Statistics: Posted by mkx — Tue Apr 02, 2024 10:40 am
/interface/bridge/host/print where vid=<vlan id>
/interface/ethernet/switch/host/print where vlan-id=<vlan id>
Statistics: Posted by mkx — Tue Apr 02, 2024 10:35 am
Statistics: Posted by normis — Tue Apr 02, 2024 10:32 am
Statistics: Posted by andressis2k — Tue Apr 02, 2024 10:18 am
Statistics: Posted by BlackVS — Tue Apr 02, 2024 10:00 am
I am trying to look at the "Log" tool (for each AP), but there is nothing interesting, and no attempts at device connection. Is there any other wireless log present?
include the wireless logs when the device attempts connection
Statistics: Posted by kekraiser — Tue Apr 02, 2024 10:00 am
Statistics: Posted by patrikg — Tue Apr 02, 2024 9:55 am
Statistics: Posted by godel0914 — Tue Apr 02, 2024 9:50 am
Statistics: Posted by An5teifo — Tue Apr 02, 2024 9:42 am
Statistics: Posted by saktie — Tue Apr 02, 2024 9:38 am
Statistics: Posted by tangent — Tue Apr 02, 2024 9:37 am
That isn't a question..
Question 2. Fan connector in the front of fan... it is weird
Statistics: Posted by BlackVS — Tue Apr 02, 2024 9:33 am
Statistics: Posted by An5teifo — Tue Apr 02, 2024 9:33 am
Statistics: Posted by normis — Tue Apr 02, 2024 9:31 am
Statistics: Posted by mkx — Tue Apr 02, 2024 9:24 am
Statistics: Posted by mkx — Tue Apr 02, 2024 9:17 am
Statistics: Posted by An5teifo — Tue Apr 02, 2024 9:14 am
Statistics: Posted by normis — Tue Apr 02, 2024 9:14 am
Statistics: Posted by kekraiser — Tue Apr 02, 2024 9:11 am
:global MtmTools;:set ($MtmTools->"hashing") $s;
/system/script/environment/print
Statistics: Posted by merlinthemagic7 — Tue Apr 02, 2024 9:07 am
Statistics: Posted by mkx — Tue Apr 02, 2024 9:06 am
As I already wrote, you CANNOT connect a RB941 to a new AP using station-pseudobridge. That means you CANNOT put the WiFi in the bridge.
Thank you. When I changed mode on RB941 from B/G to B/G/N it connected to WiFi. Then I had a problem because RB941 didn't want to get IP from DHCP. Then it got IP but I didn't get IP on my laptop that was connected to RB941, even though I connected to an ether port that was in the same bridge as WiFi.
You would need to buy at least a hAP ax2.
Maybe the solution is to buy some new hAPs?
Statistics: Posted by tookiehr — Tue Apr 02, 2024 8:49 am
Statistics: Posted by Amm0 — Tue Apr 02, 2024 8:47 am
Statistics: Posted by jacklandan — Tue Apr 02, 2024 8:29 am
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
  filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
  filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
/ipv6 firewall {
  address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
  address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
  address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
  address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
  address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
  address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
  address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
  address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
  address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
  filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
  filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
  filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
  filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
  filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
  filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}
/interface list
add name=VLAN
/interface list member
add interface=VLAN10 list=VLAN
add interface=VLAN11 list=VLAN

/ip firewall filter
add action=drop chain=forward comment="block vlan to lan" in-interface-list=VLAN out-interface-list=LAN
/ipv6 firewall filter
add action=drop chain=forward comment="block vlan to lan" in-interface-list=VLAN out-interface-list=LAN
Statistics: Posted by CGGXANNX — Tue Apr 02, 2024 8:05 am
Statistics: Posted by nzlme — Tue Apr 02, 2024 6:53 am
Statistics: Posted by godel0914 — Tue Apr 02, 2024 6:14 am
Yes, the only issue puzzles me would be how come when I added WAN IP : 61.219.84.105 (interface sfp3) into address list,
Is everything else working... and the ONLY issue why QuickSet is showing wrong LAN?
/interface bridge set [find name=BridgeLAN] comment=defconf
/interface list member set [find list=LAN interface=BridgeLAN] comment=defconf
/ip address set [find address=192.168.88.1/24] comment=defconf
Statistics: Posted by Amm0 — Tue Apr 02, 2024 5:30 am
Statistics: Posted by CGGXANNX — Tue Apr 02, 2024 4:58 am
Statistics: Posted by godel0914 — Tue Apr 02, 2024 4:46 am
Statistics: Posted by anav — Tue Apr 02, 2024 4:43 am
Done, thanks for the guidance.
(1) Added back NAS on port 443 to the config.
Thanks again for finding out the unnecessary setting, it's inactive and removed.
add bridge=BridgeLAN ingress-filtering=no interface=LAN internal-path-cost=10 \
    path-cost=10
There is no such interface!! Removed.
There is an interface-list called LAN, but no interface! What goes under bridge ports are typically etherports and wifiports.
Thanks, I will check around.
(3) The Routing is setup such that sfp1 is the primary WAN. Thus we need not do anything special for:
a. all users, will thus always be routed out WAN1
b. Servers on LAN accessed via WAN1 will have traffic returned out WAN1 ( no mangling required )
c. Servers on LAN accessed via WAN2 will have traffic returned out WAN2.
Statistics: Posted by godel0914 — Tue Apr 02, 2024 4:33 am
Statistics: Posted by petardo — Tue Apr 02, 2024 4:08 am
Statistics: Posted by mantouboji — Tue Apr 02, 2024 3:57 am
Statistics: Posted by aruto77 — Tue Apr 02, 2024 3:44 am
Statistics: Posted by eypi39 — Tue Apr 02, 2024 3:41 am
Statistics: Posted by rudym88 — Tue Apr 02, 2024 2:21 am
Statistics: Posted by anav — Tue Apr 02, 2024 2:00 am
Statistics: Posted by msatter — Tue Apr 02, 2024 1:49 am
Statistics: Posted by gotsprings — Tue Apr 02, 2024 1:48 am
Statistics: Posted by emunt6 — Tue Apr 02, 2024 1:11 am
Statistics: Posted by MTNick — Tue Apr 02, 2024 12:57 am
/interface bridge
add ingress-filtering=yes name=aBridge protocol-mode=none pvid=11 vlan-filtering=yes
/interface vlan
add interface=aBridge name=VLAN100 vlan-id=10
add interface=aBridge name=VLAN101 vlan-id=11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=**** supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=**** supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=argentina disabled=no frequency=auto installation=indoor mode=\
    ap-bridge security-profile=**** ssid=2.4 vlan-id=10 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=argentina disabled=no installation=indoor mode=ap-bridge \
    security-profile=**** ssid=5.0 vlan-id=11 wireless-protocol=802.11
/ip pool
add name=VLAN10_POOL ranges=192.168.10.100-192.168.10.200
add name=VLAN11_POOL ranges=192.168.11.100-192.168.11.200
/ip dhcp-server
add address-pool=VLAN10_POOL disabled=no interface=VLAN10 name=VLAN10_DHCP
add address-pool=VLAN11_POOL disabled=no interface=VLAN11 name=VLAN11_DHCP
/interface bridge port
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=10
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=11
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=11
add bridge=aBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=11
/interface bridge vlan
add bridge=aBridge tagged=aBridge vlan-ids=11
add bridge=aBridge tagged=aBridge vlan-ids=10
/interface list member
add interface=ether1 list=WAN
add interface=VLAN10 list=LAN
add interface=VLAN11 list=LAN
/ip address
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.11.1/24 interface=VLAN11 network=192.168.11.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="Allow established and related" connection-state=established,related
add action=accept chain=forward connection-state=new in-interface-list=LAN out-interface-list=WAN
Statistics: Posted by 3eff — Tue Apr 02, 2024 12:24 am
# Turris Import by Blacklister and edited by Optio
# 20210823 new version that directly downloads from the external server
# 20240331 rewritten to fetch the whole file and write it to a local file and then import it
# 20240401 avoiding perfect storm by reducing chunkSize when calculation the remainder
# 20240402 adding importing new address to temporary list and swap them out with the active list avoiding the list being not active for a short time as possible
# also save and display a count of static addresses present in a address-list
{
# import config - delay for slow routers
#:delay 1m
:log warning "IP-Blocker script started"
/ip firewall address-list
:local update do={
