krissg
January 19, 2025, 12:17pm
1
Hi
I have a problem accessing a MikroTik SXT LTE over its management VLAN.
I have several vlans on bridge-LAN in main router RB5009
The management VLAN from the SXT is added to bridge-LAN, a DHCP server is set up, and an IP is bound to the SXT management interface, but I can't connect with WinBox.
sxt lte mgmt vlan ether 1 → rb5009 ether3 vlan 200 mgmt (added to bridge-LAN)
sxt lte passthrough ether 1 → rb5009 ether 3 WAN_LTE
# 2025-01-11 21:57:53 by RouterOS 7.16.2
# software id =
#
# model = RB5009UPr+S+
# serial number =
/interface bridge
# Single VLAN-aware bridge. frame-types=admit-only-vlan-tagged here applies to
# the bridge interface itself (the CPU-facing port), not to the member ports;
# the ports keep their own frame-types default (admit-all) because none is set
# in /interface bridge port below. No pvid is given, so the bridge keeps the
# RouterOS default PVID (presumably 1) - confirm against the live device.
add frame-types=admit-only-vlan-tagged name=bridge-LAN vlan-filtering=yes
/interface ethernet
# Ports are renamed by role; the names are referenced everywhere else in this
# export (bridge ports, interface lists, NAT out-interface, DHCP clients).
set [ find default-name=ether1 ] name=ether1-AP_PLAC
# ether2 carries an explicit MAC override - presumably MAC cloning toward the
# upstream ISP on WAN_SW; verify, since a changed MAC is easy to overlook.
set [ find default-name=ether2 ] mac-address=20:E5:2A:23:D2:A9 name=\
ether2-WAN_SW
set [ find default-name=ether3 ] name=ether3-WAN_LTE
set [ find default-name=ether4 ] name=ether4-LAN
# ether5-8 are LACP members; see /interface bonding.
set [ find default-name=ether5 ] name=ether5-LAG1
set [ find default-name=ether6 ] name=ether6-LAG1
set [ find default-name=ether7 ] name=ether7-LAG2
set [ find default-name=ether8 ] name=ether8-LAG2
/interface wireguard
# Back-To-Home WireGuard interface (managed by /ip cloud). No input-chain
# accept for udp/62827 appears in /ip firewall filter, so a direct handshake
# arriving on a WAN interface is dropped by the "Drop all not coming from LAN"
# rule; the cloud relay path (outbound, hence established) presumably still
# works - confirm which path BTH clients actually use.
add comment=back-to-home-vpn listen-port=62827 mtu=1420 name=back-to-home-vpn
/interface vlan
# Routed VLAN sub-interfaces on the bridge; each gets an address in /ip address
# and a DHCP server. For these to pass traffic the bridge itself must be a
# tagged member of the VLAN in /interface bridge vlan (it is for 10/20/30/40;
# see the note there for VLAN 100).
add interface=bridge-LAN name=VLAN_10_LAN vlan-id=10
add interface=bridge-LAN name=VLAN_20_KAM vlan-id=20
add interface=bridge-LAN name=VLAN_30_IOT vlan-id=30
add interface=bridge-LAN name=VLAN_40_TV vlan-id=40
add interface=bridge-LAN name=VLAN_100_MGMT vlan-id=100
# NOTE(review): the name says 100 but vlan-id=10, and the bridge port entry
# for this interface uses pvid=10 - so the SXT's tagged management traffic is
# placed in VLAN 10 (LAN), not the management VLAN. A VLAN sub-interface of
# ether3-WAN_LTE (a WAN-list member) is also bridged into the LAN here, which
# is the only path that makes the SXT reachable from the inside.
add interface=ether3-WAN_LTE name=VLAN_100_MGMT_LTE vlan-id=10
/interface bonding
# Two LACP (802.3ad) trunks toward the rack switches; both are bridge ports
# with pvid=100, so untagged frames from the switches land in the MGMT VLAN.
add mode=802.3ad name=LAG_1_SW_RACK slaves=ether5-LAG1,ether6-LAG1 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=LAG_2_SW_RACK_POE slaves=ether7-LAG2,ether8-LAG2 \
transmit-hash-policy=layer-2-and-3
/interface list
# These two lists are the trust boundary of the firewall: the input chain's
# "Drop all not coming from LAN" and the forward chain's "Drop all from WAN not
# DSTNATed" key off them, so membership (/interface list member) is
# security-critical. Note that the ZeroTier interfaces are in neither list.
add name=LAN
add name=WAN
/ip firewall layer7-protocol
# Payload matchers for the two-stage UDP port-knock sequence in the filter
# chain. The regexps (and the knock ports) were blanked for the forum post.
add name=knock1 regexp=
add name=knock2 regexp=
/ip pool
# One /24 pool per VLAN; .1 is the router (see /ip address).
add name=pool-VLAN_10_LAN ranges=192.168.10.2-192.168.10.254
add name=pool-VLAN_20_KAM ranges=192.168.20.2-192.168.20.254
add name=pool-VLAN_30_IOT ranges=192.168.30.2-192.168.30.254
add name=pool-VLAN_100_MGMT ranges=192.168.100.2-192.168.100.254
add name=pool-VLAN_40_TV ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
# One server per routed VLAN interface. add-arp=yes creates an ARP entry per
# lease; on its own it does not pin IP<->MAC - that needs arp=reply-only on the
# VLAN interface, which is not set in /interface vlan above (presumably
# unintended - confirm).
add add-arp=yes address-pool=pool-VLAN_10_LAN interface=VLAN_10_LAN name=\
DHCP_LAN_VLAN
add add-arp=yes address-pool=pool-VLAN_20_KAM interface=VLAN_20_KAM name=\
DHCP_KAM_VLAN
add add-arp=yes address-pool=pool-VLAN_30_IOT interface=VLAN_30_IOT name=\
DHCP_IOT_VLAN
add add-arp=yes address-pool=pool-VLAN_100_MGMT interface=VLAN_100_MGMT name=\
DHCP_MGMT_VLAN
add add-arp=yes address-pool=pool-VLAN_40_TV interface=VLAN_40_TV name=\
DHCP_TV_VLAN
/snmp community
# The default community is renamed ("Zabbix") but no addresses= restriction is
# shown, and /snmp uses trap-version=2, i.e. a cleartext v2c community. It is
# only as protected as the input chain: no accept for udp/161 from the Zabbix
# host (192.168.100.70) precedes the final input drop - see the note there.
set [ find default=yes ] name=Zabbix
/zerotier
# ZeroTier instance; networks are joined in /zerotier interface below.
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
name=zt1 port=9993
/zerotier interface
# Two ZeroTier networks (IDs blanked for the post). allow-managed=yes accepts
# addresses/routes pushed by the network controller. The filter chain accepts
# everything arriving on both interfaces (input and forward), so every member
# of these networks has full access to the router and all VLANs.
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
zt1 name=zt_giolbas network=
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
zt1 name=zt_klozaw network=
/interface bridge port
# pvid = VLAN assigned to untagged ingress frames. No frame-types or
# ingress-filtering is set on any port, so the trunks (LAGs) accept untagged
# frames and drop them into the MGMT VLAN (100); for a trunk that should carry
# only tagged traffic, frame-types=admit-only-vlan-tagged on the port closes
# that path.
add bridge=bridge-LAN interface=ether1-AP_PLAC pvid=100
add bridge=bridge-LAN interface=LAG_1_SW_RACK pvid=100
add bridge=bridge-LAN interface=LAG_2_SW_RACK_POE pvid=100
add bridge=bridge-LAN interface=ether4-LAN pvid=10
# SXT management path: the tagged sub-interface of the LTE WAN port is a
# bridge port with pvid=10, i.e. the SXT ends up in VLAN 10 (LAN), not in the
# management VLAN its name suggests.
add bridge=bridge-LAN interface=VLAN_100_MGMT_LTE pvid=10
/interface bridge settings
# Sends bridged VLAN traffic through /ip firewall as well. This costs CPU and
# only adds protection if the forward chain actually filters - it currently
# has no final drop, so bridged traffic is inspected but not restricted.
set use-ip-firewall-for-vlan=yes
/ipv6 settings
# IPv6 fully disabled; there are no /ipv6 firewall rules in this export, so
# leave this as is unless an IPv6 firewall is added first.
set disable-ipv6=yes
/interface bridge vlan
# VLANs 10/20/30/40 are tagged on both LAG trunks and on bridge-LAN (the CPU
# port), which is what lets the routed VLAN_xx interfaces above see them.
add bridge=bridge-LAN tagged=LAG_1_SW_RACK,LAG_2_SW_RACK_POE,bridge-LAN \
vlan-ids=10,20,30,40
# NOTE(review): VLAN 100 lists only ether1-AP_PLAC untagged; bridge-LAN is not
# a tagged member here and the bridge pvid is not 100, so VLAN_100_MGMT on the
# router would not be a member of VLAN 100 unless a dynamic entry not shown in
# the export covers it - check /interface bridge vlan print on the device.
add bridge=bridge-LAN untagged=ether1-AP_PLAC vlan-ids=100
/interface detect-internet
# Detect-internet is bound to the LAN/WAN lists so it does not move interfaces
# between lists on its own.
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
# LAN = bridge-LAN, the physical access ports, the LAGs and VLAN_10_LAN only.
# VLAN_20_KAM, VLAN_30_IOT, VLAN_40_TV and VLAN_100_MGMT are NOT LAN members,
# so routed traffic from those VLANs to the router hits "Drop all not coming
# from LAN" in the input chain. For IoT/TV that is probably intended; for the
# management VLAN it means router access from 192.168.100.0/24 depends on the
# WAN_Allow winbox rule and SNMP polls from the Zabbix host are dropped -
# confirm on the device.
add interface=bridge-LAN list=LAN
add interface=ether1-AP_PLAC list=LAN
add interface=ether4-LAN list=LAN
add interface=ether2-WAN_SW list=WAN
add interface=ether3-WAN_LTE list=WAN
add interface=LAG_1_SW_RACK list=LAN
add interface=LAG_2_SW_RACK_POE list=LAN
add interface=VLAN_10_LAN list=LAN
/ip address
# Router is .1 in every VLAN; these are the DHCP gateways in
# /ip dhcp-server network.
add address=192.168.10.1/24 interface=VLAN_10_LAN network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN_20_KAM network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN_30_IOT network=192.168.30.0
add address=192.168.100.1/24 interface=VLAN_100_MGMT network=192.168.100.0
add address=192.168.40.1/24 interface=VLAN_40_TV network=192.168.40.0
/ip cloud
# Cloud DDNS publishes the router's public address under its MikroTik cloud
# name; Back-To-Home VPN is enabled (users below, WireGuard interface above).
set back-to-home-vpn=enabled ddns-enabled=yes
/ip cloud advanced
# Register the locally configured WAN address instead of the one seen by the
# cloud service.
set use-local-address=yes
/ip cloud back-to-home-users
# BTH peers with allow-lan=yes, i.e. full LAN reachability once connected
# (the forward chain has no per-VLAN restrictions). Key material was blanked
# for the post; the private keys live on the router, so treat a config export
# as a secret.
add allow-lan=yes comment=bth-Kris name=Kris private-key=\
"" public-key=\
""
add allow-lan=yes comment=bth-Basia name=Basia private-key=\
"" public-key=\
""
/ip dhcp-client
# Both WANs get their address by DHCP; peer DNS/NTP are ignored (DNS is pinned
# to 8.8.8.8 in /ip dns). The LTE client installs its default route at
# distance 10, below the recursive dual-WAN routes in /ip route.
add comment="WAN_SW dhcp client" interface=ether2-WAN_SW use-peer-dns=no \
use-peer-ntp=no
add comment="WAN_LTE dhcp client" default-route-distance=10 interface=\
ether3-WAN_LTE use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
# Static reservations (MAC -> fixed address, per DHCP server). A reservation is
# an inventory, not an access control: any client presenting the MAC receives
# the address, and nothing here stops a non-reserved MAC from taking a pool
# address. Segmentation between the VLANs has to come from the forward chain.
# The comments double as a device inventory for the IoT (30.x), TV (40.x),
# LAN (10.x) and management (100.x: hypervisor, iDRAC, switches, controllers,
# Zabbix, NAS) VLANs.
add address=192.168.40.40 comment=Samsung_TV_40cali mac-address=\
50:85:69:04:1B:C4 server=DHCP_TV_VLAN
add address=192.168.10.60 comment=HP_P1102W mac-address=C4:8E:8F:87:09:34 \
server=DHCP_LAN_VLAN
add address=192.168.10.31 comment=S21_FE_Basia mac-address=F4:02:28:C7:50:3A \
server=DHCP_LAN_VLAN
add address=192.168.40.50 comment=Samsung_TV_50cali mac-address=\
E4:7D:BD:E7:84:39 server=DHCP_TV_VLAN
add address=192.168.10.4 comment=Laptok mac-address=34:13:E8:A4:6F:DC server=\
DHCP_LAN_VLAN
add address=192.168.40.60 comment="Philips TV 70cali" mac-address=\
70:AF:24:C6:56:D0 server=DHCP_TV_VLAN
add address=192.168.10.30 comment="S24 Kris" mac-address=BC:93:07:4C:10:54 \
server=DHCP_LAN_VLAN
add address=192.168.10.5 comment="Laptok Thinkpad" mac-address=\
F4:A4:75:9F:8E:2C server=DHCP_LAN_VLAN
add address=192.168.100.50 comment=QNAP mac-address=6A:0E:3D:04:C8:AC server=\
DHCP_MGMT_VLAN
add address=192.168.30.100 comment="Roleta Gospodarczy Ogr\F3d_AC" \
mac-address=80:64:6F:B1:16:6F server=DHCP_IOT_VLAN
add address=192.168.30.102 comment=Roleta_Kuchnia_AC mac-address=\
4C:75:25:19:60:71 server=DHCP_IOT_VLAN
add address=192.168.30.99 comment=MEW-01_Rozdzielnia mac-address=\
CC:50:E3:0D:80:70 server=DHCP_IOT_VLAN
# The SXT is reserved in the MGMT server at 192.168.100.75, while the
# "Winbox LTE" dst-nat rule forwards to 192.168.10.200 - one of the two looks
# stale; verify which address the SXT actually holds.
add address=192.168.100.75 comment="Mikrotik LTE" mac-address=\
C4:AD:34:7C:80:FE server=DHCP_MGMT_VLAN
add address=192.168.30.68 comment=Swiatlo_Waszkuchnia mac-address=\
98:F4:AB:DD:03:E6 server=DHCP_IOT_VLAN
add address=192.168.30.54 comment=Socket_Rolety mac-address=BC:DD:C2:10:58:FC \
server=DHCP_IOT_VLAN
add address=192.168.30.104 comment=Roleta_Salon_AC mac-address=\
F4:CF:A2:FF:EE:73 server=DHCP_IOT_VLAN
add address=192.168.30.55 comment=Czujka_Dymu mac-address=EC:FA:BC:28:54:5E \
server=DHCP_IOT_VLAN
add address=192.168.30.17 comment="Wether Station" mac-address=\
CC:50:E3:59:65:FF server=DHCP_IOT_VLAN
add address=192.168.30.18 comment="Odkurzacz Xiaomi" mac-address=\
B0:4A:39:95:D0:67 server=DHCP_IOT_VLAN
add address=192.168.30.19 comment="Oczyszczacz Xiaomi" mac-address=\
04:CF:8C:94:E4:12 server=DHCP_IOT_VLAN
add address=192.168.30.53 comment=Swiatlo_Gospodarczy mac-address=\
AC:0B:FB:D8:DE:4B server=DHCP_IOT_VLAN
add address=192.168.30.52 comment=Swiatlo_Taras mac-address=50:02:91:D1:89:76 \
server=DHCP_IOT_VLAN
add address=192.168.30.56 comment=Sonoff_POW_Piwica mac-address=\
CC:50:E3:54:1D:92 server=DHCP_IOT_VLAN
add address=192.168.30.58 comment=Socket_Szafa_Rack mac-address=\
2C:3A:E8:17:75:50 server=DHCP_IOT_VLAN
add address=192.168.30.59 comment=Touch_Pokoj_Goscinny mac-address=\
60:01:94:A1:5A:89 server=DHCP_IOT_VLAN
add address=192.168.30.60 comment=Touch_Sypialnia mac-address=\
DC:4F:22:86:E8:97 server=DHCP_IOT_VLAN
add address=192.168.30.61 comment=Sonoff_POW_Sypialnia mac-address=\
C0:49:EF:F3:05:30 server=DHCP_IOT_VLAN
add address=192.168.30.62 comment=Touch_Sien_Gora mac-address=\
60:01:94:98:AF:B1 server=DHCP_IOT_VLAN
add address=192.168.30.63 comment=Touch_Maly_Pokoj mac-address=\
84:0D:8E:77:36:E4 server=DHCP_IOT_VLAN
add address=192.168.30.64 comment=Yunschan_Altana mac-address=\
5C:CF:7F:C3:E9:16 server=DHCP_IOT_VLAN
add address=192.168.30.106 comment=Roleta_Pokoj_Kariny_AC mac-address=\
C8:C9:A3:9F:88:E2 server=DHCP_IOT_VLAN
add address=192.168.30.107 comment=Roleta_Lazienka_AC mac-address=\
80:64:6F:B1:12:50 server=DHCP_IOT_VLAN
add address=192.168.30.108 comment=Roleta_Sien_AC mac-address=\
F4:CF:A2:FF:EE:6C server=DHCP_IOT_VLAN
add address=192.168.30.66 comment=Touch_Sien_Dol mac-address=\
DC:4F:22:82:F2:D3 server=DHCP_IOT_VLAN
add address=192.168.30.109 comment=Roleta_Maly_Pokoj_AC mac-address=\
4C:75:25:19:29:67 server=DHCP_IOT_VLAN
add address=192.168.30.111 comment=Roleta_Pokoj_Goscinny mac-address=\
AC:0B:FB:D8:BE:B1 server=DHCP_IOT_VLAN
add address=192.168.30.69 comment="Swiatlo Plac" mac-address=\
8C:AA:B5:1B:42:49 server=DHCP_IOT_VLAN
add address=192.168.30.114 comment="Roleta_Kom\F3rka_AC" mac-address=\
AC:0B:FB:D8:C8:93 server=DHCP_IOT_VLAN
add address=192.168.30.112 comment=Roleta_Sypialnia_AC mac-address=\
4C:75:25:19:60:3D server=DHCP_IOT_VLAN
add address=192.168.30.70 comment=mROW-01 mac-address=98:CD:AC:25:D2:62 \
server=DHCP_IOT_VLAN
add address=192.168.30.101 comment=Roleta_Gospodarczy_Plac_AC mac-address=\
80:64:6F:B1:16:71 server=DHCP_IOT_VLAN
add address=192.168.30.71 comment=Gate_NICE mac-address=4C:75:25:1A:0F:8E \
server=DHCP_IOT_VLAN
add address=192.168.30.103 comment=Roleta_Taras_AC mac-address=\
AC:0B:FB:D9:23:9D server=DHCP_IOT_VLAN
add address=192.168.30.20 comment=Glosnik_Google mac-address=\
20:DF:B9:B2:4F:85 server=DHCP_IOT_VLAN
add address=192.168.30.72 comment=Oswietlenie_Przod mac-address=\
E8:68:E7:4E:15:D0 server=DHCP_IOT_VLAN
add address=192.168.30.73 comment=Choinka_Karina mac-address=\
70:03:9F:5D:0A:87 server=DHCP_IOT_VLAN
add address=192.168.30.74 comment=Gwiazda mac-address=24:A1:60:0A:12:50 \
server=DHCP_IOT_VLAN
add address=192.168.30.75 comment=Dimmer_Schody mac-address=C4:5B:BE:6E:26:DA \
server=DHCP_IOT_VLAN
add address=192.168.40.70 comment=Chromecast mac-address=14:AE:85:71:BD:AD \
server=DHCP_TV_VLAN
add address=192.168.10.50 comment="Fenix 7X" mac-address=90:F1:57:AF:8D:75 \
server=DHCP_LAN_VLAN
add address=192.168.30.16 comment="Falownik Huawei" mac-address=\
9C:B2:E8:2C:47:05 server=DHCP_IOT_VLAN
add address=192.168.30.98 comment=MEW-02_Ogrzewanie mac-address=\
7C:87:CE:F3:7A:87 server=DHCP_IOT_VLAN
add address=192.168.30.200 comment="Termostat Pokoj Kariny" mac-address=\
EC:FA:BC:76:31:23 server=DHCP_IOT_VLAN
add address=192.168.30.201 comment="Termostat Salon" mac-address=\
EC:FA:BC:76:2E:19 server=DHCP_IOT_VLAN
add address=192.168.30.202 comment="Termostat Kuchnia" mac-address=\
EC:FA:BC:76:27:C0 server=DHCP_IOT_VLAN
add address=192.168.30.203 comment="Termostat Komorka" mac-address=\
EC:FA:BC:76:24:7F server=DHCP_IOT_VLAN
add address=192.168.30.204 comment="Termostat Lazienka" mac-address=\
E0:98:06:1F:4D:51 server=DHCP_IOT_VLAN
add address=192.168.30.206 comment="Termostat Maly Pokoj" mac-address=\
8C:AA:B5:FD:ED:4E server=DHCP_IOT_VLAN
add address=192.168.30.208 comment="Termostat Sien Gora" mac-address=\
8C:AA:B5:FD:61:53 server=DHCP_IOT_VLAN
add address=192.168.30.205 comment="Termostat Sypialnia" mac-address=\
EC:FA:BC:76:23:D7 server=DHCP_IOT_VLAN
add address=192.168.30.207 comment="Termostat Pokoj Goscinny" mac-address=\
8C:AA:B5:57:8A:44 server=DHCP_IOT_VLAN
add address=192.168.30.210 comment="Termostat Sien Dol" mac-address=\
EC:FA:BC:76:2E:66 server=DHCP_IOT_VLAN
add address=192.168.30.209 comment="Termostat Lauba" mac-address=\
EC:FA:BC:76:30:72 server=DHCP_IOT_VLAN
add address=192.168.30.24 comment="HA dev" mac-address=02:07:E1:4C:43:F8 \
server=DHCP_IOT_VLAN
add address=192.168.10.181 comment="Pv Ubuntu" mac-address=2A:4A:86:F1:F9:86 \
server=DHCP_LAN_VLAN
add address=192.168.10.182 comment="Pv Win11" mac-address=5E:26:27:1B:10:84 \
server=DHCP_LAN_VLAN
add address=192.168.100.210 comment=AP_GORA mac-address=60:22:32:3F:26:E4 \
server=DHCP_MGMT_VLAN
add address=192.168.10.40 comment="Yamacha glosnik" mac-address=\
40:06:A0:84:3B:7A server=DHCP_LAN_VLAN
add address=192.168.30.97 comment=LEW_Serwerownia mac-address=\
58:BF:25:40:8A:BF server=DHCP_IOT_VLAN
add address=192.168.30.57 comment=Sonoff_POW_Kuchnia mac-address=\
84:F3:EB:B1:D3:05 server=DHCP_IOT_VLAN
add address=192.168.10.190 comment=Terminal_HP mac-address=FC:3F:DB:04:4E:6C \
server=DHCP_LAN_VLAN
add address=192.168.30.76 comment=OLED mac-address=84:F3:EB:E3:A1:EF server=\
DHCP_IOT_VLAN
add address=192.168.30.77 comment=Bramka_Versa mac-address=AC:0B:FB:E9:5A:1C \
server=DHCP_IOT_VLAN
add address=192.168.30.78 comment="Swiatlo Piwnica" mac-address=\
8C:AA:B5:1B:39:95 server=DHCP_IOT_VLAN
add address=192.168.30.220 comment=Piec_Wifi mac-address=84:F7:03:E0:54:4C \
server=DHCP_IOT_VLAN
add address=192.168.30.211 comment=Termostat_Gospodarczy mac-address=\
EC:FA:BC:76:2D:9B server=DHCP_IOT_VLAN
add address=192.168.40.20 comment="C+ SYPIALNIA" mac-address=\
C4:77:AF:54:EA:F7 server=DHCP_TV_VLAN
add address=192.168.40.30 comment="C+ karina" mac-address=C4:77:AF:54:F2:F2 \
server=DHCP_TV_VLAN
add address=192.168.40.10 comment="C+ KUCHNIA" mac-address=C4:77:AF:54:EC:8D \
server=DHCP_TV_VLAN
add address=192.168.30.23 comment="Pv Ubuntu-supla-dev" mac-address=\
BC:24:11:AF:64:5A server=DHCP_IOT_VLAN
add address=192.168.10.32 comment=S10_Karina mac-address=72:9C:9C:FB:AB:12 \
server=DHCP_LAN_VLAN
add address=192.168.30.79 comment=Gniazdko_Bojler mac-address=\
CC:50:E3:26:2C:D2 server=DHCP_IOT_VLAN
add address=192.168.30.115 comment=Rolety_Markiza_AC mac-address=\
50:02:91:D2:47:77 server=DHCP_IOT_VLAN
add address=192.168.30.230 comment="Bramka Auraton" mac-address=\
9C:9E:6E:F0:3F:BC server=DHCP_IOT_VLAN
add address=192.168.100.60 comment="SERVER OSCAM" mac-address=\
94:83:C4:07:3A:1D server=DHCP_MGMT_VLAN
add address=192.168.100.140 comment=SW_POKOJ_KARINY mac-address=\
B0:95:75:84:1F:C9 server=DHCP_MGMT_VLAN
add address=192.168.100.220 comment=AP_SIEN mac-address=74:83:C2:90:40:0F \
server=DHCP_MGMT_VLAN
add address=192.168.100.40 comment="DELL IDRAC" mac-address=18:66:DA:B2:B3:88 \
server=DHCP_MGMT_VLAN
add address=192.168.100.100 comment=SW_RACK_POE mac-address=1C:61:B4:B9:4A:CF \
server=DHCP_MGMT_VLAN
add address=192.168.100.10 comment=PROXMOX mac-address=18:66:DA:B2:B3:84 \
server=DHCP_MGMT_VLAN
add address=192.168.100.130 comment=SW_MALY_POKOJ mac-address=\
84:D8:1B:57:B8:52 server=DHCP_MGMT_VLAN
add address=192.168.100.120 comment=SW_GOSPODARCZY mac-address=\
B0:BE:76:89:5B:66 server=DHCP_MGMT_VLAN
add address=192.168.100.160 comment=SW_WARSZTAT mac-address=84:D8:1B:DA:63:16 \
server=DHCP_MGMT_VLAN
add address=192.168.100.190 comment=SW_KUCHNIA mac-address=70:A7:41:79:85:15 \
server=DHCP_MGMT_VLAN
add address=192.168.100.90 comment=ALARM mac-address=00:1B:9C:0C:15:8A \
server=DHCP_MGMT_VLAN
add address=192.168.100.150 comment=SW_SYPIALNIA mac-address=\
84:D8:1B:57:B8:4E server=DHCP_MGMT_VLAN
add address=192.168.100.85 comment=RPI5 mac-address=2C:CF:67:83:89:B7 server=\
DHCP_MGMT_VLAN
add address=192.168.100.30 comment="UNIFI CONTROLLER" mac-address=\
70:A7:41:79:FC:A1 server=DHCP_MGMT_VLAN
add address=192.168.30.25 comment=HA mac-address=02:B7:0C:22:CA:3F server=\
DHCP_IOT_VLAN
add address=192.168.100.110 comment=SW_RACK mac-address=28:87:BA:66:D8:22 \
server=DHCP_MGMT_VLAN
add address=192.168.100.20 comment="OMADA CONTROLLER" mac-address=\
36:62:C1:9A:F1:F8 server=DHCP_MGMT_VLAN
add address=192.168.30.21 comment="Licznik wody" mac-address=\
FC:E8:C0:A0:89:8C server=DHCP_IOT_VLAN
add address=192.168.40.80 comment="SONY N720" mac-address=3C:07:71:7D:41:40 \
server=DHCP_TV_VLAN
add address=192.168.100.240 comment=AP_PLAC mac-address=74:83:C2:C9:1E:F7 \
server=DHCP_MGMT_VLAN
add address=192.168.100.250 comment=AP_PIWNICA mac-address=18:E8:29:96:4A:31 \
server=DHCP_MGMT_VLAN
add address=192.168.100.200 comment=AP_DOL mac-address=70:A7:41:D7:28:A8 \
server=DHCP_MGMT_VLAN
add address=192.168.100.230 comment=AP_GOSPODARCZY mac-address=\
74:83:C2:36:6F:31 server=DHCP_MGMT_VLAN
add address=192.168.100.70 comment=ZABBIX mac-address=06:32:B1:B3:9D:F9 \
server=DHCP_MGMT_VLAN
add address=192.168.30.22 comment="SUPLA_DEVICE WEATHER STATION" mac-address=\
BC:24:11:60:CE:52 server=DHCP_IOT_VLAN
add address=192.168.100.80 comment=UPS_SERVER mac-address=BC:24:11:75:17:12 \
server=DHCP_MGMT_VLAN
add address=192.168.30.10 comment="Serwer SUPLA" mac-address=\
BC:24:11:2C:39:C0 server=DHCP_IOT_VLAN
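/ip dhcp-server network
# Per-VLAN DHCP options: gateway is the router's .1 address on each VLAN.
# Clients resolve directly against public resolvers (the router's own DNS is
# only reachable from VLAN_10_LAN per the input chain). Two resolvers are
# handed out on purpose: /ip route pins 8.8.8.8 to the WAN_SW gateway and
# 8.8.4.4 to the WAN_LTE gateway with host routes that carry no
# check-gateway, so when one uplink fails its pinned resolver stays
# unreachable; with a single resolver clients would lose DNS on failover.
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.40.1
add address=192.168.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1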
/ip dns
# Router-side resolver (used by the address-list hostname entries and by
# VLAN_10_LAN clients). allow-remote-requests=yes is gated by the input chain,
# which only accepts port 53 from VLAN_10_LAN. verify-doh-cert has no effect
# without a use-doh-server URL, which is not set here.
set allow-remote-requests=yes servers=8.8.8.8 verify-doh-cert=yes
/ip dns static
# Disabled split-horizon entry; the address was blanked for the post.
add address= disabled=yes name=supla.krissg.ovh type=A
/ip firewall address-list
# WAN_Allow is the single allow-list behind the winbox-from-WAN input rule and
# behind almost every dst-nat rule. It mixes three kinds of entries:
#  - internal subnets (for hairpin access to the forwarded services),
#  - individual public addresses,
#  - whole /16 carrier ranges (5.173.0.0/16, 94.254.0.0/16): tens of
#    thousands of addresses get winbox and every forwarded service, which
#    defeats the port-knock gating that also feeds this list,
#  - hostnames, which the router resolves via /ip dns (8.8.8.8) and refreshes
#    itself - whoever controls those DNS answers controls what is allowed.
# Entries added by the port-knock rule expire after 1d5h; static ones never.
add address=192.168.10.0/24 list=WAN_Allow
add address=192.168.20.0/24 list=WAN_Allow
add address=5.173.0.0/16 list=WAN_Allow
add address=77.65.117.126 list=WAN_Allow
add address=188.123.223.100 list=WAN_Allow
add address=94.254.0.0/16 list=WAN_Allow
add address=35.214.214.56 list=WAN_Allow
add address=35.214.244.97 list=WAN_Allow
add address=cloud.supla.org list=WAN_Allow
add address=91.192.0.86 list=WAN_Allow
add address=call.supla.io list=WAN_Allow
add address=91.192.2.99 list=WAN_Allow
add address=googleassistant.supla.org list=WAN_Allow
add address=192.168.30.0/24 list=WAN_Allow
add address=89.64.58.84 list=WAN_Allow
add address=193.186.4.0/24 disabled=yes list=WAN_Allow
add address=46.112.76.0/24 disabled=yes list=WAN_Allow
add address=icons.supla.io list=WAN_Allow
add address=plex.tv list=WAN_Allow
add address=54.170.120.91 list=WAN_Allow
add address=46.51.207.89 list=WAN_Allow
add address=142.250.191.46 list=WAN_Allow
add address=192.168.100.0/24 list=WAN_Allow
add address=78.28.208.99 list=WAN_Allow
add address=192.168.216.0/24 list=WAN_Allow
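/ip firewall filter
# Rules are evaluated top to bottom per chain. Order matters: everything
# before "Accept established,related,untracked" is evaluated for every packet.
#
# Changes vs. the original export: the two drop rules that carried a
# log-prefix without log=yes now actually log (log-prefix alone is inert).
# The log goes to the in-memory buffer by default; point /system logging at a
# remote target if the DROP/INVALID lines are to be kept.
#
# Open points NOT changed here, because they need a decision about intent:
#  * The forward chain has no final drop. After the WAN-not-dstnat rule every
#    new inter-VLAN connection is accepted, so IoT/TV/KAM devices can reach
#    the management VLAN (iDRAC, Proxmox, switches, controllers, Zabbix).
#    A final `add action=drop chain=forward` preceded by explicit accepts for
#    the flows that are wanted would close this.
#  * Both ZeroTier interfaces are accepted wholesale in input and forward
#    before any hardening rule, so each network member has unrestricted
#    access to the router and all VLANs.
#  * The virus chain is a 2004-era worm port list and matches both directions
#    (no interface-list), so it also drops legitimate outbound connections to
#    e.g. tcp/1080, 1024-1030, 10000 and 12345.
#
# Input: DNS only from the LAN VLAN; other VLANs hand clients 8.8.8.8 directly.
add action=accept chain=input dst-port=53 in-interface=VLAN_10_LAN protocol=\
tcp
add action=accept chain=input dst-port=53 in-interface=VLAN_10_LAN protocol=\
udp
# Intended to keep zt_giolbas away from the LAN subnet, but chain=input only
# sees packets addressed to the router itself (its 192.168.10.1), while the
# forward chain below accepts everything from zt_giolbas - so the LAN hosts
# are not protected by this rule. MAC-based exemptions are also weak on an
# overlay interface; prefer a src-address match if the exemption is needed.
add action=drop chain=input comment="Blokada ruchu z zt_giolbas to lan" \
dst-address=192.168.10.0/24 in-interface=zt_giolbas src-mac-address=\
!34:13:E8:A4:6F:DC
add action=accept chain=forward in-interface=zt_klozaw
add action=accept chain=forward in-interface=zt_giolbas
add action=accept chain=input in-interface=zt_klozaw
add action=accept chain=input in-interface=zt_giolbas
add action=drop chain=input disabled=yes in-interface=zt_giolbas src-address=\
10.147.20.14
# Three-stage port knock (two UDP knocks matched by payload + one TCP knock)
# adds the source to WAN_Allow for 1d5h. Ports were blanked for the post.
add action=add-src-to-address-list address-list=Knock_list \
address-list-timeout=1m chain=input comment=Knock dst-port= \
layer7-protocol=knock1 protocol=udp
add action=add-src-to-address-list address-list=Knock_list2 \
address-list-timeout=1m chain=input dst-port= layer7-protocol=knock2 \
protocol=udp src-address-list=Knock_list
add action=add-src-to-address-list address-list=WAN_Allow \
address-list-timeout=1d5h chain=input dst-port= log=yes log-prefix=\
port_knock protocol=tcp src-address-list=Knock_list2
# Port-scan detection (psd) on WAN only; hits are quarantined for 1d (tcp)
# or 1w (udp) and dropped at the top of the chain.
add action=drop chain=input comment="Port Scan" src-address-list=\
port-scanner
add action=add-src-to-address-list address-list=port-scanner \
address-list-timeout=1d chain=input in-interface-list=WAN protocol=tcp \
psd=21,3s,3,1
add action=add-src-to-address-list address-list=port-scanner \
address-list-timeout=1w chain=input in-interface-list=WAN protocol=udp \
psd=21,3s,3,1
add action=accept chain=input comment="Accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=jump chain=input comment="!!! Check for well-known viruses !!!" \
jump-target=virus
# Winbox on the non-default port 1818 from anyone in WAN_Allow (which includes
# the internal subnets and two public /16 ranges - see the address list).
add action=accept chain=input comment="Winbox from WAN (WAN Allow)" dst-port=\
1818 protocol=tcp src-address-list=WAN_Allow
add action=accept chain=input comment="Accept ICMP" protocol=icmp
# LAN-list members only from here on; VLAN_20/30/40/100 are not LAN members,
# so new connections from those VLANs to the router stop here (including
# SNMP from the Zabbix host on VLAN 100 - confirm on the device).
add action=drop chain=input comment="Drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="Accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"Accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=jump chain=forward comment="!!! Check for well-known viruses !!!" \
jump-target=virus
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Final input drop: now logged, as the existing prefix intended.
add action=drop chain=input comment="Drop everything else" log=yes \
log-prefix=DROP
# The next three forward rules duplicate the established/related/invalid
# rules above and are never reached for those states; kept for compatibility.
add action=accept chain=forward comment="Established connections" \
connection-state=established
add action=accept chain=forward comment="Related connections" \
connection-state=related
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid log=yes log-prefix=INVALID
# --- virus chain: legacy worm/backdoor port list, reached only for new
# connections (established/related are accepted before the jump).
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 \
protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 \
protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=\
tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=\
tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
65506 protocol=tcp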
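/ip firewall nat
# Change vs. the original export: the "Nginx WEB https" rule carried
# log-prefix=nginx without log=yes (inert); it now logs like its http sibling.
#
# Source NAT. The two out-interface rules cover internet-bound traffic. The
# four src-address rules that follow have NO out-interface, so they also
# rewrite inter-VLAN traffic (and the hairpin case of LAN hosts using the
# public address of a forwarded service) to the router's own VLAN address.
# That is presumably what makes hairpin work, but it also hides the true
# source address from every host on the other VLANs - the NAS, iDRAC and the
# controllers only ever see 192.168.x.1 in their logs. Restricting these to
# the hairpin destinations (dst-address-list of the forwarded hosts) would
# keep hairpin and restore source visibility.
add action=masquerade chain=srcnat comment="WAN_SW masquerade" out-interface=\
ether2-WAN_SW
add action=masquerade chain=srcnat comment="WAN_LTE masquerade" \
out-interface=ether3-WAN_LTE
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.20.0/24
add action=masquerade chain=srcnat src-address=192.168.30.0/24
add action=masquerade chain=srcnat src-address=192.168.100.0/24
# Destination NAT. dst-address=x.x.x.x is the redacted public address. Almost
# every rule is gated on WAN_Allow, which admits two public /16 ranges and
# resolves hostnames via 8.8.8.8 - see /ip firewall address-list. The
# exposed services include an alarm panel, the NVR, SSH on two hosts, FTP
# (cleartext credentials) and an iDRAC VNC console; each of these is a
# management plane on its own and benefits from the BTH/WireGuard path
# already configured rather than a public port.
add action=dst-nat chain=dstnat comment=Alarm dst-address=x.x.x.x \
dst-port=1616 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.100.90 to-ports=1515
add action=dst-nat chain=dstnat comment=UpSrv dst-address=x.x.x.x \
dst-port=44044 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.10.4 to-ports=44004
add action=dst-nat chain=dstnat comment="Proxmox vnc" disabled=yes \
dst-address=x.x.x.x dst-port=5900-5999 protocol=tcp \
src-address-list=WAN_Allow to-addresses=192.168.10.180 to-ports=5900-5999
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.10.150 \
protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.1
add action=dst-nat chain=dstnat comment="Supla app ssl" dst-address=\
x.x.x.x dst-port=2016 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.30.10 to-ports=2016
add action=dst-nat chain=dstnat comment="Supla app nossl" dst-address=\
x.x.x.x dst-port=2015 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.30.10 to-ports=2015
add action=dst-nat chain=dstnat comment="Nginx WEB" disabled=yes dst-address=\
x.x.x.x dst-port=443 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.10.20 to-ports=35443
add action=dst-nat chain=dstnat comment="Nginx WEB https" dst-address=\
x.x.x.x dst-port=443 log=yes log-prefix=nginx protocol=tcp \
src-address-list=WAN_Allow to-addresses=192.168.30.10 to-ports=443
add action=dst-nat chain=dstnat comment="Nginx WEB http" dst-address=\
x.x.x.x dst-port=80 log=yes log-prefix=nginx protocol=tcp \
src-address-list=WAN_Allow to-addresses=192.168.30.10 to-ports=82
add action=dst-nat chain=dstnat comment="Nginx proxy" disabled=yes \
dst-address=x.x.x.x dst-port=8881 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.120 to-ports=89
add action=dst-nat chain=dstnat comment="Supla scripts" disabled=yes \
dst-address=x.x.x.x dst-port=4434 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.120 to-ports=4432
add action=dst-nat chain=dstnat comment=Transmission dst-address=x.x.x.x \
dst-port=49092 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.100.50 to-ports=9091
# No src-address-list: the BitTorrent listener on the NAS (management VLAN)
# is reachable from the whole internet by design.
add action=dst-nat chain=dstnat comment="Transmissin wyjscie" dst-address=\
x.x.x.x dst-port=51413 protocol=tcp to-addresses=192.168.100.50 \
to-ports=51413
add action=dst-nat chain=dstnat disabled=yes dst-address=x.x.x.x \
dst-port=51414 protocol=udp to-addresses=192.168.10.20 to-ports=51414
add action=dst-nat chain=dstnat comment="OSCAM Svr" disabled=yes dst-address=\
x.x.x.x dst-port=9999 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.10.50 to-ports=8888
add action=dst-nat chain=dstnat comment="OSCAM wyjscie" disabled=yes \
dst-address=x.x.x.x dst-port=7777 protocol=tcp to-addresses=\
192.168.10.50 to-ports=7777
add action=dst-nat chain=dstnat comment="Oscam svr ssh" disabled=yes \
dst-address=x.x.x.x dst-port=444 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.50 to-ports=22
add action=dst-nat chain=dstnat comment="Oscam svr https" disabled=yes \
dst-address=x.x.x.x dst-port=8000 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.50 to-ports=443
add action=dst-nat chain=dstnat comment="Qnap file browser" dst-address=\
x.x.x.x dst-port=3678 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.100.50 to-ports=3678
# FTP: the ftp service-port helper is disabled, so the passive range is
# forwarded explicitly by the next rule. Control channel and credentials are
# cleartext on the wire.
add action=dst-nat chain=dstnat comment="Magazyn FTP" dst-address=\
x.x.x.x dst-port=1106 log=yes log-prefix="FTP TEST kristel" \
protocol=tcp src-address-list=WAN_Allow to-addresses=192.168.100.50 \
to-ports=21
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=55536-55556 \
log=yes log-prefix="FTP TEST kristel" protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.100.50 to-ports=55536-55556
add action=dst-nat chain=dstnat comment="Magazyn SSH" dst-address=\
x.x.x.x dst-port=7922 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.100.50 to-ports=22
add action=dst-nat chain=dstnat comment="Magazyn WWW" disabled=yes \
dst-address=x.x.x.x dst-port=4439 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.20 to-ports=4439
add action=dst-nat chain=dstnat disabled=yes dst-address=x.x.x.x \
dst-port=8089 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.10.20 to-ports=8089
add action=dst-nat chain=dstnat comment=OwnCloud disabled=yes dst-address=\
x.x.x.x dst-port=25639 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.10.20 to-ports=25639
add action=dst-nat chain=dstnat comment="TP-LINK Omada" disabled=yes \
dst-address=x.x.x.x dst-port=8043 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.20 to-ports=8043
add action=dst-nat chain=dstnat comment=NVR dst-address=x.x.x.x \
dst-port=3733 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.20.2 to-ports=37777
add action=dst-nat chain=dstnat comment="FSB web" disabled=yes dst-address=\
x.x.x.x dst-port=6530 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.10.20 to-ports=4530
add action=dst-nat chain=dstnat comment="Malina SSH" dst-address=x.x.x.x \
dst-port=7923 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.30.10 to-ports=22
# Out-of-band console of the server exposed on the public address.
add action=dst-nat chain=dstnat comment="IDRAC vnc" dst-address=x.x.x.x \
dst-port=5900 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.100.40 to-ports=5900
add action=dst-nat chain=dstnat comment="Malina VNC" disabled=yes \
dst-address=x.x.x.x dst-port=5900 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.120 to-ports=5900
add action=dst-nat chain=dstnat comment="Traccar wyjscie" dst-address=\
x.x.x.x dst-port=5027 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.30.10 to-ports=5027
add action=dst-nat chain=dstnat comment="Malina Unifi" disabled=yes \
dst-address=x.x.x.x dst-port=8843 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.184 to-ports=8843
# Forwards to 192.168.10.200, while the SXT's static lease is 192.168.100.75
# ("Mikrotik LTE" in /ip dhcp-server lease) - one of the two is likely stale.
add action=dst-nat chain=dstnat comment="Winbox LTE" dst-address=x.x.x.x \
dst-port=1919 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.10.200 to-ports=1919
add action=dst-nat chain=dstnat comment="Malina OSCAM" disabled=yes \
dst-address=x.x.x.x dst-port=8001 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.120 to-ports=8888
add action=dst-nat chain=dstnat comment=PLEX dst-address=x.x.x.x \
dst-port=32400 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.100.50 to-ports=32400
add action=dst-nat chain=dstnat comment="apache WWW" disabled=yes \
dst-address=x.x.x.x dst-port=80 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.120 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.88.254 \
dst-port=91 protocol=tcp to-addresses=192.168.88.254 to-ports=88
add action=dst-nat chain=dstnat comment="Unifi Console" disabled=yes \
dst-address=x.x.x.x dst-port=3478 protocol=udp src-address-list=\
WAN_Allow to-addresses=192.168.10.115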
/ip firewall service-port
# ALG helpers off. With ftp disabled, the FTP dst-nat rules forward the
# passive port range (55536-55556) explicitly instead.
set ftp disabled=yes
set sip disabled=yes
/ip route
# Recursive dual-WAN failover: host routes pin two public resolvers to each
# WAN gateway (scope 10), and the default routes use those resolvers as
# recursive gateways with check-gateway=ping. The pinned host routes carry no
# check-gateway themselves, so 8.8.8.8 stays bound to WAN_SW even when that
# link is down - relevant because the DHCP networks hand 8.8.8.8 to clients.
# The gateways (91.195.92.1, 10.118.186.49) are hard-coded although both WANs
# are DHCP clients; a changed LTE gateway silently breaks the LTE path.
add comment="Dual Wan - Check gateway WAN_SW" dst-address=8.8.8.8 gateway=\
91.195.92.1 scope=10
add comment="Dual Wan - Check gateway WAN_LTE" dst-address=8.8.4.4 gateway=\
10.118.186.49 scope=10
add check-gateway=ping comment="Dual Wan - WAN_SW" distance=1 gateway=8.8.8.8 \
target-scope=11
add check-gateway=ping comment="Dual Wan - WAN_LTE" distance=2 gateway=\
8.8.4.4 target-scope=11
add comment="Dual Wan - Check gateway WAN_SW second" dst-address=\
208.67.222.222 gateway=91.195.92.1 scope=10
add comment="Dual Wan - Check gateway WAN_LTE second" dst-address=\
208.67.220.220 gateway=10.118.186.49 scope=10
add check-gateway=ping comment="Dual Wan - WAN_SW second" distance=1 gateway=\
208.67.222.222 target-scope=11
add check-gateway=ping comment="Dual Wan - WAN_LTE second" distance=2 \
gateway=208.67.220.220 target-scope=11
/ip service
# Management services: telnet, ftp, ssh, api and api-ssl are disabled, leaving
# Winbox (moved to 1818) as the management channel. www / www-ssl are not
# listed, so they keep their defaults, which this export does not show -
# confirm they are disabled or restricted. A non-default port is not access
# control: who can reach 1818 is decided by the input-chain filter rules.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=1818
set api-ssl disabled=yes
/snmp
# SNMP agent enabled, sending v2c interface traps for bridge-LAN to
# 192.168.100.70 (management subnet). v2c has no authentication or encryption
# beyond the community string, so reachability of UDP/161 must be limited to
# the management side by the input filter; this export does not show an
# address restriction on the community itself - confirm.
set enabled=yes trap-generators=interfaces trap-interfaces=bridge-LAN \
trap-target=192.168.100.70 trap-version=2
/system clock
# Local time zone (affects log timestamps and time-based rules).
set time-zone-name=Europe/Warsaw
/system identity
# Device name shown in Winbox/neighbor discovery.
set name=Mietek
/system note
# No login banner is displayed.
set show-at-login=no
jaclaz
January 19, 2025, 2:43pm
What you describe doesn't seem to match your config:
/interface vlan
add interface=bridge-LAN name=VLAN_10_LAN vlan-id=10
add interface=bridge-LAN name=VLAN_20_KAM vlan-id=20
add interface=bridge-LAN name=VLAN_30_IOT vlan-id=30
add interface=bridge-LAN name=VLAN_40_TV vlan-id=40
add interface=bridge-LAN name=VLAN_100_MGMT vlan-id=100
add interface=ether3-WAN_LTE name=VLAN_100_MGMT_LTE vlan-id=10
There is no VLAN 200, and the one on ether2-WAN-LTE is 100 in the comment but actually 10 in the configuration.
Typos?
krissg
January 19, 2025, 3:09pm
Sorry, you are right — that was the wrong config, my mistake.
This is the correct one:
# 2025-01-19 12:53:29 by RouterOS 7.17
# software id =
#
# model = RB5009UPr+S+
# serial number =
/interface bridge
# Single VLAN-aware bridge. pvid=200 applies to the bridge (CPU) port itself:
# untagged frames between the router and the bridge are treated as VLAN 200,
# i.e. the LTE management VLAN. ingress-filtering=no means frames whose VID is
# not in the bridge VLAN table are not discarded on ingress at this port.
# NOTE(review): the earlier export in this thread had
# frame-types=admit-only-vlan-tagged here; it is gone in this one, so untagged
# frames are now accepted at the bridge port - confirm that is intended.
add ingress-filtering=no name=bridge-LAN pvid=200 vlan-filtering=yes
/interface ethernet
# Port naming by role. ether2 (WAN_SW) has an explicitly set MAC address -
# presumably a MAC clone required by the upstream provider; verify before
# changing it, since the DHCP lease on that WAN is likely tied to it.
set [ find default-name=ether1 ] name=ether1-AP_PLAC
set [ find default-name=ether2 ] mac-address=20:E5:2A:23:D2:A9 name=\
ether2-WAN_SW
set [ find default-name=ether3 ] name=ether3-WAN_LTE
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAG1
set [ find default-name=ether6 ] name=ether6-LAG1
set [ find default-name=ether7 ] name=ether7-LAG2
set [ find default-name=ether8 ] name=ether8-LAG2
/interface wireguard
# WireGuard interface used by Back-To-Home (see /ip cloud). Listens on UDP
# 62827; peers and keys are not shown in this part of the export.
add comment=back-to-home-vpn listen-port=62827 mtu=1420 name=back-to-home-vpn
/interface vlan
# Routed VLAN interfaces for the internal segments live on the bridge.
add interface=bridge-LAN name=VLAN_10_LAN vlan-id=10
add interface=bridge-LAN name=VLAN_20_KAM vlan-id=20
add interface=bridge-LAN name=VLAN_30_IOT vlan-id=30
add interface=bridge-LAN name=VLAN_40_TV vlan-id=40
add interface=bridge-LAN name=VLAN_100_MGMT vlan-id=100
# The LTE management VLAN is different: it is a VLAN sub-interface of the
# physical WAN port ether3, so that port carries untagged Internet traffic
# (DHCP client) and tagged VLAN 200 management traffic to the SXT at once.
add interface=ether3-WAN_LTE name=VLAN_200_MGMT_LTE vlan-id=200
/interface bonding
# Two LACP (802.3ad) trunks to the rack switches, two ports each; the peer
# switch must be configured for LACP on the matching ports or the bond stays
# down.
add mode=802.3ad name=LAG_1_SW_RACK slaves=ether5-LAG1,ether6-LAG1 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=LAG_2_SW_RACK_POE slaves=ether7-LAG2,ether8-LAG2 \
transmit-hash-policy=layer-2-and-3
/interface list
# Trust zones referenced by the firewall: membership is defined under
# /interface list member, and the input chain's catch-all accept and final
# drop both key on the LAN list.
add name=LAN
add name=WAN
/ip firewall layer7-protocol
# Payload patterns for the two-step UDP port-knock in the input chain; the
# regexps were redacted for the forum post.
add name=knock1 regexp=
add name=knock2 regexp=
/ip pool
# One pool per VLAN (.2-.254). The LTE management pool is deliberately tiny
# (.2-.5) - only the SXT is expected there.
add name=pool-VLAN_10_LAN ranges=192.168.10.2-192.168.10.254
add name=pool-VLAN_20_KAM ranges=192.168.20.2-192.168.20.254
add name=pool-VLAN_30_IOT ranges=192.168.30.2-192.168.30.254
add name=pool-VLAN_100_MGMT ranges=192.168.100.2-192.168.100.254
add name=pool-VLAN_40_TV ranges=192.168.40.2-192.168.40.254
add name=pool-VLAN_200_MGMT_LTE ranges=192.168.200.2-192.168.200.5
/ip dhcp-server
# add-arp=yes creates an ARP entry per lease; it only restricts unknown hosts
# if the interface's ARP mode is reply-only, which this export does not set.
add add-arp=yes address-pool=pool-VLAN_10_LAN interface=VLAN_10_LAN name=\
DHCP_LAN_VLAN
add add-arp=yes address-pool=pool-VLAN_20_KAM interface=VLAN_20_KAM name=\
DHCP_KAM_VLAN
add add-arp=yes address-pool=pool-VLAN_30_IOT interface=VLAN_30_IOT name=\
DHCP_IOT_VLAN
add add-arp=yes address-pool=pool-VLAN_100_MGMT interface=VLAN_100_MGMT name=\
DHCP_MGMT_VLAN
add add-arp=yes address-pool=pool-VLAN_40_TV interface=VLAN_40_TV name=\
DHCP_TV_VLAN
# NOTE(review): this server is bound to bridge-LAN, but in /ip address the
# 192.168.200.1/24 address is on VLAN_200_MGMT_LTE, not on bridge-LAN, and
# bridge-LAN has no address at all. A DHCP server needs an address in its pool's
# subnet on the interface it listens on, so this server is most likely inactive
# (check /ip dhcp-server for an "invalid" flag) - a plausible cause of the SXT
# not getting its 192.168.200.x lease.
add add-arp=yes address-pool=pool-VLAN_200_MGMT_LTE interface=bridge-LAN \
name=DHCP_MGMT_LTE_VLAN
/snmp community
# The default community is renamed to "Zabbix". For v2c this string is the
# only credential and travels in clear text; whether it is limited to specific
# source addresses is not visible in this export - confirm.
set [ find default=yes ] name=Zabbix
/zerotier
# ZeroTier instance enabled (the duplicated disabled=no is harmless).
set zt1 disabled=no disabled=no
/zerotier interface
# Two ZeroTier networks joined with managed routes/addresses accepted.
# The filter rules later accept ALL input and forward traffic arriving on
# zt_klozaw and zt_giolbas, so membership approval on the ZeroTier controller
# is the only thing gating access from these networks to the router and LAN.
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
zt1 name=zt_giolbas network=272f5eae1601ff8e
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
zt1 name=zt_klozaw network=d5e5fb653725c597
/interface bridge port
# Access port for the AP on management VLAN 100 (untagged).
add bridge=bridge-LAN interface=ether1-AP_PLAC pvid=100
# LACP trunks: tagged 10/20/30/40 per the bridge VLAN table, untagged -> 100.
add bridge=bridge-LAN ingress-filtering=no interface=LAG_1_SW_RACK pvid=100
add bridge=bridge-LAN ingress-filtering=no interface=LAG_2_SW_RACK_POE pvid=\
100
add bridge=bridge-LAN interface=ether4-LAN pvid=10
# NOTE(review): VLAN_200_MGMT_LTE is itself a VLAN sub-interface (tag 200 on
# ether3) and is added here as a bridge port. Frames it receives from the SXT
# already have their 200 tag stripped, so pvid=200 re-classifies them; on the
# way out the bridge VLAN table tags VLAN 200 on this port again, which likely
# produces 200-inside-200 double-tagged frames toward the SXT. Also, once an
# interface is a bridge port its own IP address (192.168.200.1/24 in /ip
# address) is not usable. Confirm whether the intent was to bridge the VLAN
# into the LAN, or simply to route it - the two halves of this config disagree.
add bridge=bridge-LAN interface=VLAN_200_MGMT_LTE pvid=200
/interface bridge settings
# Bridged (intra-VLAN, switched) traffic is also passed through the IP
# firewall; this costs CPU and can prevent hardware offload - confirm it is
# still needed, since the filter rules shown do not use bridge-specific
# matchers.
set use-ip-firewall-for-vlan=yes
/ipv6 settings
# IPv6 is fully disabled on the device; no v6 filter rules are needed.
set disable-ipv6=yes
/interface bridge vlan
# VLANs 10/20/30/40 are tagged on both LACP trunks and on the bridge itself,
# so the VLAN_xx interfaces on bridge-LAN can see them.
add bridge=bridge-LAN tagged=LAG_1_SW_RACK,LAG_2_SW_RACK_POE,bridge-LAN \
vlan-ids=10,20,30,40
# NOTE(review): VLAN 100 lists only ether1-AP_PLAC as a member; bridge-LAN is
# not tagged here (and the LAGs with pvid=100 are not members either). Unless
# this is handled elsewhere, VLAN_100_MGMT on the bridge would not receive
# VLAN 100 traffic from the trunks - confirm against the live
# /interface bridge vlan table.
add bridge=bridge-LAN untagged=ether1-AP_PLAC vlan-ids=100
# VLAN 200: untagged at the bridge/CPU port (matches bridge pvid=200) and
# tagged toward VLAN_200_MGMT_LTE, which is already a tagged sub-interface -
# see the note in /interface bridge port.
add bridge=bridge-LAN tagged=VLAN_200_MGMT_LTE untagged=bridge-LAN vlan-ids=\
200
/interface detect-internet
# Detect-internet is tied to the same LAN/WAN lists the firewall uses; it
# only classifies interfaces and does not by itself change list membership.
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
# Trust-zone membership. Note which VLAN interfaces are NOT in LAN:
# VLAN_20_KAM, VLAN_30_IOT, VLAN_40_TV and VLAN_100_MGMT are absent, so in the
# input chain they are limited to the explicit DNS/NTP/ICMP accepts and then
# hit the final "not from LAN" drop; only VLAN_10_LAN and VLAN_200_MGMT_LTE
# get the "allow all vlan access to router" accept. If the management VLAN
# (100) is meant to reach Winbox on the router, it needs to be added here.
add interface=bridge-LAN list=LAN
add interface=ether1-AP_PLAC list=LAN
add interface=ether4-LAN list=LAN
add interface=ether2-WAN_SW list=WAN
add interface=ether3-WAN_LTE list=WAN
add interface=LAG_1_SW_RACK list=LAN
add interface=LAG_2_SW_RACK_POE list=LAN
add interface=VLAN_10_LAN list=LAN
# The LTE management VLAN rides on a WAN port (ether3) but is trusted as LAN.
add interface=VLAN_200_MGMT_LTE list=LAN
/interface ovpn-server server
# OpenVPN server instance. Whether it is enabled, its port and its auth
# settings are not shown in this export - if it is enabled, the input chain
# has no explicit accept for it, so only LAN/ZeroTier sources could reach it.
add mac-address=FE:56:1F:D7:87:1C name=ovpn-server1
/ip address
# Gateway address per VLAN.
add address=192.168.10.1/24 interface=VLAN_10_LAN network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN_20_KAM network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN_30_IOT network=192.168.30.0
add address=192.168.100.1/24 interface=VLAN_100_MGMT network=192.168.100.0
add address=192.168.40.1/24 interface=VLAN_40_TV network=192.168.40.0
# NOTE(review): VLAN_200_MGMT_LTE is a bridge port (see /interface bridge
# port), and an address on a bridge port is not reachable - it should sit on
# bridge-LAN (where the DHCP_MGMT_LTE_VLAN server listens) or the interface
# should be removed from the bridge and simply routed. This mismatch is the
# most likely reason 192.168.200.x is not reachable from Winbox.
add address=192.168.200.1/24 interface=VLAN_200_MGMT_LTE network=\
192.168.200.0
/ip cloud
# MikroTik cloud DDNS plus Back-To-Home VPN are enabled; the device's public
# address is published under its cloud hostname.
set back-to-home-vpn=enabled ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip cloud back-to-home-users
# Both BTH users have allow-lan=yes, i.e. a connected phone reaches every
# routed VLAN, not just the router. Keys were redacted for the post.
add allow-lan=yes comment=bth-Kris name=Kris private-key=\
"" public-key=\
""
add allow-lan=yes comment=bth-Basia name=Basia private-key=\
"" public-key=\
""
/ip dhcp-client
# Both WANs are DHCP clients; provider DNS/NTP are ignored (the router uses its
# own DoH/NTP settings). The LTE default route gets distance 10 so the
# recursive dual-WAN routes elsewhere in the config stay preferred.
add comment="WAN_SW dhcp client" interface=ether2-WAN_SW use-peer-dns=no \
use-peer-ntp=no
add comment="WAN_LTE dhcp client" default-route-distance=10 interface=\
ether3-WAN_LTE use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
# Static leases (MAC -> fixed address) per VLAN. A static lease is an
# addressing convenience, not authentication: the client MAC is self-reported.
add address=192.168.40.40 comment=Samsung_TV_40cali mac-address=\
50:85:69:04:1B:C4 server=DHCP_TV_VLAN
add address=192.168.10.60 comment=HP_P1102W mac-address=C4:8E:8F:87:09:34 \
server=DHCP_LAN_VLAN
add address=192.168.10.31 comment=S21_FE_Basia mac-address=F4:02:28:C7:50:3A \
server=DHCP_LAN_VLAN
add address=192.168.40.50 comment=Samsung_TV_50cali mac-address=\
E4:7D:BD:E7:84:39 server=DHCP_TV_VLAN
add address=192.168.10.4 comment=Laptok mac-address=34:13:E8:A4:6F:DC server=\
DHCP_LAN_VLAN
add address=192.168.40.60 comment="Philips TV 70cali" mac-address=\
70:AF:24:C6:56:D0 server=DHCP_TV_VLAN
add address=192.168.10.30 comment="S24 Kris" mac-address=BC:93:07:4C:10:54 \
server=DHCP_LAN_VLAN
add address=192.168.10.5 comment="Laptok Thinkpad" mac-address=\
F4:A4:75:9F:8E:2C server=DHCP_LAN_VLAN
add address=192.168.30.100 comment="Roleta Gospodarczy Ogr\F3d_AC" \
mac-address=80:64:6F:B1:16:6F server=DHCP_IOT_VLAN
add address=192.168.30.102 comment=Roleta_Kuchnia_AC mac-address=\
4C:75:25:19:60:71 server=DHCP_IOT_VLAN
add address=192.168.30.99 comment=MEW-01_Rozdzielnia mac-address=\
CC:50:E3:0D:80:70 server=DHCP_IOT_VLAN
# NOTE(review): the same MAC (C4:AD:34:7C:80:FE) also has a lease as
# "Mietek_LTE" on DHCP_MGMT_LTE_VLAN (192.168.200.5) at the end of this list.
# That is fine only if the SXT's management port is really reachable on both
# VLAN 100 and VLAN 200; otherwise one of the two entries is stale.
add address=192.168.100.75 comment="Mikrotik LTE" mac-address=\
C4:AD:34:7C:80:FE server=DHCP_MGMT_VLAN
add address=192.168.30.68 comment=Swiatlo_Waszkuchnia mac-address=\
98:F4:AB:DD:03:E6 server=DHCP_IOT_VLAN
add address=192.168.30.54 comment=Socket_Rolety mac-address=BC:DD:C2:10:58:FC \
server=DHCP_IOT_VLAN
add address=192.168.30.104 comment=Roleta_Salon_AC mac-address=\
F4:CF:A2:FF:EE:73 server=DHCP_IOT_VLAN
add address=192.168.30.55 comment=Czujka_Dymu mac-address=EC:FA:BC:28:54:5E \
server=DHCP_IOT_VLAN
add address=192.168.30.17 comment="Wether Station" mac-address=\
CC:50:E3:59:65:FF server=DHCP_IOT_VLAN
add address=192.168.30.18 comment="Odkurzacz Xiaomi" mac-address=\
B0:4A:39:95:D0:67 server=DHCP_IOT_VLAN
add address=192.168.30.19 comment="Oczyszczacz Xiaomi" mac-address=\
04:CF:8C:94:E4:12 server=DHCP_IOT_VLAN
add address=192.168.30.53 comment=Swiatlo_Gospodarczy mac-address=\
AC:0B:FB:D8:DE:4B server=DHCP_IOT_VLAN
add address=192.168.30.52 comment=Swiatlo_Taras mac-address=50:02:91:D1:89:76 \
server=DHCP_IOT_VLAN
add address=192.168.30.56 comment=Sonoff_POW_Piwica mac-address=\
CC:50:E3:54:1D:92 server=DHCP_IOT_VLAN
add address=192.168.30.58 comment=Socket_Szafa_Rack mac-address=\
2C:3A:E8:17:75:50 server=DHCP_IOT_VLAN
add address=192.168.30.59 comment=Touch_Pokoj_Goscinny mac-address=\
60:01:94:A1:5A:89 server=DHCP_IOT_VLAN
add address=192.168.30.60 comment=Touch_Sypialnia mac-address=\
DC:4F:22:86:E8:97 server=DHCP_IOT_VLAN
add address=192.168.30.61 comment=Sonoff_POW_Sypialnia mac-address=\
C0:49:EF:F3:05:30 server=DHCP_IOT_VLAN
add address=192.168.30.62 comment=Touch_Sien_Gora mac-address=\
60:01:94:98:AF:B1 server=DHCP_IOT_VLAN
add address=192.168.30.63 comment=Touch_Maly_Pokoj mac-address=\
84:0D:8E:77:36:E4 server=DHCP_IOT_VLAN
add address=192.168.30.64 comment=Yunschan_Altana mac-address=\
5C:CF:7F:C3:E9:16 server=DHCP_IOT_VLAN
add address=192.168.30.106 comment=Roleta_Pokoj_Kariny_AC mac-address=\
C8:C9:A3:9F:88:E2 server=DHCP_IOT_VLAN
add address=192.168.30.107 comment=Roleta_Lazienka_AC mac-address=\
80:64:6F:B1:12:50 server=DHCP_IOT_VLAN
add address=192.168.30.108 comment=Roleta_Sien_AC mac-address=\
F4:CF:A2:FF:EE:6C server=DHCP_IOT_VLAN
add address=192.168.30.66 comment=Touch_Sien_Dol mac-address=\
DC:4F:22:82:F2:D3 server=DHCP_IOT_VLAN
add address=192.168.30.109 comment=Roleta_Maly_Pokoj_AC mac-address=\
4C:75:25:19:29:67 server=DHCP_IOT_VLAN
add address=192.168.30.111 comment=Roleta_Pokoj_Goscinny mac-address=\
AC:0B:FB:D8:BE:B1 server=DHCP_IOT_VLAN
add address=192.168.30.69 comment="Swiatlo Plac" mac-address=\
8C:AA:B5:1B:42:49 server=DHCP_IOT_VLAN
add address=192.168.30.114 comment="Roleta_Kom\F3rka_AC" mac-address=\
AC:0B:FB:D8:C8:93 server=DHCP_IOT_VLAN
add address=192.168.30.112 comment=Roleta_Sypialnia_AC mac-address=\
4C:75:25:19:60:3D server=DHCP_IOT_VLAN
add address=192.168.30.70 comment=mROW-01 mac-address=98:CD:AC:25:D2:62 \
server=DHCP_IOT_VLAN
add address=192.168.30.101 comment=Roleta_Gospodarczy_Plac_AC mac-address=\
80:64:6F:B1:16:71 server=DHCP_IOT_VLAN
add address=192.168.30.71 comment=Gate_NICE mac-address=4C:75:25:1A:0F:8E \
server=DHCP_IOT_VLAN
add address=192.168.30.103 comment=Roleta_Taras_AC mac-address=\
AC:0B:FB:D9:23:9D server=DHCP_IOT_VLAN
add address=192.168.30.20 comment=Glosnik_Google mac-address=\
20:DF:B9:B2:4F:85 server=DHCP_IOT_VLAN
add address=192.168.30.72 comment=Oswietlenie_Przod mac-address=\
E8:68:E7:4E:15:D0 server=DHCP_IOT_VLAN
add address=192.168.30.73 comment=Choinka_Karina mac-address=\
70:03:9F:5D:0A:87 server=DHCP_IOT_VLAN
add address=192.168.30.74 comment=Gwiazda mac-address=24:A1:60:0A:12:50 \
server=DHCP_IOT_VLAN
add address=192.168.30.75 comment=Dimmer_Schody mac-address=C4:5B:BE:6E:26:DA \
server=DHCP_IOT_VLAN
add address=192.168.40.70 comment=Chromecast mac-address=14:AE:85:71:BD:AD \
server=DHCP_TV_VLAN
add address=192.168.10.50 comment="Fenix 7X" mac-address=90:F1:57:AF:8D:75 \
server=DHCP_LAN_VLAN
add address=192.168.30.16 comment="Falownik Huawei" mac-address=\
9C:B2:E8:2C:47:05 server=DHCP_IOT_VLAN
add address=192.168.30.98 comment=MEW-02_Ogrzewanie mac-address=\
7C:87:CE:F3:7A:87 server=DHCP_IOT_VLAN
add address=192.168.30.200 comment="Termostat Pokoj Kariny" mac-address=\
EC:FA:BC:76:31:23 server=DHCP_IOT_VLAN
add address=192.168.30.201 comment="Termostat Salon" mac-address=\
EC:FA:BC:76:2E:19 server=DHCP_IOT_VLAN
add address=192.168.30.202 comment="Termostat Kuchnia" mac-address=\
EC:FA:BC:76:27:C0 server=DHCP_IOT_VLAN
add address=192.168.30.203 comment="Termostat Komorka" mac-address=\
EC:FA:BC:76:24:7F server=DHCP_IOT_VLAN
add address=192.168.30.204 comment="Termostat Lazienka" mac-address=\
E0:98:06:1F:4D:51 server=DHCP_IOT_VLAN
add address=192.168.30.206 comment="Termostat Maly Pokoj" mac-address=\
8C:AA:B5:FD:ED:4E server=DHCP_IOT_VLAN
add address=192.168.30.208 comment="Termostat Sien Gora" mac-address=\
8C:AA:B5:FD:61:53 server=DHCP_IOT_VLAN
add address=192.168.30.205 comment="Termostat Sypialnia" mac-address=\
EC:FA:BC:76:23:D7 server=DHCP_IOT_VLAN
add address=192.168.30.207 comment="Termostat Pokoj Goscinny" mac-address=\
8C:AA:B5:57:8A:44 server=DHCP_IOT_VLAN
add address=192.168.30.210 comment="Termostat Sien Dol" mac-address=\
EC:FA:BC:76:2E:66 server=DHCP_IOT_VLAN
add address=192.168.30.209 comment="Termostat Lauba" mac-address=\
EC:FA:BC:76:30:72 server=DHCP_IOT_VLAN
add address=192.168.30.24 comment="HA dev" mac-address=02:07:E1:4C:43:F8 \
server=DHCP_IOT_VLAN
add address=192.168.10.181 comment="Pv Ubuntu" mac-address=2A:4A:86:F1:F9:86 \
server=DHCP_LAN_VLAN
add address=192.168.10.182 comment="Pv Win11" mac-address=5E:26:27:1B:10:84 \
server=DHCP_LAN_VLAN
add address=192.168.100.210 comment=AP_GORA mac-address=60:22:32:3F:26:E4 \
server=DHCP_MGMT_VLAN
add address=192.168.10.40 comment="Yamacha glosnik" mac-address=\
40:06:A0:84:3B:7A server=DHCP_LAN_VLAN
add address=192.168.30.97 comment=LEW_Serwerownia mac-address=\
58:BF:25:40:8A:BF server=DHCP_IOT_VLAN
add address=192.168.30.57 comment=Sonoff_POW_Kuchnia mac-address=\
84:F3:EB:B1:D3:05 server=DHCP_IOT_VLAN
add address=192.168.10.190 comment=Terminal_HP mac-address=FC:3F:DB:04:4E:6C \
server=DHCP_LAN_VLAN
add address=192.168.30.76 comment=OLED mac-address=84:F3:EB:E3:A1:EF server=\
DHCP_IOT_VLAN
add address=192.168.30.77 comment=Bramka_Versa mac-address=AC:0B:FB:E9:5A:1C \
server=DHCP_IOT_VLAN
add address=192.168.30.78 comment="Swiatlo Piwnica" mac-address=\
8C:AA:B5:1B:39:95 server=DHCP_IOT_VLAN
add address=192.168.30.220 comment=Piec_Wifi mac-address=84:F7:03:E0:54:4C \
server=DHCP_IOT_VLAN
add address=192.168.30.211 comment=Termostat_Gospodarczy mac-address=\
EC:FA:BC:76:2D:9B server=DHCP_IOT_VLAN
add address=192.168.40.20 comment="C+ SYPIALNIA" mac-address=\
C4:77:AF:54:EA:F7 server=DHCP_TV_VLAN
add address=192.168.40.30 comment="C+ karina" mac-address=C4:77:AF:54:F2:F2 \
server=DHCP_TV_VLAN
add address=192.168.40.10 comment="C+ KUCHNIA" mac-address=C4:77:AF:54:EC:8D \
server=DHCP_TV_VLAN
add address=192.168.30.23 comment="Pv Ubuntu-supla-dev" mac-address=\
BC:24:11:AF:64:5A server=DHCP_IOT_VLAN
add address=192.168.10.32 comment=S10_Karina mac-address=72:9C:9C:FB:AB:12 \
server=DHCP_LAN_VLAN
add address=192.168.30.79 comment=Gniazdko_Bojler mac-address=\
CC:50:E3:26:2C:D2 server=DHCP_IOT_VLAN
add address=192.168.30.115 comment=Rolety_Markiza_AC mac-address=\
50:02:91:D2:47:77 server=DHCP_IOT_VLAN
add address=192.168.30.230 comment="Bramka Auraton" mac-address=\
9C:9E:6E:F0:3F:BC server=DHCP_IOT_VLAN
add address=192.168.100.60 comment="SERVER OSCAM" mac-address=\
94:83:C4:07:3A:1D server=DHCP_MGMT_VLAN
add address=192.168.100.140 comment=SW_POKOJ_KARINY mac-address=\
B0:95:75:84:1F:C9 server=DHCP_MGMT_VLAN
add address=192.168.100.220 comment=AP_SIEN mac-address=74:83:C2:90:40:0F \
server=DHCP_MGMT_VLAN
add address=192.168.100.40 comment="DELL IDRAC" mac-address=18:66:DA:B2:B3:88 \
server=DHCP_MGMT_VLAN
add address=192.168.100.100 comment=SW_RACK_POE mac-address=1C:61:B4:B9:4A:CF \
server=DHCP_MGMT_VLAN
add address=192.168.100.130 comment=SW_MALY_POKOJ mac-address=\
84:D8:1B:57:B8:52 server=DHCP_MGMT_VLAN
add address=192.168.100.120 comment=SW_GOSPODARCZY mac-address=\
B0:BE:76:89:5B:66 server=DHCP_MGMT_VLAN
add address=192.168.100.160 comment=SW_WARSZTAT mac-address=84:D8:1B:DA:63:16 \
server=DHCP_MGMT_VLAN
add address=192.168.100.190 comment=SW_KUCHNIA mac-address=70:A7:41:79:85:15 \
server=DHCP_MGMT_VLAN
add address=192.168.100.90 comment=ALARM mac-address=00:1B:9C:0C:15:8A \
server=DHCP_MGMT_VLAN
add address=192.168.100.150 comment=SW_SYPIALNIA mac-address=\
84:D8:1B:57:B8:4E server=DHCP_MGMT_VLAN
add address=192.168.100.85 comment=RPI5 mac-address=2C:CF:67:83:89:B7 server=\
DHCP_MGMT_VLAN
add address=192.168.100.30 comment="UNIFI CONTROLLER" mac-address=\
70:A7:41:79:FC:A1 server=DHCP_MGMT_VLAN
add address=192.168.30.25 comment=HA mac-address=02:B7:0C:22:CA:3F server=\
DHCP_IOT_VLAN
add address=192.168.100.110 comment=SW_RACK mac-address=28:87:BA:66:D8:22 \
server=DHCP_MGMT_VLAN
add address=192.168.100.20 comment="OMADA CONTROLLER" mac-address=\
36:62:C1:9A:F1:F8 server=DHCP_MGMT_VLAN
add address=192.168.30.21 comment="Licznik wody" mac-address=\
FC:E8:C0:A0:89:8C server=DHCP_IOT_VLAN
add address=192.168.40.80 comment="SONY N720" mac-address=3C:07:71:7D:41:40 \
server=DHCP_TV_VLAN
add address=192.168.100.240 comment=AP_PLAC mac-address=74:83:C2:C9:1E:F7 \
server=DHCP_MGMT_VLAN
add address=192.168.100.250 comment=AP_PIWNICA mac-address=18:E8:29:96:4A:31 \
server=DHCP_MGMT_VLAN
add address=192.168.100.200 comment=AP_DOL mac-address=70:A7:41:D7:28:A8 \
server=DHCP_MGMT_VLAN
add address=192.168.100.230 comment=AP_GOSPODARCZY mac-address=\
74:83:C2:36:6F:31 server=DHCP_MGMT_VLAN
add address=192.168.100.70 comment=ZABBIX mac-address=06:32:B1:B3:9D:F9 \
server=DHCP_MGMT_VLAN
add address=192.168.30.22 comment="SUPLA_DEVICE WEATHER STATION" mac-address=\
BC:24:11:60:CE:52 server=DHCP_IOT_VLAN
add address=192.168.100.80 comment=UPS_SERVER mac-address=BC:24:11:75:17:12 \
server=DHCP_MGMT_VLAN
add address=192.168.30.10 comment="Serwer SUPLA" mac-address=\
BC:24:11:2C:39:C0 server=DHCP_IOT_VLAN
add address=192.168.10.100 comment="QNAP OMV" mac-address=6A:0E:3D:04:C8:AC \
server=DHCP_LAN_VLAN
add address=192.168.10.200 comment=Proxmox mac-address=18:66:DA:B2:B3:84 \
server=DHCP_LAN_VLAN
# Same MAC as the "Mikrotik LTE" lease on VLAN 100 above; this lease depends on
# DHCP_MGMT_LTE_VLAN actually being active (see the note in /ip dhcp-server).
add address=192.168.200.5 comment=Mietek_LTE mac-address=C4:AD:34:7C:80:FE \
server=DHCP_MGMT_LTE_VLAN
/ip dhcp-server network
# Every VLAN is told to use the router as DNS and NTP, so client name
# resolution goes through the router's DoH resolver configured in /ip dns.
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 \
ntp-server=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 \
ntp-server=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1 \
ntp-server=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1 \
ntp-server=192.168.40.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1 \
ntp-server=192.168.100.1
# Exception: the LTE management network hands out 8.8.8.8 directly, bypassing
# the router's resolver (plain UDP/53 instead of DoH), and gives no NTP server.
# For consistency with the other segments consider dns-server=192.168.200.1.
add address=192.168.200.0/24 dns-server=8.8.8.8 gateway=192.168.200.1
/ip dns
# The router is a recursive resolver for its clients (allow-remote-requests),
# forwarding upstream over DNS-over-HTTPS to 8.8.4.4. Because remote requests
# are allowed, UDP/TCP 53 on the router is only as private as the input-chain
# filter makes it (the "Drop all not coming from LAN" rule covers WAN here).
# verify-doh-cert=yes makes the router validate the DoH server certificate;
# that only works with the issuing CA imported under /certificate, which this
# export does not show - if DoH lookups fail, that is the first thing to check.
set allow-remote-requests=yes use-doh-server=https://8.8.4.4/dns-query \
verify-doh-cert=yes
/ip dns static
# Disabled split-horizon entry for the SUPLA hostname (public address redacted).
add address=x.x.x.x disabled=yes name=supla.krissg.ovh type=A
/ip firewall address-list
# WAN_Allow is the single allow-list that gates (a) Winbox 1818 in the input
# chain and (b) every dst-nat port forward. Review the breadth of what is in it:
# - private /24s only matter for hairpin/LAN sources; they never arrive from WAN;
# - 5.173.0.0/16 and 94.254.0.0/16 are provider-sized ranges, i.e. tens of
#   thousands of third-party hosts are allowed to reach Winbox and all forwards;
# - hostname entries are resolved by the router's DNS (DoH here) and re-resolved
#   per TTL, so the list silently follows whatever those names resolve to
#   (plex.tv in particular resolves to many addresses);
# - 192.168.216.0/24 is not a subnet seen anywhere else in this config.
# Sources added by the port-knock rules also land in this list (1d5h).
add address=192.168.10.0/24 list=WAN_Allow
add address=192.168.20.0/24 list=WAN_Allow
add address=5.173.0.0/16 list=WAN_Allow
add address=77.65.117.126 list=WAN_Allow
add address=188.123.223.100 list=WAN_Allow
add address=94.254.0.0/16 list=WAN_Allow
add address=35.214.214.56 list=WAN_Allow
add address=35.214.244.97 list=WAN_Allow
add address=cloud.supla.org list=WAN_Allow
add address=91.192.0.86 list=WAN_Allow
add address=call.supla.io list=WAN_Allow
add address=91.192.2.99 list=WAN_Allow
add address=googleassistant.supla.org list=WAN_Allow
add address=192.168.30.0/24 list=WAN_Allow
add address=89.64.58.84 list=WAN_Allow
add address=193.186.4.0/24 disabled=yes list=WAN_Allow
add address=46.112.76.0/24 disabled=yes list=WAN_Allow
add address=icons.supla.io list=WAN_Allow
add address=plex.tv list=WAN_Allow
add address=54.170.120.91 list=WAN_Allow
add address=46.51.207.89 list=WAN_Allow
add address=142.250.191.46 list=WAN_Allow
add address=192.168.100.0/24 list=WAN_Allow
add address=78.28.208.99 list=WAN_Allow
add address=192.168.216.0/24 list=WAN_Allow
/ip firewall filter
# ---- input chain (traffic to the router itself) ----
add action=accept chain=input comment="Accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# Per-VLAN service accepts. DNS is accepted on UDP only, so TCP/53 fallbacks
# (truncated answers) from the VLANs not in the LAN list are dropped below.
add action=accept chain=input comment="Allow VLAN 10 - DNS" dst-port=53 \
in-interface=VLAN_10_LAN log=yes log-prefix="Allow DNS vlan 10" protocol=\
udp
# NOTE(review): NTP is UDP/123; these "NTP" rules match protocol=tcp and so
# never see real NTP. VLAN 10 is unaffected (it is in the LAN list and is
# accepted wholesale below), but VLAN 20/30/40/100 clients pointed at the
# router as NTP server (see /ip dhcp-server network) reach the final drop.
# The fix is protocol=udp on each of the five NTP rules.
add action=accept chain=input comment="Allow VLAN 10 - NTP" dst-port=123 \
in-interface=VLAN_10_LAN log=yes log-prefix="Allow NTP vlan 10" protocol=\
tcp
add action=accept chain=input comment="Allow VLAN 20 - DNS" dst-port=53 \
in-interface=VLAN_20_KAM log=yes log-prefix="Allow DNS vlan 20" protocol=\
udp
add action=accept chain=input comment="Allow VLAN 20 - NTP" dst-port=123 \
in-interface=VLAN_20_KAM log=yes log-prefix="Allow NTP vlan 20" protocol=\
tcp
add action=accept chain=input comment="Allow VLAN 30 - DNS" dst-port=53 \
in-interface=VLAN_30_IOT log=yes log-prefix="Allow DNS vlan 30" protocol=\
udp
add action=accept chain=input comment="Allow VLAN 30 - NTP" dst-port=123 \
in-interface=VLAN_30_IOT log=yes log-prefix="Allow NTP vlan 30" protocol=\
tcp
add action=accept chain=input comment="Allow VLAN 40 - DNS" dst-port=53 \
in-interface=VLAN_40_TV log=yes log-prefix="Allow DNS vlan 40" protocol=\
udp
add action=accept chain=input comment="Allow VLAN 40 - NTP" dst-port=123 \
in-interface=VLAN_40_TV log=yes log-prefix="Allow NTP vlan 40" protocol=\
tcp
add action=accept chain=input comment="Allow VLAN 100 - DNS" dst-port=53 \
in-interface=VLAN_100_MGMT log=yes log-prefix="Allow DNS vlan 100" \
protocol=udp
add action=accept chain=input comment="Allow VLAN 100 - NTP" dst-port=123 \
in-interface=VLAN_100_MGMT log=yes log-prefix="Allow NTP vlan 100" \
protocol=tcp
# Catch-all accept for the LAN list. Per /interface list member that list
# holds bridge-LAN, ether1, ether4, both LAGs, VLAN_10_LAN and
# VLAN_200_MGMT_LTE - NOT VLAN 20/30/40/100. So full router access (Winbox
# 1818, SNMP, ...) is granted to VLAN 10 and the LTE mgmt VLAN, while the
# "MGMT" VLAN 100 gets only the DNS/NTP/ICMP accepts - confirm that is intended.
# Also note log=yes here logs every new LAN->router connection.
add action=accept chain=input comment="Allow all vlan acces to router" \
in-interface-list=LAN log=yes log-prefix="Allow all vlan acces to router"
# NOTE(review): this rule is in chain=input, so dst-address=192.168.10.0/24
# can only match the router's own 192.168.10.1. Traffic from zt_giolbas to LAN
# hosts goes through chain=forward, where the rule two lines below accepts it
# unconditionally. If the intent is "block zt_giolbas to LAN except one host",
# it needs chain=forward (and a MAC match is a weak identifier on a VPN link).
add action=drop chain=input comment="Blokada ruchu z zt_giolbas to lan" \
dst-address=192.168.10.0/24 in-interface=zt_giolbas src-mac-address=\
!34:13:E8:A4:6F:DC
# ZeroTier members are fully trusted: everything from both ZT networks is
# accepted into the router and through it to all VLANs.
add action=accept chain=forward in-interface=zt_klozaw
add action=accept chain=forward in-interface=zt_giolbas
add action=accept chain=input in-interface=zt_klozaw
add action=accept chain=input in-interface=zt_giolbas
add action=drop chain=input disabled=yes in-interface=zt_giolbas src-address=\
10.147.20.14
# Port-knock: two UDP packets matching the knock1/knock2 payload patterns
# within 1 minute, then one TCP hit, add the source to WAN_Allow for 1d5h
# (knock ports redacted). Once listed, that source can use Winbox 1818 and
# every dst-nat forward. These rules carry no in-interface-list, so they also
# match from LAN, which is harmless.
add action=add-src-to-address-list address-list=Knock_list \
address-list-timeout=1m chain=input comment=Knock dst-port= \
layer7-protocol=knock1 protocol=udp
add action=add-src-to-address-list address-list=Knock_list2 \
address-list-timeout=1m chain=input dst-port= layer7-protocol=knock2 \
protocol=udp src-address-list=Knock_list
add action=add-src-to-address-list address-list=WAN_Allow \
address-list-timeout=1d5h chain=input dst-port= log=yes log-prefix=\
port_knock protocol=tcp src-address-list=Knock_list2
# Port-scan detection on WAN: sources tripping psd are dropped for 1d (TCP) or
# 1w (UDP). The drop sits before the detectors, so it applies on the next packet.
add action=drop chain=input comment="Port Scan" src-address-list=\
port-scanner
add action=add-src-to-address-list address-list=port-scanner \
address-list-timeout=1d chain=input in-interface-list=WAN protocol=tcp \
psd=21,3s,3,1
add action=add-src-to-address-list address-list=port-scanner \
address-list-timeout=1w chain=input in-interface-list=WAN protocol=udp \
psd=21,3s,3,1
add action=jump chain=input comment="!!! Check for well-known viruses !!!" \
jump-target=virus
# Winbox reachable from the Internet for every WAN_Allow entry - see the
# breadth note on that list (two /16s and DNS-resolved names).
add action=accept chain=input comment="Winbox from WAN (WAN Allow)" dst-port=\
1818 protocol=tcp src-address-list=WAN_Allow
# ICMP is answered from any source, including WAN (no rate limit).
add action=accept chain=input comment="Accept ICMP" protocol=icmp
# Final input policy: anything not from a LAN-list interface is dropped.
add action=drop chain=input comment="Drop all not coming from LAN" \
in-interface-list=!LAN
# ---- forward chain (traffic through the router) ----
add action=accept chain=forward comment="Accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
ipsec-policy=out,ipsec
# Fasttrack with hardware offload: established/related flows skip the rest of
# the filter (and cannot be logged or shaped after this point).
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"Accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=jump chain=forward comment="!!! Check for well-known viruses !!!" \
jump-target=virus
# Only new connections from WAN that were dst-nat'ed get through, so the
# src-address-list=WAN_Allow on each dst-nat rule is the real access control
# for published services.
# NOTE(review): there is no rule after this one that restricts traffic BETWEEN
# VLANs. New connections from IoT (30), TV (40) or cameras (20) to LAN (10)
# and MGMT (100) fall off the end of the chain and are accepted by default.
# A closing `add action=drop chain=forward in-interface-list=LAN
# out-interface-list=LAN` preceded by explicit inter-VLAN allows (e.g.
# VLAN 10 -> anywhere) would make the segmentation the VLAN design implies.
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Effectively unreachable: LAN-list traffic was accepted and everything else
# dropped earlier in the input chain.
add action=drop chain=input comment="Drop everything else" log-prefix=DROP
# Redundant with the established/related/invalid forward rules above; these
# three never match anything new.
add action=accept chain=forward comment="Established connections" \
connection-state=established
add action=accept chain=forward comment="Related connections" \
connection-state=related
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid log-prefix=INVALID
# ---- virus chain (jumped to from both input and forward) ----
# A 2004-era worm port list. Because it is applied in forward too, it also
# blocks SMB (135-139/445) and the other ports between VLANs, e.g. to the QNAP
# on VLAN 10 from any other VLAN. Entries like tcp 1024-1030 can hit ordinary
# services; review whether the list still earns its place.
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 \
protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
# tcp/2745 is dropped twice (here and "Drop Beagle.C-K" below); one can go.
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 \
protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=\
tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=\
tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
65506 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN_SW masquerade" out-interface=\
ether2-WAN_SW
add action=masquerade chain=srcnat comment="WAN_LTE masquerade" \
out-interface=ether3-WAN_LTE
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.20.0/24
add action=masquerade chain=srcnat src-address=192.168.30.0/24
add action=masquerade chain=srcnat src-address=192.168.40.0/24
add action=masquerade chain=srcnat src-address=192.168.100.0/24
add action=masquerade chain=srcnat src-address=192.168.200.0/24
add action=dst-nat chain=dstnat comment=Alarm dst-address=x.x.x.x \
dst-port=1616 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.100.90 to-ports=1515
add action=dst-nat chain=dstnat comment=UpSrv dst-address=x.x.x.x \
dst-port=44044 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.10.4 to-ports=44004
add action=dst-nat chain=dstnat comment="Proxmox vnc" disabled=yes \
dst-address=x.x.x.x dst-port=5900-5999 protocol=tcp \
src-address-list=WAN_Allow to-addresses=192.168.10.180 to-ports=5900-5999
add action=src-nat chain=srcnat disabled=yes dst-address=192.168.10.150 \
protocol=tcp src-address=192.168.10.0/24 to-addresses=192.168.10.1
add action=dst-nat chain=dstnat comment="Supla app ssl" dst-address=\
x.x.x.x dst-port=2016 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.30.10 to-ports=2016
add action=dst-nat chain=dstnat comment="Supla app nossl" dst-address=\
x.x.x.x dst-port=2015 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.30.10 to-ports=2015
add action=dst-nat chain=dstnat comment="Nginx WEB" disabled=yes dst-address=\
x.x.x.x dst-port=443 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.10.20 to-ports=35443
add action=dst-nat chain=dstnat comment="Nginx WEB https" dst-address=\
x.x.x.x dst-port=443 log-prefix=nginx protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.30.10 to-ports=443
add action=dst-nat chain=dstnat comment="Nginx WEB http" dst-address=\
x.x.x.x dst-port=80 log=yes log-prefix=nginx protocol=tcp \
src-address-list=WAN_Allow to-addresses=192.168.30.10 to-ports=82
add action=dst-nat chain=dstnat comment="Nginx proxy" disabled=yes \
dst-address=x.x.x.x dst-port=8881 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.120 to-ports=89
add action=dst-nat chain=dstnat comment="Supla scripts" disabled=yes \
dst-address=x.x.x.x dst-port=4434 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.120 to-ports=4432
add action=dst-nat chain=dstnat comment=Transmission dst-address=x.x.x.x \
dst-port=49092 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.10.100 to-ports=9091
add action=dst-nat chain=dstnat comment="Transmissin wyjscie" dst-address=\
x.x.x.x dst-port=51413 protocol=tcp to-addresses=192.168.10.100 \
to-ports=51413
add action=dst-nat chain=dstnat disabled=yes dst-address=x.x.x.x \
dst-port=51414 log=yes protocol=udp to-addresses=192.168.10.100 to-ports=\
51414
add action=dst-nat chain=dstnat comment="OSCAM Svr" disabled=yes dst-address=\
x.x.x.x dst-port=9999 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.10.50 to-ports=8888
add action=dst-nat chain=dstnat comment="OSCAM wyjscie" disabled=yes \
dst-address=x.x.x.x dst-port=7777 protocol=tcp to-addresses=\
192.168.10.50 to-ports=7777
# --- /ip firewall nat, continued (the menu header and the first rules are above this excerpt) ---
# Every enabled dst-nat below is gated by src-address-list=WAN_Allow, so a forward is reachable
# only from sources on that list (the list contents are not in this excerpt). The one rule without
# that gate is the disabled port-91 rule near the end of this section.
add action=dst-nat chain=dstnat comment="Oscam svr ssh" disabled=yes \
dst-address=x.x.x.x dst-port=444 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.50 to-ports=22
add action=dst-nat chain=dstnat comment="Oscam svr https" disabled=yes \
dst-address=x.x.x.x dst-port=8000 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.50 to-ports=443
add action=dst-nat chain=dstnat comment="Qnap file browser" dst-address=\
x.x.x.x dst-port=3678 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.10.100 to-ports=3678
# log=yes with a "TEST" prefix on this rule and the next one: every matching connection is
# written to the router log. Drop log=yes (or at least the TEST prefix) once the FTP forward
# is confirmed working, so the log stays readable for real events.
add action=dst-nat chain=dstnat comment="Magazyn FTP" dst-address=\
x.x.x.x dst-port=1106 log=yes log-prefix="FTP TEST kristel" \
protocol=tcp src-address-list=WAN_Allow to-addresses=192.168.10.100 \
to-ports=21
# No comment= on this rule. Same target host and log prefix as "Magazyn FTP", and 55536-55556
# forwarded 1:1 — presumably the passive-mode data range of that FTP server (the ftp
# service-port helper is disabled further down, so passive data ports have to be forwarded
# explicitly). Confirm the range matches the server's passive-port setting.
add action=dst-nat chain=dstnat dst-address=x.x.x.x dst-port=55536-55556 \
log=yes log-prefix="FTP TEST kristel" protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.100 to-ports=55536-55556
add action=dst-nat chain=dstnat comment="Magazyn SSH" dst-address=\
x.x.x.x dst-port=7922 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.10.100 to-ports=22
add action=dst-nat chain=dstnat comment="Magazyn WWW" disabled=yes \
dst-address=x.x.x.x dst-port=4439 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.20 to-ports=4439
# Unlabelled (disabled) forward to 192.168.10.20:8089 — give it a comment= or remove it.
add action=dst-nat chain=dstnat disabled=yes dst-address=x.x.x.x \
dst-port=8089 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.10.20 to-ports=8089
add action=dst-nat chain=dstnat comment=OwnCloud disabled=yes dst-address=\
x.x.x.x dst-port=25639 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.10.20 to-ports=25639
add action=dst-nat chain=dstnat comment="TP-LINK Omada" disabled=yes \
dst-address=x.x.x.x dst-port=8043 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.20 to-ports=8043
# External 3733 is remapped to 37777 on the NVR.
add action=dst-nat chain=dstnat comment=NVR dst-address=x.x.x.x \
dst-port=3733 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.20.2 to-ports=37777
add action=dst-nat chain=dstnat comment="FSB web" disabled=yes dst-address=\
x.x.x.x dst-port=6530 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.10.20 to-ports=4530
add action=dst-nat chain=dstnat comment="Malina SSH" dst-address=x.x.x.x \
dst-port=7923 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.30.10 to-ports=22
# 192.168.100.40 shares its range with the SNMP trap target below; by the addressing pattern of
# this export (VLAN 10 -> 192.168.10.x, VLAN 20 -> 192.168.20.x, ...) it is presumably on
# VLAN_100_MGMT — confirm. A WAN forward straight into the management VLAN for an iDRAC VNC
# console is a high-value path even when gated by WAN_Allow; reaching it over a VPN instead
# of a port forward would keep it off the public address entirely.
add action=dst-nat chain=dstnat comment="IDRAC vnc" dst-address=x.x.x.x \
dst-port=5900 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.100.40 to-ports=5900
# Disabled; it shares external port 5900 with "IDRAC vnc" above, so both cannot be enabled
# at once on the same dst-address.
add action=dst-nat chain=dstnat comment="Malina VNC" disabled=yes \
dst-address=x.x.x.x dst-port=5900 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.120 to-ports=5900
add action=dst-nat chain=dstnat comment="Traccar wyjscie" dst-address=\
x.x.x.x dst-port=5027 protocol=tcp src-address-list=WAN_Allow \
to-addresses=192.168.30.10 to-ports=5027
add action=dst-nat chain=dstnat comment="Malina Unifi" disabled=yes \
dst-address=x.x.x.x dst-port=8843 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.184 to-ports=8843
# 192.168.200.5 is presumably the SXT LTE's management address on VLAN 200 — confirm. This
# exposes the SXT's own Winbox service (on port 1919) to WAN_Allow sources. This router's
# Winbox is limited to 192.168.0.0/16 in /ip service below; if the SXT carries a similar
# address= restriction, a connection arriving with a public source address is refused there
# even though this forward delivers it.
add action=dst-nat chain=dstnat comment="Winbox LTE" dst-address=x.x.x.x \
dst-port=1919 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.200.5 to-ports=1919
add action=dst-nat chain=dstnat comment="Malina OSCAM" disabled=yes \
dst-address=x.x.x.x dst-port=8001 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.120 to-ports=8888
# Another 192.168.100.x target (same range as the iDRAC forward above) — a media server on
# the management side is worth a second look.
add action=dst-nat chain=dstnat comment=PLEX dst-address=x.x.x.x \
dst-port=32400 protocol=tcp src-address-list=WAN_Allow to-addresses=\
192.168.100.50 to-ports=32400
add action=dst-nat chain=dstnat comment="apache WWW" disabled=yes \
dst-address=x.x.x.x dst-port=80 protocol=tcp src-address-list=\
WAN_Allow to-addresses=192.168.10.120 to-ports=80
# Disabled leftover: 192.168.88.0/24 is the RouterOS default LAN subnet and appears nowhere
# else in this excerpt, and the rule has no src-address-list — re-enabled, it would redirect
# port 91 from any source to 192.168.88.254:88. Safe to delete.
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.88.254 \
dst-port=91 protocol=tcp to-addresses=192.168.88.254 to-ports=88
# No to-ports: the destination port stays 3478 after translation.
add action=dst-nat chain=dstnat comment="Unifi Console" disabled=yes \
dst-address=x.x.x.x dst-port=3478 protocol=udp src-address-list=\
WAN_Allow to-addresses=192.168.10.115
# Connection-tracking helpers (ALGs). Turning off the FTP and SIP parsers removes two
# stateful protocol decoders from the packet path; the trade-off is that passive FTP data
# ports are no longer opened dynamically and must be forwarded explicitly (see the
# 55536-55556 dst-nat in the nat section above).
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
# Recursive dual-WAN failover. Each /32 "Check gateway" route pins one public resolver to
# one uplink (scope=10); the default routes then use that resolver as a recursive gateway
# (target-scope=11) with check-gateway=ping, so a lost ping withdraws the distance=1
# (WAN_SW) default and the distance=2 (WAN_LTE) default takes over. Points to be aware of:
#  - traffic to 8.8.8.8 / 208.67.222.222 always leaves via WAN_SW and traffic to
#    8.8.4.4 / 208.67.220.220 always via WAN_LTE, whatever the failover state — so these
#    addresses are poor choices as client DNS servers on this network;
#  - failover keys on ICMP reachability of third-party anycast hosts; an upstream that
#    starts filtering ICMP will mark an otherwise healthy uplink dead;
#  - the LTE gateway 10.118.186.49 is hard-coded (a private-range address, presumably
#    assigned by the carrier); if the operator hands out a different gateway these routes
#    become unreachable — confirm it is stable.
/ip route
add comment="Dual Wan - Check gateway WAN_SW" dst-address=8.8.8.8 gateway=\
91.195.92.1 scope=10
add comment="Dual Wan - Check gateway WAN_LTE" dst-address=8.8.4.4 gateway=\
10.118.186.49 scope=10
add check-gateway=ping comment="Dual Wan - WAN_SW" distance=1 gateway=8.8.8.8 \
target-scope=11
add check-gateway=ping comment="Dual Wan - WAN_LTE" distance=2 gateway=\
8.8.4.4 target-scope=11
add comment="Dual Wan - Check gateway WAN_SW second" dst-address=\
208.67.222.222 gateway=91.195.92.1 scope=10
add comment="Dual Wan - Check gateway WAN_LTE second" dst-address=\
208.67.220.220 gateway=10.118.186.49 scope=10
add check-gateway=ping comment="Dual Wan - WAN_SW second" distance=1 gateway=\
208.67.222.222 target-scope=11
add check-gateway=ping comment="Dual Wan - WAN_LTE second" distance=2 \
gateway=208.67.220.220 target-scope=11
# Management-plane services. telnet, ftp, plain www, ssh and the plain api are off; only
# www-ssl and winbox remain. winbox is moved to port 1818 and accepts sources in
# 192.168.0.0/16 only. www-ssl has no address= restriction here, so unless the input chain
# (not in this excerpt) drops it, it answers on every interface including the WAN; if it is
# only used from inside, mirror the winbox limit, e.g. `set www-ssl address=192.168.0.0/16`.
# These address= limits filter at the service itself and do not replace input-chain rules.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.0.0/16 port=1818
set api-ssl disabled=yes
# SNMP agent on; interface-state traps for bridge-LAN go to 192.168.100.70 as SNMPv2c
# (trap-version=2). v2c carries the community string in cleartext. The community
# definition (/snmp community) is not in this excerpt — check that it is not the default
# "public", is read-only, and has addresses= limited to the monitoring host.
/snmp
set enabled=yes trap-generators=interfaces trap-interfaces=bridge-LAN \
trap-target=192.168.100.70 trap-version=2
# Time zone, router identity and the login note (note display turned off).
/system clock
set time-zone-name=Poland
/system identity
set name=Mietek
/system note
set show-at-login=no
# NTP: the client syncs from a single pool hostname; the router also runs an NTP server
# with its broadcast and multicast modes enabled. The server is not interface-restricted
# here — if the input chain (not in this excerpt) does not limit udp/123 to LAN, it is
# reachable from the WAN as well. A second client server entry would keep time sync if
# 0.pl.pool.ntp.org is unreachable; correct time matters for certificate validation and
# for log timestamps.
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/system ntp client servers
add address=0.pl.pool.ntp.org
# Layer-2 management (MAC-Telnet and MAC-Winbox, which need no IP address) answers only on
# interfaces in the LAN interface list; the list's membership is defined elsewhere in the
# export, so make sure no WAN-facing port ends up in it.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN