# jan/06/2022 13:54:52 by RouterOS 7.1.1
# software id = BB3F-L5VJ
#
# model = CCR2004-1G-12S+2XS
# serial number = D4F10D99618F
# Interface naming, the interface lists that the firewall rules key on, and
# the DHCP address pools.
# NOTE(review): the export header above this section carries the device serial
# number and software id; redact both before sharing an export.
/interface bridge
# Bridge referenced by the PPP profile (bridge=VPN-Bridge) and addressed as
# 192.168.94.254/24 under /ip address.
add name=VPN-Bridge
/interface ethernet
# sfp-sfpplus12 becomes the WAN port, sfp-sfpplus1 the uplink towards the LAN.
set [ find default-name=sfp-sfpplus12 ] name=SFP12-WAN
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
name=UplinkToCisco-LAN
/interface list
add comment=defconf name=WAN
add name=Family
# include=Family: every member of the Family list is also a member of LAN, so
# the "not coming from LAN" firewall drops do not apply to Family interfaces.
add comment=defconf include=Family name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# One pool per segment; the Guest range sits inside the 192.168.91.0/28
# network declared under /ip dhcp-server network.
add name=Guest ranges=192.168.91.1-192.168.91.12
add name=Home ranges=192.168.90.10-192.168.90.200
add name=VPN ranges=192.168.94.10-192.168.94.50
add name=Work ranges=192.168.93.10-192.168.93.200
add name=WIFI ranges=192.168.92.10-192.168.92.200
# DHCP servers, the DHCPv6 DNS option, serial ports and the PPP profile used
# by VPN users.
/ip dhcp-server
# All four servers listen on UplinkToCisco-LAN and are told apart by relay=,
# i.e. each one serves the requests forwarded by the relay address given
# (the gateway address of that segment).
add address-pool=Guest interface=UplinkToCisco-LAN lease-time=1d name=Guest \
relay=192.168.91.14
add address-pool=Home interface=UplinkToCisco-LAN lease-time=1w name=Home \
relay=192.168.90.254
add address-pool=WIFI interface=UplinkToCisco-LAN lease-time=1w name=Wifi \
relay=192.168.92.254
add address-pool=Work interface=UplinkToCisco-LAN lease-time=1w name=Work \
relay=192.168.93.254
/ipv6 dhcp-server option
# Option 23 is the DHCPv6 DNS server list. The hex value decodes to
# 2600:6c48:467f:6e02:215:5dff:fe5a:2403, the same address the /ipv6 firewall
# nat rules redirect port 53 to.
add code=23 name=dns value=0x26006C48467F6E0202155DFFFE5A2403
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# *FFFFFFFE is an internal item id; presumably the built-in
# "default-encryption" profile that the SSTP server and the PPP secrets
# reference - confirm.
# NOTE(review): sessions using this profile are bridged into VPN-Bridge and
# their interface is added to the LAN list, so the input-chain rule that drops
# traffic "not coming from LAN" does not apply to VPN users: they reach the
# router's own services like any LAN host. Use a separate interface list here
# if VPN users should be filtered differently.
set *FFFFFFFE bridge=VPN-Bridge dns-server=192.168.90.38 interface-list=LAN \
local-address=192.168.94.254 remote-address=VPN use-ipv6=no
# Traffic shaping: queue types, simple queues for the tunnel interfaces, and a
# queue tree keyed on the packet marks set in the firewall mangle tables.
/queue type
add cake-nat=yes kind=cake name=Cake
add cake-bandwidth=1400.0Mbps cake-nat=yes kind=cake name=Cake_Home_D
add cake-bandwidth=40.0Mbps cake-nat=yes kind=cake name=Cake_Home_U
add cake-bandwidth=20.0Mbps kind=cake name=Cake_Chance_U
add cake-bandwidth=20.0Mbps kind=cake name=Cake_Dad_U
add kind=pfifo name=Default_U pfifo-limit=1300
/queue simple
# Parent queue for the DadNet, Chance and ChanceWG interfaces, with one child
# queue per remote site. Those interfaces are not created in this export.
add max-limit=0/40M name=Parent_VPN queue=default-small/Cake_Dad_U target=\
DadNet,Chance,ChanceWG total-queue=Cake
add limit-at=0/5M max-limit=200M/20M name=Dad parent=Parent_VPN priority=7/7 \
queue=Cake/Cake_Dad_U target=DadNet total-queue=Cake
add max-limit=200M/20M name=Chance parent=Parent_VPN queue=Cake/Cake_Dad_U \
target=Chance,ChanceWG total-queue=Cake
/queue tree
# Global_In hangs off the LAN uplink (download direction), Global_Out off the
# WAN port (upload direction); the children select traffic by packet-mark.
add name=Global_In parent=UplinkToCisco-LAN queue=Cake_Home_D
add max-limit=40M name=Global_Out parent=SFP12-WAN queue=Cake_Home_U
add burst-time=9s limit-at=25M max-limit=900M name=Wifi_Download packet-mark=\
Wifi parent=Global_In priority=3 queue=Cake
add limit-at=3M max-limit=40M name=Wifi_Upload packet-mark=Wifi parent=\
Global_Out priority=3 queue=Cake_Home_U
# Guest traffic gets the lowest priority (7) and a 10M upload cap.
add max-limit=900M name=Guest_Download packet-mark=Guest parent=Global_In \
priority=7 queue=Cake
add max-limit=10M name=Guest_Upload packet-mark=Guest parent=Global_Out \
priority=7 queue=Cake
add name=Home_Download packet-mark=Home parent=Global_In priority=2 queue=\
Cake
add limit-at=5M max-limit=40M name=Home_Upload packet-mark=Home parent=\
Global_Out priority=4 queue=Cake_Home_U
# packet-mark=no-mark: everything the mangle rules left unmarked.
add max-limit=900M name=Catchall_Download packet-mark=no-mark parent=\
Global_In priority=5 queue=Cake
add max-limit=30M name=Catchall_Upload packet-mark=no-mark parent=Global_Out \
priority=3 queue=Cake
# "Tor" is the mark the IPv4 mangle rules put on traffic to and from
# 192.168.90.193.
add max-limit=600M name=Tor_Download packet-mark=Tor parent=Global_In queue=\
default
add max-limit=35M name=Tor_Upload packet-mark=Tor parent=Global_Out queue=\
Default_U
# Routing instances (BGP template disabled, OSPF, PIM-SM) and the policy of
# the "full" user group.
/routing bgp template
set default disabled=yes output.network=bgp-networks
/routing id
# Router id 1.1.1.1 under the name "OSPF"; the OSPF instance refers to it by
# that name.
add disabled=no id=1.1.1.1 name=OSPF select-dynamic-id=""
/routing ospf instance
# Routes learned by this instance pass through the "ospf-in" chain defined
# under /routing filter rule.
add in-filter-chain=ospf-in name=Reid-Home router-id=OSPF
/routing ospf area
add instance=Reid-Home name=Backbone
add area-id=0.0.0.2 instance=Reid-Home name=ReidHome no-summaries type=stub
/routing pimsm instance
add afi=ipv4 disabled=no name=PIM vrf=main
/user group
# The policy string is wrapped by the exporter in the middle of "password".
# It grants every listed permission, including sensitive, sniff and the
# remote-access ones (ssh, ftp, winbox, api, rest-api); members of this group
# are full administrators.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
# ZeroTier instance zt1 and its interface; both are disabled in this export.
# NOTE(review): the identity value below has four colon-separated fields,
# which is the form of a ZeroTier *secret* identity
# (address:0:public-key:private-key). If so, this export discloses the node's
# private key. Redact the value before sharing an export, and if it has
# already been shared, treat the identity as compromised: generate a new one
# and de-authorize the old node address in the network controller.
# NOTE(review): "disabled=yes" appears twice on this line in the export;
# looks like an exporter quirk - confirm it re-imports cleanly.
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
disabled=yes disabled=yes identity="69f4a1a640:0:2a874989b43e2c35a2db768af\
50bc4ef887efc2f6c015f992ac334711bf05755908e2a98fba5eb6a54c46d9cdb1e9921ae6\
a6796c5c899096c7f559c466ecca9:ac3a900e2acfabe4beb94a52f23f6129702ac3d3b733\
36f042a95e482d57e2abb9bc125bfd60fe7c9a490a696fdc1235ad3f5ac7aa5f0f1a959d27\
4fc92cf5ed" name=zt1 port=9993
/zerotier interface
# The network id is also worth redacting when sharing.
add disabled=yes instance=zt1 mac-address=A6:7A:74:A5:32:D3 name=zerotier1 \
network=1d719394048013a7
# CAPsMAN (wireless controller) state. Every access-list and provisioning
# entry below is disabled=yes, and no /caps-man configuration section appears
# in this export, so this looks like leftover configuration - confirm.
# NOTE(review): the comments and MAC addresses identify individual household
# and neighbour devices; consider redacting them before sharing.
/caps-man access-list
add allow-signal-out-of-range=10s comment=Roku disabled=yes mac-address=\
8C:49:62:57:EA:58 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Roku " disabled=yes mac-address=\
8C:49:62:50:3C:35 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Neighbor Phone" disabled=yes \
mac-address=64:BC:0C:96:2E:A6 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Neighbor Iphone" disabled=yes \
mac-address=0E:C3:7D:F6:7D:87 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Natalie Phone" disabled=yes \
mac-address=38:6A:77:0C:2A:11 ssid-regexp=""
add allow-signal-out-of-range=10s comment="Reid Phone" disabled=yes \
mac-address=96:11:5D:52:62:07 ssid-regexp=""
add allow-signal-out-of-range=10s comment=Kindle disabled=yes mac-address=\
00:BB:3A:E7:97:BD ssid-regexp=""
add allow-signal-out-of-range=10s comment="Reid Phone" disabled=yes \
mac-address=38:6A:77:19:78:81 ssid-regexp=""
/caps-man manager interface
# The manager is forbidden on the default (all interfaces) entry and on the
# WAN port, and permitted only on the LAN uplink.
set [ find default=yes ] forbid=yes
add disabled=no interface=UplinkToCisco-LAN
add disabled=no forbid=yes interface=SFP12-WAN
/caps-man provisioning
# slave-configurations=*1,*4 are internal item ids; the configurations they
# point at are not part of this export.
add action=create-enabled comment=Audience disabled=yes radio-mac=\
C4:AD:34:B7:41:56 slave-configurations=*1,*4
add action=create-enabled comment=Audience disabled=yes radio-mac=\
C4:AD:34:B7:41:58 slave-configurations=*1,*4
add action=create-enabled comment=Audience disabled=yes radio-mac=\
C4:AD:34:B7:41:57 slave-configurations=*1,*4
add action=create-enabled comment="AC lite 2.4 GHZ" disabled=yes radio-mac=\
C4:AD:34:09:4C:BA slave-configurations=*1,*4
add action=create-enabled comment="AC lite 5GHZ" disabled=yes radio-mac=\
C4:AD:34:09:4C:B9 slave-configurations=*1,*4
add action=create-enabled comment="AC\B3 2.4GHZ" disabled=yes radio-mac=\
08:55:31:D0:11:0C slave-configurations=*1,*4
add action=create-enabled comment="AC\B3 5.0GHZ" disabled=yes radio-mac=\
08:55:31:D0:11:0D slave-configurations=*1,*4
# Discovery and IP settings, interface-list membership, and the L2TP/SSTP
# server settings.
/ip neighbor discovery-settings
# Neighbour discovery is limited to LAN-list interfaces (not sent on WAN).
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface detect-internet
# NOTE(review): detect-internet is pointed at the same WAN and LAN lists the
# firewall rules match on. It may add interfaces to those lists dynamically;
# confirm that is intended, since list membership decides which traffic the
# firewall treats as trusted.
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface l2tp-server server
# Only use-ipsec is set; no enabled=yes appears, so the L2TP server is
# presumably off - confirm.
set use-ipsec=required
/interface list member
# Chance, DadNet, DadNetV6 and ChanceWG are not created anywhere in this
# export; presumably tunnel interfaces to remote sites - confirm.
# NOTE(review): all of them, plus VPN-Bridge, are members of LAN. Traffic
# arriving over these links is therefore exempt from the "not coming from LAN"
# drops and can reach the router's management services.
add interface=SFP12-WAN list=WAN
add interface=Chance list=LAN
add interface=VPN-Bridge list=LAN
add interface=Chance list=Family
add interface=UplinkToCisco-LAN list=LAN
add interface=DadNet list=LAN
add interface=DadNetV6 list=LAN
add interface=DadNetV6 list=Family
add interface=DadNet list=Family
add interface=ChanceWG list=LAN
add interface=ChanceWG list=Family
/interface sstp-server server
# SSTP is enabled and is reachable from the internet through the "SSTP"
# input rule (tcp/443 on SFP12-WAN). Authentication method and TLS settings
# are not listed here, so they are presumably at their defaults - confirm.
set certificate="cert_export_SSTP Server.p12_0" default-profile=\
default-encryption enabled=yes
# Router addresses, MikroTik cloud DDNS and the WAN DHCP client.
/ip address
# The factory-default 192.168.88.1/24 is still assigned to ether1.
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
192.168.88.0
add address=192.168.94.254/24 interface=VPN-Bridge network=192.168.94.0
# /30 and /29 transfer networks towards the remote sites and the LAN-side
# router (192.168.255.2 is the gateway used under /ip route).
add address=10.10.38.1/30 interface=Chance network=10.10.38.0
add address=192.168.255.1/29 interface=UplinkToCisco-LAN network=\
192.168.255.0
add address=172.28.0.1/30 interface=DadNet network=172.28.0.0
add address=172.28.0.5/30 interface=ChanceWG network=172.28.0.4
/ip cloud
# Registers this router with the vendor's dynamic DNS service.
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
# DNS servers offered by the ISP are ignored; resolvers are set under /ip dns.
add default-route-distance=10 interface=SFP12-WAN use-peer-dns=no
# Static DHCP leases and the per-segment options handed to clients.
# NOTE(review): lease comments, MAC addresses and client ids identify the
# individual devices on this network; consider redacting them before sharing.
/ip dhcp-server lease
add address=192.168.90.60 client-id=1:0:15:5d:1:fe:3 comment="Chance Farm" \
mac-address=00:15:5D:01:FE:03 server=Home
add address=192.168.90.182 comment="Chance Linux" mac-address=\
00:15:5D:01:FE:02 server=Home
add address=192.168.90.180 client-id=1:c8:63:f1:30:50:ee mac-address=\
C8:63:F1:30:50:EE server=Home
add address=192.168.90.52 client-id=1:0:15:5d:1:fe:5 mac-address=\
00:15:5D:01:FE:05 server=Home
add address=192.168.90.59 comment="Roku Premium" mac-address=\
8C:49:62:57:EA:59 server=Home
add address=192.168.90.58 client-id=1:0:15:5d:5a:c7:1 mac-address=\
00:15:5D:5A:C7:01 server=Home
add address=192.168.90.51 client-id=1:0:15:5d:5a:c7:0 mac-address=\
00:15:5D:5A:C7:00 server=Home
add address=192.168.90.50 client-id=1:0:15:5d:5a:c7:2 mac-address=\
00:15:5D:5A:C7:02 server=Home
add address=192.168.90.48 client-id=1:0:15:5d:5a:c7:3 mac-address=\
00:15:5D:5A:C7:03 server=Home
add address=192.168.90.46 client-id=1:0:15:5d:5a:c7:4 mac-address=\
00:15:5D:5A:C7:04 server=Home
add address=192.168.90.47 client-id=1:c0:48:e6:e8:b5:78 mac-address=\
C0:48:E6:E8:B5:78 server=Home
add address=192.168.90.42 client-id=1:0:15:5d:5a:c7:6 comment=PIHOLE \
mac-address=00:15:5D:5A:C7:06 server=Home
add address=192.168.90.41 comment=Onion mac-address=00:E7:5C:68:26:8F server=\
Home
# 192.168.90.193 is the host the IPv4 mangle rules mark as "Tor" and the
# target of the disabled udp/69 port forward.
add address=192.168.90.193 client-id=1:0:15:5d:5a:24:0 mac-address=\
00:15:5D:5A:24:00 server=Home
add address=192.168.90.40 client-id=1:0:15:5d:5a:c7:8 comment=FultonSnoop \
mac-address=00:15:5D:5A:C7:08 server=Home
add address=192.168.92.11 mac-address=8C:49:62:57:EA:58 server=Wifi
add address=192.168.92.14 client-id=1:38:6a:77:c:2a:11 mac-address=\
38:6A:77:0C:2A:11 server=Wifi
add address=192.168.93.200 client-id=1:78:2b:cb:49:f6:43 mac-address=\
78:2B:CB:49:F6:43 server=Work
add address=192.168.92.18 client-id=1:38:6a:77:19:78:81 mac-address=\
38:6A:77:19:78:81 server=Wifi
add address=192.168.92.19 mac-address=00:BB:3A:E7:97:BD server=Wifi
add address=192.168.90.199 client-id=1:fc:34:97:2e:ca:6c mac-address=\
FC:34:97:2E:CA:6C server=Home
# 192.168.90.186 is the target of the Plex port forward from the internet.
add address=192.168.90.186 client-id=1:f0:2f:74:65:ad:ea mac-address=\
F0:2F:74:65:AD:EA server=Home
add address=192.168.92.13 comment=Switch mac-address=5C:0C:E6:F5:43:EC \
server=Wifi
add address=192.168.90.39 comment=Nin-Switch mac-address=80:D2:E5:89:83:28 \
server=Home
# 192.168.90.38 is the resolver handed to Home, Wifi, Work and VPN clients and
# the address all other port-53 traffic is redirected to by the NAT rules.
add address=192.168.90.38 client-id=\
ff:ad:19:67:e5:0:2:0:0:ab:11:dc:b:62:90:85:14:bd:ee comment=Adguard \
mac-address=00:15:5D:5A:24:03 server=Home
add address=192.168.90.37 client-id=1:d4:9d:c0:ed:d9:7d comment=\
"Livingroom TV" mac-address=D4:9D:C0:ED:D9:7D server=Home
add address=192.168.90.36 client-id=1:0:e:c6:5f:19:dd mac-address=\
00:0E:C6:5F:19:DD server=Home
add address=192.168.90.34 client-id=1:ec:71:db:82:17:da comment=\
"Livingroom Camera" mac-address=EC:71:DB:82:17:DA server=Home
add address=192.168.90.33 comment=Roku mac-address=84:EA:ED:8F:ED:95 server=\
Home
add address=192.168.92.10 comment="Roku Bedroom I think" mac-address=\
8C:49:62:50:3C:35 server=Wifi
add address=192.168.90.32 client-id=1:0:15:5d:5a:24:4 mac-address=\
00:15:5D:5A:24:04 server=Home
/ip dhcp-server network
# Home, Wifi and Work clients are given the internal resolver 192.168.90.38.
add address=192.168.90.0/24 dns-server=192.168.90.38 domain=fultonit.net \
gateway=192.168.90.254 netmask=24
# Guests are given the public resolver 1.1.1.1 instead. Note that the enabled
# DNS dst-nat rules match any port-53 traffic entering on UplinkToCisco-LAN,
# so guest queries presumably still end up at 192.168.90.38 - confirm.
add address=192.168.91.0/28 dns-server=1.1.1.1 gateway=192.168.91.14 netmask=\
28
add address=192.168.92.0/24 dns-server=192.168.90.38 domain=fultonit.net \
gateway=192.168.92.254 netmask=24
add address=192.168.93.0/24 dns-server=192.168.90.38 domain=fultonit.net \
gateway=192.168.93.254 netmask=24
# Router DNS resolver and its static records.
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. On IPv4 the two "DNS from WAN" filter rules drop port 53 arriving on
# the WAN list; on IPv6 there is no dedicated rule, so exposure depends on the
# final "not coming from LAN" input drop staying in place.
set allow-remote-requests=yes servers=\
1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.150.198 name=fultonserver.fultonit.ddns.net
add address=192.168.90.186 name=athens.fultonit.net
add address=2600:6c48:467f:6e02:7967:db8b:4ff1:b85 name=athens.fultonit.net \
type=AAAA
add address=192.168.90.186 name=athens
# Sinkhole: facebook.com resolves to loopback for clients using this resolver.
add address=127.0.0.1 name=facebook.com
add address=192.168.90.193 name=fultonisland.fultonit.net
add address=192.168.90.193 name=fultonisland
add address=2600:6c48:467f:6e02:7967:db8b:4ff1:b85 name=athens type=AAAA
add address=2600:6c48:467f:6e02:7967:db8b:4ff1:b85 name=plex.fultonit.net \
type=AAAA
add address=192.168.90.186 name=plex.fultonit.net
# IPv4 filter rules. Rules are evaluated top to bottom per chain and the first
# matching terminating action wins, so the order below is significant.
# NOTE(review): the rules reference the address lists Internal, Malicious and
# Guest, but this export contains no /ip firewall address-list section for
# IPv4. Unless those lists are filled dynamically (dynamic entries are not
# exported), every rule that matches on them matches nothing.
# NOTE(review): the forward chain has no final default drop; anything not
# dropped by one of the rules below is forwarded, including traffic between
# the internal segments.
/ip firewall filter
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Blocks internet access for sources in the Internal list (see list note
# above).
add action=drop chain=forward comment=\
"Bullshit Devices that don't need to reach internet" out-interface-list=\
WAN src-address-list=Internal
# Both tarpit rules are disabled.
add action=tarpit chain=forward disabled=yes protocol=tcp src-address-list=\
Malicious
add action=tarpit chain=input disabled=yes log-prefix=TARPIT protocol=tcp \
src-address-list=Malicious
# Keeps the router's resolver (allow-remote-requests=yes) closed to the WAN.
add action=drop chain=input comment="DNS from WAN" dst-port=53 \
in-interface-list=WAN protocol=udp
add action=drop chain=input comment="DNS from WAN" dst-port=53 \
in-interface-list=WAN protocol=tcp
# ICMP to the router is accepted from any interface while under the rate
# limit; packets over the limit do not match and continue down the chain.
# This rule sits above the guest drop, so guests can still ping the router.
add action=accept chain=input comment="defconf: accept ICMP" limit=1,5:packet \
protocol=icmp
# Lets relayed DHCP requests from the guest gateway reach the DHCP server.
add action=accept chain=input comment="Bootp Guest" dst-port=67 protocol=udp \
src-address=192.168.91.14
# NOTE(review): guest isolation from the router depends entirely on the Guest
# address list. Guest traffic enters on UplinkToCisco-LAN, which is a LAN
# member, so the final "not coming from LAN" drop does not catch it. If the
# list is empty, matching on src-address=192.168.91.0/28 would be the robust
# alternative.
add action=drop chain=input comment="Guest into Mikrotik" log=yes log-prefix=\
"Guest Into Tik" src-address-list=Guest
# Same dependency on the Guest list for keeping guests away from the Family
# interfaces.
add action=drop chain=forward comment="Block Guest from Family" \
out-interface-list=Family src-address-list=Guest
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# SSTP from the internet, rate limited for new connections (established
# traffic is already accepted by the rule near the top).
add action=accept chain=input comment=SSTP dst-port=443 in-interface=\
SFP12-WAN limit=1,2:packet protocol=tcp
add action=accept chain=input comment=ipsec limit=1,5:packet protocol=\
ipsec-esp
# NOTE(review): "port=" matches the source OR the destination port, so a UDP
# packet from any interface with source port 500, 1701 or 4500 is accepted to
# any UDP service on the router (within the rate limit). dst-port= is the
# usual matcher here. 1701 is also accepted without an ipsec-policy match,
# i.e. for L2TP that did not arrive inside IPsec.
add action=accept chain=input comment=l2tp/ipsec limit=1,3:packet log=yes \
log-prefix="IPSEC ATTEMPT" port=500,1701,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Only destination-NATed connections (the port forwards) may enter from WAN.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix="Drop Invalid"