  :if (heirule != null) do={:set $filtering ", filtering on: $heirule"}
  :put "Start importing address-list: $listname$filtering"
  :log warning "Start importing address-list: $listname$filtering"
  /tool fetch url=$url dst-path="/$listname.txt" as-value
  # delay to wait file flush after fetch
  :delay 1
  :local filesize [/file get "$listname.txt" size]
  :local start 0
  :local chunkSize 32767;# requested chunk size
  :local partnumber($filesize / $chunkSize); # how many chunk are chunkSize
  :local remainder($filesize % ($chunkSize-512)); # the last partly chunk and use reduced chunkSize
  :if ($remainder > 0) do={ :set partnumber ($partnumber + 1) }; # total number of chunks
  :local listCount [:len [find list=$listname dynamic]]
  :put "Deleting $listCount entries (dynamic) from address-list: $listname"
  :log warning "Deleting $listCount entries (dynamic) from address-list: $listname"
  :if ($heirule = null) do={:set $heirule "."}
  # remove the current dynamic entries completely
  #:do {remove [find where list=$listname dynamic]} on-error={};
  :set $listnameTemp ($listname."temp")
  :for x from=1 to=$partnumber step=1 do={
    :local data ([:file read offset=$start chunk-size=$chunkSize file="$listname.txt" as-value]->"data")
    # Only remove the first line only if you are not at the start of list
    :if ($start > 0) do={:set data [:pick $data ([:find $data "\n"]+1) [:len $data]]}
    :while ([:len $data]!=0) do={
      :local line [:pick $data 0 [:find $data "\n"]]; # create only once and checked twice as local variable
      :if ($line~"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" && $line~heirule) do={
        :local addr [:pick $data 0 [:find $data $delimiter]]
        :do {add list=$listnameTemp address=$addr comment=$description timeout=$timeout} on-error={}; # on error avoids any panics
      }; # if IP address && extra filter if present
      :set data [:pick $data ([:find $data "\n"]+1) [:len $data]]; # removes the just added IP from the data array
      # Cut of the end of the chunks by removing the last lines...very dirty but it works
      :if (([:len $data] < 256) && (x < $partnumber)) do={:set data [:toarray ""]}
    }; # while
    #:set start ($start + $chunkSize)
    :set start (($start-512) + $chunkSize); # shifts the subquential starts back with 512
  }; #do for x
  /file remove "$listname.txt"
  :put "Deleted downloaded file: $listname.txt"
  :log warning "Deleted downloaded file: $listname.txt"
  # Swap out temp list and active list, shorten the time the list is empty
  :do {set list=$listnameTemp [find list=$listname !dynamic]}; # backup any fixed IP addresses to the temporary list
  :do {remove [find list=$listname]} on-error={}; # empty the complete list
  :do {set list=$listname [find list=$listnameTemp]} on-error={
    :put "Import failed: while swapping out the the old list with the temperorary list: $listname";
    :log error "Import failed: while swapping out the the old list with the temperorary list: $listname"
  }
  :set $staticCount ""
  :if ([:len [find list=$listname !dynamic]] > 0) do={:set $staticCount "of which $[:len [find list=$listname !dynamic]] are static addresses"}
  :if ([:len [find list=$listnameTemp]] < 1) do={
    :local listCount [:len [find list=$listname]]
    :put "Completed updating address-list $listname with $listCount addresses $staticCount"
    :log warning "Completed updating address-list $listname with $listCount addresses $staticCount"
  }
}; # do
$update url=https://iplists.firehol.org/files/firehol_level2.netset delimiter=("\n") listname=z-blocklist-FireHOL-L2 timeout=3d
$update url=https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv listname=z-blocklist-Sentinel delimiter=, timeout=8d heirule=http
$update url=https://www.spamhaus.org/drop/drop.txt delimiter=("\_") listname=z-blocklist-SpamHaus timeout=3d
$update url=https://www.spamhaus.org/drop/edrop.txt delimiter=("\_") listname=z-blocklist-SpamHaus-edrop timeout=3d
:log warning message="IP-Blocker script COMPLETED running"
}
Statistics: Posted by msatter — Tue Apr 02, 2024 12:13 am
/interface ethernet
set [ find default-name=sfp1 ] name=SFP
set [ find default-name=ether1 ] name=ether1-NetUno
set [ find default-name=ether2 ] name=ether2-CANTV
set [ find default-name=ether3 ] loop-protect=off
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/disk
set sd1 type=hardware
add parent=sd1 partition-number=1 partition-offset="4 194 304" \
    partition-size="3 960 995 840" type=partition
set usb1 type=hardware
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=23h59m59s name=\
    defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=NetUno
add fib name=useWAN2
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=SFP
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether2-CANTV list=WAN
add interface=wireguard1 list=LAN
add interface=ether1-NetUno list=WAN
/interface wireguard peers
add allowed-address=10.20.1.2/32 interface=wireguard1 public-key=\
    "VnTNWEPEIGe4ehffWqtG8GdIb+HKxcpSvACRekuVa1I="
add allowed-address=10.20.1.3/32 interface=wireguard1 public-key=\
    "D2bLdRCWi8QS/xznIUHNzufVZOpwX2pVdnf+0WcNr1k="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.20.1.1/24 interface=wireguard1 network=10.20.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add add-default-route=no interface=ether1-NetUno use-peer-dns=no \
    use-peer-ntp=no
add add-default-route=no interface=ether2-CANTV script=":if (\$bound=1) do={/i\
    p route set [find dst-address=0.0.0.0/0] gateway=\$\"gateway-address\" ad\
    d-distance=2}" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.10,1.1.1.1 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=cloud.mikrotik.com list=MyCloud
add address=cloud2.mikrotik.com list=MyCloud
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    10.20.1.0/24
add action=accept chain=input in-interface=ether1-NetUno src-address-list=\
    Access
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=MyCloud dst-port=15252 \
    new-routing-mark=useWAN2 passthrough=no protocol=udp
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    ether2-CANTV new-connection-mark=incomingWAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=incomingWAN2 \
    new-routing-mark=useWAN2 passthrough=no
add action=accept chain=prerouting in-interface=ether1-NetUno
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address=192.168.88.0/24
add action=accept chain=prerouting in-interface=ether1-NetUno
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 src-address=192.168.88.0/24
add action=mark-connection chain=prerouting dst-address-type=!local \
    new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 src-address=192.168.88.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=23000 in-interface=ether1-NetUno \
    protocol=tcp to-addresses=192.168.88.252 to-ports=80
add action=dst-nat chain=dstnat dst-port=24000 in-interface=ether1-NetUno \
    protocol=tcp to-addresses=192.168.88.247 to-ports=443
add action=dst-nat chain=dstnat dst-port=25000 in-interface=ether1-NetUno \
    protocol=udp to-addresses=192.168.88.247 to-ports=5060
add action=dst-nat chain=dstnat disabled=yes dst-port=10000-20000 \
    in-interface=ether1-NetUno protocol=udp to-addresses=192.168.88.247 \
    to-ports=10000-20000
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.0.1 \
    routing-table=main suppress-hw-offload=no
add distance=4 dst-address=0.0.0.0/0 gateway=ether2-CANTV routing-table=main
add dst-address=0.0.0.0/0 gateway=ether2-CANTV routing-table=useWAN2
Statistics: Posted by djferdinad — Tue Apr 02, 2024 12:11 am
Statistics: Posted by emunt6 — Tue Apr 02, 2024 12:04 am
Statistics: Posted by SerZVR — Mon Apr 01, 2024 11:48 pm
Searching before posting is a good habit
indefinitely even though I disconnected from the phone. Is there any way to limit this?
Statistics: Posted by Bolendox — Mon Apr 01, 2024 11:41 pm
Statistics: Posted by anav — Mon Apr 01, 2024 10:33 pm
:global MtmFacts;
Statistics: Posted by PackElend — Mon Apr 01, 2024 10:26 pm
Statistics: Posted by Amm0 — Mon Apr 01, 2024 10:25 pm
Statistics: Posted by almdandi — Mon Apr 01, 2024 10:24 pm
Statistics: Posted by und3rd06012 — Mon Apr 01, 2024 10:18 pm
With this solution, I have a result : "$ipaddress"
Inside the function, ipaddress is not known so you have to refer to it by :global ipaddress.
Code:
:global ipaddress [/queue simple get 1 target];
:global test [:global ipaddress; :find $ipaddress "/"];
Couple other things too:
- The first line uses "get 1", however that's not an *id so it depends on print being called to establish the index of 1. Using "get ([find]->0)" or "get [find name=queue1]" instead avoid needing.
- There can be multiple "target" from "/queue simple get", and :find does not work with arrays & so need to get the 1st element listed as "target" first
For example,
Code:
:global ipaddresses [/queue simple get [find name=queue1] target]
:global ipaddress [:pick $ipaddresses 0 ]
:global cidrmark [:find $ipaddress "/"]
:put "$[:pick $ipaddress 0 $cidrmark]"
Although these could be locals and combined:
Code:
{:local ipaddress ([/queue simple get [find name=queue1] target]->0); :put "$[:pick $ipaddress 0 [:find $ipaddress /]]"}
Statistics: Posted by xaviernuma — Mon Apr 01, 2024 9:53 pm
Statistics: Posted by Amm0 — Mon Apr 01, 2024 9:52 pm
Statistics: Posted by Amm0 — Mon Apr 01, 2024 9:49 pm
Statistics: Posted by ips — Mon Apr 01, 2024 9:32 pm
Statistics: Posted by hatred — Mon Apr 01, 2024 9:32 pm
Statistics: Posted by anav — Mon Apr 01, 2024 9:28 pm
Statistics: Posted by anav — Mon Apr 01, 2024 9:27 pm
Statistics: Posted by petardo — Mon Apr 01, 2024 9:17 pm
interface bridge
add admin-mac=DC:2C:6E:3B:C7:89 auto-mac=no comment=defconf name=bridge.LAN \
    priority=0x1000
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.0.100-10.0.0.199
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge.LAN lease-time=1w1d name=dhcp1
/queue type
set 0 kind=sfq
add kind=sfq name=qos
/queue tree
add bucket-size=0.01 max-limit=190M name=DOWN parent=bridge.LAN queue=default
add name="1. VOIP" packet-mark=VOIP parent=DOWN priority=1 queue=default
add name="2. DNS" packet-mark=DNS parent=DOWN priority=2 queue=default
add name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=default
add name="4. UDP" packet-mark=UDP parent=DOWN priority=3 queue=default
add name="5. ICMP" packet-mark=ICMP parent=DOWN priority=4 queue=default
add name="6. HTTP" packet-mark=HTTP parent=DOWN priority=5 queue=default
add name="7. HTTP_BIG" packet-mark=HTTP_BIG parent=DOWN priority=6 queue=\
    default
add name="8. QUIC" packet-mark=QUIC parent=DOWN priority=7 queue=default
add name="9. OTHER" packet-mark=OTHER parent=DOWN queue=default
add bucket-size=0.01 max-limit=20M name=UP parent=ether1 queue=default
add name="1. VOIP_" packet-mark=VOIP parent=UP priority=1 queue=default
add name="2. DNS_" packet-mark=DNS parent=UP priority=2 queue=default
add name="3. ACK_" packet-mark=ACK parent=UP priority=3 queue=default
add name="4. UDP_" packet-mark=UDP parent=UP priority=3 queue=default
add name="5. ICMP_" packet-mark=ICMP parent=UP priority=4 queue=default
add name="6. HTTP_" packet-mark=HTTP parent=UP priority=5 queue=default
add name="7. HTTP_BIG_" packet-mark=HTTP_BIG parent=UP priority=6 queue=\
    default
add name="8. QUIC_" packet-mark=QUIC parent=UP priority=7 queue=default
add name="9. OTHER_" packet-mark=OTHER parent=UP queue=default
/interface bridge port
add bridge=bridge.LAN comment=defconf interface=ether3
add bridge=bridge.LAN comment=defconf interface=ether4
add bridge=bridge.LAN comment=defconf interface=ether5
add bridge=bridge.LAN comment=defconf interface=ether6
add bridge=bridge.LAN comment=defconf interface=ether7
add bridge=bridge.LAN comment=defconf interface=ether8
add bridge=bridge.LAN comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge.LAN list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=172.16.10.2/32 interface=wireguard1 \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=172.16.10.3/32 interface=wireguard1 \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge.LAN network=10.0.0.0
add address=XXXXXXXXX interface=ether1 network=XXXXXXXXX
add address=172.16.10.1/24 interface=wireguard1 network=172.16.10.0
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=voips.modulus.gr list="Modulus SIP"
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port Scanners to list" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=accept chain=input comment="WG VPN Rule" dst-port=51820 protocol=\
    udp
add action=accept chain=input comment="VPN Allow Rules" dst-port=1701 \
    protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input src-address-list="port scanners"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=DNS connection-state=new \
    new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS new-packet-mark=\
    DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new \
    new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS new-packet-mark=\
    DNS passthrough=no
add action=mark-connection chain=prerouting comment="VOIP GW" \
    new-connection-mark=VOIP passthrough=yes src-address-list="Modulus SIP"
add action=mark-connection chain=prerouting comment=VOIP new-connection-mark=\
    VOIP passthrough=yes port=\
    6050,5090,5060-5062,50000-50019,50020-50039,50040-50059,9000-10999 \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP new-packet-mark=\
    VOIP passthrough=no
add action=mark-connection chain=prerouting comment=QUIC connection-state=new \
    new-connection-mark=QUIC passthrough=yes port=80,443 protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC new-packet-mark=\
    QUIC passthrough=no
add action=mark-connection chain=prerouting comment=UDP connection-state=new \
    new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP new-packet-mark=\
    UDP passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new \
    new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP new-packet-mark=\
    ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new \
    new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=ICMP \
    new-packet-mark=ICMP passthrough=no
add action=mark-packet chain=postrouting comment=ACK new-packet-mark=ACK \
    packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting new-packet-mark=ACK packet-size=0-123 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment=HTTP connection-mark=\
    no-mark connection-state=new new-connection-mark=HTTP passthrough=yes \
    port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 \
    connection-mark=HTTP connection-rate=2M-200M new-connection-mark=HTTP_BIG \
    passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG \
    new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP new-packet-mark=\
    HTTP passthrough=no
add action=mark-connection chain=prerouting comment=OTHER connection-state=\
    new new-connection-mark=POP3 passthrough=yes port=995,465,587 protocol=\
    tcp
add action=mark-packet chain=prerouting connection-mark=POP3 new-packet-mark=\
    OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
    new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER \
    new-packet-mark=OTHER passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log=yes \
    log-prefix="WAN DNS" protocol=udp
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXXXXXXXX routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" disabled=yes list=\
    bad_ipv6
add address=::1/128 comment="defconf: lo" disabled=yes list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" disabled=yes list=\
    bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" disabled=yes \
    list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" disabled=yes list=bad_ipv6
add address=100::/64 comment="defconf: discard only " disabled=yes list=\
    bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" disabled=yes list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" disabled=yes list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" disabled=yes list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMPv6" disabled=yes \
    protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    disabled=yes port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation."
disabled=yes dst-port=\ 546 protocol=udp src-address=fe80::/10add action=accept chain=input comment="defconf: accept IKE" disabled=yes \ dst-port=500,4500 protocol=udpadd action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes \ protocol=ipsec-ahadd action=accept chain=input comment="defconf: accept ipsec ESP" disabled=\ yes protocol=ipsec-espadd action=accept chain=input comment=\ "defconf: accept all that matches ipsec policy" disabled=yes \ ipsec-policy=in,ipsecadd action=drop chain=input comment=\ "defconf: drop everything else not coming from LAN" disabled=yes \ in-interface-list=!LANadd action=accept chain=forward comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked disabled=yesadd action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid disabled=yesadd action=drop chain=forward comment=\ "defconf: drop packets with bad src ipv6" disabled=yes src-address-list=\ bad_ipv6add action=drop chain=forward comment=\ "defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=\ bad_ipv6add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \ disabled=yes hop-limit=equal:1 protocol=icmpv6add action=accept chain=forward comment="defconf: accept ICMPv6" disabled=yes \ protocol=icmpv6add action=accept chain=forward comment="defconf: accept HIP" disabled=yes \ protocol=139add action=accept chain=forward comment="defconf: accept IKE" disabled=yes \ dst-port=500,4500 protocol=udpadd action=accept chain=forward comment="defconf: accept ipsec AH" disabled=\ yes protocol=ipsec-ahadd action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=\ yes protocol=ipsec-espadd action=accept chain=forward comment=\ "defconf: accept all that matches ipsec policy" disabled=yes \ ipsec-policy=in,ipsecadd action=drop chain=forward comment=\ "defconf: drop everything else not coming from LAN" disabled=yes \ in-interface-list=!LAN/snmpset 
enabled=yes/tool mac-serverset allowed-interface-list=LAN/tool mac-server mac-winboxset allowed-interface-list=LAN
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51820
Address = 172.16.10.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.0.0.0/24, 172.16.10.1/32, 0.0.0.0/0
Endpoint = xxxxxxxxx:51820
Statistics: Posted by haris013 — Mon Apr 01, 2024 8:33 pm
Statistics: Posted by mman1982 — Mon Apr 01, 2024 8:17 pm
Statistics: Posted by sirbryan — Mon Apr 01, 2024 8:16 pm
Statistics: Posted by GiovanniG — Mon Apr 01, 2024 8:08 pm
Statistics: Posted by r00t — Mon Apr 01, 2024 8:03 pm
Statistics: Posted by morphema — Mon Apr 01, 2024 7:58 pm
Statistics: Posted by Amm0 — Mon Apr 01, 2024 7:52 pm
Statistics: Posted by GiovanniG — Mon Apr 01, 2024 7:46 pm
Statistics: Posted by GiovanniG — Mon Apr 01, 2024 7:38 pm
Statistics: Posted by jaclaz — Mon Apr 01, 2024 7:38 pm
Statistics: Posted by Amm0 — Mon Apr 01, 2024 7:28 pm
Statistics: Posted by Amm0 — Mon Apr 01, 2024 7:22 pm
# Turris Import by Blacklister and edited by Optio
# 20210823 new version that directly downloads from the external server
# 20240331 rewritten to fetch the whole file and write it to a local file and then import it
# 20240401 avoiding perfect storm by reducing chunkSize when calculating the remainder
{
# import config - delay for slow routers
:delay 1m
:log warning "IP-Blocker script is running..."
/ip firewall address-list
:local update do={
  :put "Starting import of address-list: $listname"
  :log warning "Starting import of address-list: $listname"
  /tool fetch url=$url dst-path="/$listname.txt" as-value
  # delay to wait file flush after fetch
  :delay 1
  :local filesize [/file get "$listname.txt" size]
  :local start 0
  :local chunkSize 32767;# requested chunk size
  :local partnumber($filesize / $chunkSize); # how many chunks are chunkSize
  :local remainder($filesize % ($chunkSize-512)); # the last partial chunk, using the reduced chunkSize
  :if ($remainder > 0) do={ :set partnumber ($partnumber + 1) }; # total number of chunks
  :put "Deleting all Dynamic entries in address-list: $listname"
  :log warning "Deleting all Dynamic entries in address-list: $listname"
  :local listCount [:len [find list=$listname dynamic]]
  :put "Completed deleting $listname, added addresses count: $listCount"
  :log warning "Completed deleting $listname, deleted addresses count: $listCount"
  :if ($heirule != null) do={:put "Using as extra filtering: $heirule"}
  :if ($heirule = null) do={:set $heirule "."}
  # remove the current list completely
  :do {remove [find where list=$listname dynamic]} on-error={};
  :for x from=1 to=$partnumber step=1 do={
    :local data ([:file read offset=$start chunk-size=$chunkSize file="$listname.txt" as-value]->"data")
    # Only remove the first line if you are not at the start of the list
    :if ($start > 0) do={:set data [:pick $data ([:find $data "\n"]+1) [:len $data]]}
    :while ([:len $data]!=0) do={
      :local line [:pick $data 0 [:find $data "\n"]]; # create only once and checked twice as local variable
      :if ($line~"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" && $line~$heirule) do={
        :local addr [:pick $data 0 [:find $data $delimiter]]
        #:put "Adding address: $addr"
        :do {add list=$listname address=$addr comment=$description timeout=$timeout} on-error={}; # on error avoids any panics
      }; # if IP address && extra filter if present
      :set data [:pick $data ([:find $data "\n"]+1) [:len $data]]; # removes the just added IP from the data array
      # Cut off the end of the chunks by removing the last lines...very dirty but it works
      :if (([:len $data] < 256) && ($x < $partnumber)) do={:set data [:toarray ""]}
    }; # while
    #:set start ($start + $chunkSize)
    :set start (($start-512) + $chunkSize); # shifts the subsequent starts back by 512
  }; # do for x
  /file remove "$listname.txt"
  :put "Completed importing $listname."
  :local listCount [:len [find list=$listname dynamic]]
  :put "Completed importing $listname, added addresses count: $listCount"
  :log warning "Completed importing $listname, added addresses count: $listCount"
  :put "Completed delete of downloaded file $listname"
  :log warning "Completed delete of downloaded file $listname"
}; # do
$update url=https://iplists.firehol.org/files/firehol_level2.netset delimiter=("\n") listname=z-blocklist-FireHOL-L2 timeout=3d
$update url=https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv listname=z-blocklist-Sentinel delimiter=, timeout=3d heirule=http
$update url=https://www.spamhaus.org/drop/drop.txt delimiter=("\_") listname=z-blocklist-SpamHaus timeout=3d
$update url=https://www.spamhaus.org/drop/edrop.txt delimiter=("\_") listname=z-blocklist-SpamHaus-edrop timeout=3d
}
:log warning message="IP-Blocker script is COMPLETE"
Statistics: Posted by MTNick — Mon Apr 01, 2024 7:13 pm
Statistics: Posted by dalami — Mon Apr 01, 2024 7:05 pm
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=51820 protocol=udp
Statistics: Posted by erlinden — Mon Apr 01, 2024 6:57 pm
Statistics: Posted by msatter — Mon Apr 01, 2024 6:56 pm
Line 458: add action=dst-nat chain=dstnat comment="Wireguard hairpin nat" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address dst-address-list=WANs !dst-address-type !dst-limit dst-port=51820 !fragment !hotspot \
Line 460: !packet-size !per-connection-classifier !port !priority protocol=udp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.1 to-ports=51820 !ttl
Line 510: add action=dst-nat chain=dstnat comment=Wireguard !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=51820 !fragment !hotspot !icmp-options \
Line 512: !per-connection-classifier !port !priority protocol=udp !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=192.168.200.11 to-ports=51820 !ttl
Statistics: Posted by slaz — Mon Apr 01, 2024 6:47 pm
Line 458: add action=dst-nat chain=dstnat comment="Wireguard hairpin nat" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address dst-address-list=WANs !dst-address-type !dst-limit dst-port=51820 !fragment !hotspot \
Line 460: !packet-size !per-connection-classifier !port !priority protocol=udp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.1 to-ports=51820 !ttl
Line 510: add action=dst-nat chain=dstnat comment=Wireguard !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=51820 !fragment !hotspot !icmp-options \
Line 512: !per-connection-classifier !port !priority protocol=udp !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=192.168.200.11 to-ports=51820 !ttl
Statistics: Posted by erlinden — Mon Apr 01, 2024 6:44 pm
Statistics: Posted by GiovanniG — Mon Apr 01, 2024 6:42 pm
# 2024-04-01 15:31:22 by RouterOS 7.14.2
# software id = WCPF-BHYF
#
# model = RB5009UG+S+
# serial number = ECXXX
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=ch6 tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=ch1 tx-power=20
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=ch11 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2427 name=ch4 tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2417 name=ch2 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2422 name=ch3 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2432 name=ch5 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=ch6 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2442 name=ch7 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2447 name=ch8 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2452 name=ch9 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2457 name=ch10 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=ch12 tx-power=15
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=ch13 tx-power=15
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5180 name=ch38 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5220 name=ch46 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5260 name=ch54 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5300 name=ch62 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5500 name=ch102 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5540 name=ch110 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5580 name=ch118 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5620 name=ch126 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5660 name=ch134 tx-power=40
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ceee frequency=5180 name=ch42 tx-power=40
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ceee frequency=5260 name=ch58 tx-power=40
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ceee frequency=5500 name=ch106 tx-power=40
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ceee frequency=5580 name=ch122 tx-power=40
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ceee frequency=5660 name=ch138 tx-power=40
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ceee frequency=5745 name=ch155 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5700 name=ch142 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5745 name=ch151 tx-power=40
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce frequency=5785 name=ch159 tx-power=40
/interface bridge
add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes dhcp-snooping=no disabled=no fast-forward=yes forward-delay=15s igmp-snooping=no max-message-age=20s mtu=auto name=bridge-dmz port-cost-mode=short priority=0x8000 protocol-mode=rstp transmit-hold-count=6 \
    vlan-filtering=no
add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes dhcp-snooping=no disabled=no fast-forward=yes forward-delay=15s igmp-snooping=no max-message-age=20s mtu=auto name=bridge-guest port-cost-mode=short priority=0x8000 protocol-mode=rstp transmit-hold-count=6 \
    vlan-filtering=no
add ageing-time=5m arp=enabled arp-timeout=auto auto-mac=yes dhcp-snooping=no disabled=no fast-forward=yes forward-delay=15s igmp-snooping=no max-message-age=20s mtu=auto name=bridge-lan port-cost-mode=short priority=0x8000 protocol-mode=rstp transmit-hold-count=6 \
    vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full,2.5G-baseT arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1514 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:FF:D5:E9 mtu=1500 name=eth1-wan orig-mac-address=2C:C8:1B:FF:D5:E9 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether2 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1514 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:FF:D5:EA mtu=1500 name=eth2-lan orig-mac-address=2C:C8:1B:FF:D5:EA rx-flow-control=off tx-flow-control=off
set [ find default-name=ether3 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1514 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:FF:D5:EB mtu=1500 name=eth3-lan orig-mac-address=2C:C8:1B:FF:D5:EB rx-flow-control=off tx-flow-control=off
set [ find default-name=ether4 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1514 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:FF:D5:EC mtu=1500 name=eth4-lan orig-mac-address=2C:C8:1B:FF:D5:EC rx-flow-control=off tx-flow-control=off
set [ find default-name=ether5 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1514 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:FF:D5:ED mtu=1500 name=eth5-lan orig-mac-address=2C:C8:1B:FF:D5:ED rx-flow-control=off tx-flow-control=off
set [ find default-name=ether6 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1514 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:FF:D5:EE mtu=1500 name=eth6-lan orig-mac-address=2C:C8:1B:FF:D5:EE rx-flow-control=off tx-flow-control=off
set [ find default-name=ether7 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1514 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:FF:D5:EF mtu=1500 name=eth7-lan orig-mac-address=2C:C8:1B:FF:D5:EF rx-flow-control=off tx-flow-control=off
set [ find default-name=ether8 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1514 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:FF:D5:F0 mtu=1500 name=eth8-lan orig-mac-address=2C:C8:1B:FF:D5:F0 rx-flow-control=off tx-flow-control=off
set [ find default-name=sfp-sfpplus1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full,1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=\
    unlimited/unlimited disabled=no l2mtu=1514 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:FF:D5:F1 mtu=1500 name=sfp-sfpplus1 orig-mac-address=2C:C8:1B:FF:D5:F1 rx-flow-control=off sfp-rate-select=high \
    sfp-shutdown-temperature=95C tx-flow-control=off
/interface wireguard
add disabled=no listen-port=51821 mtu=1420 name=Wireguard_piVPN
add disabled=no listen-port=51820 mtu=1420 name=Wireguard_wg0
/queue interface
set Wireguard_piVPN queue=no-queue
set Wireguard_wg0 queue=no-queue
set bridge-dmz queue=no-queue
set bridge-guest queue=no-queue
set bridge-lan queue=no-queue
/interface vlan
add arp=enabled arp-timeout=auto disabled=no interface=eth2-lan loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=eth2-vlan-dmz use-service-tag=no vlan-id=20
add arp=enabled arp-timeout=auto disabled=no interface=eth2-lan loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=eth2-vlan-guest use-service-tag=no vlan-id=15
add arp=enabled arp-timeout=auto disabled=no interface=eth8-lan loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=eth8-vlan-dmz use-service-tag=no vlan-id=20
add arp=enabled arp-timeout=auto disabled=no interface=eth8-lan loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=eth8-vlan-guest use-service-tag=no vlan-id=15
/caps-man datapath
add bridge=bridge-guest local-forwarding=yes name=SSD_guest_path vlan-id=15 vlan-mode=use-tag
add bridge=bridge-lan client-to-client-forwarding=yes local-forwarding=yes name=SSD_path
add bridge=bridge-dmz local-forwarding=yes name=SSD_dmz_path vlan-id=20 vlan-mode=use-tag
/queue interface
set eth2-vlan-dmz queue=no-queue
set eth2-vlan-guest queue=no-queue
set eth8-vlan-dmz queue=no-queue
set eth8-vlan-guest queue=no-queue
/caps-man rates
add basic=6Mbps name=gn_only_no_b_rates supported=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=SSD_sec
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=SSD_guest_sec
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=SSD_dmz_sec
/caps-man configuration
add channel=ch6 country=romania datapath=SSD_path mode=ap name=SSD_2g4 rates=gn_only_no_b_rates security=SSD_sec ssid=SSD
add channel=ch62 country=romania datapath=SSD_path mode=ap name=SSD_5g_ch62 security=SSD_sec ssid=SSD
add country=romania datapath=SSD_guest_path mode=ap name=SSD_guest security=SSD_guest_sec ssid=SSD_guest
add channel=ch62 country=romania datapath=SSD_path mode=ap name=SSD_5g_ch52 security=SSD_sec ssid=SSD
add channel=ch110 country=romania datapath=SSD_path mode=ap name=SSD_5g_ch110 security=SSD_sec ssid=SSD
add channel=ch11 country=romania datapath=SSD_path mode=ap name=SSD_2g4_ch11 rates=gn_only_no_b_rates security=SSD_sec ssid=SSD
add channel=ch4 country=romania datapath=SSD_path mode=ap name=SSD_2g4_ch4 rates=gn_only_no_b_rates security=SSD_sec ssid=SSD
add channel=ch118 country=romania datapath=SSD_path mode=ap name=SSD_5g_ch118 security=SSD_sec ssid=SSD
add channel.band=5ghz-n/ac .control-channel-width=20mhz .extension-channel=XXXX country=romania datapath.client-to-client-forwarding=yes .local-forwarding=yes name=cfg-5ghz-ac security=SSD_sec ssid=""
add channel.band=5ghz-onlyn .control-channel-width=20mhz .extension-channel=XX country=romania datapath.client-to-client-forwarding=yes .local-forwarding=yes name=cfg-5ghz-an security=SSD_sec ssid=""
add channel=ch10 country=romania datapath=SSD_path mode=ap name=SSD_2g4_ch10 security=SSD_sec ssid=SSD
add country=romania datapath=SSD_dmz_path mode=ap name=SSD_dmz security=SSD_dmz_sec ssid=SSD_dmz
/interface ethernet switch
set 0 cpu-flow-control=yes mirror-egress-target=none name=switch1
/interface ethernet switch port
set 0 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no mirror-ingress-target=none
set 1 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no mirror-ingress-target=none
set 2 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no mirror-ingress-target=none
set 3 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no mirror-ingress-target=none
set 4 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no mirror-ingress-target=none
set 5 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no mirror-ingress-target=none
set 6 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no mirror-ingress-target=none
set 7 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no mirror-ingress-target=none
set 8 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no mirror-ingress-target=none
set 9 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no mirror-ingress-target=none
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
set 3 !forwarding-override
set 4 !forwarding-override
set 5 !forwarding-override
set 6 !forwarding-override
set 7 !forwarding-override
set 8 !forwarding-override
set 9 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
add exclude="" include="" name=WAN
add exclude="" include="" name=LAN
add exclude="" include="" name=MULLVAN-VPN
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none default-route-distance=2 ip-type=auto name=default use-network-apn=yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=0s management-protection=disabled mode=none mschapv2-username="" name=default radius-called-format=mac:ssid radius-eap-accounting=no \
    radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none static-sta-private-algo=none static-transmit-key=\
    key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates unicast-ciphers=aes-ccm
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=0.0.0.0:0 install-hotspot-queue=yes login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=default !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=dhcp ranges=192.168.200.150-192.168.200.200
add name=pool-guest ranges=50.0.0.2-50.0.0.100
add name=pool-vpn ranges=10.10.10.2-10.10.10.7
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool-dmz ranges=51.0.0.2-51.0.0.200
/ip dhcp-server
add address-pool=dhcp authoritative=yes disabled=no interface=bridge-lan lease-script="" lease-time=10m name=dhcp-lan use-radius=no
add address-pool=pool-guest authoritative=yes disabled=no interface=bridge-guest lease-script="" lease-time=10m name=dhcp-guest use-radius=no
add address-pool=pool-dmz authoritative=yes disabled=no interface=bridge-dmz lease-script="" lease-time=10m name=dhcp-dmz use-radius=no
/ip smb users
set [ find default=yes ] disabled=yes name=guest read-only=yes
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default use-ipv6=yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list local-address=192.168.89.1 name=default-encryption on-down="" \
    on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit remote-address=vpn !session-timeout use-compression=default use-encryption=yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 default-route-distance=1 dial-on-demand=no disabled=no interface=eth1-wan keepalive-timeout=10 max-mru=auto max-mtu=1500 mrru=disabled name=digi profile=default service-name="" use-peer-dns=no user=TMxxx
/queue interface
set digi queue=no-queue
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set eth1-wan queue=only-hardware-queue
set eth2-lan queue=only-hardware-queue
set eth3-lan queue=only-hardware-queue
set eth4-lan queue=only-hardware-queue
set eth5-lan queue=only-hardware-queue
set eth6-lan queue=only-hardware-queue
set eth7-lan queue=only-hardware-queue
set eth8-lan queue=only-hardware-queue
set sfp-sfpplus1 queue=only-hardware-queue
/queue simple
add bucket-size=0.1/0.1 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s disabled=no dst=digi limit-at=0/0 max-limit=50M/50M name=guest_traffic packet-marks="" parent=none priority=8/8 queue=default/default target=50.0.0.0/24,2a02:2f09:3418:f303::/64 !time total-queue=\
    default
add bucket-size=0.1/0.1 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s disabled=no dst=digi limit-at=0/0 max-limit=50M/50M name=dmz_traffic packet-marks="" parent=none priority=8/8 queue=default/default target=51.0.0.0/24,2a02:2f09:3418:f303::/64 !time total-queue=default
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=5000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=bsd-syslog target=remote
add email-start-tls=no email-to=samuellazea1990@gmail.com name=GMAIL target=email
add email-start-tls=no email-to=samuellazea@yahoo.com name=YAHOO target=email
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api skin=default
add name=prometheus policy=read,test,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!rest-api skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
# bad package path
set ca-certificate=none certificate=none enabled=yes package-path=/downloads/ require-peer-certificate=no upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=yes interface=all
add disabled=no forbid=no interface=bridge-lan
/caps-man provisioning
add action=create-dynamic-enabled comment=2g4_802.11g_capable_radios common-name-regexp="" disabled=no hw-supported-modes=g identity-regexp=CAPac_Etaj ip-address-ranges="" master-configuration=SSD_2g4_ch11 name-format=prefix-identity name-prefix=2g4_ch11 radio-mac=\
    00:00:00:00:00:00 slave-configurations=SSD_guest,SSD_dmz
add action=create-dynamic-enabled comment=2g4_802.11g_capable_radios common-name-regexp="" disabled=no hw-supported-modes=g identity-regexp=CAPac_Parter ip-address-ranges="" master-configuration=SSD_2g4_ch4 name-format=prefix-identity name-prefix=2g4_ch4 radio-mac=\
    00:00:00:00:00:00 slave-configurations=SSD_guest,SSD_dmz
add action=create-dynamic-enabled comment=5g_ch118_802.11ac_capable_radios common-name-regexp="" disabled=no hw-supported-modes=ac identity-regexp=CAPac_Etaj ip-address-ranges="" master-configuration=SSD_5g_ch118 name-format=prefix-identity name-prefix=5g_ch118 radio-mac=\
    00:00:00:00:00:00 slave-configurations=SSD_guest,SSD_dmz
add action=create-dynamic-enabled comment=5g_ch110_802.11ac_capable_radios common-name-regexp="" disabled=no hw-supported-modes=ac identity-regexp=CAPac_Parter ip-address-ranges="" master-configuration=SSD_5g_ch110 name-format=prefix-identity name-prefix=5g_ch110 radio-mac=\
    00:00:00:00:00:00 slave-configurations=SSD_dmz,SSD_guest
add action=create-dynamic-enabled common-name-regexp="" disabled=no hw-supported-modes=g identity-regexp=HAP ip-address-ranges="" master-configuration=SSD_2g4_ch4 name-format=prefix-identity name-prefix=2g4_ch4 radio-mac=00:00:00:00:00:00 
slave-configurations=SSD_guest,SSD_dmzadd action=create-dynamic-enabled comment=5g_ch60_802.11ac_capable_radios common-name-regexp="" disabled=yes hw-supported-modes="" identity-regexp=Mikrotik ip-address-ranges="" master-configuration=SSD_2g4_ch11 name-format=prefix-identity name-prefix=2g_ch11 radio-mac=\ 00:00:00:00:00:00 slave-configurations=""add action=create-dynamic-enabled comment=5g_ch116_802.11ac_capable_radios common-name-regexp="" disabled=yes hw-supported-modes=ac identity-regexp=CAPac_Parter ip-address-ranges="" master-configuration=SSD_5g_ch118 name-format=prefix-identity name-prefix=5g_ch116 radio-mac=\ 00:00:00:00:00:00 slave-configurations=""add action=create-dynamic-enabled common-name-regexp="" disabled=yes hw-supported-modes=gn identity-regexp="" ip-address-ranges="" master-configuration=SSD_5g_ch118 name-format=prefix-identity name-prefix=2ghz radio-mac=00:00:00:00:00:00 slave-configurations=""add action=create-dynamic-enabled common-name-regexp="" disabled=yes hw-supported-modes=ac identity-regexp="" ip-address-ranges="" master-configuration=cfg-5ghz-ac name-format=prefix-identity name-prefix=5ghz-ac radio-mac=00:00:00:00:00:00 slave-configurations=""add action=create-dynamic-enabled common-name-regexp="" disabled=yes hw-supported-modes=an identity-regexp="" ip-address-ranges="" master-configuration=cfg-5ghz-an name-format=prefix-identity name-prefix=5ghz-an radio-mac=00:00:00:00:00:00 slave-configurations=""add action=create-dynamic-enabled common-name-regexp="" disabled=yes hw-supported-modes="" identity-regexp=HAP ip-address-ranges="" master-configuration=SSD_2g4_ch11 name-format=cap name-prefix="" radio-mac=00:00:00:00:00:00 slave-configurations=""add action=create-dynamic-enabled comment=2g4_802.11g_capable_radios common-name-regexp="" disabled=yes hw-supported-modes=g identity-regexp=CAPac_Etaj ip-address-ranges="" master-configuration=SSD_2g4_ch4 name-format=prefix-identity name-prefix=2g4_ch11 radio-mac=\ 00:00:00:00:00:00 
slave-configurations=SSD_dmzadd action=create-dynamic-enabled comment=2g4_802.11g_capable_radios common-name-regexp="" disabled=yes hw-supported-modes=g identity-regexp=CAPac_Parter ip-address-ranges="" master-configuration=SSD_2g4_ch4 name-format=prefix-identity name-prefix=2g4_ch4 radio-mac=\ 00:00:00:00:00:00 slave-configurations=SSD_dmzadd action=create-dynamic-enabled common-name-regexp="" disabled=yes hw-supported-modes=g identity-regexp=HAP ip-address-ranges="" master-configuration=SSD_2g4_ch4 name-format=prefix-identity name-prefix=2g4_ch4 radio-mac=00:00:00:00:00:00 slave-configurations=SSD_dmz/certificate settingsset crl-download=no crl-store=ram crl-use=no/container configset layer-dir="" ram-high=0 registry-url="" tmpdir="" username=""/disk settingsset auto-smb-sharing=no auto-smb-user=guest/ip smbset comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all/interface bridge portadd auto-isolate=no bpdu-guard=no bridge=bridge-lan broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=eth2-lan internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 \ point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yesadd auto-isolate=no bpdu-guard=no bridge=bridge-lan broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=eth3-lan internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 \ point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yesadd auto-isolate=no bpdu-guard=no bridge=bridge-lan broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=eth4-lan internal-path-cost=10 learn=auto 
