Hi Mkx,
a little late, but I’ve been very busy lately.
You find the mikrotik configuration first and last the routing information of the fritz box.
Thank you for your help.
Yours
Stefan
Mikrotik:
[admin@MikroTik] > /export hide-sensitive
# may/17/2020 16:19:02 by RouterOS 6.46.6
# software id = VUHL-QDZS
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 968909BB55D7
/interface bridge
add admin-mac=B8:69:F4:BE:97:8A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX comment="WLAN 5 GHz" country=\
no_country_set disabled=no distance=indoors frequency=auto mac-address=B8:69:F4:BE:97:93 mode=ap-bridge \
radio-name=B869F4BE9793 secondary-channel=auto ssid=Nordlicht_5GHz wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX comment="WLAN 2.4 GHz" country=\
no_country_set disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Nordlicht \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether10 ] poe-out=off
/interface ovpn-server
add name=ovpn-in1 user=ABC.DEF.Handy
add name=ovpn-in2 user=ABC.DEF.Laptop
/interface pptp-client
add connect-to=ro1.pointtoserver.com dial-on-demand=yes disabled=no name=PureVPN-PPTP-BUK-RO user=\
purevpn0dABCDEFG
add connect-to=uk-ded-3.purevpn.net disabled=no name=PureVPN-PPTP-D-UK user=purevpn0dABCDEFG
add connect-to=jp-tk.pointtoserver.com dial-on-demand=yes disabled=no name=PureVPN-PPTP-J-TKY user=\
purevpn0dABCDEFG
add connect-to=ru1.pointtoserver.com dial-on-demand=yes disabled=no name=PureVPN-PPTP-MOS-RUS user=\
purevpn0dABCDEFG
add connect-to=de-ao1.pointtoserver.com dial-on-demand=yes disabled=no name=PureVPN-PPTP-NBG-D user=\
purevpn0dABCDEFG
add connect-to=usny1.pointtoserver.com dial-on-demand=yes disabled=no name=PureVPN-PPTP-NY-USA user=\
purevpn0dABCDEFG
/interface wireless manual-tx-power-table
set wlan1 comment="WLAN 5 GHz"
set wlan2 comment="WLAN 2.4 GHz"
/interface wireless nstreme
set wlan1 comment="WLAN 5 GHz"
set wlan2 comment="WLAN 2.4 GHz"
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=branch1-profile nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-256 name=branch0-profile nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-256 name=branch2-profile nat-traversal=no
/ip ipsec peer
add address=172.16.2.10/32 disabled=yes local-address=172.16.2.9 name=branch2peer profile=branch2-profile
add address=172.16.2.6/32 local-address=172.16.2.5 name=branch1peer profile=branch1-profile
add address=172.16.2.2/32 local-address=172.16.2.1 name=branch0peer profile=branch0-profile
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc
/ip pool
add name=dhcp ranges=172.20.1.100-172.20.1.127
add name=ovpn64 ranges=10.100.10.253-10.100.10.254
add name=ovpn63 next-pool=ovpn64 ranges=10.100.10.249-10.100.10.250
add name=ovpn62 next-pool=ovpn63 ranges=10.100.10.245-10.100.10.246
add name=ovpn61 next-pool=ovpn62 ranges=10.100.10.241-10.100.10.242
add name=ovpn60 next-pool=ovpn61 ranges=10.100.10.237-10.100.10.238
add name=ovpn59 next-pool=ovpn60 ranges=10.100.10.233-10.100.10.234
add name=ovpn58 next-pool=ovpn59 ranges=10.100.10.229-10.100.10.230
add name=ovpn57 next-pool=ovpn58 ranges=10.100.10.225-10.100.10.226
add name=ovpn56 next-pool=ovpn57 ranges=10.100.10.221-10.100.10.222
add name=ovpn55 next-pool=ovpn56 ranges=10.100.10.217-10.100.10.218
add name=ovpn54 next-pool=ovpn55 ranges=10.100.10.213-10.100.10.214
add name=ovpn53 next-pool=ovpn54 ranges=10.100.10.209-10.100.10.210
add name=ovpn52 next-pool=ovpn53 ranges=10.100.10.205-10.100.10.206
add name=ovpn51 next-pool=ovpn52 ranges=10.100.10.201-10.100.10.202
add name=ovpn50 next-pool=ovpn51 ranges=10.100.10.197-10.100.10.198
add name=ovpn49 next-pool=ovpn50 ranges=10.100.10.193-10.100.10.194
add name=ovpn48 next-pool=ovpn49 ranges=10.100.10.189-10.100.10.190
add name=ovpn47 next-pool=ovpn48 ranges=10.100.10.185-10.100.10.186
add name=ovpn46 next-pool=ovpn47 ranges=10.100.10.181-10.100.10.182
add name=ovpn45 next-pool=ovpn46 ranges=10.100.10.177-10.100.10.178
add name=ovpn44 next-pool=ovpn45 ranges=10.100.10.173-10.100.10.174
add name=ovpn43 next-pool=ovpn44 ranges=10.100.10.169-10.100.10.170
add name=ovpn42 next-pool=ovpn43 ranges=10.100.10.165-10.100.10.166
add name=ovpn41 next-pool=ovpn42 ranges=10.100.10.161-10.100.10.162
add name=ovpn40 next-pool=ovpn41 ranges=10.100.10.157-10.100.10.158
add name=ovpn39 next-pool=ovpn40 ranges=10.100.10.153-10.100.10.154
add name=ovpn38 next-pool=ovpn39 ranges=10.100.10.149-10.100.10.150
add name=ovpn37 next-pool=ovpn38 ranges=10.100.10.145-10.100.10.146
add name=ovpn36 next-pool=ovpn37 ranges=10.100.10.141-10.100.10.142
add name=ovpn35 next-pool=ovpn36 ranges=10.100.10.137-10.100.10.138
add name=ovpn34 next-pool=ovpn35 ranges=10.100.10.133-10.100.10.134
add name=ovpn33 next-pool=ovpn34 ranges=10.100.10.129-10.100.10.130
add name=ovpn32 next-pool=ovpn33 ranges=10.100.10.125-10.100.10.126
add name=ovpn31 next-pool=ovpn32 ranges=10.100.10.121-10.100.10.122
add name=ovpn30 next-pool=ovpn31 ranges=10.100.10.117-10.100.10.118
add name=ovpn29 next-pool=ovpn30 ranges=10.100.10.113-10.100.10.114
add name=ovpn28 next-pool=ovpn29 ranges=10.100.10.109-10.100.10.110
add name=ovpn27 next-pool=ovpn28 ranges=10.100.10.105-10.100.10.106
