Wireguard slow speed

Greetings,
I am sure I have something wrong. Two hAP ac² routers.
I am using IPSEC with speed 15Mbps; when I turn IPSEC off and use WireGuard it is 9Mbps.
The throughput of the connection between sites is 70Mbps.
What could be wrong? MTU 1420, tried with 1400, same results.

post configs of both devices…

As requested, both configs please.
Wireguard should normally (when properly configured) be a bit faster than IPSEC.

BTW, it's not normal either that you only get 15Mbps when the connection between both devices is 70Mbps. I think. Are you sure about that 70? Both up and down, nothing in between?
What encryption are you using for IPSEC?
Some encryption engines can be HW offloaded on the hAP ac², some not.
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration

For WG it's only the processor which plays a role. No HW offloading.

Edit: stupid typo …

I have grayed out the wireguard routes for now until I figure out why it's not working, will use IPSEC.
Attachments: Screenshot_264.png, Screenshot_265.png, Screenshot_266.png, Screenshot_267.png, Screenshot_268.png, Screenshot_269.png

A pity you spent time on these screenshots…

Config export is done using the terminal:
/export file=anynameyouwish
Then review the file contents for sensitive info and post them between [__code] quotes.

And you did not answer my other question either.
How do you know you got 70Mbps end to end both ways?

Most likely your issue is not with the config of WG nor IPSEC.
That's why we need to see all and get all relevant info.

I see nothing that can be useful on those screenshots, only angry red marker painting.
How did you do the bandwidth tests?

I have tested with fast.com:
one line 100/25
and the second line 600/600.
So when I download from the second line to the first line I should have 70Mbps easy.
All lines tested with real-world downloads. For example Steam had 10MB/s on the 100/25 line.

I read somewhere that the fasttrack might be a problem?
Thank you

xD I like red colors xD
By using fast.com

Your limit is 25.

The wording is a bit off - he is downloading (100Mbps) from the second site (600Mbps), so in ideal/perfect situations it would be close to 100Mbps.

Have you tried iperf3 between sites?

If he's working from site 1 to site 2, the limit is 25Mbps.
Download for site 2 is UPLOAD on site 1! We're talking site-to-site connection here, right?
Upload on site 1 is max 25, no more.
The other way around the max would be 100Mbps. Theoretically, since whatever VPN protocol you choose, there is some overhead to be subtracted.

For WG that's (depending on speed) of the order of 10-15%, for IPSEC it will be a bit more overhead.
(OpenVPN is a lot worse …)

But again …
we need to have a full view on the configs and the way those tests are performed.
If doing btest from Mikrotik to Mikrotik, there is a double CPU impact on those devices (btest client/server AND Wireguard encryption).
With a theoretical 100/25 as possible throughput, I would expect Wireguard to be in the order of 80/20, at least.
Even for IPSEC when testing from site 1 to site 2, I still think it is too low (15 on 25Mbps = 40% overhead, should be better especially if HW offloading can be used).

Ideal way to test:
computer on site 1 with iperf3
connection to Mikrotik 1
WG connection (or IPSEC)
Mikrotik 2
computer behind Mikrotik 2 with iperf3 server

And then test both upstream and downstream from computer 1 to computer 2.
Reverse server/client on the iperf3 part (test from computer 2 to computer 1) to be sure all bases are covered.
Zero impact on the Mikrotik devices from the testing process, only the real wireguard (or ipsec) communication on those devices.

For illustration…

My home connection is theoretically 200/20, practically it is 190/19 (I test it every hour so I know).
At work I have a Windows 2016 VM server sitting behind a theoretical 80/80 connection, connected using WG to home.
Using a regular speedtest on that server, I see 76 down and 75 up. Just to get a reference.

When testing using iperf I get 18.4 from home to server (home limit acting here) and 61 from server to home (server limit and probably also the encryption process acting here).
(The last figure could have been a bit higher but maybe something else is playing in between, something I can not check.)

In both cases I see CPU on my hEX going towards 18% and 70% respectively. Going up, but the CPU still has room.
On that server the CPU is (almost literally) doing nothing… :laughing:
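Putting numbers to the two points made above (the encapsulation overhead of WireGuard, and the iperf3 test between two computers through the tunnel), here is an added worked example; it is not code from this thread or from MikroTik. It models the per-packet overhead of a WireGuard data message over IPv4 plus the Ethernet/VLAN/PPPoE framing of site A's uplink, which gives the TCP goodput ceiling the tunnel could reach on the 100/25 and 600/600 links from the thread, and then grades iperf3 -J results against that ceiling and against the 80% rule of thumb. The PPPoE link MTU of 1492, the absence of TCP options, and the iperf3 JSON documents are assumptions or constructed sample data, and RouterOS is assumed to follow the Linux kernel's padding rule.

```python
"""Added example (not from the thread or from MikroTik): estimate how much TCP
goodput a WireGuard site-to-site tunnel can carry on a given link, and grade
iperf3 results against that expectation.  Link rates (100/25 and 600/600 Mbps),
the WireGuard MTU of 1420 and the PPPoE-over-VLAN uplink at site A come from the
thread; the PPPoE link MTU of 1492 and the iperf3 JSON documents below are
constructed sample values, not real measurements."""
import json

# WireGuard transport data message over IPv4, per packet:
#   outer IPv4 20 + UDP 8 + WG header 16 (type/reserved 4, receiver index 4,
#   counter 8) + Poly1305 tag 16 = 60 bytes.  An IPv6 outer header adds 20 more.
WG_OVERHEAD_IPV4 = 60
WG_OVERHEAD_IPV6 = 80

# Link-layer framing that is on the wire but not counted in any IP MTU.
ETHERNET_FRAMING = 14 + 4   # MAC header + FCS
VLAN_TAG = 4
PPPOE_FRAMING = 8           # PPPoE header 6 + PPP protocol field 2

INNER_IPV4_TCP = 20 + 20    # inner IPv4 + TCP header, no TCP options (assumption)


def _framing(pppoe, vlan):
    return ETHERNET_FRAMING + (VLAN_TAG if vlan else 0) + (PPPOE_FRAMING if pppoe else 0)


def wg_goodput_efficiency(wg_mtu, outer_ipv6=False, pppoe=False, vlan=False):
    """Share of wire bits that carry TCP payload for full-size tunnelled packets.

    WireGuard pads plaintext to a multiple of 16 bytes but never beyond the
    interface MTU, so a packet that already fills the tunnel MTU is not padded
    (Linux kernel behaviour; assumed to hold for RouterOS as well)."""
    tunnel = WG_OVERHEAD_IPV6 if outer_ipv6 else WG_OVERHEAD_IPV4
    payload = wg_mtu - INNER_IPV4_TCP
    wire = wg_mtu + tunnel + _framing(pppoe, vlan)
    return payload / wire


def plain_goodput_efficiency(link_mtu, pppoe=False, vlan=False):
    """Same figure for untunnelled TCP on the raw link, for comparison."""
    return (link_mtu - INNER_IPV4_TCP) / (link_mtu + _framing(pppoe, vlan))


def grade_iperf3(iperf3_json, sender_uplink_mbps, receiver_downlink_mbps,
                 efficiency, target=0.80):
    """Compare one `iperf3 -J` result with the link bottleneck in that direction.

    Only the receiver-side figure (end.sum_received) is used, since that is what
    actually got through the tunnel.  `target` is the 80 % of the bottleneck the
    thread regards as the least WireGuard should deliver."""
    result = json.loads(iperf3_json)
    if "error" in result:
        raise ValueError(f"iperf3 reported: {result['error']}")
    achieved = result["end"]["sum_received"]["bits_per_second"] / 1e6
    bottleneck = min(sender_uplink_mbps, receiver_downlink_mbps)
    return {
        "achieved_mbps": round(achieved, 1),
        "bottleneck_mbps": bottleneck,
        "encapsulation_ceiling_mbps": round(bottleneck * efficiency, 1),
        "fraction_of_bottleneck": round(achieved / bottleneck, 3),
        "meets_target": achieved >= target * bottleneck,
    }


# Constructed iperf3 -J excerpts (only the fields this script reads).
# Site B (600/600) sending to site A (100/25): the ~9 Mbps reported in the thread.
SAMPLE_B_TO_A = json.dumps(
    {"end": {"sum_sent": {"bits_per_second": 9_300_000.0},
             "sum_received": {"bits_per_second": 9_000_000.0}}})
# Site A sending to site B: a healthy run, capped by site A's 25 Mbps upload.
SAMPLE_A_TO_B = json.dumps(
    {"end": {"sum_sent": {"bits_per_second": 22_600_000.0},
             "sum_received": {"bits_per_second": 22_100_000.0}}})


if __name__ == "__main__":
    eff_1420 = wg_goodput_efficiency(1420, pppoe=True, vlan=True)
    eff_1400 = wg_goodput_efficiency(1400, pppoe=True, vlan=True)
    print(f"WG MTU 1420 over PPPoE/VLAN: {eff_1420:.1%} of wire bits are payload")
    print(f"WG MTU 1400 over PPPoE/VLAN: {eff_1400:.1%}  (MTU change barely matters)")
    print(f"No tunnel, PPPoE MTU 1492:   "
          f"{plain_goodput_efficiency(1492, pppoe=True, vlan=True):.1%}")
    print("B -> A:", grade_iperf3(SAMPLE_B_TO_A, 600, 100, eff_1420))
    print("A -> B:", grade_iperf3(SAMPLE_A_TO_B, 25, 600, eff_1420))
```

Feed it the real `iperf3 -J` output saved from each direction (client behind one router, server behind the other). Comparing the 1420 and 1400 rows shows why changing the tunnel MTU barely moves the needle: full-size packets lose roughly 9% to headers either way, so a result far below the ceiling points at CPU, queues or the test method rather than at the MTU.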

He is at site 1 downloading from site 2, from what I understand.

At least I can interpret it both ways.
It’s not clear.

Anyhow, the point I made as well is that whatever limit there is in place, WG should be able to get over at least 80% throughput (even 90%).
Can't speak for IPSEC, I don't use it that much (I HATE the setup troubles it gives …).

edit: duplicate

What is not clear to me is which device is the peer and which is the server for the initial connection.
Nor is the use of the tunnel clear. Did you want to use the internet of the server from the peer…
Not seeing the configs, your complaints have no merit…
Nor do I have any faith in the basics of your wireguard config as you don't have either of the two devices with a persistent keepalive set.

@holvoetn's assessment is 100% correct.

Throughput is always subject to the weakest link plus ISP idiosyncrasies.

Symmetrical connections enjoyed by both PEERS under WireGuard will under excellent circumstances provide 90% or better performance of the subscribed bandwidth, assuming peers are capable.

Asymmetrical connections under WireGuard are always subject to the weakest upload peer and even there WG will exploit 90% or better of the weakest link.

Symmetrical = Upload/Download are equal or within 1% of equal
Asymmetrical = Upload/Download are not equal ever.

When Peer A is Symmetrical and Peer B is Asymmetrical the weakest link governs in both directions.
When Peer A is Symmetrical and Peer B is Symmetrical the performance is usually within the effective range [90% or better].

This is why when testing bandwidth iperf is the preferred mechanism since it is best in exploiting the PEER capabilities/shortcomings.

I am very sorry to everybody for the poor info. I really thought that there was some checkbox and all would work correctly.
I will perform a bandwidth test between the routers and will prepare full config exports. :astonished:
P.S. The transfer is from 600/600 to 100/25.

I hope there is no confidential data D:
SITE B 600/600
192.168.5.0/24

# may/01/2022 18:15:11 by RouterOS 7.2.1
# software id = EU0G-52A4

/caps-man channel
add band=2ghz-b/g/n name=channel_2g
add band=5ghz-a/n/ac name=channel_5g
add band=2ghz-b/g/n name=channel_2g_guest
/interface bridge
add admin-mac=TOPSECRET auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge_guest
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce
country=TOPSECRET disabled=no distance=indoors frequency=2427 installation=
indoor mode=ap-bridge ssid=TOPSECRET station-roaming=enabled
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX country=TOPSECRET disabled=no distance=indoors frequency=
auto installation=indoor mode=ap-bridge ssid=TOPSECRET station-roaming=
enabled wireless-protocol=802.11
/interface ipip
add allow-fast-path=no local-address=TOPSECRET name=TOPSECRET
remote-address=TOPSECRET
/interface wireguard
add listen-port=TOPSECRET mtu=1420 name=wireguard1
/caps-man configuration
add channel=channel_2g country=TOPSECRET datapath.bridge=bridge name=config_2g
security.authentication-types=wpa2-psk ssid=TOPSECRET
add channel=channel_5g country=TOPSECRET datapath.bridge=bridge name=config_5g
security.authentication-types=wpa2-psk ssid=TOPSECRET
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes name=datapath1
add bridge=bridge_guest name=datapath_guest
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm
name=security1
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm
name=security_guest
/caps-man configuration
add channel=channel_2g_guest country=TOPSECRET datapath=datapath_guest
datapath.bridge=bridge_guest name=config_2g_guest security=security_guest
ssid=home_guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WLAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=
tkip,aes-ccm mode=dynamic-keys name=profile1 supplicant-identity=""
unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=
profile_guest supplicant-identity=""
/interface wireless
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=
TOPSECRET master-interface=wlan1 multicast-buffering=disabled
name=wlan_guest security-profile=profile_guest ssid=home_guest
station-roaming=enabled wds-cost-range=0 wds-default-cost=0 wps-mode=
disabled
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-192,aes-128 name=profile1
nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc,aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.5.50-192.168.5.254
add name=dhcp_guest ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=3h name=dhcp
add address-pool=dhcp_guest interface=bridge_guest name=dhcp_guest
/ppp profile
add bridge=bridge name=OVPN remote-address=dhcp
/queue simple
add max-limit=400M/400M name=queue1 target=192.168.5.7/32
add max-limit=30M/30M name=wifi_guest target=10.10.10.0/24
add max-limit=100M/100M name=TOPSECRET target=192.168.5.181/32
add disabled=yes max-limit=100M/100M name=TOPSECRET target=
192.168.5.223/32
add disabled=yes max-limit=64k/64k name="TOPSECRET" target=192.168.5.227/32
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,rest-api"
/caps-man access-list
add action=accept allow-signal-out-of-range=5s disabled=no interface=all
signal-range=-87..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=5s disabled=no interface=all
signal-range=-120..-88 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=config_2g
add disabled=yes master-configuration=config_2g
add disabled=yes master-configuration=config_5g
add action=create-dynamic-enabled hw-supported-modes=ac,an
master-configuration=config_5g
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=
config_2g slave-configurations=config_2g_guest
add action=create-dynamic-enabled disabled=yes hw-supported-modes=gn
master-configuration=config_2g_guest
add action=create-dynamic-enabled disabled=yes master-configuration=
config_2g_guest
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=wlan2
add bridge=bridge_guest ingress-filtering=no interface=wlan_guest
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wlan1 list=WLAN
add interface=wlan2 list=WLAN
/interface ovpn-server server
set auth=sha1 certificate=server2021 cipher=aes256 default-profile=OVPN
enabled=yes mode=ethernet port=TOPSECRET require-client-certificate=yes
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=TOPSECRET endpoint-port=
TOPSECRET interface=wireguard1 public-key=
"TOPSECRET"
/ip address
add address=192.168.5.1/24 comment=defconf interface=bridge network=
192.168.5.0
add address=TOPSECRET/24 comment="TOPSECRET" disabled=yes
interface=ether1 network=TOPSECRET
add address=10.10.10.1/24 interface=bridge_guest network=10.10.10.0
add address=10.20.32.2/30 interface=IPsec_TOPSECRET network=10.20.32.0
add address=172.16.2.2/30 interface=wireguard1 network=172.16.2.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=clientid,hostname interface=ether1
add !dhcp-options disabled=yes interface=wlan1
/ip dhcp-server lease
TOPSECRET
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=1d chain=input comment="Port scanners to list "
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan"
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=tcp
src-address-list=allowed_remote_ips
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=udp
src-address-list=allowed_remote_ips
add action=accept chain=input dst-port=TOPSECRET protocol=udp
add action=drop chain=input comment="dropping port scanners"
src-address-list="port scanners"
add action=drop chain=input comment=block_guests_to_local_input dst-address=
10.10.10.1 dst-port=80,21,22,23,8291 protocol=tcp src-address-list=
guest_users
add action=drop chain=input comment=block_guests_to_local_lan dst-address=
192.168.5.0/24 src-address-list=guest_users
add action=drop chain=forward dst-address=10.0.0.0/8 out-interface=ether1
protocol=tcp src-address=192.168.5.0/24
add action=drop chain=forward dst-address=10.0.0.0/8 out-interface=ether1
protocol=icmp src-address=192.168.5.0/24
add action=drop chain=forward dst-address=192.168.5.0/24 in-interface=ether1
protocol=tcp src-address=10.0.0.0/8
add action=drop chain=forward dst-address=10.0.0.0/8 out-interface=ether1
protocol=tcp
add action=accept chain=input dst-port=11944 protocol=tcp
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input disabled=yes dst-port=80 protocol=tcp
src-address=TOPSECRET
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=
allowed_remote_ips
add action=accept chain=input dst-port=8291 in-interface=IPsec_TOPSECRET
protocol=tcp
add action=accept chain=input disabled=yes dst-port=80 protocol=tcp
add action=accept chain=input disabled=yes dst-port=443 protocol=tcp
add action=accept chain=forward dst-port=8006 protocol=tcp src-address-list=
allowed_remote_ips
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=forward disabled=yes dst-port=10000 in-interface=
ether1 protocol=tcp src-address=TOPSECRET
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=8291 in-interface=bridge protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=input dst-port=22 in-interface=bridge protocol=tcp
add action=accept chain=input dst-port=21 in-interface=bridge protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-address=TOPSECRET
dst-port=80 protocol=tcp src-address-list=CountryIPBlocks to-addresses=
192.168.5.187
add action=dst-nat chain=dstnat disabled=yes dst-address=TOPSECRET
dst-port=443 protocol=tcp src-address-list=CountryIPBlocks to-addresses=
192.168.5.187
add action=dst-nat chain=dstnat disabled=yes dst-address=TOPSECRET
dst-port=80 protocol=tcp src-address-list=all_local to-addresses=
192.168.5.187
add action=dst-nat chain=dstnat disabled=yes dst-address=TOPSECRET
dst-port=443 protocol=tcp src-address-list=all_local to-addresses=
192.168.5.187
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.187
dst-port=80 out-interface=bridge protocol=tcp src-address=192.168.5.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.187
dst-port=443 out-interface=bridge protocol=tcp src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface=wireguard1
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WLAN
add action=masquerade chain=srcnat comment="defconf: masquerade"
dst-address-list=guest_users ipsec-policy=out,none
add action=netmap chain=dstnat dst-port=TOPSECRET in-interface=ether1 protocol=tcp
src-address-list=allowed_remote_ips to-addresses=192.168.5.5
add action=netmap chain=dstnat dst-port=TOPSECRET in-interface=ether1 protocol=
tcp src-address-list=allowed_remote_ips to-addresses=192.168.5.192
add action=netmap chain=dstnat dst-port=TOPSECRET in-interface=ether1 protocol=
udp src-address-list=allowed_remote_ips to-addresses=192.168.5.192
add action=netmap chain=dstnat disabled=yes dst-port=10000 in-interface=
ether1 protocol=tcp src-address=151.237.56.5 to-addresses=192.168.5.15
add action=accept chain=srcnat out-interface=ether1
/ip firewall service-port
set sip disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add disabled=yes dst-address=0.0.0.0/0 gateway=TOPSECRET
add disabled=no distance=1 dst-address=192.168.6.0/24 gateway=10.20.32.1
pref-src="" routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add disabled=yes distance=1 dst-address=192.168.6.0/24 gateway=172.16.2.1
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp interfaces
add interface=wlan1
/ppp secret
add local-address=192.168.5.1 name=TOPSECRET profile=OVPN remote-address=
192.168.5.49 service=ovpn
/system clock
set time-zone-name=TOPSECRET
/system identity
set name=TOPSECRET_MT_ROUTER
/system ntp client
set enabled=yes
/system ntp client servers
add address=TOPSECRET
/system package update
set channel=long-term
/system routerboard settings
set cpu-frequency=716MHz
/system scheduler
add name=schedule1 on-event=":delay 30\r
\n/system script run script1" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-time=startup
/system script
add dont-require-permissions=no name=script1 owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":
delay 1\r
\n\r
\n:local reportBody ""\r
\n\r
\n:local deviceName [/system identity get name]\r
\n:local deviceDate [/system clock get date]\r
\n:local deviceTime [/system clock get time]\r
\n:local hwModel [/system routerboard get model]\r
\n:local rosVersion [/system package get system version]\r
\n:local currentFirmware [/system routerboard get current-firmware]\r
\n:local upgradeFirmware [/system routerboard get upgrade-firmware]\r
\n\r
\n\r
\n:set reportBody ($reportBody . "Router Reboot Report for $deviceName
\n")\r
\n:set reportBody ($reportBody . "Report generated on $deviceDate at $deviceTime\n\n")\r
\n\r
\n:set reportBody ($reportBody . "Hardware Model: $hwModel\n")\r
\n:set reportBody ($reportBody . "RouterOS Version: $rosVersion\n")\r
\n:set reportBody ($reportBody . "Current Firmware: $currentFirmware\n")\r
\n:set reportBody ($reportBody . "Upgrade Firmware: $upgradeFirmware")
\r
\nif ( $currentFirmware < $upgradeFirmware) do={\r
\n:set reportBody ($reportBody . "NOTE: You should upgrade the RouterBOARD firmware!\n")\r
\n}\r
\n\r
\n:set reportBody ($reportBody . "\n\n=== Critical Log Events ===\n"
_)\r
\n\r
\n:local x\r
\n:local ts\r
\n:local msg\r
\nforeach i in=([/log find where topics~"critical"]) do={\r
\n:set $ts [/log get $i time]\r
\n:set $msg [/log get $i message]\r
\n:set $reportBody ($reportBody . $ts . " " . $msg . "\n" )\r
\n}\r
\n\r
\n:set reportBody ($reportBody . "\n=== end of report ===\n")\r
\n\r
\n/tool e-mail send subject="[$deviceName] Router Reboot Report" to="a
TOPSECRET" body=$reportBody"
/system watchdog
set ping-start-after-boot=1h ping-timeout=2m watch-address=1.1.1.1
watchdog-timer=no
/tool e-mail
set address=TOPSECRET from=TOPSECRET port=TOPSECRET tls=starttls user=
TOPSECRET
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set file-name=packetsniff filter-ip-address=192.168.5.40/32
filter-operator-between-entries=and

SITE A 100/25
192.168.6.0/24

# may/01/2022 18:15:37 by RouterOS 7.2
# software id = H7WM-PZPA
# model = RBD52G-5HacD2HnD

/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=channel1
add band=2ghz-g/n control-channel-width=20mhz frequency=2442 name=channel2
add band=2ghz-g/n control-channel-width=20mhz frequency=2472 name=channel3
/interface bridge
add admin-mac=TOPSECRET auto-mac=no comment=defconf disabled=yes
name=bridge
add admin-mac=TOPSECRET auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway-internet
set [ find default-name=ether2 ] comment=NEO name=ether2-master-local
set [ find default-name=ether3 ] comment=SWITCH name=ether3-slave-local
set [ find default-name=ether4 ] comment=TOPSECRET name=ether4-slave-local
set [ find default-name=ether5 ] comment=AP_0
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode
band=2ghz-g/n channel-width=20/40mhz-XX country="TOPSECRET"
disabled=no distance=indoors frequency=auto installation=indoor mode=
ap-bridge ssid=TOPSECRET wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX country="TOPSECRET" disabled=no distance=indoors
frequency=auto hide-ssid=yes installation=indoor mode=ap-bridge ssid=
TOPSECRET wireless-protocol=802.11
/interface ipip
add allow-fast-path=no local-address=TOPSECRET name=IPsec_TOPSECRET
remote-address=TOPSECRET
add allow-fast-path=no local-address=TOPSECRET mtu=1480 name=IPsec_TOPSECRET
remote-address=TOPSECRET
/interface wireguard
add listen-port=TOPSECRET mtu=1420 name=wireguard1
/interface vlan
add interface=ether1-gateway-internet name=vlan1 vlan-id=848
/caps-man datapath
add bridge=bridge-local name=datapath1
/caps-man configuration
add channel=channel1 channel.band=2ghz-g/n country="TOPSECRET" datapath=
datapath1 datapath.client-to-client-forwarding=no .local-forwarding=no
distance=indoors hide-ssid=no mode=ap name=Config
security.authentication-types=wpa2-psk .disable-pmkid=yes .encryption=
aes-ccm .group-encryption=aes-ccm ssid=TOPSECRET
add channel=channel2 channel.band=2ghz-g/n country="TOPSECRET" datapath=
datapath1 datapath.client-to-client-forwarding=no .local-forwarding=no
distance=indoors hide-ssid=no mode=ap name=cfg1
security.authentication-types=wpa2-psk .disable-pmkid=yes .encryption=
aes-ccm .group-encryption=aes-ccm ssid=TOPSECRET
add channel=channel3 channel.band=2ghz-g/n country="TOPSECRET" datapath=
datapath1 datapath.client-to-client-forwarding=no .local-forwarding=no
distance=indoors hide-ssid=no mode=ap name=cfg2
security.authentication-types=wpa2-psk .disable-pmkid=yes .encryption=
aes-ccm .group-encryption=aes-ccm ssid=TOPSECRET
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 user=
TOPSECRET
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes
eap-methods="" group-key-update=1h mode=dynamic-keys supplicant-identity=
MikroTik
add authentication-types=wpa2-psk eap-methods=“” mode=dynamic-keys name=
profile1 supplicant-identity=""
/interface wireless
add keepalive-frames=disabled mac-address=TOPSECRET master-interface=
wlan1 multicast-buffering=disabled name=wlan3 security-profile=profile1
ssid=killme wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-192,aes-128 name=profile_1
nat-traversal=no
/ip ipsec peer
add address=TOPSECRET/32 disabled=yes name=peer1 profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc,aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.6.101-192.168.6.230
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=
bridge-local lease-script=":local recipient "TOPSECRET"\r
\n/ip dhcp-server lease\r
\n:if ($leaseBound = 1 && [ get [ find where mac-address=$leaseActMAC ]
dynamic ] = true) do={\r
\n\t:do {\r
\n\t\t:tool e-mail send to=$recipient subject="DHCP Address Alert [MAC:
$leaseActMAC]" body="TOPSECRET - The following MAC address [$leaseActMAC]
_received an IP address [$leaseActIP] with hostname [$host-name]"\r
\n\t\t:log info "Sent DHCP alert for MAC $leaseActMAC"\r
\n\t} on-error={:log error "Failed to send alert email to $recipient"}
\r
\n}" lease-time=6h name=default
/ppp profile
add local-address=default-dhcp name=pptpprofile remote-address=default-dhcp
add bridge=bridge-local name=OpenVPN_TOPSECRET remote-address=default-dhcp
/queue simple
add disabled=yes max-limit=100M/100M name=queue1 target=192.168.6.0/24
add dst=IPsec_TOPSECRET max-limit=3M/50M name=skynet-backup target=192.168.6.7/32
add dst=TOPSECRET/32 max-limit=8M/40M name=TOPSECRET target=
192.168.6.66/32
add dst=192.168.5.0/24 max-limit=15M/50M name=TOPSECRET<>TOPSECRET target=
192.168.6.66/32
add disabled=yes dst=pppoe-out1 max-limit=3M/20M name=TOPSECRET target=
192.168.6.66/32
add dst=pppoe-out1 max-limit=5M/40M name=TOPSECRET target=192.168.6.74/32
add max-limit=50M/50M name=TOPSECRET target=192.168.7.49/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=pppoe-out1
max-limit=4M/60M name=hoax_linux_cp_8-0 target=192.168.6.35/32 time=
8h-23h59m,sun,mon,tue,wed,thu,fri,sat
add dst=pppoe-out1 max-limit=6M/70M name=hoax_linux_cp_alltime target=
192.168.6.35/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=pppoe-out1
max-limit=7M/60M name=vulcan_cp_8-0 target=192.168.6.45/32 time=
8h-23h59m,sun,mon,tue,wed,thu,fri,sat
add dst=pppoe-out1 max-limit=8M/70M name=vulcan_cp_alltime target=
192.168.6.45/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s disabled=yes dst=
IPsec_TOPSECRET max-limit=2M/8M name=ARES target=192.168.6.72/32 time=
7h-23h,sun,mon,tue,wed,thu,fri,sat
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET
max-limit=5M/5M name="ARES alltime" target=192.168.6.72/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s disabled=yes dst=
TOPSECRET/32 max-limit=5M/12M name="ARES alltime 2 TOPSECRET" target=
192.168.6.72/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET
max-limit=4M/4M name="ARES alltime temperary" target=192.168.6.72/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET
max-limit=5M/8M name=TOPSECRET target=192.168.6.65/32
add dst=IPsec_TOPSECRET max-limit=7M/50M name=muj_PC_2_ua target=192.168.6.65/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET
max-limit=5M/12M name=neo_2_TOPSECRET target=192.168.6.44/32
add max-limit=20M/2M name=TOPSECRET target=192.168.6.121/32
add max-limit=20M/2M name=TOPSECRET target=192.168.6.122/32
add max-limit=20M/3M name=TOPSECRET target=192.168.6.120/32
add dst=pppoe-out1 max-limit=4M/70M name=TOPSECRET target=192.168.6.2/32
add dst=IPsec_TOPSECRET max-limit=8M/0 name=queue2 target=192.168.6.2/32
add dst=pppoe-out1 max-limit=4M/0 name=TOPSECRET target=192.168.6.79/32
add dst=pppoe-out1 max-limit=3M/0 name=TOPSECRET target=192.168.6.89/32 time=
0s-1d,sun,mon,tue,wed,thu,fri,sat
add dst=pppoe-out1 max-limit=8M/0 name=TOPSECRET target=192.168.6.65/32
add dst=pppoe-out1 max-limit=3M/50M name=workpcvm target=192.168.6.65/32
add dst=pppoe-out1 max-limit=2M/10M name=“new dvr” target=192.168.6.46/32
time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add disabled=yes dst=pppoe-out1 max-limit=7M/0 name=TOPSECRET target=
192.168.6.69/32
add disabled=yes dst=pppoe-out1 max-limit=1M/50M name=TOPSECRET target=
192.168.6.20/32
add disabled=yes dst=pppoe-out1 max-limit=3M/20M name=tel_ox target=
192.168.6.28/32
add dst=pppoe-out1 max-limit=5M/35M name=tel_tanja target=192.168.6.28/32
add burst-limit=15M/0 burst-threshold=7M/0 burst-time=10m/0s dst=pppoe-out1
max-limit=9M/50M name=“TOPSECRET TOPSECRET nout” target=192.168.6.196/32
add disabled=yes dst=pppoe-out1 max-limit=1M/60M name=TOPSECRET target=
192.168.6.58/32
add dst=pppoe-out1 max-limit=1M/15M name=“ox TOPSECRET” target=192.168.6.21/32
add dst=pppoe-out1 max-limit=3M/30M name=TOPSECRET target=192.168.6.39/32
add dst=pppoe-out1 max-limit=2M/5M name=queue4 target=192.168.6.45/32
add dst=pppoe-out1 max-limit=1M/8M name=TOPSECRET target=192.168.6.151/32
add dst=pppoe-out1 max-limit=1M/10M name=“TOPSECRET main” target=192.168.6.200/32
add disabled=yes max-limit=0/20M name=TOPSECRET target=192.168.6.81/32 time=
7h-1d,sun,mon,tue,wed,thu,fri,sat
add disabled=yes dst=pppoe-out1 max-limit=0/128k name=queue3 target=wlan1
add disabled=yes dst=pppoe-out1 max-limit=1500k/0 name=wlanque target=wlan1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
add email-start-tls=yes email-to=TOPSECRET@TOPSECRET.TOPSECRET name=TOPSECRET target=email
/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!rest-api"
add name=group1 policy="local,ftp,read,!telnet,!ssh,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!rest-api"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=all
signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all
signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-local
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config
add action=create-dynamic-enabled disabled=yes master-configuration=cfg1
add action=create-dynamic-enabled disabled=yes master-configuration=cfg2
/interface bridge port
add bridge=bridge-local comment=defconf ingress-filtering=no interface=
ether2-master-local
add bridge=bridge-local comment=defconf ingress-filtering=no interface=
ether3-slave-local
add bridge=bridge-local comment=defconf ingress-filtering=no interface=
ether4-slave-local
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge-local comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge-local comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge-local disabled=yes ingress-filtering=no interface=
ether1-gateway-internet
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1-gateway-internet list=WAN
add interface=ether2-master-local list=LAN
add interface=ether3-slave-local list=LAN
add interface=ether4-slave-local list=LAN
add interface=ether5 list=LAN
add disabled=yes interface=wlan1 list=discover
add disabled=yes interface=bridge-local list=discover
add interface=pppoe-out1 list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=wlan1 list=LAN
add interface=ether5 list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=wlan2 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server2021 cipher=aes256 default-profile=
TOPSECRET enabled=yes mode=ethernet port=TOPSECRET
require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set default-profile=pptpprofile
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=TOPSECRET endpoint-port=
TOPSECRET interface=wireguard1 public-key=
“TOPSECRET”
/interface wireless access-list
add signal-range=-85..120
add authentication=no forwarding=no signal-range=-120..-86 vlan-mode=no-tag
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge
network=192.168.88.0
add address=192.168.6.1/24 interface=bridge-local network=192.168.6.0
add address=192.168.7.1/24 disabled=yes interface=bridge-local network=
192.168.7.0
add address=10.20.31.1/30 interface=IPsec_TOPSECRET network=10.20.31.0
add address=192.168.6.49 disabled=yes interface=ether4-slave-local network=
192.168.6.0
add address=192.168.66.1/24 disabled=yes interface=bridge-local network=
192.168.66.0
add address=192.168.66.49/24 disabled=yes interface=ether5 network=
192.168.66.0
add address=192.168.66.9/24 disabled=yes interface=ether5 network=
192.168.66.0
add address=192.168.66.2/24 disabled=yes interface=ether5 network=
192.168.66.0
add address=192.168.66.65/24 disabled=yes interface=ether5 network=
192.168.66.0
add address=10.20.32.1/30 interface=TOPSECRET network=10.20.32.0
add address=172.16.2.1/30 interface=wireguard1 network=172.16.2.0
/ip dhcp-client
add comment=defconf interface=ether1-gateway-internet
/ip dhcp-server config
set store-leases-disk=3m
/ip dhcp-server lease
TOPSECRET

/ip dhcp-server network
add address=192.168.6.0/24 comment="default configuration" dns-server=
192.168.6.1 gateway=192.168.6.1
add address=192.168.7.0/24 gateway=192.168.7.1
/ip dns
set allow-remote-requests=yes servers=84.19.64.3,84.19.64.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.6.1 name=router
add address=10.10.10.10 disabled=yes name=TOPSECRET
add address=10.10.10.1 disabled=yes name=TOPSECRET
/ip firewall address-list
add address=54.76.99.212 list=blacklist
add address=52.51.84.21 list=blacklist
add address=92.53.96.0/24 list=blacklist
add address=192.168.6.0/24 disabled=yes list=TOPSECRET
add address=TOPSECRET disabled=yes list=save_ips
add address=TOPSECRET list=save_ips
add address=TOPSECRET list=save_ips
add address=192.168.5.0/24 list=save_ips
add address=TOPSECRET list=save_ips
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=!192.168.6.0/24
src-address=192.168.6.64
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input dst-port=80 protocol=tcp src-address-list=
save_ips
add action=accept chain=input dst-port=8291 in-interface=pppoe-out1 protocol=
tcp src-address-list=save_ips
add action=accept chain=input dst-port=8291 protocol=tcp src-address=
TOPSECRET
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=
save_ips
add action=accept chain=input dst-port=48624 protocol=udp
add action=accept chain=input comment=ovpn_srv dst-port=TOPSECRET in-interface=
pppoe-out1 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
connection-state=new in-interface-list=WAN
add action=drop chain=input disabled=yes protocol=icmp src-address=
192.168.6.45
add action=drop chain=input src-address-list=blacklist
add action=drop chain=forward src-address-list=blacklist
add action=accept chain=forward disabled=yes dst-address=192.168.7.49
add action=accept chain=forward disabled=yes src-address=192.168.7.49
add action=accept chain=input disabled=yes src-address=192.168.6.49
src-address-type=""
add action=drop chain=forward in-interface=pppoe-out1 src-address=10.0.0.0/8
add action=drop chain=forward in-interface=ether1-gateway-internet
src-address=10.0.0.0/8
add action=log chain=forward connection-state=new disabled=yes dst-limit=
70/1m,0,src-and-dst-addresses/1m dst-port=10000 in-interface=pppoe-out1
log-prefix=TOPSECRET protocol=tcp
add action=drop chain=output dst-address=0.0.0.0 src-address=192.168.6.130
add action=accept chain=forward disabled=yes dst-address=192.168.6.99
dst-port=TOPSECRET in-interface=bridge-local protocol=tcp
add action=accept chain=input dst-port=8291 in-interface=IPsec_TOPSECRET protocol=
tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=TOPSECRET disabled=yes dst-port=8000
in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET in-interface=
pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET in-interface=
pppoe-out1 protocol=tcp
add action=drop chain=input comment="dropping port scanners" in-interface=
pppoe-out1 src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=1d chain=input comment="Port scanners to list "
in-interface=pppoe-out1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=1d chain=input comment="NMAP FIN Stealth scan"
in-interface=pppoe-out1 protocol=tcp tcp-flags=
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=1d chain=input comment="SYN/FIN scan" in-interface=
pppoe-out1 protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=1d chain=input comment="SYN/RST scan" in-interface=
pppoe-out1 protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=1d chain=input comment="FIN/PSH/URG scan"
in-interface=pppoe-out1 protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=1d chain=input comment="ALL/ALL scan" in-interface=
pppoe-out1 protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=1d chain=input comment="NMAP NULL scan"
in-interface=pppoe-out1 protocol=tcp tcp-flags=
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward comment="dropping port scanners" in-interface=
pppoe-out1 src-address-list="port scanners"
add action=accept chain=forward comment="TOPSECRET"
dst-limit=200/1m,200,dst-address/1m dst-port=TOPSECRET in-interface=
pppoe-out1 log=yes log-prefix=PRDX protocol=tcp src-address-list=
TOPSECRET
add action=drop chain=forward comment="TOPSECRET"
dst-limit=200/1m,200,dst-address/1m dst-port=TOPSECRET in-interface=
pppoe-out1 log=yes log-prefix=PRDX protocol=tcp src-address-list=
TOPSECRET
add action=add-src-to-address-list address-list=TOPSECRET
address-list-timeout=5s chain=input comment=TOPSECRET dst-port=TOPSECRET
log-prefix=TOPSECRET protocol=tcp
add action=add-src-to-address-list address-list=TOPSECRET
address-list-timeout=2m chain=input comment=TOPSECRET dst-port=
44556 log-prefix=PRDX protocol=tcp src-address-list=PRDX_secured_IP
add action=drop chain=forward comment="drop 6.68 WIN TOPSECRET"
disabled=yes src-address=192.168.6.68
add action=drop chain=input disabled=yes dst-port=53 protocol=udp
src-address=!192.168.6.0/24
add action=accept chain=forward disabled=yes protocol=tcp src-address=
192.168.6.190
add action=drop chain=input disabled=yes dst-port=80 in-interface=pppoe-out1
protocol=tcp
add action=accept chain=forward comment=
"---------------------------TOPSECRET" disabled=yes
dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET in-interface=
pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=udp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=tcp
add action=drop chain=input comment=--------------------------------TOPSECRET
dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input dst-port=80 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 protocol=tcp
add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=forward comment="default configuration" disabled=yes
dst-address=192.168.6.0/24 src-address=192.168.5.0/24
add action=accept chain=forward comment="default configuration" dst-address=
192.168.1.0/24 dst-port=TOPSECRET protocol=tcp src-address=192.168.6.0/24
add action=accept chain=input comment=ping in-interface=IPsec_TOPSECRET protocol=
icmp
add action=accept chain=forward comment="TOPSECRET → TOPSECRET TOPSECRET" disabled=yes
dst-address=192.168.6.66 src-address=192.168.1.0/24
add action=accept chain=forward comment="smb TOPSECRET->TOPSECRET" dst-address=
192.168.6.66 dst-port=445 in-interface=IPsec_TOPSECRET protocol=tcp src-address=
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET->TOPSECRET" disabled=yes
dst-address=192.168.6.0/24 dst-port=445 protocol=tcp src-address=
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET->TOPSECRET" disabled=yes
dst-address=192.168.6.0/24 dst-port=21 protocol=tcp src-address=
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET" disabled=yes
dst-address=192.168.6.74 dst-port=30303 protocol=tcp src-address=
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET" disabled=yes
dst-port=TOPSECRET protocol=tcp src-address=TOPSECRET
add action=accept chain=forward comment="TOPSECRETS" disabled=yes
dst-port=TOPSECRET protocol=tcp src-address=TOPSECRET
add action=accept chain=forward dst-port=22334 protocol=udp
add action=accept chain=forward comment="UA > skynet base2" dst-address=
192.168.6.9 dst-port=1600 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="UA > HOAX ARES DB" dst-address=
192.168.6.72 dst-port=1600 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="UA > HOAX VULCAN TOPSECRET"
dst-address=192.168.6.45 dst-port=8081 protocol=tcp src-address=
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET > HOAX ftp" dst-address=
192.168.6.66 protocol=icmp src-address=192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET > HOAX socket TOPSECRET" dst-port=
TOPSECRET protocol=tcp
add action=accept chain=forward comment="established,related reverse"
connection-state=established,related dst-address=192.168.6.0/24
src-address=192.168.1.0/24
add action=accept chain=forward comment="established,related reverse"
connection-state=established,related dst-address=192.168.1.0/24
src-address=192.168.6.0/24
add action=drop chain=forward comment="default configuration" dst-address=
192.168.6.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="default configuration" disabled=yes
dst-address=192.168.6.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="TOPSECRET" disabled=yes protocol=
udp src-address=192.168.6.190
add action=drop chain=forward comment="TOPSECRET" disabled=yes protocol=
udp src-address=192.168.6.192
add action=drop chain=forward comment="TOPSECRET" disabled=yes
protocol=udp src-address=192.168.6.191
add action=drop chain=input comment="drop TOPSECRET brute force" dst-port=TOPSECRET,TOPSECRET
in-interface=pppoe-out1 protocol=tcp src-address-list=blacklist
add action=drop chain=forward comment="drop TOPSECRET brute force" dst-port=
TOPSECRET,TOPSECRET in-interface=pppoe-out1 protocol=tcp src-address-list=blacklist
add action=accept chain=output content="Incorrect user name or password."
dst-limit=1/1m,5,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=blacklist
address-list-timeout=1d chain=output content=
"Incorrect user name or password."
add action=accept chain=input disabled=yes in-interface=IPsec_TOPSECRET protocol=
icmp
add action=accept chain=input comment="TOPSECRET default configuration"
connection-state=established
add action=accept chain=input comment="toto default configuration"
connection-state=related
add action=accept chain=forward dst-port=TOPSECRET protocol=tcp
add action=accept chain=forward dst-port=TOPSECRET protocol=udp
add action=accept chain=input dst-port=8291 protocol=udp
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
src-address=192.168.5.0/24
add action=accept chain=forward comment="toto default configuration"
connection-state=established
add action=accept chain=forward comment="default configuration"
connection-state=related
add action=accept chain=forward comment="default configuration" in-interface=
bridge-local
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
src-address=192.168.5.0
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=1d chain=input comment="default configuration"
disabled=yes in-interface=pppoe-out1
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=1d chain=forward comment="default configuration"
disabled=yes in-interface=pppoe-out1
add action=drop chain=input comment="default configuration" in-interface=
pppoe-out1
add action=drop chain=forward comment="default configuration"
connection-state="" in-interface=pppoe-out1
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=
truenas passthrough=yes src-address=192.168.6.49
add action=mark-connection chain=postrouting disabled=yes dst-address=
192.168.6.0/24 dst-address-type=local new-connection-mark=truenas
passthrough=yes src-address=192.168.6.49
add action=mark-packet chain=prerouting disabled=yes in-interface=
bridge-local new-packet-mark=TOPSECRET passthrough=yes
add action=mark-packet chain=prerouting disabled=yes in-interface=
ether4-slave-local new-packet-mark=TOPSECRET passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface=pppoe-out1
add action=accept chain=srcnat disabled=yes dst-address=192.168.6.0/24
src-address=192.168.5.0/24
add action=accept chain=srcnat dst-address=192.168.6.0/24 src-address=
192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.6.0/24 src-address=
172.16.2.0/30
add action=accept chain=srcnat dst-address=10.20.30.0/30 src-address=
10.20.31.0/30
add action=accept chain=srcnat dst-address=10.20.31.0/30 src-address=
10.20.30.0/30
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=
192.168.6.0/24
add action=accept chain=srcnat dst-address=172.16.2.0/30 src-address=
192.168.6.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=5000 in-interface=
pppoe-out1 protocol=tcp to-addresses=192.168.6.100 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=
pppoe-out1 protocol=tcp to-addresses=192.168.6.100 to-ports=80
add action=netmap chain=dstnat disabled=yes dst-port=80 in-interface=
pppoe-out1 protocol=udp to-addresses=192.168.6.100 to-ports=80
add action=netmap chain=dstnat disabled=yes dst-port=5000 in-interface=
pppoe-out1 protocol=tcp to-addresses=192.168.6.100 to-ports=80
add action=masquerade chain=srcnat comment="default configuration"
out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration"
out-interface=ether1-gateway-internet
add action=masquerade chain=srcnat src-address=192.168.6.0/24 to-addresses=
0.0.0.0
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.20.31.0/30
add action=masquerade chain=srcnat disabled=yes src-address=10.20.30.0/30
add action=masquerade chain=srcnat comment="default configuration"
out-interface=IPsec_TOPSECRET
add action=masquerade chain=srcnat comment="default configuration"
out-interface=wireguard1
add action=masquerade chain=srcnat comment="default configuration" disabled=
yes dst-port=20-21 out-interface=bridge-local protocol=tcp src-address=
192.168.1.0/24
add action=accept chain=dstnat comment="default configuration" disabled=yes
dst-address=192.168.6.66 dst-port=20-21,1024-1025 in-interface=IPsec_TOPSECRET
protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.6.66
to-ports=20-21
add action=dst-nat chain=dstnat comment="default configuration" disabled=yes
dst-address=192.168.6.1 dst-port=20-21,1024-1025 in-interface=IPsec_TOPSECRET
protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.6.66
add action=netmap chain=dstnat comment="default configuration" disabled=yes
dst-address=192.168.6.1 dst-port=20-21,1024-1025 in-interface=IPsec_TOPSECRET
protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.6.66
add action=dst-nat chain=dstnat comment="default configuration" disabled=yes
dst-address=192.168.6.1 dst-port=20-21 protocol=tcp src-address=
192.168.1.0/24 to-addresses=192.168.6.66
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.6.66
dst-port=20-21 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=dstnat disabled=yes dst-address=192.168.6.66
dst-port=20-21 protocol=tcp to-addresses=192.168.6.66 to-ports=20-21
add action=netmap chain=dstnat disabled=yes dst-port=20-21 in-interface=
IPsec_TOPSECRET protocol=tcp to-addresses=192.168.6.66 to-ports=20-21
add action=netmap chain=dstnat comment=TOPSECRET disabled=yes dst-port=8000
in-interface=pppoe-out1 protocol=tcp src-address=91.228.45.226
to-addresses=192.168.6.46 to-ports=8000
add action=netmap chain=dstnat comment=TOPSECRET disabled=yes dst-port=8800
in-interface=pppoe-out1 protocol=tcp src-address=91.228.45.226
to-addresses=192.168.6.46 to-ports=80
add action=netmap chain=dstnat comment=TOPSECRET dst-port=10000 in-interface=
pppoe-out1 protocol=tcp to-addresses=192.168.6.139
add action=netmap chain=dstnat comment=TOPSECRET disabled=yes dst-port=10000
in-interface=pppoe-out1 protocol=udp to-addresses=192.168.6.139 to-ports=
10000
add action=netmap chain=dstnat disabled=yes dst-port=554 in-interface=
pppoe-out1 protocol=tcp to-addresses=192.168.6.152 to-ports=554
add action=netmap chain=dstnat dst-port=30303 in-interface=pppoe-out1
protocol=tcp to-addresses=192.168.6.74
add action=netmap chain=dstnat comment=TOPSECRET-TOPSECRET-SOCKET disabled=yes
dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp to-addresses=
192.168.6.74
add action=netmap chain=dstnat comment=TOPSECRET-TOPSECRET dst-address=TOPSECRET
dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp to-addresses=
192.168.6.74
add action=netmap chain=dstnat comment=ZEUS-WG dst-address=TOPSECRET
dst-port=TOPSECRET in-interface=bridge-local protocol=udp to-addresses=
192.168.6.74
add action=netmap chain=dstnat comment=“APOLLO TOPSECRET? old” disabled=yes
dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp to-addresses=
192.168.6.74
add action=netmap chain=dstnat comment=TEST_TOPSECRET_PYTHON
disabled=yes dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp
to-addresses=192.168.6.74
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=peer1
/ip ipsec policy
set 0 disabled=yes
/ip route
add disabled=yes dst-address=192.168.0.0/24 gateway=bridge-local pref-src=
192.168.6.64
add disabled=no dst-address=192.168.1.0/24 gateway=10.20.31.2
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=10.20.32.2
pref-src="" routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=bridge-local
pref-src=192.168.5.1 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=172.16.2.2
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=192.168.6.0/24,192.168.5.0/24,TOPSECRET/32
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add local-address=192.168.6.1 name=TOPSECRET profile=TOPSECRET
remote-address=192.168.6.120 service=ovpn
add local-address=192.168.6.1 name=TOPSECRET profile=TOPSECRET
remote-address=192.168.6.121 service=ovpn
add local-address=192.168.6.1 name=TOPSECRET profile=TOPSECRET
remote-address=192.168.6.122 service=ovpn
/system clock
set time-zone-name=Europe/Prague
/system logging
add disabled=yes prefix=TOPSECRET topics=ipsec
add action=TOPSECRET prefix=TOPSECRET topics=firewall,info
add disabled=yes topics=ovpn,debug
/system ntp client
set enabled=yes
/system ntp client servers
add address=TOPSECRET
add address=TOPSECRET
/system package update
set channel=long-term
/system scheduler
add name=schedule1 on-event=":delay 30\r
\n/system script run script1" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-time=startup
add disabled=yes interval=5m name=schedule2_wifi_bad_pw_check on-event=
"/system script run wifi_bad_password_ban" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=apr/12/2022 start-time=18:12:26
/system script
add dont-require-permissions=no name=dhcpleasescript owner=admin policy=
read,write,policy,test,sniff,sensitive,romon source=""
add dont-require-permissions=no name=script1 owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":
delay 1\r
\n\r
\n:local reportBody \"\"\r
\n\r
\n:local deviceName [/system identity get name]\r
\n:local deviceDate [/system clock get date]\r
\n:local deviceTime [/system clock get time]\r
\n:local hwModel [/system routerboard get model]\r
\n:local rosVersion [/system package get system version]\r
\n:local currentFirmware [/system routerboard get current-firmware]\r
\n:local upgradeFirmware [/system routerboard get upgrade-firmware]\r
\n\r
\n\r
\n:set reportBody ($reportBody . \"Router Reboot Report for $deviceName
\n\")\r
\n:set reportBody ($reportBody . \"Report generated on $deviceDate at $
deviceTime\n\n\")\r
\n\r
\n:set reportBody ($reportBody . \"Hardware Model: $hwModel\n\")\r
\n:set reportBody ($reportBody . \"RouterOS Version: $rosVersion\n\")\r
\n:set reportBody ($reportBody . \"Current Firmware: $currentFirmware\n
\")\r
\n:set reportBody ($reportBody . \"Upgrade Firmware: $upgradeFirmware\")
\r
\nif ( $currentFirmware < $upgradeFirmware) do={\r
\n:set reportBody ($reportBody . \"NOTE: You should upgrade the RouterBOA
RD firmware!\n\")\r
\n}\r
\n\r
\n:set reportBody ($reportBody . \"\n\n=== Critical Log Events ===\n\"
)\r
\n\r
\n:local x\r
\n:local ts\r
\n:local msg\r
\nforeach i in=([/log find where topics~\"critical\"]) do={\r
\n:set $ts [/log get $i time]\r
\n:set $msg [/log get $i message]\r
\n:set $reportBody ($reportBody . $ts . \" \" . $msg . \"\n\" )\r
\n}\r
\n\r
\n:set reportBody ($reportBody . \"\n=== end of report ===\n\")\r
\n\r
\n/tool e-mail send subject=\"[$deviceName] Router Reboot Report\" to=\"a
lert@biotal.cz\" body=$reportBody"
add dont-require-permissions=no name=wifi_bad_password_ban owner=admin
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source=":local pop 4\r
\n:local mac\r
\n:local wifi [/log find message~\"disconnected, unicast key exchange time
out\"]\r
\n\r
\nforeach i in=$wifi do={\r
\n:set mac [:pick [/log get $i message ] 0 ([:len [/log get $i message ]
]-71)]\r
\n:log warning $mac\r
\nif ([:len [/log find message~($mac . \"@wlan1: disconnected, unicast ke
y exchange timeout\")] ] >= $pop) do={\r
\nif ([/interface wireless access-list find mac-address=$mac] = \"\" ) do
={\r
\n/interface wireless access-list add mac-address=$mac authentication=no
interface=all\r
\n}\r
\n}\r
\n}\r
\n:log warning \"FINISH\""
/system watchdog
set automatic-supout=no ping-start-after-boot=2h ping-timeout=2m
watch-address=1.1.1.1 watchdog-timer=no
/tool e-mail
set address=TOPSECRET from=TOPSECRET port=TOPSECRET tls=starttls user=
TOPSECRET
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set filter-interface=pppoe-out1
/tool traffic-monitor
add disabled=yes interface=ether2-master-local name=tmon1 on-event=
"log info \"ETH2 A LOT TX\"" threshold=5000000
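Editor's note with an added example; this is not part of the posted export and not MikroTik code. In the filter section above, the defconf `drop all not coming from LAN` input rule (`in-interface-list=!LAN`) sits ahead of later input accepts written for `in-interface=IPsec_TOPSECRET`, and the WAN interface list holds only `ether1-gateway-internet` while the rules and queues all use `pppoe-out1`, so some rules can never match on the path they were written for. The script below reads an `/export` (also the backslash-stripped form a forum paste has), resolves interface-list membership, and reports each enabled filter rule that an earlier terminal rule in the same chain already catches. The sample export inside it is constructed; `IPsec_site` and the rule mix are placeholders standing in for the posted ones.

```python
"""Shadowed-rule finder for a RouterOS /export (added example, not the poster's config).
Reports enabled /ip firewall filter rules that an earlier accept/drop/reject in the
same chain already catches, resolving in-interface-list against /interface list member."""
import shlex

# Keys that are not packet-match criteria; ignored when comparing two rules.
NON_MATCH = {"action", "chain", "comment", "disabled", "log", "log-prefix",
             "hw-offload", "address-list", "address-list-timeout", "jump-target"}
# Actions after which no later rule in the same chain sees the packet.
# fasttrack-connection is deliberately absent: the matched packet itself keeps
# walking the chain, which is why defconf follows it with an accept rule.
TERMINAL = {"accept", "drop", "reject"}


def logical_lines(text):
    """Re-join wrapped commands. A trailing backslash is the real /export continuation.
    Forum posts strip it, so there the wrap is assumed to fall right after '=', ',' or
    '!' when the line ends that way and at a space otherwise (mid-word wraps are lost)."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if out and not line.startswith(("/", "add ", "set ")):
            prev = out[-1]
            if prev.endswith("\\"):
                out[-1] = prev[:-1] + line
            elif prev.endswith(("=", ",", "!")):
                out[-1] = prev + line
            else:
                out[-1] = prev + " " + line
        else:
            out.append(line)
    return out


def parse_export(text):
    """Return ({list_name: set(interfaces)}, [filter rules as dicts, in order])."""
    lists, rules, section = {}, [], None
    for line in logical_lines(text):
        if line.startswith("/"):
            section = line
            continue
        if section not in ("/interface list member", "/ip firewall filter"):
            continue
        # shlex handles quoted values such as comment="defconf: drop invalid"
        kv = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
        if section == "/interface list member":
            if kv.get("disabled") != "yes":
                lists.setdefault(kv["list"], set()).add(kv["interface"])
        else:
            rules.append(kv)
    return lists, rules


def covers(general, specific, lists):
    """True when every packet `specific` matches is also matched by `general`.
    Sound but incomplete: comma lists compare as sets, in-interface-list is resolved
    against a concrete in-interface via membership, everything else must be identical
    (CIDR containment or port ranges are therefore reported as 'not proven')."""
    for key, gval in general.items():
        if key in NON_MATCH:
            continue
        if key == "in-interface-list" and key not in specific and "in-interface" in specific:
            negated, name = gval.startswith("!"), gval.lstrip("!")
            member = specific["in-interface"] in lists.get(name, set())
            if member != negated:   # in the list (plain) or outside it (negated)
                continue
            return False
        sval = specific.get(key)
        if sval is None:
            return False
        if gval.startswith("!") or sval.startswith("!"):
            if gval != sval:
                return False
        elif not set(sval.split(",")) <= set(gval.split(",")):
            return False
    return True


def shadowed_rules(rules, lists):
    """Return [(shadowed_index, shadowing_index)]; disabled rules are ignored."""
    active = [(i, r) for i, r in enumerate(rules) if r.get("disabled") != "yes"]
    found = []
    for pos, (i, rule) in enumerate(active):
        for j, earlier in active[:pos]:
            if (earlier.get("chain") == rule.get("chain")
                    and earlier.get("action") in TERMINAL
                    and covers(earlier, rule, lists)):
                found.append((i, j))
                break
    return found


# Constructed sample in the wrapped form a forum paste shows; the rule mix mirrors
# the defconf-plus-custom layout of the thread, not the real export.
SAMPLE_EXPORT = """\
/interface list member
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1-gateway-internet list=WAN
/ip firewall filter
add action=accept chain=input comment=
    "defconf: accept established,related,untracked" connection-state=
    established,related,untracked
add action=accept chain=input dst-port=48624 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN"
    in-interface-list=!LAN
add action=accept chain=input dst-port=8291 in-interface=IPsec_site protocol=
    tcp src-address=192.168.1.0/24
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="default configuration"
    connection-state=established
add action=accept chain=forward disabled=yes dst-port=445 protocol=tcp
"""

if __name__ == "__main__":
    lists, rules = parse_export(SAMPLE_EXPORT)
    print(shadowed_rules(rules, lists))   # [(3, 2), (5, 0)]
```

On the sample this reports rule 3 (the 8291 accept on `IPsec_site`) as dead because rule 2 drops everything not in LAN first, and rule 5 (`connection-state=established`) as dead because rule 0 already accepts that state; the bare `protocol=ipsec-esp` accept is not reported, since it still matches ESP arriving on LAN interfaces. To run it on a real export, pass the text of `/export file=...` to `parse_export` in place of `SAMPLE_EXPORT`.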