multicast-router=temporary-query path-cost=10 \ point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yesadd auto-isolate=no bpdu-guard=no bridge=bridge-lan broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=eth5-lan internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 \ point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yesadd auto-isolate=no bpdu-guard=no bridge=bridge-lan broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=eth6-lan internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 \ point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yesadd auto-isolate=no bpdu-guard=no bridge=bridge-lan broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=eth7-lan internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 \ point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yesadd auto-isolate=no bpdu-guard=no bridge=bridge-lan broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes ingress-filtering=yes interface=eth8-lan internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 \ point-to-point=auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yesadd auto-isolate=no bpdu-guard=no bridge=bridge-guest broadcast-flood=yes 
disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none ingress-filtering=yes interface=eth2-vlan-guest internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 \ point-to-point=auto priority=0x80 pvid=15 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yesadd auto-isolate=no bpdu-guard=no bridge=bridge-dmz broadcast-flood=yes disabled=no edge=auto fast-leave=no frame-types=admit-all horizon=none ingress-filtering=yes interface=eth2-vlan-dmz internal-path-cost=10 learn=auto multicast-router=temporary-query path-cost=10 \ point-to-point=auto priority=0x80 pvid=20 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes/interface bridge port-controller# disabledset bridge=none cascade-ports="" switch=none/interface bridge port-extender# disabledset control-ports="" excluded-ports="" switch=none/interface bridge settingsset allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no/ip firewall connection trackingset enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s tcp-syn-sent-timeout=\ 5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=10s/ip neighbor discovery-settingsset discover-interface-list=!dynamic lldp-med-net-policy-vlan=disabled mode=tx-and-rx protocol=cdp,lldp,mndp/ip settingsset accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes max-neighbor-entries=16384 rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no/ipv6 settingsset accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes disable-ipv6=no 
forward=yes max-neighbor-entries=16384/interface detect-internetset detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none/interface l2tp-server serverset accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address default-profile=default-encryption enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \ !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=yes/interface list memberadd disabled=no interface=eth1-wan list=LANadd disabled=no interface=digi list=WANadd disabled=no interface=eth1-wan list=WANadd disabled=no interface=bridge-lan list=LAN/interface lte settingsset firmware-path=firmware mode=auto/interface ovpn-server serverset auth=sha1,md5 certificate=*0 cipher=blowfish128,aes128-cbc default-profile=default enable-tun-ipv6=no enabled=no ipv6-prefix-len=64 keepalive-timeout=60 mac-address=FE:3A:DF:FE:EA:CE max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp push-routes="" redirect-gateway=\ disabled reneg-sec=3600 require-client-certificate=no tls-version=any tun-server-ipv6=::/interface pptp-server server# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol insteadset authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled/interface sstp-server serverset authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=aes256-sha,aes256-gcm-sha384 default-profile=default-encryption enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no/interface wifi capset enabled=no/interface wifi capsmanset enabled=no/interface wireguard peersadd allowed-address=192.168.201.3/32 client-endpoint="" comment="Sami's S22+" disabled=no 
endpoint-address="" endpoint-port=0 interface=Wireguard_wg0 preshared-key="" private-key="" public-key="gDSOxxx"add allowed-address=192.168.202.2/32,192.168.200.11/32,192.168.200.92/32,192.168.200.93/32,192.168.200.31/32,192.168.201.2/32,192.168.201.3/32,192.168.8.0/24,192.168.202.1/32 client-endpoint="" comment="piVPN " disabled=no endpoint-address="" endpoint-port=0 interface=\ Wireguard_piVPN preshared-key="" private-key="" public-key="jgL7xxx"add allowed-address=192.168.201.2/32 client-endpoint="" comment="HP Laptop" disabled=no endpoint-address="" endpoint-port=0 interface=Wireguard_wg0 preshared-key="" private-key="" public-key="/p3Ym6xxx"/interface wireless alignset active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 frames-per-second=25 receive-all=no ssid-all=no/interface wireless capset bridge=none caps-man-addresses="" caps-man-certificate-common-names="" caps-man-names="" certificate=none discovery-interfaces="" enabled=no interfaces="" lock-to-caps-man=no static-virtual=no/interface wireless snifferset channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0/interface wireless snooperset channel-time=200ms multiple-channels=yes receive-errors=no/ip addressadd address=192.168.200.1/24 disabled=no interface=bridge-lan network=192.168.200.0add address=50.0.0.1/24 disabled=no interface=bridge-guest network=50.0.0.0add address=192.168.201.1/24 disabled=no interface=Wireguard_wg0 network=192.168.201.0add address=51.0.0.1/24 disabled=no interface=bridge-dmz network=51.0.0.0add address=192.168.202.1/24 disabled=no interface=Wireguard_piVPN network=192.168.202.0/ip arpadd address=192.168.200.11 disabled=yes interface=bridge-lan mac-address=FF:FF:FF:FF:FF:FF published=noadd address=192.168.200.25 disabled=yes interface=bridge-lan mac-address=68:A4:0E:1C:AB:7D 
published=no/ip cloudset back-to-home-vpn=revoked-and-disabled ddns-enabled=yes ddns-update-interval=none update-time=yes/ip cloud advancedset use-local-address=no/ip dhcp-server configset accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m/ip dhcp-server leaseadd address=192.168.200.31 address-lists="" client-id=1:70:85:c2:a7:d5:73 comment=RTX dhcp-option="" disabled=no !insert-queue-before mac-address=70:85:C2:A7:D5:73 server=dhcp-lanadd address=192.168.200.2 address-lists="" comment=Switch dhcp-option="" disabled=no !insert-queue-before mac-address=0C:80:63:3A:14:01 server=dhcp-lan/ip dhcp-server networkadd address=50.0.0.0/24 caps-manager="" comment=dhcp-guest dhcp-option="" dns-server=50.0.0.1,8.8.8.8 gateway=50.0.0.1 !next-server ntp-server="" wins-server=""add address=51.0.0.0/24 caps-manager="" comment=dhcp-dmz dhcp-option="" dns-server=51.0.0.1,8.8.8.8 gateway=51.0.0.1 !next-server ntp-server="" wins-server=""add address=192.168.200.0/24 boot-file-name=netboot.xyz.kpxe caps-manager="" comment=dhcp-lan dhcp-option="" dns-server=192.168.200.1 gateway=192.168.200.1 next-server=192.168.200.11 ntp-server="" wins-server=""/ip dnsset address-list-extra-time=0s allow-remote-requests=yes cache-max-ttl=1w cache-size=6048KiB doh-max-concurrent-queries=50 doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=200 max-concurrent-tcp-sessions=40 max-udp-packet-size=4096 query-server-timeout=2s \ query-total-timeout=10s servers=8.8.8.8,8.8.4.4 use-doh-server="" verify-doh-cert=no/ip firewall address-listadd address=192.168.200.0/24 comment=Management disabled=no dynamic=no list=LANsadd address=something.no-ip.org disabled=no dynamic=no list=WANs/ip firewall filteradd action=accept chain=forward comment=Wireguard_DELL !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit 
!dst-port \ !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=Wireguard_piVPN !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface \ !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttladd action=accept chain=forward !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot \ !icmp-options !in-bridge-port !in-bridge-port-list in-interface=bridge-lan !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list out-interface=Wireguard_wg0 \ !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttladd action=accept chain=forward comment="Allow Wireguard" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \ !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface \ !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark 
src-address=192.168.201.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttladd action=accept chain=forward comment="Allow Wireguard" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp dst-address=192.168.201.0/24 !dst-address-list !dst-address-type \ !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface \ !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttladd action=accept chain=forward comment="Wireguard piVPN Production" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type \ !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface \ !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark src-address=192.168.202.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttladd action=accept chain=forward comment="Wireguard piVPN Production" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp dst-address=192.168.202.0/24 
!dst-address-list \ !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \ !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host \ !ttladd action=accept chain=forward comment="no fasttrack for dmz traffic upload" connection-state=established,related src-address=51.0.0.0/24add action=accept chain=forward comment="no fasttrack for guest traffic upload" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=established,related !connection-type !content disabled=no !dscp !dst-address \ !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \ !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark src-address=50.0.0.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \ !tcp-mss !time !tls-host !ttladd action=accept chain=forward comment="no fasttrack for dmz traffic download" connection-state=established,related dst-address=51.0.0.0/24add action=accept chain=forward comment="no fasttrack for guest traffic download" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=established,related !connection-type !content disabled=no !dscp dst-address=50.0.0.0/24 \ !dst-address-list !dst-address-type 
!dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \ !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \ !tls-host !ttladd action=fasttrack-connection chain=forward comment="defconf: fasttrack" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=established,related !connection-type !content disabled=no !dscp !dst-address !dst-address-list \ !dst-address-type !dst-limit !dst-port !fragment !hotspot hw-offload=yes !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \ !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \ !tls-host !ttladd action=accept chain=forward comment="defconf: accept in ipsec policy" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type \ !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority ipsec-policy=in,ipsec !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \ !out-interface !out-interface-list !packet-mark !packet-size 
!per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttladd action=accept chain=forward comment="defconf: accept out ipsec policy" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type \ !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority ipsec-policy=out,ipsec !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \ !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttladd action=accept chain=forward comment="defconf: accept established,related, untracked" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=established,related,untracked !connection-type !content disabled=no !dscp \ !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \ !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \ !tcp-mss !time !tls-host !ttladd action=reject chain=forward comment="drop dmz traffic" in-interface=bridge-dmz out-interface=bridge-lan 
reject-with=icmp-network-unreachableadd action=reject chain=forward comment="drop guest traffic" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \ !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=bridge-guest !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list out-interface=\ bridge-lan !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm reject-with=icmp-network-unreachable !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \ !tcp-mss !time !tls-host !ttladd action=drop chain=forward comment="defconf: drop invalid" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate connection-state=invalid !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type \ !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface \ !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttladd action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" !connection-bytes !connection-limit !connection-mark connection-nat-state=!dstnat !connection-rate connection-state=new !connection-type !content disabled=yes !dscp !dst-address !dst-address-list \ !dst-address-type !dst-limit 
!dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=log chain=forward !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=yes !dscp dst-address=192.168.200.11 !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="DS1816XS connection: " !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark src-address=!192.168.200.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=log chain=forward !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=80,443,5000,5001 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="DS Photo Connection" !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" disabled=no dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=no dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=no dst-port=1701 protocol=udp
add action=drop chain=input in-interface-list=!LAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connections for hairpin NAT" dst-address-list=WANs new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LANs
add action=mark-routing chain=prerouting comment=Mullvad !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" new-routing-mark=*4000 !nth !out-bridge-port !out-bridge-port-list \
    !out-interface !out-interface-list !packet-mark !packet-size passthrough=no !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark src-address=192.168.200.9 !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss \
    !time !tls-host !ttl
add action=log chain=prerouting comment="Logging for wireguard" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp dst-address=192.168.200.0/24 !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark src-address=192.168.202.20 !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
add action=log chain=forward comment="Logging for wireguard" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp dst-address=192.168.200.0/24 !dst-address-list !dst-address-type \
    !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface \
    !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark src-address=192.168.202.20 !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=log chain=postrouting comment="Logging for wireguard" !connection-bytes !connection-limit !connection-mark !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp dst-address=192.168.200.0/24 !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
    !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark src-address=192.168.202.20 !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !tls-host !ttl
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" !connection-bytes !connection-limit connection-mark="Hairpin NAT" !connection-rate !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host !to-addresses !to-ports !ttl
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN !to-addresses !to-ports
add action=dst-nat chain=dstnat comment="Wireguard hairpin nat" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address dst-address-list=WANs !dst-address-type !dst-limit dst-port=51820 !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=udp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.1 to-ports=51820 !ttl
add action=dst-nat chain=dstnat comment="Web NAS" disabled=yes dst-port=5001 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.200.9 to-ports=5001
add action=masquerade chain=srcnat comment="Camere Dahua internal" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp dst-address=192.168.200.4 !dst-address-list !dst-address-type !dst-limit dst-port=5013 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list out-interface=bridge-lan !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random !realm !routing-mark src-address=192.168.200.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host !to-addresses !to-ports !ttl
add action=dst-nat chain=dstnat comment="Camere Dahua internal" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address !dst-address-list dst-address-type=local !dst-limit dst-port=5013 !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.4 to-ports=5013 !ttl
add action=dst-nat chain=dstnat comment="Plex NAS" disabled=no dst-port=32400 !in-interface in-interface-list=WAN protocol=tcp to-addresses=192.168.200.11 to-ports=32400
add action=dst-nat chain=dstnat comment="SSH RPi" disabled=yes dst-port=63333 !in-interface in-interface-list=WAN protocol=tcp to-addresses=192.168.200.6 to-ports=63333
add action=masquerade chain=srcnat comment="SSH RPi internal" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp dst-address=192.168.200.6 !dst-address-list !dst-address-type !dst-limit dst-port=63333 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list out-interface=bridge-lan !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random !routing-mark src-address=192.168.200.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !to-addresses !to-ports !ttl
add action=dst-nat chain=dstnat comment="SSH RPi internal" disabled=yes dst-port=63333 in-interface=bridge-lan protocol=tcp to-addresses=192.168.200.6 to-ports=63333
add action=dst-nat chain=dstnat comment="FTP NAS" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=2123 !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=tcp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.11 to-ports=2123 !ttl
add action=dst-nat chain=dstnat comment="Paradox IP Module" dst-port=5005 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.3 to-ports=5005
add action=dst-nat chain=dstnat comment="Camere Dahua" dst-port=5013 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.4 to-ports=5013
add action=dst-nat chain=dstnat comment="Temp LetsEncrypt NAS" disabled=yes dst-port=80 !in-interface in-interface-list=WAN protocol=tcp to-addresses=192.168.200.11 to-ports=80
add action=dst-nat chain=dstnat comment="Certificate NAS " disabled=yes dst-port=80 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.200.9 to-ports=80
add action=dst-nat chain=dstnat comment=Grafana disabled=yes dst-port=3000 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.11 to-ports=3000
add action=dst-nat chain=dstnat comment="Web PDU" disabled=yes dst-port=9876 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.10 to-ports=9876
add action=dst-nat chain=dstnat comment="SSH NAS" disabled=yes dst-port=64444 !in-interface in-interface-list=WAN protocol=tcp to-addresses=192.168.200.11 to-ports=64444
add action=dst-nat chain=dstnat comment="SSH Mikrotik" disabled=yes dst-port=4040 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.1 to-ports=4040
add action=dst-nat chain=dstnat comment="SSH Switch" disabled=yes dst-port=62222 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.2 to-ports=22
add action=dst-nat chain=dstnat comment="Web Switch" disabled=yes dst-port=8090 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.2 to-ports=8090
add action=dst-nat chain=dstnat comment="Web Paradox" disabled=yes dst-port=5004 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.3 to-ports=80
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp !to-addresses to-ports=53
add action=redirect chain=dstnat comment="proxy dns" disabled=yes dst-port=53 protocol=tcp !to-addresses to-ports=53
add action=masquerade chain=srcnat comment="Paradox IP Module internal" dst-address=192.168.200.3 dst-port=5005 out-interface=bridge-lan protocol=tcp src-address=192.168.200.0/24 !to-addresses !to-ports
add action=dst-nat chain=dstnat comment="Paradox IP Module internal" dst-port=5005 in-interface=bridge-lan protocol=tcp to-addresses=192.168.200.3 to-ports=5005
add action=dst-nat chain=dstnat comment="Web NAS internal" disabled=yes dst-port=5001 in-interface=bridge-lan protocol=tcp to-addresses=192.168.200.9 to-ports=5001
add action=masquerade chain=srcnat comment="Web NAS internal" disabled=yes dst-address=192.168.200.9 dst-port=5001 out-interface=bridge-lan protocol=tcp src-address=192.168.200.0/24 !to-addresses !to-ports
add action=dst-nat chain=dstnat comment="Mikrotik Winbox" disabled=yes dst-port=8291 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.1 to-ports=8291
add action=dst-nat chain=dstnat comment=Plex disabled=no dst-port=32400 in-interface=bridge-lan !in-interface-list protocol=tcp to-addresses=192.168.200.11 to-ports=32400
add action=masquerade chain=srcnat comment="Plex Intern" dst-address=192.168.200.9 dst-port=32400 out-interface=bridge-lan protocol=tcp src-address=192.168.200.0/24 !to-addresses !to-ports
add action=netmap chain=dstnat comment="RTX WOL" disabled=yes dst-port=8099 protocol=udp to-addresses=192.168.200.11 !to-ports
add action=dst-nat chain=dstnat comment="RTX RDP" disabled=yes dst-port=9000 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.11 to-ports=3389
add action=dst-nat chain=dstnat comment=Rsync disabled=yes dst-port=2222 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.9 to-ports=2222
add action=masquerade chain=srcnat comment="masq. vpn traffic" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd !random !realm !routing-mark src-address=192.168.201.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host !to-addresses !to-ports !ttl
add action=dst-nat chain=dstnat comment=Bitwarden dst-port=44445 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.200.11 to-ports=44445
add action=masquerade chain=srcnat comment="Bitwarden internal" dst-address=192.168.200.11 dst-port=44445 out-interface=bridge-lan protocol=tcp src-address=192.168.200.0/24 !to-addresses !to-ports
add action=dst-nat chain=dstnat comment="Bitwarden internal" dst-port=44445 in-interface=bridge-lan protocol=tcp to-addresses=192.168.200.11 to-ports=44445
add action=dst-nat chain=dstnat comment=Octopi disabled=yes dst-port=6000 in-interface-list=WAN protocol=tcp to-addresses=192.168.200.26 to-ports=80
add action=dst-nat chain=dstnat comment="Octopi 2" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=6001 !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=tcp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.26 to-ports=8081 !ttl
add action=dst-nat chain=dstnat comment=Wireguard !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=51820 !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=udp !psd !random !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=192.168.200.11 to-ports=51820 !ttl
add action=dst-nat chain=dstnat comment="Test connection Filme Qbittorent" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=32700 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.11 to-ports=32700 !ttl
add action=dst-nat chain=dstnat comment="Test connection Filme Qbittorent UDP" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=32700 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority protocol=udp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.11 to-ports=32700 !ttl
add action=dst-nat chain=dstnat comment="Test connection DownloadStation UDP" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=16881 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority protocol=udp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.11 to-ports=16881 !ttl
add action=dst-nat chain=dstnat comment="Test connection DownloadStation" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=16881 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.11 to-ports=16881 !ttl
add action=dst-nat chain=dstnat comment="Test connection DownloadStation DS916" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=16882 !fragment \
    !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.9 to-ports=16882 !ttl
add action=dst-nat chain=dstnat comment="Test connection DownloadStation UDP DS916" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=16882 \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface in-interface-list=WAN !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority protocol=udp !psd !random !realm !routing-mark !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host to-addresses=192.168.200.9 to-ports=16882 !ttl
add action=masquerade chain=srcnat comment=Wireguard_DELL !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list out-interface=eth1-wan !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random !routing-mark src-address=192.168.202.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !to-addresses !to-ports !ttl
add action=masquerade chain=srcnat comment="Wireguard piVPN" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random !routing-mark src-address=192.168.202.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !to-addresses !to-ports !ttl
add action=masquerade chain=srcnat comment="masq. vpn traffic" !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type !content disabled=yes !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot \
    !icmp-options !in-bridge-port !in-bridge-port-list !in-interface !in-interface-list !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list !packet-mark \
    !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark src-address=192.168.89.0/24 !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !to-addresses !to-ports !ttl
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no max-cache-object-size=2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=:: \
    parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
/ip route
add disabled=yes distance=1 gateway=eth1-wan
add comment="Wireguard range" disabled=yes distance=1 dst-address=192.168.201.0/24 gateway=bridge-lan pref-src=192.168.200.1 routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.202.2 pref-src="" routing-table=main suppress-hw-offload=no
/ip service
set telnet address=192.168.200.0/24 disabled=yes port=23 vrf=main
set ftp address=192.168.200.0/24 disabled=yes port=21
set www address=192.168.200.0/24,192.168.201.3/32,192.168.201.2/32 disabled=no port=80 vrf=main
set ssh address=192.168.200.0/24,192.168.201.3/32 disabled=no port=4040 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any vrf=main
set api address=192.168.200.0/24 disabled=no port=8728 vrf=main
set winbox address=192.168.200.0/24,192.168.201.3/32,192.168.201.2/32 disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=yes port=8729 tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=yes invalid-users="" name=pub read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=512k enabled=yes inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes \
    nat-dst-address=yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
    tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip traffic-flow target
add disabled=no dst-address=192.168.200.11 port=2055 src-address=192.168.200.1 v9-template-refresh=20 v9-template-timeout=30m version=9
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 address
add address=::2ec8:1bff:feff:d5ea/64 advertise=yes disabled=no eui-64=yes from-pool=myipv6 interface=bridge-lan no-dad=no
add address=::2ec8:1bff:feff:d5ea/64 advertise=yes disabled=no eui-64=yes from-pool=myipv6 interface=bridge-guest no-dad=no
add address=::2ec8:1bff:feff:d5ea/64 advertise=yes disabled=no eui-64=yes from-pool=myipv6 interface=bridge-dmz no-dad=no
/ipv6 dhcp-client
add add-default-route=no dhcp-options="" dhcp-options="" disabled=no interface=digi pool-name=myipv6 pool-prefix-length=64 prefix-hint=::/0 request=prefix use-peer-dns=yes
/ipv6 firewall filter
add action=drop chain=input comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment=openvpn dst-port=443 in-interface=eth1-wan protocol=tcp
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface=!bridge-lan
add action=drop chain=forward disabled=yes in-interface=bridge-lan src-address=2a02:1810:480c:4600:70f4:5102:9fab:c901/128
add action=reject chain=forward comment="reject dmz to lan traffic" in-interface=bridge-dmz out-interface=bridge-lan reject-with=icmp-address-unreachable
add action=reject chain=forward comment="reject guest to lan traffic" in-interface=bridge-guest out-interface=bridge-lan reject-with=icmp-address-unreachable
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=yes disabled=no dns="" hop-limit=unspecified interface=all managed-address-configuration=no mtu=unspecified other-configuration=no pref64="" ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m ra-preference=medium \
    reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/ppp secret
add caller-id="" disabled=no ipv6-routes="" limit-bytes-in=0 limit-bytes-out=0 !local-address name=vpn profile=default !remote-address !remote-ipv6-prefix routes="" service=any
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact= enabled=yes engine-id-suffix="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Bucharest
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start="1970-01-01 00:00:00" time-zone=+00:00
/system identity
set name=Mikrotik_router
/system leds
set 0 disabled=no interface=sfp-sfpplus1 leds=sfp-sfpplus1-led type=interface-activity
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
add action=memory disabled=yes prefix="" topics=!ssh
add action=memory disabled=yes prefix="" topics=wireless
add action=memory disabled=yes prefix="" topics=dhcp
add action=memory disabled=yes prefix="" topics=debug
add action=memory disabled=yes prefix="" topics=dns
add action=memory disabled=no prefix="" topics=script
add action=memory disabled=yes prefix="" topics=dhcp
add action=memory disabled=yes prefix="" topics=ovpn
add action=memory disabled=yes prefix="" topics=!snmp
add action=GMAIL disabled=no prefix="" topics=critical,!ovpn
add action=GMAIL disabled=yes prefix="<addr 7" topics=pppoe
add action=YAHOO disabled=no prefix="" topics=critical,!ovpn
add action=memory disabled=no prefix="" topics=wireguard
add action=memory disabled=no prefix="" topics=firewall
add action=GMAIL disabled=no prefix="" topics=ssh
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=yes mode=unicast servers=ro.pool.ntp.org vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=main
/system ntp client servers
add address=ro.pool.ntp.org auth-key=none disabled=no iburst=yes max-poll=10 min-poll=6
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
set 10 cpu=auto
set 11 cpu=auto
set 12 cpu=auto
set 13 cpu=auto
set 14 cpu=auto
set 15 cpu=auto
set 16 cpu=auto
/system resource irq rps
set eth1-wan disabled=yes
set eth2-lan disabled=yes
set eth3-lan disabled=yes
set eth4-lan disabled=yes
set eth5-lan disabled=yes
set eth6-lan disabled=yes
set eth7-lan disabled=yes
set eth8-lan disabled=yes
set sfp-sfpplus1 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard settings
set auto-upgrade=no boot-device=nand-if-fail-then-ethernet boot-protocol=bootp force-backup-booter=no preboot-etherboot=disabled preboot-etherboot-server=any protected-routerboot=disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system scheduler
add comment=" Update No-IP DDNS" disabled=no interval=3m name=no-ip_ddns on-event=no-ip_ddns_update policy=read,write,test start-date=2019-06-01 start-time=02:31:50
add disabled=yes interval=2m name="ISP-check using script IPS-reconnect" on-event=" /system script run ISP-reconnect" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2019-08-08 start-time=05:34:11
add disabled=yes interval=0s name=static_dns_entries_script on-event="" policy=read,write,policy,test,password,sensitive,romon start-time=startup
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=no enabled=yes max-sessions=100
/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes
add allow-address=0.0.0.0/0 disabled=no interface=eth1-wan store-on-disk=yes
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
Statistics: Posted by slaz — Mon Apr 01, 2024 6:32 pm
Statistics: Posted by Amm0 — Mon Apr 01, 2024 6:25 pm
Greetings msatter. I have tried that delimiter, several of them, including not listing one. None of them work. Below are the spamhaus links:
$update url="https://" . "www.spamhaus.org/drop/drop.txt" delimiter=("\_") listname=z-blocklist-SpamHaus timeout=2d
$update url="https://" . "www.spamhaus.org/drop/edrop.txt" delimiter=("\_") listname=z-blocklist-SpamHaus-edrop timeout=2d
**** added " . " to the links for forum formatting purposes ****
#$update url=https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv listname=turris delimiter=, timeout=8d heirule=http
$update url=https://www.spamhaus.org/drop/drop.txt delimiter=("\_") listname=z-blocklist-SpamHaus timeout=2d
$update url=https://www.spamhaus.org/drop/edrop.txt delimiter=("\_") listname=z-blocklist-SpamHaus-edrop timeout=2d
Statistics: Posted by MTNick — Mon Apr 01, 2024 6:25 pm
/routing igmp-proxy interface
add interface=VLAN100 upstream=yes
add interface=VLAN200
/ip firewall filter add action=accept chain=forward in-interface=VLAN100 out-interface=VLAN200
Statistics: Posted by spectryx — Mon Apr 01, 2024 5:53 pm
Statistics: Posted by pe1chl — Mon Apr 01, 2024 5:44 pm
Statistics: Posted by jaclaz — Mon Apr 01, 2024 5:34 pm