add name=ovpn26 next-pool=ovpn27 ranges=10.100.10.101-10.100.10.102
add name=ovpn25 next-pool=ovpn26 ranges=10.100.10.97-10.100.10.98
add name=ovpn24 next-pool=ovpn25 ranges=10.100.10.93-10.100.10.94
add name=ovpn23 next-pool=ovpn24 ranges=10.100.10.89-10.100.10.90
add name=ovpn22 next-pool=ovpn23 ranges=10.100.10.85-10.100.10.86
add name=ovpn21 next-pool=ovpn22 ranges=10.100.10.81-10.100.10.82
add name=ovpn20 next-pool=ovpn21 ranges=10.100.10.77-10.100.10.78
add name=ovpn19 next-pool=ovpn20 ranges=10.100.10.73-10.100.10.74
add name=ovpn18 next-pool=ovpn19 ranges=10.100.10.69-10.100.10.70
add name=ovpn17 next-pool=ovpn18 ranges=10.100.10.65-10.100.10.66
add name=ovpn16 next-pool=ovpn17 ranges=10.100.10.61-10.100.10.62
add name=ovpn15 next-pool=ovpn16 ranges=10.100.10.57-10.100.10.58
add name=ovpn14 next-pool=ovpn15 ranges=10.100.10.53-10.100.10.54
add name=ovpn13 next-pool=ovpn14 ranges=10.100.10.49-10.100.10.50
add name=ovpn12 next-pool=ovpn13 ranges=10.100.10.45-10.100.10.46
add name=ovpn11 next-pool=ovpn12 ranges=10.100.10.41-10.100.10.42
add name=ovpn10 next-pool=ovpn11 ranges=10.100.10.37-10.100.10.38
add name=ovpn9 next-pool=ovpn10 ranges=10.100.10.33-10.100.10.34
add name=ovpn8 next-pool=ovpn9 ranges=10.100.10.29-10.100.10.30
add name=ovpn7 next-pool=ovpn8 ranges=10.100.10.25-10.100.10.26
add name=ovpn6 next-pool=ovpn7 ranges=10.100.10.21-10.100.10.22
add name=ovpn5 next-pool=ovpn6 ranges=10.100.10.17-10.100.10.18
add name=ovpn4 next-pool=ovpn5 ranges=10.100.10.13-10.100.10.14
add name=ovpn3 next-pool=ovpn4 ranges=10.100.10.9-10.100.10.10
add name=ovpn2 next-pool=ovpn3 ranges=10.100.10.5-10.100.10.6
add name=ovpn1 next-pool=ovpn2 ranges=10.100.10.1-10.100.10.2
add name=Pool-VPN ranges=10.10.0.1-10.10.0.255
add name=BR-DHCP-Pool ranges=172.20.1.200-172.20.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=1.1.1.1 local-address=ovpn1 name=VPN-PROFILE remote-address=ovpn1 use-encryption=yes \
wins-server=8.8.8.8
add bridge=bridge name=BCP-Profil use-encryption=no
/interface sstp-client
add connect-to=ukl1.pointtoserver.com disabled=no name=sstp-out1 profile=default-encryption user=\
purevpn0dABCDEFG
/system logging action
add disk-file-name=dude-logs-main name=dudeLogsMain target=disk
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,ro\
mon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap1,mschap2 caller-id-type=number default-profile=BCP-Profil enabled=yes mrru=1600
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server@MikroTik cipher=aes128,aes192,aes256 default-profile=VPN-PROFILE enabled=yes \
port=443 require-client-certificate=yes
/ip address
add address=172.20.1.1/24 comment=defconf interface=ether2 network=172.20.1.0
add address=172.20.1.1/24 interface=bridge network=172.20.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=172.20.1.0/24 comment=defconf dns-server=212.82.226.212,204.152.184.76,194.150.168.168 gateway=\
172.20.1.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220,1.1.1.1,8.8.8.8
/ip dns static
add address=172.20.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input disabled=yes in-interface-list=LAN ipsec-policy=in,ipsec
add action=accept chain=input comment="Allow L2TP" dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow PPTP" disabled=yes dst-port=1723 in-interface-list=WAN protocol=\
tcp src-port=""
add action=accept chain=input disabled=yes in-interface-list=WAN protocol=gre
add action=accept chain=forward dst-address=172.20.1.52 dst-port=12001 log=yes log-prefix="IPTV FW" protocol=\
tcp
add action=accept chain=forward dst-address=172.20.1.52 dst-port=12002 log=yes log-prefix="IPTV FW" protocol=\
tcp
add action=accept chain=input comment="Allow OpenVPN" dst-port=443 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow access to Webfig and Winbox" disabled=yes dst-port=80,443,8080 \
ipsec-policy=in,ipsec protocol=tcp src-address=192.168.20.0/24
add action=accept chain=input disabled=yes dst-port=5060 protocol=udp src-address=192.168.20.0/24
add action=accept chain=input disabled=yes protocol=rdp src-address=192.168.20.0/24
add action=accept chain=input comment="Allow access to Webfig and Winbox" dst-port=80,443,8291 ipsec-policy=\
in,ipsec protocol=tcp src-address=172.20.2.0/24
add action=accept chain=input comment="Allow access to Webfig and Winbox" dst-port=80,443,8291 ipsec-policy=\
in,ipsec protocol=tcp src-address=172.20.3.0/24
add action=accept chain=input comment="Allow access to Webfig and Winbox" dst-port=80,443,8291 ipsec-policy=\
in,ipsec protocol=tcp src-address=172.20.4.0/24
add action=accept chain=input comment="SIP Reachability" dst-port=5060,7078-7085 protocol=udp src-address=\
192.168.20.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!VPN_NETWORK \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment=PureVPN-PPTP-D-UK new-routing-mark=PureVPN-PPTP-D-UK-Mask \
passthrough=yes src-address=172.20.1.25-172.20.1.49
add action=mark-routing chain=prerouting comment=PureVPN-SSTP-Test disabled=yes new-routing-mark=PureVPN-SSTP \
passthrough=yes src-address=172.20.1.50-172.20.1.54
add action=mark-routing chain=prerouting comment=PureVPN-PPTP-J-TKY new-routing-mark=PureVPN-PPTP-J-TKY-Mask \
passthrough=yes src-address=172.20.1.55-172.20.1.59
add action=mark-routing chain=prerouting comment=PureVPN-PPTP-BUK-RO new-routing-mark=\
PureVPN-PPTP-BUK-RO-Mask passthrough=yes src-address=172.20.1.60-172.20.1.64
add action=mark-routing chain=prerouting comment=PureVPN-PPTP-NBG-D new-routing-mark=PureVPN-PPTP-NBG-D-Mask \
passthrough=yes src-address=172.20.1.65-172.20.1.69
add action=mark-routing chain=prerouting comment=PureVPN-PPTP-MOS-RUS new-routing-mark=\
PureVPN-PPTP-MOS-RUS-Mask passthrough=yes src-address=172.20.1.70-172.20.1.74
add action=mark-routing chain=prerouting comment=PureVPN-PPTP-NY-USA new-routing-mark=\
PureVPN-PPTP-NY-USA-Mask passthrough=yes src-address=172.20.1.75-172.20.1.79
add action=mark-connection chain=prerouting new-connection-mark=VPN_NETWORK passthrough=yes
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=accept chain=srcnat comment="IPsec traffic NAT bypass" dst-address=172.20.3.0/24 src-address=\
172.20.1.0/24
add action=accept chain=srcnat dst-address=172.20.2.0/24 src-address=172.20.1.0/24
add action=masquerade chain=srcnat comment="Masquerade internal network" disabled=yes src-address=\
172.20.1.0/24
add action=accept chain=srcnat dst-address=172.20.3.0/24 src-address=172.20.1.0/24
add action=accept chain=srcnat dst-address=172.20.4.0/24 src-address=172.20.1.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.20.0/24 src-address=172.20.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=172.20.1.1 \
to-ports=443
add action=dst-nat chain=dstnat dst-port=12000 in-interface-list=WAN protocol=tcp to-addresses=172.20.1.20 \
to-ports=12000
add action=dst-nat chain=dstnat dst-port=12001-12005 in-interface-list=WAN log=yes log-prefix=IPTV protocol=\
tcp to-addresses=172.20.1.52 to-ports=12001-12005
add action=dst-nat chain=dstnat dst-port=21 in-interface-list=WAN protocol=tcp to-addresses=172.20.1.20 \
to-ports=21
add action=masquerade chain=srcnat disabled=yes dst-address=172.20.1.52 dst-port=8013 log=yes log-prefix=\
IPTVx out-interface-list=LAN protocol=tcp src-address=172.20.1.0/24
add action=masquerade chain=srcnat out-interface=PureVPN-PPTP-D-UK
add action=masquerade chain=srcnat out-interface=PureVPN-PPTP-J-TKY
add action=masquerade chain=srcnat out-interface=PureVPN-PPTP-BUK-RO
add action=masquerade chain=srcnat out-interface=PureVPN-PPTP-NBG-D
add action=masquerade chain=srcnat out-interface=PureVPN-PPTP-MOS-RUS
add action=masquerade chain=srcnat out-interface=PureVPN-PPTP-NY-USA
add action=masquerade chain=srcnat out-interface=sstp-out1
/ip ipsec identity
add peer=branch0peer
add peer=branch1peer
add peer=branch2peer
/ip ipsec policy
add dst-address=172.20.2.0/24 level=unique peer=branch0peer sa-dst-address=172.16.2.2 sa-src-address=\
172.16.2.1 src-address=172.20.1.0/24 tunnel=yes
add dst-address=172.20.3.0/24 level=unique peer=branch1peer sa-dst-address=172.16.2.6 sa-src-address=\
172.16.2.5 src-address=172.20.1.0/24 tunnel=yes
add dst-address=172.20.4.0/24 level=unique peer=branch2peer src-address=172.20.1.0/24 tunnel=yes
/ip route
add comment=PureVPN-Route-Check distance=1 gateway=PureVPN-PPTP-D-UK routing-mark=PureVPN-PPTP-D-UK-Mask
add distance=1 gateway=sstp-out1 routing-mark=PureVPN-SSTP
add comment=PureVPN-Route-Check distance=1 gateway=PureVPN-PPTP-J-TKY routing-mark=PureVPN-PPTP-J-TKY-Mask
add comment=PureVPN-Route-Check distance=1 gateway=PureVPN-PPTP-BUK-RO routing-mark=PureVPN-PPTP-BUK-RO-Mask
add comment=PureVPN-Route-Check distance=1 gateway=PureVPN-PPTP-NBG-D routing-mark=PureVPN-PPTP-NBG-D-Mask
add comment=PureVPN-Route-Check distance=1 gateway=PureVPN-PPTP-MOS-RUS routing-mark=\
PureVPN-PPTP-MOS-RUS-Mask
add comment=PureVPN-Route-Check distance=1 gateway=PureVPN-PPTP-NY-USA routing-mark=PureVPN-PPTP-NY-USA-Mask
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=ABC.DEF.Laptop profile=VPN-PROFILE service=ovpn
add name=ABC.DEF.Handy profile=VPN-PROFILE service=ovpn
add name=Birgit.Albers.Handy profile=VPN-PROFILE service=ovpn
add name=Birgit.Albers.Laptop profile=VPN-PROFILE service=ovpn
add local-address=172.16.2.1 name=branch0 profile=BCP-Profil remote-address=172.16.2.2 service=l2tp
add local-address=172.16.2.5 name=branch1 profile=BCP-Profil remote-address=172.16.2.6 service=l2tp
add local-address=172.16.2.9 name=branch2 profile=BCP-Profil remote-address=172.16.2.10 service=l2tp
add disabled=yes local-address=172.16.2.13 name=branch2a profile=BCP-Profil remote-address=172.16.2.14 \
service=l2tp
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 disabled=yes interface=ether1 upstream=yes
add disabled=yes interface=ether6
/system clock
set time-zone-name=Europe/Berlin
/system leds
add interface=wlan2 leds=\
wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=\
wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
add disabled=yes topics=dns
add disabled=yes topics=dns
add disabled=yes topics=ipsec
/system ntp client
set enabled=yes primary-ntp=66.228.42.59 secondary-ntp=131.188.3.220
/system ntp server
set enabled=yes
/system scheduler
