target-scope=10 | |
| add disabled=yes distance=5 dst-address=0.0.0.0/0 gateway=10.255.2.2 \ | |
| pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \ | |
| target-scope=10 | |
| add comment="Monitor host via ISP 1 (Nitel)" disabled=no distance=1 \ | |
| dst-address=1.0.0.1/32 gateway=y.y.y.125 pref-src="" routing-table=\ | |
| main scope=10 suppress-hw-offload=no target-scope=10 | |
| add comment="Monitor host via ISP 2 (Lumen)" disabled=no distance=1 \ | |
| dst-address=4.2.2.2/32 gateway=z.z.z.209 pref-src="" routing-table=\ | |
| main scope=10 suppress-hw-offload=no target-scope=10 | |
| add check-gateway=ping comment="Default Route Main / ISP1 (Nitel)" disabled=\ | |
| no distance=1 dst-address=0.0.0.0/0 gateway=1.0.0.1 pref-src=0.0.0.0 \ | |
| routing-table=main scope=30 suppress-hw-offload=no target-scope=11 | |
| add check-gateway=ping comment="Default Route Backup / ISP2 (Lumen)" \ | |
| disabled=no distance=2 dst-address=0.0.0.0/0 gateway=4.2.2.2 pref-src="" \ | |
| routing-table=main scope=30 suppress-hw-offload=no target-scope=11 | |
| add disabled=yes distance=1 dst-address=z.z.z.208/30 gateway=\ | |
| z.z.z.209 pref-src="" routing-table=main scope=30 \ | |
| suppress-hw-offload=no target-scope=10 | |
| /ipv6 firewall filter | |
| add action=drop chain=input | |
| /routing bgp connection | |
| add as=asnxxx disabled=no input.accept-nlri=bgp_accept local.role=ebgp name=\ | |
| ToNitel output.network=bgp-networks remote.address=y.y.y.125/32 .as=\ | |
| 3356 router-id=y.y.y.126 routing-table=main | |
| add as=asnxxx disabled=no input.accept-nlri=bgp_accept local.role=ebgp .ttl=2 \ | |
| multihop=no name=ToLumen-ISP2 output.filter-chain=To-Lumen-Secondary-Out \ | |
| .network=bgp-networks remote.address=z.z.z.209/32 .as=209 .ttl=2 \ | |
| router-id=y.y.y.126 routing-table=main | |
| /routing filter community-list | |
| add comment="Used to set Lumen to 90% affinity (use as a backup)" \ | |
| communities=208:90 disabled=no list=lumen-secondary | |
| /routing filter rule | |
| add chain=BGP-Nitel-In disabled=no rule=reject | |
| add chain=To-Lumen-Secondary-Out disabled=no rule="if (dst== x.x.x.0/24) \ | |
| { set bgp-communities 209:80; accept } else {reject}" | |
| /system clock | |
| set time-zone-name=America/Chicago | |
| /system identity | |
| set name=MikroTik-Core-Router | |
| /system ntp client | |
| set enabled=yes | |
| /system ntp client servers | |
| add address=pool.ntp.org | |
| /tool sniffer | |
| set file-limit=10000KiB file-name=ps-vl100-ping filter-interface=vlan-100 \ | |
| filter-ip-protocol=udp,icmp filter-port=bootps,bootpc,ircu |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment