Hi,
I recently bought two RB750Gr2, both running 6.37.1, with basically default settings, each working nicely in different locations which I am trying to establish a simple site-to-site VPN between. Based on my reading of the Wiki manual http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel , it seems straight-forward enough. But I’m afraid I must be missing something because I’ve followed the manual, and a few other sources, and I can’t ping one way or the other. Also, and this may or may not be important (I have a feeling it is) I’ve noticed a strange thing when I disconnect and reconnect to either router (I’m using Winbox), that under the IPsec Policies section, in the policy I created the “Tunnel” checkbox becomes unchecked by itself and the addresses in SA Src. Address and SA Dst. Address both change to 0.0.0.0. This happens on both devices. I have no idea why this is happening, I haven’t seen it mentioned anywhere.
Both locations have non-static WAN IPs, but I don’t power off the modems that often (both are on battery backup) so I’m not concerned about this right now. Unless this matters in the settings … which I don’t know if it does.
Also, there are other subnets on each router, but I’m only concerned at this point about establishing the VPN between the ones below.
Here’s my scenario and settings for each router:
OFFICE 1:
WAN: 50.XXX.XXX.XXX/23
LAN:192.168.4.1/24
OFFICE 2:
WAN: 73.XXX.XXX.XXX/22
LAN:192.168.10.1/24
ROUTER 1 / OFFICE 1
# nov/25/2016 15:50:41 by RouterOS 6.37.1
# software id = VJ3G-10WQ
#
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
6C:3B:6B:2C:F2:D5 master-port=none mtu=1500 name=ether1 orig-mac-address=\
6C:3B:6B:2C:F2:D5 rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
6C:3B:6B:2C:F2:D6 master-port=none mtu=1500 name=ether2-master \
orig-mac-address=6C:3B:6B:2C:F2:D6 rx-flow-control=off speed=100Mbps \
tx-flow-control=off
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
6C:3B:6B:2C:F2:D7 master-port=ether2-master mtu=1500 name=ether3 \
orig-mac-address=6C:3B:6B:2C:F2:D7 rx-flow-control=off speed=100Mbps \
tx-flow-control=off
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
6C:3B:6B:2C:F2:D8 master-port=none mtu=1500 name=ether4 orig-mac-address=\
6C:3B:6B:2C:F2:D8 rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
6C:3B:6B:2C:F2:D9 master-port=none mtu=1500 name=ether5 orig-mac-address=\
6C:3B:6B:2C:F2:D9 rx-flow-control=off speed=100Mbps tx-flow-control=off
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 3 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 4 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 5 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
/interface list
set (unknown) name=all
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" eap-methods=passthrough \
group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
management-protection=disabled management-protection-key="" mode=none \
mschapv2-password="" mschapv2-username="" name=default \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
"" wpa2-pre-shared-key=""
/ip dhcp-client option
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
flash/hotspot html-directory-override="" http-cookie-lifetime=3d \
http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
!insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
transparent-proxy=no
/ip ipsec mode-config
set request-only name=request-only send-dns=yes
/ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
modp1024
/ip pool
add name=dhcp ranges=192.168.4.40-192.168.4.199
add name=dhcp-guest ranges=192.168.44.40-192.168.44.199
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay bootp-support=static \
disabled=no interface=ether2-master lease-script="" lease-time=10m name=\
defconf
add address-pool=dhcp-guest authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=ether5 lease-script="" lease-time=10m name=\
dhcp-guest
/ppp profile
set *0 address-list="" !bridge !bridge-path-cost !bridge-port-priority \
change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter \
!insert-queue-before !local-address name=default on-down="" on-up="" \
only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit \
!remote-address !session-timeout use-compression=default use-encryption=\
default use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-path-cost !bridge-port-priority \
change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter \
!insert-queue-before !local-address name=default-encryption on-down="" \
on-up="" only-one=default !outgoing-filter !parent-queue !queue-type \
!rate-limit !remote-address !session-timeout use-compression=default \
use-encryption=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2-master queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
/ip neighbor discovery
set ether1 discover=no
set ether2-master discover=yes
set ether3 discover=yes
set ether4 discover=yes
set ether5 discover=yes
/routing bgp instance
set default as=65530 client-to-client-reflection=yes !cluster-id \
!confederation disabled=no ignore-as-path-len=no name=default out-filter=\
"" redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=\
no redistribute-rip=no redistribute-static=no router-id=0.0.0.0 \
routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never !domain-id \
!domain-tag in-filter=ospf-in metric-bgp=auto metric-connected=20 \
metric-default=1 metric-other-ospf=auto metric-rip=20 metric-static=20 \
!mpls-te-area !mpls-te-router-id name=default out-filter=ospf-out \
redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
redistribute-rip=no redistribute-static=no router-id=0.0.0.0 \
!routing-table !use-dn
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
backbone type=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=\
DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 \
disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
eb,sniff,sensitive,api,romon,!ftp,!write,!policy,!dude" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
ssword,web,sniff,sensitive,api,romon,!ftp,!policy,!dude" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
winbox,password,web,sniff,sensitive,api,romon,dude" skin=default
/caps-man aaa
set interim-update=disabled mac-caching=disabled mac-format=XX:XX:XX:XX:XX:XX \
mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" \
require-peer-certificate=no upgrade-policy=none
/certificate settings
set crl-download=yes
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery settings
set default=yes default-for-dynamic=no
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=\
yes send-redirects=yes tcp-syncookies=no
/interface l2tp-server server
set allow-fast-path=no authentication=pap,chap,mschap1,mschap2 \
default-profile=default-encryption enabled=no ipsec-secret="" \
keepalive-timeout=30 max-mru=1450 max-mtu=1450 max-sessions=unlimited \
mrru=disabled use-ipsec=no
/interface ovpn-server server
set auth=sha1,md5 cipher=blowfish128,aes128 default-profile=default enabled=\
no keepalive-timeout=60 mac-address=FE:77:F3:9B:66:CD max-mtu=1500 mode=\
ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
default enabled=no force-aes=no keepalive-timeout=60 max-mru=1500 \
max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any \
verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
interfaces="" lock-to-caps-man=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.4.1/24 comment=defconf disabled=no interface=\
ether2-master network=192.168.4.0
add address=192.168.44.1/24 disabled=no interface=ether5 network=192.168.44.0
/ip cloud
set ddns-enabled=no update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 \
dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=\
yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.4.0/24 caps-manager="" comment=defconf dhcp-option="" \
dns-server="" gateway=192.168.4.1 netmask=24 ntp-server="" wins-server=""
add address=192.168.44.0/24 caps-manager="" comment=defconf dhcp-option="" \
dns-server="" gateway=192.168.44.1 netmask=24 ntp-server="" wins-server=\
""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
servers=192.168.4.1,192.168.44.1
/ip dns static
add address=192.168.4.1 disabled=no name=router regexp="" ttl=1d
/ip firewall filter
add action=accept chain=forward !connection-bytes !connection-limit \
!connection-mark !connection-nat-state !connection-rate !connection-state \
!connection-type !content disabled=no !dscp dst-address=192.168.4.0/24 \
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
!layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
!out-bridge-port-list !out-interface !out-interface-list !p2p \
!packet-mark !packet-size !per-connection-classifier !port !priority \
!protocol !psd !random !routing-mark !routing-table src-address=\
192.168.10.0/24 !src-address-list !src-address-type !src-mac-address \
!src-port !tcp-flags !tcp-mss !time !ttl
add action=accept chain=forward !connection-bytes !connection-limit \
!connection-mark connection-nat-state="" !connection-rate \
!connection-state !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
in-interface=ether5 !in-interface-list !ingress-priority !ipsec-policy \
!ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-bridge-port-list out-interface=ether1 \
!out-interface-list !p2p !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!ttl
add action=drop chain=forward !connection-bytes !connection-limit \
!connection-mark !connection-nat-state !connection-rate connection-state=\
!established,related !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
in-interface=ether5 !in-interface-list !ingress-priority !ipsec-policy \
!ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
!p2p !packet-mark !packet-size !per-connection-classifier !port !priority \
!protocol !psd !random !routing-mark !routing-table !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time !ttl
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=accept chain=srcnat !connection-bytes !connection-limit \
!connection-mark !connection-rate !connection-type !content disabled=no \
!dscp dst-address=192.168.10.0/24 !dst-address-list !dst-address-type \
!dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
!ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
!nth !out-bridge-port !out-bridge-port-list out-interface=ether1 \
!out-interface-list !packet-mark !packet-size !per-connection-classifier \
!port !priority !protocol !psd !random !routing-mark !routing-table \
src-address=192.168.4.0/24 !src-address-list !src-address-type \
!src-mac-address !src-port !tcp-mss !time !to-addresses !to-ports !ttl
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1 !to-addresses !to-ports
/ip firewall raw
add action=notrack chain=prerouting !content disabled=no !dscp dst-address=\
192.168.10.0/24 !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-interface !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !limit log=no log-prefix="" \
!nth !out-interface !out-interface-list !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
src-address=192.168.4.0/24 !src-address-list !src-address-type \
!src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
add action=notrack chain=prerouting !content disabled=no !dscp dst-address=\
192.168.4.0/24 !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-interface !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !limit log=no log-prefix="" \
!nth !out-interface !out-interface-list !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
src-address=192.168.10.0/24 !src-address-list !src-address-type \
!src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
disabled=no name=default-trial
/ip ipsec peer
add address=73.XXX.XXX.XXX/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
aes-128,3des exchange-mode=main generate-policy=no hash-algorithm=sha1 \
lifebytes=0 lifetime=1d local-address=0.0.0.0 nat-traversal=no passive=no \
policy-template-group=default port=500 proposal-check=obey secret=test \
send-initial-contact=yes
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.10.0/24 group=default proposal=default \
protocol=all src-address=192.168.4.0/24 template=yes
add disabled=no dst-address=192.168.10.0/24 group=default proposal=default \
protocol=all src-address=192.168.4.0/24 template=yes
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
max-cache-object-size=2048KiB max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
src-address=::
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80
set ssh address="" disabled=yes port=22
set www-ssl address="" certificate=none disabled=no port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
set api-ssl address="" certificate=none disabled=yes port=8729
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip ssh
set always-allow-password-login=no forwarding-enabled=no host-key-size=2048 \
strong-crypto=no
/ip traffic-flow
set active-flow-timeout=30m cache-entries=16k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
yes nat-dst-port=yes nat-src-address=yes nat-src-port=yes out-interface=\
yes packets=yes protocol=yes src-address=yes src-address-mask=yes \
src-mac-address=yes src-port=yes tcp-ack-num=yes tcp-flags=yes \
tcp-seq-num=yes tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no \
use-radius=no
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no \
routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-community=public \
trap-generators="" trap-target="" trap-version=1
/system clock
set time-zone-autodetect=yes time-zone-name=America/New_York
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=ROUTER1
/system leds setting
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no server-dns-names=""
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
720MHz force-backup-booter=no protected-routerboot=disabled silent-boot=\
no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 start-tls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00 secrets=""
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all \
secrets=""
/tool sms
set allowed-number="" channel=0 interface=none keep-max-sms=0 \
receive-enabled=no secret="" sim-pin=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
filter-interface="" filter-ip-address="" filter-ip-protocol="" \
filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" \
filter-operator-between-entries=or filter-port="" filter-stream=no \
memory-limit=100KiB memory-scroll=yes only-headers=no streaming-enabled=\
no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=yes \
stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
use-radius=no
ROUTER 2 / OFFICE 2
# nov/25/2016 16:06:30 by RouterOS 6.37.1
# software id = D5W2-CCDX
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled arp-timeout=auto \
auto-mac=yes disabled=no forward-delay=15s max-message-age=20s mtu=auto \
name=bridge1 priority=0x8000 protocol-mode=rstp transmit-hold-count=6
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
6C:3B:6B:2C:F2:CB master-port=none mtu=1500 name=ether1 orig-mac-address=\
6C:3B:6B:2C:F2:CB rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
6C:3B:6B:2C:F2:CC master-port=none mtu=1500 name=ether2-master \
orig-mac-address=6C:3B:6B:2C:F2:CC rx-flow-control=off speed=100Mbps \
tx-flow-control=off
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
6C:3B:6B:2C:F2:CD master-port=none mtu=1500 name=ether3 orig-mac-address=\
6C:3B:6B:2C:F2:CD rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
6C:3B:6B:2C:F2:CE master-port=none mtu=1500 name=ether4 orig-mac-address=\
6C:3B:6B:2C:F2:CE rx-flow-control=off speed=100Mbps tx-flow-control=off
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled \
arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
6C:3B:6B:2C:F2:CF master-port=none mtu=1500 name=ether5 orig-mac-address=\
6C:3B:6B:2C:F2:CF rx-flow-control=off speed=100Mbps tx-flow-control=off
/queue interface
set bridge1 queue=no-queue
/ip neighbor discovery
set bridge1 discover=yes
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 3 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 4 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 5 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
/interface list
set (unknown) name=all
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" eap-methods=passthrough \
group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
management-protection=disabled management-protection-key="" mode=none \
mschapv2-password="" mschapv2-username="" name=default \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key=\
"" wpa2-pre-shared-key=""
/ip dhcp-client option
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
flash/hotspot html-directory-override="" http-cookie-lifetime=3d \
http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
!insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
transparent-proxy=no
/ip ipsec mode-config
set request-only name=request-only send-dns=yes
/ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
modp1024
/ip pool
add name=dhcp ranges=192.168.1.40-192.168.1.199
add name=dhcp2 ranges=192.168.10.40-192.168.10.199
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay bootp-support=static \
disabled=no interface=bridge1 lease-script="" lease-time=10m name=defconf
add address-pool=dhcp2 authoritative=after-2sec-delay bootp-support=static \
disabled=no interface=ether3 lease-script="" lease-time=10m name=server2
/ppp profile
set *0 address-list="" !bridge !bridge-path-cost !bridge-port-priority \
change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter \
!insert-queue-before !local-address name=default on-down="" on-up="" \
only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit \
!remote-address !session-timeout use-compression=default use-encryption=\
default use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-path-cost !bridge-port-priority \
change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter \
!insert-queue-before !local-address name=default-encryption on-down="" \
on-up="" only-one=default !outgoing-filter !parent-queue !queue-type \
!rate-limit !remote-address !session-timeout use-compression=default \
use-encryption=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2-master queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
/ip neighbor discovery
set ether1 discover=no
set ether2-master discover=yes
set ether3 discover=yes
set ether4 discover=yes
set ether5 discover=yes
/routing bgp instance
set default as=65530 client-to-client-reflection=yes !cluster-id \
!confederation disabled=no ignore-as-path-len=no name=default out-filter=\
"" redistribute-connected=no redistribute-ospf=no redistribute-other-bgp=\
no redistribute-rip=no redistribute-static=no router-id=0.0.0.0 \
routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never !domain-id \
!domain-tag in-filter=ospf-in metric-bgp=auto metric-connected=20 \
metric-default=1 metric-other-ospf=auto metric-rip=20 metric-static=20 \
!mpls-te-area !mpls-te-router-id name=default out-filter=ospf-out \
redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
redistribute-rip=no redistribute-static=no router-id=0.0.0.0 \
!routing-table !use-dn
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
backbone type=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=\
DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=flash/log disk-lines-per-file=1000 \
disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=\
0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=\
bsd-syslog target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
eb,sniff,sensitive,api,romon,!ftp,!write,!policy,!dude" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
ssword,web,sniff,sensitive,api,romon,!ftp,!policy,!dude" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
winbox,password,web,sniff,sensitive,api,romon,dude" skin=default
/caps-man aaa
set interim-update=disabled mac-caching=disabled mac-format=XX:XX:XX:XX:XX:XX \
mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" \
require-peer-certificate=no upgrade-policy=none
/certificate settings
set crl-download=yes
/interface bridge port
add auto-isolate=no bridge=bridge1 disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether4 path-cost=10 point-to-point=auto priority=\
0x80
add auto-isolate=no bridge=bridge1 disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether5 path-cost=10 point-to-point=auto priority=\
0x80
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery settings
set default=yes default-for-dynamic=no
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
max-neighbor-entries=8192 route-cache=yes rp-filter=no secure-redirects=\
yes send-redirects=yes tcp-syncookies=no
/interface l2tp-server server
set allow-fast-path=no authentication=pap,chap,mschap1,mschap2 \
default-profile=default-encryption enabled=no ipsec-secret="" \
keepalive-timeout=30 max-mru=1450 max-mtu=1450 max-sessions=unlimited \
mrru=disabled use-ipsec=no
/interface ovpn-server server
set auth=sha1,md5 cipher=blowfish128,aes128 default-profile=default enabled=\
no keepalive-timeout=60 mac-address=FE:B0:8A:02:63:C6 max-mtu=1500 mode=\
ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
default enabled=no force-aes=no keepalive-timeout=60 max-mru=1500 \
max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any \
verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" \
caps-man-names="" certificate=none discovery-interfaces="" enabled=no \
interfaces="" lock-to-caps-man=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.1.1/24 comment=defconf disabled=no interface=bridge1 \
network=192.168.1.0
add address=192.168.10.1/24 disabled=no interface=ether3 network=192.168.10.0
/ip cloud
set ddns-enabled=no update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 \
dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=\
yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.1.0/24 caps-manager="" comment=defconf dhcp-option="" \
dns-server="" gateway=192.168.1.1 netmask=24 ntp-server="" wins-server=""
add address=192.168.10.0/24 caps-manager="" comment=defconf dhcp-option="" \
dns-server="" gateway=192.168.10.1 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
servers=""
/ip dns static
add address=192.168.10.1 disabled=no name=router regexp="" ttl=1d
add address=192.168.10.12 disabled=no name=digital-sanctuary.org regexp="" \
ttl=1d
add address=192.168.10.12 disabled=no name=michaelsawicki.com regexp="" ttl=\
1d
/ip firewall address-list
add address=73.134.100.178 disabled=no list=WAN
/ip firewall filter
add action=accept chain=forward !connection-bytes !connection-limit \
!connection-mark !connection-nat-state !connection-rate !connection-state \
!connection-type !content disabled=no !dscp dst-address=192.168.10.0/24 \
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
!layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
!out-bridge-port-list !out-interface !out-interface-list !p2p \
!packet-mark !packet-size !per-connection-classifier !port !priority \
!protocol !psd !random !routing-mark !routing-table src-address=\
192.168.4.0/24 !src-address-list !src-address-type !src-mac-address \
!src-port !tcp-flags !tcp-mss !time !ttl
add action=accept chain=forward !connection-bytes !connection-limit \
!connection-mark connection-nat-state=!srcnat,dstnat !connection-rate \
!connection-state !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
in-interface=bridge1 !in-interface-list !ingress-priority !ipsec-policy \
!ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-bridge-port-list out-interface=ether1 \
!out-interface-list !p2p !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!ttl
add action=drop chain=forward !connection-bytes !connection-limit \
!connection-mark !connection-nat-state !connection-rate connection-state=\
!established,related !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options in-bridge-port=ether5 \
!in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
!ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
!nth !out-bridge-port !out-bridge-port-list !out-interface \
!out-interface-list !p2p !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type src-mac-address=!A0:8D:16:FF:F3:46 !src-port !tcp-flags \
!tcp-mss !time !ttl
add action=accept chain=forward !connection-bytes !connection-limit \
!connection-mark !connection-nat-state !connection-rate connection-state=\
!established,related !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
in-interface=bridge1 !in-interface-list !ingress-priority !ipsec-policy \
!ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-bridge-port-list out-interface=bridge1 \
!out-interface-list !p2p !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!ttl
add action=drop chain=forward !connection-bytes !connection-limit \
!connection-mark !connection-nat-state !connection-rate connection-state=\
!established,related !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
!in-interface !in-interface-list !ingress-priority !ipsec-policy \
!ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-bridge-port-list out-interface=bridge1 \
!out-interface-list !p2p !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type src-mac-address=!A0:8D:16:FF:F3:46 !src-port !tcp-flags \
!tcp-mss !time !ttl
add action=accept chain=input comment="defconf: accept ICMP" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate !connection-state !connection-type \
!content disabled=no !dscp !dst-address !dst-address-list \
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
!in-bridge-port !in-interface !ingress-priority !ipsec-policy \
!ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-interface !p2p !packet-mark !packet-size \
!per-connection-classifier !port !priority protocol=icmp !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!ttl
add action=accept chain=input comment="defconf: accept established,related" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate connection-state=\
established,related !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-interface \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
!packet-mark !packet-size !per-connection-classifier !port !priority \
!protocol !psd !random !routing-mark !routing-table !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time !ttl
add action=drop chain=input comment="defconf: drop all from WAN" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate !connection-state !connection-type \
!content disabled=no !dscp !dst-address !dst-address-list \
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
!in-bridge-port in-interface=ether1 !ingress-priority !ipsec-policy \
!ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-interface !p2p !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!ttl
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate connection-state=\
established,related !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-interface \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
!packet-mark !packet-size !per-connection-classifier !port !priority \
!protocol !psd !random !routing-mark !routing-table !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time !ttl
add action=accept chain=forward comment="defconf: accept established,related" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate connection-state=\
established,related !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-interface \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
!packet-mark !packet-size !per-connection-classifier !port !priority \
!protocol !psd !random !routing-mark !routing-table !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time !ttl
add action=drop chain=forward comment="defconf: drop invalid" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate connection-state=invalid \
!connection-type !content disabled=no !dscp !dst-address \
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
!hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
!ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
!nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!ttl
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" !connection-bytes \
!connection-limit !connection-mark connection-nat-state=!dstnat \
!connection-rate connection-state=new !connection-type !content disabled=\
no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
!dst-port !fragment !hotspot !icmp-options !in-bridge-port in-interface=\
ether1 !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol \
!limit log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
!packet-mark !packet-size !per-connection-classifier !port !priority \
!protocol !psd !random !routing-mark !routing-table !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time !ttl
/ip firewall mangle
# in/out-interface matcher not possible when interface (ether5) is slave - use master instead (bridge1)
add action=mark-packet chain=forward !connection-bytes !connection-limit \
!connection-mark !connection-nat-state !connection-rate !connection-state \
!connection-type !content disabled=no !dscp !dst-address \
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list in-interface=\
ether5 !in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
!layer7-protocol !limit log=no log-prefix="" new-packet-mark=5m3 !nth \
!out-bridge-port !out-bridge-port-list out-interface=ether3 \
!out-interface-list !p2p !packet-mark !packet-size passthrough=yes \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!ttl
/ip firewall nat
add action=accept chain=srcnat !connection-bytes !connection-limit \
!connection-mark !connection-rate !connection-type !content disabled=no \
!dscp dst-address=192.168.4.0/24 !dst-address-list !dst-address-type \
!dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
!ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
!nth !out-bridge-port !out-bridge-port-list out-interface=ether1 \
!out-interface-list !packet-mark !packet-size !per-connection-classifier \
!port !priority !protocol !psd !random !routing-mark !routing-table \
src-address=192.168.10.0/24 !src-address-list !src-address-type \
!src-mac-address !src-port !tcp-mss !time !to-addresses !to-ports !ttl
add action=masquerade chain=srcnat comment="defconf: masquerade" \
!connection-bytes !connection-limit !connection-mark !connection-rate \
!connection-type !content disabled=no !dscp !dst-address \
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
!hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
!ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
!nth !out-bridge-port out-interface=ether1 !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-mss !time !to-addresses \
!to-ports !ttl
add action=dst-nat chain=dstnat !connection-bytes !connection-limit \
!connection-mark !connection-rate !connection-type !content disabled=no \
!dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
dst-port=443 !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list in-interface=ether1 !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority protocol=tcp !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
192.168.10.12 to-ports=443 !ttl
add action=dst-nat chain=dstnat !connection-bytes !connection-limit \
!connection-mark !connection-rate !connection-type !content disabled=no \
!dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
dst-port=80 !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list in-interface=ether1 !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority protocol=tcp !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
192.168.10.12 to-ports=80 !ttl
add action=dst-nat chain=dstnat !connection-bytes !connection-limit \
!connection-mark !connection-rate !connection-type !content disabled=no \
!dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
dst-port=21 !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list in-interface=ether1 !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority protocol=tcp !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
192.168.10.12 to-ports=21 !ttl
add action=dst-nat chain=dstnat !connection-bytes !connection-limit \
!connection-mark !connection-rate !connection-type !content disabled=no \
!dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
dst-port=58000-60000 !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list in-interface=ether1 !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority protocol=tcp !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
192.168.10.12 to-ports=58000-60000 !ttl
add action=dst-nat chain=dstnat !connection-bytes !connection-limit \
!connection-mark !connection-rate !connection-type !content disabled=no \
!dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
dst-port=8088 !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list in-interface=ether1 !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority protocol=tcp !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
192.168.10.12 to-ports=8088 !ttl
add action=dst-nat chain=dstnat !connection-bytes !connection-limit \
!connection-mark !connection-rate !connection-type !content disabled=no \
!dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
dst-port=25565 !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list in-interface=ether1 !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority protocol=tcp !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-mss !time to-addresses=\
192.168.10.12 to-ports=25565 !ttl
/ip firewall raw
add action=notrack chain=prerouting !content disabled=no !dscp dst-address=\
192.168.4.0/24 !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-interface !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !limit log=no log-prefix="" \
!nth !out-interface !out-interface-list !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
src-address=192.168.10.0/24 !src-address-list !src-address-type \
!src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
add action=notrack chain=prerouting !content disabled=no !dscp dst-address=\
192.168.12.0/24 !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-interface !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !limit log=no log-prefix="" \
!nth !out-interface !out-interface-list !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
src-address=192.168.4.0/24 !src-address-list !src-address-type \
!src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
disabled=no name=default-trial
/ip ipsec peer
add address=50.XXX.XXX.XXX/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
aes-128,3des exchange-mode=main generate-policy=no hash-algorithm=sha1 \
lifebytes=0 lifetime=1d local-address=0.0.0.0 nat-traversal=no passive=no \
policy-template-group=default port=500 proposal-check=obey secret=test \
send-initial-contact=yes
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.4.0/24 group=default proposal=default \
protocol=all src-address=192.168.10.0/24 template=yes
add disabled=no dst-address=192.168.4.0/24 group=default proposal=default \
protocol=all src-address=192.168.10.0/24 template=yes
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
max-cache-object-size=2048KiB max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
src-address=::
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80
set ssh address="" disabled=yes port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
set api-ssl address="" certificate=none disabled=yes port=8729
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip ssh
set always-allow-password-login=no forwarding-enabled=no host-key-size=2048 \
strong-crypto=no
/ip traffic-flow
set active-flow-timeout=30m cache-entries=16k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
yes nat-dst-port=yes nat-src-address=yes nat-src-port=yes out-interface=\
yes packets=yes protocol=yes src-address=yes src-address-mask=yes \
src-mac-address=yes src-port=yes tcp-ack-num=yes tcp-flags=yes \
tcp-seq-num=yes tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no \
use-radius=no
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no \
routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-community=public \
trap-generators="" trap-target="" trap-version=1
/system clock
set time-zone-autodetect=yes time-zone-name=America/New_York
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=ROUTER2
/system leds setting
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no server-dns-names=""
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
720MHz force-backup-booter=no protected-routerboot=disabled silent-boot=\
no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 start-tls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00 secrets=""
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all \
secrets=""
/tool sms
set allowed-number="" channel=0 interface=none keep-max-sms=0 \
receive-enabled=no secret="" sim-pin=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any \
filter-interface="" filter-ip-address="" filter-ip-protocol="" \
filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" \
filter-operator-between-entries=or filter-port="" filter-stream=no \
memory-limit=100KiB memory-scroll=yes only-headers=no streaming-enabled=\
no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=yes \
stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
use-radius=no