On MT01:
# Side A of an EoIP tunnel carried over the 10.10.10.0/24 link on ether2.
/ip address
add address=10.10.10.1/24 interface=ether2 network=10.10.10.0
/interface eoip
# tunnel-id must match on both ends; ipsec-secret (XXX is a redacted
# placeholder) must also match, and with it set the EoIP/GRE traffic is
# expected to be carried inside IPsec rather than as plain GRE.
add local-address=10.10.10.1 mtu=1500 name=eoip-tunnel1 remote-address=10.10.10.2 tunnel-id=100 ipsec-secret=XXX
/interface bridge port
# Bridge the tunnel into the local LAN (L2 extension across the tunnel).
add bridge=bridgelocal interface=eoip-tunnel1
# Side B: mirror image of side A (addresses swapped, same tunnel-id and secret).
/ip address
add address=10.10.10.2/24 interface=ether2 network=10.10.10.0
/interface eoip
# local/remote are the reverse of the other end; tunnel-id=100 and the
# ipsec-secret (XXX = redacted placeholder) must be identical on both routers.
add local-address=10.10.10.2 mtu=1500 name=eoip-tunnel1 remote-address=10.10.10.1 tunnel-id=100 ipsec-secret=XXX
/interface bridge port
add bridge=bridgelocal interface=eoip-tunnel1
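# Input-chain filter: default-deny towards the router itself, with explicit
# allow rules for established traffic, IPsec, DNS, management and the EoIP tunnel.
/ip firewall filter
add action=accept chain=input comment="CCR ALLOW established, related" connection-state=established,related
add action=drop chain=input comment="CCR DENY invalid connection states" connection-state=invalid
add action=accept chain=input comment="CCR ALLOW OpenVPN roadwarriors handshake" connection-state=new dst-port=11978 protocol=tcp
# IKE (500), NAT-T (4500) and L2TP (1701) are UDP services; the original rule
# used protocol=tcp, so IKE negotiation from the allowed endpoints was never
# matched and fell through to the final drop. ESP is accepted separately below.
# NOTE(review): both rules only match in-interface-list=WAN; an IPsec peer that
# is reached over an interface not in that list (e.g. the EoIP link) would not
# be covered here - verify against the interface lists on this router.
add action=accept chain=input comment="CCR ALLOW IPSEC tunnels from known endpoints" dst-port=500,4500,1701 in-interface-list=WAN protocol=udp src-address-list=ipsec-allowed-endpoints
add action=accept chain=input comment="CCR ALLOW IPSEC tunnels from known endpoints" in-interface-list=WAN protocol=ipsec-esp src-address-list=ipsec-allowed-endpoints
add action=accept chain=input comment="CCR ALLOW DNS queries from LAN" dst-port=53 in-interface-list=INTERNAL protocol=tcp
add action=accept chain=input comment="CCR ALLOW DNS queries from LAN" dst-port=53 in-interface-list=INTERNAL protocol=udp
# Management ports are reachable only from the "admins" address list.
add action=accept chain=input comment="CCR ALLOW admins to access configuration ports" dst-port=1978,1922 protocol=tcp src-address-list=admins
# NOTE(review): the ping rule uses in-interface-list=LAN while the DNS rules use
# INTERNAL - confirm both lists are intended, or unify them.
add action=accept chain=input comment="CCR ALLOW ping from LAN" in-interface-list=LAN log-prefix=input_a_ping protocol=icmp
add action=accept chain=input comment="CCR ALLOW ping from WAN for Admins" log-prefix=input_a_ping protocol=icmp src-address-list=admins
add action=accept chain=input comment="CCR defcon: accept to local loopback" dst-address=127.0.0.1
# GRE for the EoIP tunnel is accepted from any source. Consider adding
# src-address=<EOIP-PEER-ADDRESS> (placeholder) so only the known tunnel peer
# can reach the GRE stack; with ipsec-secret set on the tunnel this rule is
# expected to see the decapsulated GRE, so it may also be narrowed further.
add action=accept chain=input comment="CCR Allow EoiP Tunnel" protocol=gre
# Default deny for anything not explicitly allowed above.
add action=drop chain=input comment="CCR DENY everything else"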