add disabled=yes interval=5m name=check-ppp-client on-event=":log info message=\"*** start check any ppp clien\
t connection ***\";\r\
\n#:local pppTest value=[/ppp active find];\r\
\n:local pppTest value=[/ppp active find where service=pptp];\r\
\n:local pingNumber value=2;\r\
\n:local pingMin value=1;\r\
\n:foreach userTest in=\$pppTest do={\r\
\n :local pingOk value=[:ping [/ppp active get \$userTest value-name=address] count=\$pingNumber]\r\
\n :if ( \$pingOk < \$pingMin) do={\r\
\n :log warning message=([/ppp active get \$userTest value-name=service] . \" auto disconnected: \". \$pi\
ngOk . \" ping ok over \" . \$pingNumber . \" \" . [/ppp active get \$userTest value-name=name] . \" \" . \
[/ppp active get \$userTest value-name=address])\r\
\n /ppp active remove \$userTest\r\
\n }\r\
\n};\r\
\n:log info message=\"*** end check any ppp client connection ***\";\r\
\n" policy=ftp,read,write,test start-date=jan/01/2002 start-time=00:20:00
add disabled=yes interval=1m name=Check_PPTP_DET_UK on-event=":local tmp [/ip address get value-name=address \
[find interface=PureVPN-PPTP-D-UK]]\r\
\n\t:local ip [pick \$ip 0 ([:len \$ip]-3) ]\r\
\n#\t\t\t:log warning \"Monitoring...\";\r\
\n:if (ip != 45.74.40.119) do={ \r\
\n\t\t\t:log warning \"Monitoring UK PPTP...wrong ip\";\r\
\n#\t:log error \"wrong ip\"\r\
\n\t\t:log error \$ip\r\
\n\t\t\t/interface pptp-client disable PureVPN-PPTP-D-UK;\r\
\n\t\t\t\t:delay 50s;\r\
\n\t\t\t/interface pptp-client enable PureVPN-PPTP-D-UK;\r\
\n} else={\r\
\n#\t\t\t:log warning \"Monitoring UK PPTP...correct ip\";\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=may/11/2019 \
start-time=00:00:00
add disabled=yes interval=1m name=Check-Branch2 on-event=":if ([/ping 172.20.4.1 interface=bridge count=3] = 0\
) do={\r\
\n:log info \"No connection to branch2\"\r\
\n\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/05/2019 \
start-time=00:00:00
add disabled=yes interval=1m name="Check-L2T-Branch1 V1" on-event=":local HOST \"172.20.3.1\"\r\
\n:local PINGCOUNT \"5\"\r\
\n:local INT \"<l2tp-branch1>\"\r\
\n:local DELAY \"10s\"\r\
\n# :local sub1 ([/system identity get name])\r\
\n# :local sub2 ([/system clock get time])\r\
\n# :local sub3 ([/system clock get date])\r\
\n# :local ADMINMAIL1 \"YOUR_EMAIL@hotmail.com\"\r\
\n:if ([/ping \$HOST interval=1 interface=\$INT count=\$PINGCOUNT] = 0) do={\r\
\n:log error \"HOST \$HOST is not responding to ping request, reseting \$INT interface ...\"\r\
\n/interface disable \$INT\r\
\n:log error \"\$INT is now disabled, waiting \$DELAY ...\"\r\
\n:delay \$DELAY\r\
\n/interface enable \$INT\r\
\n:delay \$DELAY\r\
\n:log error \"\$INT is now enabled\"\r\
\n# :log warning \"Sending Email alert to \$ADMINMAIL1 for Link reset ...\"\r\
\n# /tool e-mail send to=\$ADMINMAIL1 subject=\"\$INT got reset @ \$sub3 \$sub2 \$sub1\" start-tls=yes\r\
\n} else {\r\
\n:log warning \"HOST \$HOST ping is ok, no need to take any action ...\";\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/08/2019 \
start-time=00:00:00
add disabled=yes interval=1m name=Check-Branch1 on-event=":if ([/ping 172.20.3.1 interface=bridge count=3] = 0\
) do={\r\
\n:log info \"No connection to branch1\"\r\
\n\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/05/2019 \
start-time=00:00:00
add disabled=yes interval=1m name=Check-Branch0 on-event=":if ([/ping 172.20.2.1 interface=bridge count=3] = 0\
) do={\r\
\n:log info \"No connection to branch0\"\r\
\n\r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/05/2019 \
start-time=00:00:00
add interval=5m name="IPSEC TESTING SCRIPT BRANCH 0" on-event=\
"/system script run \"IPSEC TESTING SCRIPT BRANCH 0\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/08/2019 start-time=\
00:00:00
add disabled=yes interval=5m name="IPSEC TESTING SCRIPT BRANCH 2" on-event=\
"/system script run \"IPSEC TESTING SCRIPT BRANCH 2\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/08/2019 start-time=\
00:00:00
add interval=5m name="IPSEC TESTING SCRIPT BRANCH 1" on-event=\
"/system script run \"IPSEC TESTING SCRIPT BRANCH 1\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/08/2019 start-time=\
00:00:00
add disabled=yes interval=5m name=Check_PureVPN on-event="/system script run \"CheckPureVPN_Interface\"\r\
\n/system script run \"Check_PPTP_DET_UK\"\r\
\n#/system script run \"CheckPureVPN_Routes\"" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/15/2019 start-time=\
00:00:00
/system script
add dont-require-permissions=no name=CheckInternetConnection owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local i 0;\r\
\n:local F 0;\r\
\n:local date;\r\
\n:local time;\r\
\n\r\
\n\r\
\n:local webpage1\t\"8.8.8.8\"\r\
\n:local webpage2\t\"www.google.com\"\r\
\n\r\
\n:global InternetStatus;\r\
\n:global InternetLastChange;\r\
\n\r\
\n:for i from=1 to=5 do={\r\
\n\tif ([/ping \$webpage1 count=1]=0) do={:set F (\$F + 1)}\r\
\n\tif ([/ping \$webpage2 count=1]=0) do={:set F (\$F + 1)}\r\
\n\t:delay 1;\r\
\n};\r\
\n\t\t\t\t\r\
\n:if ((\$F=10)) do={\r\
\n\t:if ((\$InternetStatus=\"UP\")) do={\r\
\n\t\t:log info \"WARNING : The INTERNET service's gone DOWN\";\r\
\n\t\t:set InternetStatus \"DOWN\";\r\
\n\r\
\n##\t\tdo something\r\
\n\r\
\n\t\t\t\t\r\
\n\t\t:set date [/system clock get date];\r\
\n\t\t:set time [/system clock get time];\r\
\n\t\t:set InternetLastChange (\$time . \" \" . \$date);\r\
\n\t\t\t\t\r\
\n\t} else={:set InternetStatus \"DOWN\";}\r\
\n} else={\r\
\n\t:if ((\$InternetStatus=\"DOWN\")) do={\t\r\
\n\t\t:log info \"WARNING : The INTERNET service's gone UP\"; \r\
\n\t\t:set InternetStatus \"UP\";\r\
\n\r\
\n##\t\tdo something\r\
\n\r\
\n\t\t:set date [/system clock get date];\r\
\n\t\t:set time [/system clock get time];\r\
\n\t\t:set InternetLastChange (\$time . \" \" . \$date);\r\
\n\t\t\t\t\r\
\n\t} else={:set InternetStatus \"UP\";}\r\
\n}"
add dont-require-permissions=no name=IPCheckVPN owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local tmp [/ip address get valu\
e-name=address [find interface=PureVPN-PPTP-D-UK]]\r\
\n\t:local ip [pick \$ip 0 ([:len \$ip]-3) ]\r\
\n\t\t\t:log warning \"Monitoring...\";\r\
\n:if (ip != 10.200.13.20) do={ \r\
\n\t:log error \"wrong ip\"\r\
\n\t\t:log error \$ip\r\
\n\t\t\t/interface pptp-client disable pptp-out;\r\
\n\t\t\t\t:delay 10s;\r\
\n\t\t\t/interface pptp-client enable pptp-out;\r\
\n}"
add dont-require-permissions=no name=ddns_update owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="##############Script Settings####\
##############\r\
\n:local DDNSUser test\r\
\n:local DDNSPass master\r\
\n:local DDNSDomain xyz.dyndns.org\r\
\n:local DDNSServer \"https://members.dyndns.org/v3/update\"\r\
\n:local WANInter \"pppoe-out1\"\r\
\n###############################################\r\
\n\r\
\n:local IpCurrent [/ip address get [find interface=\$WANInter] address];\r\
\n:for i from=( [:len \$IpCurrent] - 1) to=0 do={ \r\
\n :if ( [:pick \$IpCurrent \$i] = \"/\") do={ \r\
\n :local NewIP [:pick \$IpCurrent 0 \$i];\r\
\n :if ([:resolve \$DDNSDomain] != \$NewIP) do={\r\
\n /tool fetch mode=https user=\$DDNSUser password=\$DDNSPass url=\"\$DDNSServer\\3Fhostname=\$DDNSDo\
main&myip=\$NewIP\" keep-result=no\r\
\n :log info \"DDNS Update: \$DDNSDomain - \$NewIP\"\r\
\n :log info \"IPsec: Updating IPsec Policy.\"\r\
\n# /ip ipsec policy set [find comment=\"myIPsec\"] sa-src-address=\$NewIP\r\
\n :log info \"IPsec: IPsec Policy updated.\"\r\
\n }\r\
\n } \r\
\n}"
add dont-require-permissions=no name=PingCheck owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local PingResult\r\
\n\r\
\n:set PingResult [ping 172.20.3.1 count=5]\r\
\n:put \$PingResult\r\
\n:log info \$PingResult"
add dont-require-permissions=no name="Ping Test" owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local HOST \"8.8.8.8\"\r\
\n:local PINGCOUNT \"5\"\r\
\n:local INT \"bridge\"\r\
\n:local DELAY \"10s\"\r\
\n# :local sub1 ([/system identity get name])\r\
\n# :local sub2 ([/system clock get time])\r\
\n# :local sub3 ([/system clock get date])\r\
\n# :local ADMINMAIL1 \"YOUR_EMAIL@hotmail.com\"\r\
\n:if ([/ping \$HOST interval=1 count=\$PINGCOUNT] = 0) do={\r\
\n:log error \"HOST \$HOST is not responding to ping request, reseting \$INT interface ...\"\r\
\n/interface disable \$INT\r\
\n:log error \"\$INT is now disabled, waiting \$DELAY ...\"\r\
\n:delay \$DELAY\r\
\n/interface enable \$INT\r\
\n:delay \$DELAY\r\
\n:log error \"\$INT is now enabled\"\r\
\n# :log warning \"Sending Email alert to \$ADMINMAIL1 for Link reset ...\"\r\
\n# /tool e-mail send to=\$ADMINMAIL1 subject=\"\$INT got reset @ \$sub3 \$sub2 \$sub1\" start-tls=yes\r\
\n} else {\r\
\n:log warning \"HOST \$HOST ping is ok, no need to take any action ...\";\r\
\n}"
add dont-require-permissions=no name=ping-ipsec owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="{\r\
\n:if ([/ping 10.1.1.1 src-address=172.16.1.1 count=5] = 0) do={ \r\
\n:log warning \"VPN DOWN\";\r\
\n/ip ipsec peer disable 0;\r\
\n/ip ipsec remote-peers kill-connections;\r\
\n/ip ipsec installed-sa flush;\r\
\n:delay 200;\r\
\n/ip ipsec peer enable 0;\r\
\n/ip cloud force-update;\r\
\n:delay 15;\r\
\n/ping 10.1.1.1 src-address=172.16.1.1 count=5;\r\
\n} else={\r\
\n:log warning \"VPN UP\";\r\
\n/ip cloud force-update;\r\
\n}\r\
\n}\r\
\n"
add dont-require-permissions=no name=CheckIpSec owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local ipsecname \"branch2peer\";\
\r\
\n\r\
\n:local PeerNumber [/ip ipsec peer find name=\$ipsecname];\r\
\n:local PolicyNumber [/ip ipsec policy find peer=\$ipsecname];\r\
\n\r\
\n:log info (\"PeerNumber: \" . \$PeerNumber . \" PolicyNiumber: \" . \$PolicyNumber);\r\
\n#/ip ipsec peer disable \$PeerNumber;\r\
\n#:delay 10;\r\
\n#/ip ipsec peer enable \$PeerNumber;"
add dont-require-permissions=no name="IPSEC TESTING SCRIPT BRANCH 0" owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# IPSEC TESTING SCRIPT V.1.0\r\
\n# Author: Sergey Krivosheyev (frozer@mail.ru)\r\
\n\r\
\n:local PingCount 5;\r\
\n:local RemoteGatewayIp 172.20.2.1;\r\
\n:local Name \"branch0peer\";\r\
\n\r\
\n:global CheckRemoteGateway [/ping \$RemoteGatewayIp interface=bridge count=\$PingCount];\r\
\n\r\
\n:if (\$CheckRemoteGateway=0) do={\r\
\n\r\
\n:local PeerNumber [/ip ipsec peer find name=\$Name];\r\
\n:local LocalTunnelIP [/ip ipsec peer get [find name=\$Name] local-address];\r\
\n\r\
\n:local RemoteTunnelIP [/ip ipsec peer get [find name=\$Name] address];\r\
\n:set RemoteTunnelIP [:pick \$RemoteTunnelIP 0 [:find \$RemoteTunnelIP \"/\" -1]];\r\
\n\r\
\n:local LocalRouterIP [/ip address get [find interface=\"bridge\"] address ];\r\
\n:set LocalRouterIP [:pick \$LocalRouterIP 0 [:find \$LocalRouterIP \"/\" -1]];\r\
\n\r\
\n:log info (\"LocalRouterIP: \" . \$LocalRouterIP . \" Local IP: \" . \$LocalTunnelIP . \" Remote IP: \" \
. \$RemoteTunnelIP);\r\
\n\r\
\n:local CheckTunnel [/ping \$RemoteTunnelIP count=\$PingCount src-address \$LocalTunnelIP];\r\
\n\r\
\n:if (\$CheckTunnel>0) do={\r\
\n#:local CheckTunnel [/ping \$RemoteTunnelIP count=\$PingCount src-address=\$LocalRouterIP];\r\
\n:local CheckTunnel [/ping \$RemoteTunnelIP count=\$PingCount];\r\
\n:local CheckPeer [/ip ipsec active-peers find remote-address=\$RemoteTunnelIP local-address=\$LocalTunne\
lIP state=\"established\"];\r\
\n\r\
\n#:log info (\"CheckTunnel: \" . \$CheckTunnel);\r\
\n#:log info (\"CheckPeer: \" . \$CheckPeer);\r\
\n\r\
\n:if ((\$CheckTunnel=0) || (\$CheckPeer=\"\")) do={\r\
\n/ip ipsec peer disable \$PeerNumber;\r\
\n/ip ipsec active-peers kill-connections;\r\
\n:log info (\$Name . \" tunnel is down - Kill connections\");\r\
\n/ip ipsec installed-sa flush;\r\
\n:log info (\$Name . \" tunnel is down - flushing installed SAs\");\r\
\n/ip ipsec peer enable \$PeerNumber;\r\
\n}\r\
\n}\r\
\n}"
add dont-require-permissions=no name="IPSEC TESTING SCRIPT BRANCH 2" owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# IPSEC TESTING SCRIPT V.1.0\r\
\n# Author: Sergey Krivosheyev (frozer@mail.ru)\r\
\n\r\
\n:local PingCount 5;\r\
\n:local RemoteGatewayIp 172.20.4.1;\r\
\n:local Name \"branch2peer\";\r\
\n\r\
\n:local CheckRemoteGateway [/ping \$RemoteGatewayIp interface=bridge count=\$PingCount];\r\
\n\r\
\n:if (\$CheckRemoteGateway=0) do={\r\
\n\r\
\n:local PeerNumber [/ip ipsec peer find name=\$Name];\r\
\n:local LocalTunnelIP [/ip ipsec peer get [find name=\$Name] local-address];\r\
\n\r\
\n:local RemoteTunnelIP [/ip ipsec peer get [find name=\$Name] address];\r\
\n:set RemoteTunnelIP [:pick \$RemoteTunnelIP 0 [:find \$RemoteTunnelIP \"/\" -1]];\r\
\n\r\
\n:local LocalRouterIP [/ip address get [find interface=\"bridge\"] address ];\r\
\n:set LocalRouterIP [:pick \$LocalRouterIP 0 [:find \$LocalRouterIP \"/\" -1]];\r\
\n\r\
\n:log info (\"LocalRouterIP: \" . \$LocalRouterIP . \" Local IP: \" . \$LocalTunnelIP . \" Remote IP: \" \
. \$RemoteTunnelIP);\r\
\n\r\
\n:local CheckTunnel [/ping \$RemoteTunnelIP count=\$PingCount src-address \$LocalTunnelIP];\r\
\n\r\
\n:if (\$CheckTunnel>0) do={\r\
\n#:local CheckTunnel [/ping \$RemoteTunnelIP count=\$PingCount src-address=\$LocalRouterIP];\r\
\n:local CheckTunnel [/ping \$RemoteTunnelIP count=\$PingCount];\r\
\n:local CheckPeer [/ip ipsec active-peers find remote-address=\$RemoteTunnelIP local-address=\$LocalTunne\
lIP state=\"established\"];\r\
\n\r\
\n#:log info (\"CheckTunnel: \" . \$CheckTunnel);\r\
\n#:log info (\"CheckPeer: \" . \$CheckPeer);\r\
\n\r\
\n:if ((\$CheckTunnel=0) || (\$CheckPeer=\"\")) do={\r\
\n/ip ipsec peer disable \$PeerNumber;\r\
\n/ip ipsec active-peers kill-connections;\r\
\n:log info (\$Name . \" tunnel is down - Kill connections\");\r\
\n/ip ipsec installed-sa flush;\r\
\n:log info (\$Name . \" tunnel is down - flushing installed SAs\");\r\
\n/ip ipsec peer enable \$PeerNumber;\r\
\n}\r\
\n}\r\
\n}"
add dont-require-permissions=no name="IPSEC TESTING SCRIPT BRANCH 1" owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# IPSEC TESTING SCRIPT V.1.0\r\
\n# Author: Sergey Krivosheyev (frozer@mail.ru)\r\
\n\r\
\n:local PingCount 5;\r\
\n:local RemoteGatewayIp 172.20.3.1;\r\
\n:local Name \"branch1peer\";\r\
\n\r\
\n:local CheckRemoteGateway [/ping \$RemoteGatewayIp interface=bridge count=\$PingCount];\r\
\n\r\
\n:if (\$CheckRemoteGateway=0) do={\r\
\n\r\
\n:local PeerNumber [/ip ipsec peer find name=\$Name];\r\
\n:local LocalTunnelIP [/ip ipsec peer get [find name=\$Name] local-address];\r\
\n\r\
\n:local RemoteTunnelIP [/ip ipsec peer get [find name=\$Name] address];\r\
\n:set RemoteTunnelIP [:pick \$RemoteTunnelIP 0 [:find \$RemoteTunnelIP \"/\" -1]];\r\
\n\r\
\n:local LocalRouterIP [/ip address get [find interface=\"bridge\"] address ];\r\
\n:set LocalRouterIP [:pick \$LocalRouterIP 0 [:find \$LocalRouterIP \"/\" -1]];\r\
\n\r\
\n:log info (\"LocalRouterIP: \" . \$LocalRouterIP . \" Local IP: \" . \$LocalTunnelIP . \" Remote IP: \" \
. \$RemoteTunnelIP);\r\
\n\r\
\n:local CheckTunnel [/ping \$RemoteTunnelIP count=\$PingCount src-address \$LocalTunnelIP];\r\
\n\r\
\n:if (\$CheckTunnel>0) do={\r\
\n#:local CheckTunnel [/ping \$RemoteTunnelIP count=\$PingCount src-address=\$LocalRouterIP];\r\
\n:local CheckTunnel [/ping \$RemoteTunnelIP count=\$PingCount];\r\
\n:local CheckPeer [/ip ipsec active-peers find remote-address=\$RemoteTunnelIP local-address=\$LocalTunne\
lIP state=\"established\"];\r\
\n\r\
\n#:log info (\"CheckTunnel: \" . \$CheckTunnel);\r\
\n#:log info (\"CheckPeer: \" . \$CheckPeer);\r\
\n\r\
\n:if ((\$CheckTunnel=0) || (\$CheckPeer=\"\")) do={\r\
\n/ip ipsec peer disable \$PeerNumber;\r\
\n/ip ipsec active-peers kill-connections;\r\
\n:log info (\$Name . \" tunnel is down - Kill connections\");\r\
\n/ip ipsec installed-sa flush;\r\
\n:log info (\$Name . \" tunnel is down - flushing installed SAs\");\r\
\n/ip ipsec peer enable \$PeerNumber;\r\
\n}\r\
\n}\r\
\n}"
add dont-require-permissions=no name=Update owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="##\r\
\n## Automatically upgrade RouterOS and Firmware\r\
\n## https://github.com/massimo-filippi/mikrotik\r\
\n##\r\
\n## script by Maxim Krusina, maxim@mfcc.cz\r\
\n## based on: http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS\r\
\n## created: 2014-12-05\r\
\n## updated: 2019-01-26\r\
\n## tested on: RouterOS 6.43.8 / multiple HW devices\r\
\n##\r\
\n########## Set variables\r\
\n## Update channel can take values before 6.43.8: bugfix | current | development | release-candidate\r\
\n## Update channel can take values after 6.43.8: long-term | stable | development | testing\r\
\n:local updChannel \"stable\"\r\
\n## Notify via Slack\r\
\n:local notifyViaSlack false\r\
\n:global SlackChannel \"#log\"\r\
\n## Notify via E-mail\r\
\n:local notifyViaMail false\r\
\n:local email \"your@email.com\"\r\
\n########## Upgrade firmware\r\
\n## Let's check for updated firmware\r\
\n:local rebootRequired false\r\
\n/system routerboard\r\
\n\r\
\n:if ( [get current-firmware] != [get upgrade-firmware]) do={\r\
\n\r\
\n ## New version of firmware available, let's upgrade\r\
\n ## Notify via Log\r\
\n :log info (\"Upgrading firmware on router \$[/system identity get name] from \$[/system routerboard g\
et current-firmware] to \$[/system routerboard get upgrade-firmware]\")\r\
\n ## Notify via Slack\r\
\n :if (\$notifyViaSlack) do={\r\
\n :global SlackMessage \"Upgrading firmware on router *\$[/system identity get name]* from \$[/syst\
em routerboard get current-firmware] to *\$[/system routerboard get upgrade-firmware]*\";\r\
\n :global SlackMessageAttachements \"\";\r\
\n /system script run \"Message To Slack\";\r\
\n }\r\
\n ## Notify via E-mail\r\
\n :if (\$notifyViaMail) do={\r\
\n /tool e-mail send to=\"\$email\" subject=\"Upgrading firmware on router \$[/system identity get n\
ame]\" body=\"Upgrading firmware on router \$[/system identity get name] from \$[/system routerboard get c\
urrent-firmware] to \$[/system routerboard get upgrade-firmware]\"\r\
\n }\r\
\n ## Upgrade (it will no reboot, we'll do it later)\r\
\n upgrade\r\
\n :set rebootRequired true\r\
\n\r\
\n}\r\
\n\r\
\n\r\
\n########## Upgrade RouterOS\r\
\n\r\
\n## Check for update\r\
\n/system package update\r\
\nset channel=\$updChannel\r\
\ncheck-for-updates\r\
\n## Wait on slow connections\r\
\n:delay 15s;\r\
\n## Important note: \"installed-version\" was \"current-version\" on older Roter OSes\r\
\n:if ([get installed-version] != [get latest-version]) do={\r\
\n ## Notify via Log\r\
\n :log info (\"Upgrading RouterOS on router \$[/system identity get name] from \$[/system package updat\
e get installed-version] to \$[/system package update get latest-version] (channel:\$[/system package upda\
te get channel])\")\r\
\n ## Notify via Slack\r\
\n :if (\$notifyViaSlack) do={\r\
\n :global SlackMessage \"Upgrading RouterOS on router *\$[/system identity get name]* from \$[/syst\
em package update get installed-version] to *\$[/system package update get latest-version] (channel:\$[/sy\
stem package update get channel])*\";\r\
\n :global SlackMessageAttachements \"\";\r\
\n /system script run \"Message To Slack\";\r\
\n }\r\
\n\r\
\n ## Notify via E-mail\r\
\n :if (\$notifyViaMail) do={\r\
\n /tool e-mail send to=\"\$email\" subject=\"Upgrading RouterOS on router \$[/system identity get n\
ame]\" body=\"Upgrading RouterOS on router \$[/system identity get name] from \$[/system package update ge\
t installed-version] to \$[/system package update get latest-version] (channel:\$[/system package update g\
et channel])\"\r\
\n }\r\
\n ## Wait for mail to be sent & upgrade\r\
\n :delay 15s;\r\
\n install\r\
\n} else={\r\
\n :if (\$rebootRequired) do={\r\
\n # Firmware was upgraded, but not RouterOS, so we need to reboot to finish firmware upgrade\r\
\n ## Notify via Slack\r\
\n :if (\$notifyViaSlack) do={\r\
\n :global SlackMessage \"Rebooting...\";\r\
\n :global SlackMessageAttachements \"\";\r\
\n /system script run \"Message To Slack\";\r\
\n }\r\
\n /system reboot\r\
\n } else={\r\
\n # No firmware nor RouterOS upgrade available, nothing to do, just log info\r\
\n :log info (\"No firmware nor RouterOS upgrade found.\")\r\
\n ## Notify via Slack\r\
\n :if (\$notifyViaSlack) do={\r\
\n :global SlackMessage \"No firmware nor RouterOS upgrade found.\";\r\
\n :global SlackMessageAttachements \"\";\r\
\n /system script run \"Message To Slack\";\r\
\n }\r\
\n }\r\
\n}"
add dont-require-permissions=no name=CheckPureVPN_Interface owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\r\
\n#:global pptplist \"PPTP interfaces \\n \\n\" ;\r\
\n#:local maxreset 2;\r\
\n:global intctr;\r\
\n\r\
\n#https://wiki.mikrotik.com/wiki/Get_active_VPN_connections_via_e-mail\r\
\n\r\
\n#:set pptplist \"\$pptplist \\n \\n CLIENTS: \\n\" ;\r\
\n:foreach int in=[/interface pptp-client find] do={\r\
\n# :set pptplist \"\$pptplist PPTP: \$[/interface pptp-client get \$int name] : \$[/interface pptp-clie\
nt get \$int running] \\n\" ;\r\
\n\r\
\n# :if ( [/interface pptp-client get \$int running] = true ) do={\r\
\n# :log info \"PPTP: \$[/interface pptp-client get \$int name] : true\" ;\r\
\n# }\r\
\n\r\
\n :if ( [/interface pptp-client get \$int running] = false ) do={\r\
\n :log error \"PPTP: \$[/interface pptp-client get \$int name] : false\" ;\r\
\n /interface disable \$int;\r\
\n :delay 10;\r\
\n /interface enable \$int;\r\
\n :set intctr (\$intctr+1);\r\
\n }\r\
\n\r\
\n}\r\
\n\r\
\n#:local sysname [/system identity get name];\r\
\n#:if (\$intctr<\$maxreset) do={\r\
\n#:log warning \"Watchdog: \$intname will be reset. It has already been reset \$intctr times.\";\r\
\n#/interface disable \$intname;\r\
\n#:delay 30;\r\
\n#/interface enable \$intname;\r\
\n#:set intctr (\$intctr+1);\r\
\n#} else={\r\
\n#:log error \"\$intname has been reset \$intctr times and will now be disabled.\"\r\
\n#/interface disable \$intname;\r\
\n#:delay 2;\r\
\n#}\r\
\n\r\
\n}"
add dont-require-permissions=no name=CheckPureVPN_Routes owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\r\
\n:global routectr;\r\
\n#https://forum.mikrotik.com/viewtopic.php\?t=121776\r\
\n# :local intname \"PureVPN-PPTP-D-UK\";\r\
\n\r\
\n# :log info [/ip address get [/ip address find interface=\$intname] address];\r\
\n# :log info [/ip address get [/ip address find interface=\$intname] network];\r\
\n\r\
\n# :local comment_name \"PureVPN-Route-Check\";\r\
\n\r\
\n :foreach routeTest in=[ /ip route find comment~\"PureVPN-Route-Check\"] do={\r\
\n :put (\"has routing-mark \".[ /ip route get \$routeTest value-name=comment ]);\r\
\n /ip route enable \$routeTest;\r\
\n :set routectr (\$routectr+1);\r\
\n }\r\
\n}"
add dont-require-permissions=no name=Check_PPTP_DET_UK owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local tmp [/ip address get valu\
e-name=address [find interface=PureVPN-PPTP-D-UK]]\r\
\n\t:local ip [pick \$ip 0 ([:len \$ip]-3) ]\r\
\n#\t\t\t:log warning \"Monitoring...\";\r\
\n:if (ip != 12.34.56.78) do={ \r\
\n\t\t\t:log warning \"Monitoring UK PPTP...wrong ip\";\r\
\n#\t:log error \"wrong ip\"\r\
\n\t\t:log error \$ip\r\
\n\t\t\t/interface pptp-client disable PureVPN-PPTP-D-UK;\r\
\n\t\t\t\t:delay 50s;\r\
\n\t\t\t/interface pptp-client enable PureVPN-PPTP-D-UK;\r\
\n} else={\r\
\n#\t\t\t:log warning \"Monitoring UK PPTP...correct ip\";\r\
\n}"
add dont-require-permissions=no name=script1 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\r\
\n:global Name \"branch2peer\";\r\
\n\r\
\n:global PeerNumber [/ip ipsec peer find name=\$Name];\r\
\n#:global state [/ip ipsec policy get \$PeerNumber. ph2-state];\r\
\n\r\
\n:global RemoteTunnelIP [/ip ipsec peer get [find name=\$Name] address];\r\
\n:set RemoteTunnelIP [:pick \$RemoteTunnelIP 0 [:find \$RemoteTunnelIP \"/\" -1]];\r\
\n\r\
\n:global status [/ip ipsec active-peers get [ find dynamic-address=172.16.2.9 ] state]\r\
\n\r\
\n#:foreach i in=[/ip ipsec policy find where (ph2-state=\"established\")] do={\r\
\n#:log info (\"CheckTunnel: \" . \$i);\r\
\n#:set state [ /ip ipsec policy get \$i ph2-state];\r\
\n#}\r\
\n\r\
\n#:foreach peer in=[/ip ipsec policy find where (ph2-state=\"established\")] do={\r\
\n#:log info (\"FoundTunnel: \" . \$peer);\r\
\n#:if ([/ip ipsec peer get \$peer name]=(\$Name) do={\r\
\n#:log info (\"FoundTunnel: \" . \$peer);\r\
\n#}\r\
\n\r\
\n#/ipsec policy {\r\
\n# :foreach i in=[find name=\$Name] do={\r\
\n# :set state [ /ip ipsec policy get \$i ph2-state];\r\
\n# #enable \$i\r\
\n# }\r\
\n#}\r\
\n\r\
\n#}\r\
\n}"
add dont-require-permissions=no name=script2 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\r\
\n:foreach i in=[/ip ipsec policy find where (ph2-state=\"established\")] do={\r\
\n:log info (\$i . \" tunnel is down - disable Connection\");\r\
\n#/ip ipsec peer disable \$i;\r\
\n\r\
\n:log info (\$i . \" tunnel is down - Kill connections\");\r\
\n#/ip ipsec active-peers kill-connections;\r\
\n\r\
\n:log info (\$i . \" tunnel is down - flushing installed SAs\");\r\
\n#/ip ipsec installed-sa flush;\r\
\n\r\
\n:log info (\$i . \" tunnel is down - enable Connection\");\r\
\n#/ip ipsec peer enable \$i;\r\
\n}\r\
\n}"
add dont-require-permissions=no name=script3 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\r\
\n:foreach Peer in=[ / ip ipsec active-peers find ] do={\r\
\n:global PeerVal [ / ip ipsec active-peers get \$Peer ];\r\
\n\r\
\n:global state [/ip ipsec policy get \$Peer ph2-state];\r\
\n\r\
\n:log info (\$state \" tunnel is down - enable Connection\");\r\
\n\r\
\n}\r\
\n\r\
\n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool user-manager database
set db-path=user-manager
[admin@MikroTik] >
Fritzbox:
Static IPv4-Routing Table
Active Network Subnetmask Gateway
x 172.20.3.0 255.255.255.0 192.168.0.3
Static IPv4-Route
IPv4-Network 172.20.3.0
Subnet mask 255.255.255.0
Gateway 192.168.0.3
IPv4-Route active x (yes)