# Default drop for the input chain: anything not accepted above and not
# arriving on a LAN-list interface is dropped and logged.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix=Drop
# IPv4 connection and packet marking that feeds the queue tree. Each group
# marks new (no-mark) connections by source and by destination, then stamps
# the packet mark and stops mangle processing (passthrough=no).
# The Tor group must stay first: 192.168.90.193 lies inside 192.168.90.0/24
# and would otherwise be marked Home_Conn.
# These marks are used for shaping only; none of the filter rules match on
# them.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
new-connection-mark=Tor_Conn passthrough=yes src-address=192.168.90.193
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=192.168.90.193 new-connection-mark=Tor_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Tor_Conn \
new-packet-mark=Tor passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
new-connection-mark=Home_Conn passthrough=yes src-address=192.168.90.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=192.168.90.0/24 new-connection-mark=Home_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Home_Conn \
new-packet-mark=Home passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
new-connection-mark=Wifi_Conn passthrough=yes src-address=192.168.92.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=192.168.92.0/24 new-connection-mark=Wifi_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Wifi_Conn \
new-packet-mark=Wifi passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
new-connection-mark=Guest_Conn passthrough=yes src-address=\
192.168.91.0/28
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=192.168.91.0/28 new-connection-mark=Guest_Conn passthrough=\
yes
add action=mark-packet chain=prerouting connection-mark=Guest_Conn \
new-packet-mark=Guest passthrough=no
# IPv4 NAT: outbound masquerade, port forwards, and a forced redirect of all
# LAN DNS traffic to the internal resolver.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# The only enabled port forward from the internet: tcp/32400 to
# 192.168.90.186, with no source restriction or rate limit.
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.90.186 to-ports=\
32400
# Toggled by the netwatch entry "RocketChat NAT RULE", which addresses this
# rule by position ("2"); inserting or moving a rule above it would make the
# script act on a different rule.
add action=dst-nat chain=dstnat comment="Rocketchat-NetwatchRule 2" \
dst-address=192.30.153.190 dst-port=3000 in-interface=UplinkToCisco-LAN \
protocol=tcp to-addresses=192.168.106.18 to-ports=443
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.106.18 \
dst-port=443 protocol=tcp to-ports=443
# The next three port forwards are disabled.
add action=dst-nat chain=dstnat comment="Free Orion" disabled=yes dst-port=\
12346 in-interface-list=WAN protocol=tcp to-addresses=192.168.90.199 \
to-ports=12346
# NOTE(review): labelled SFTP, but udp/69 is TFTP, an unauthenticated
# protocol; keep this disabled or restrict the source if it is ever needed.
add action=dst-nat chain=dstnat comment=SFTP disabled=yes dst-port=69 \
in-interface-list=WAN limit=1,3:packet log=yes log-prefix="SFTP ATTEMPT" \
protocol=udp to-addresses=192.168.90.193 to-ports=69
add action=dst-nat chain=dstnat comment=Terraria disabled=yes dst-port=7777 \
in-interface-list=WAN limit=5/1m,3:packet log=yes log-prefix=TERRARIA \
protocol=tcp to-addresses=192.168.90.186 to-ports=7777
# Disabled exemptions that would have let guest DNS bypass the redirect below.
add action=accept chain=dstnat comment="Accept Guest" disabled=yes dst-port=\
53 in-interface=UplinkToCisco-LAN protocol=udp src-address=\
192.168.91.0/28
add action=accept chain=dstnat comment="Accept Guest" disabled=yes dst-port=\
53 in-interface=UplinkToCisco-LAN protocol=tcp src-address=\
192.168.91.0/28
# DNS enforcement: any port-53 traffic entering on the LAN uplink that is
# neither from nor to 192.168.90.38 is rewritten to 192.168.90.38.
# NOTE(review): with the guest exemptions disabled this also applies to the
# guest subnet, which gives guests a path to a host on the Home network.
add action=dst-nat chain=dstnat dst-address=!192.168.90.38 dst-port=53 \
in-interface=UplinkToCisco-LAN protocol=udp src-address=!192.168.90.38 \
to-addresses=192.168.90.38 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.90.38 dst-port=53 \
in-interface=UplinkToCisco-LAN protocol=tcp src-address=!192.168.90.38 \
to-addresses=192.168.90.38 to-ports=53
# Source-NAT for the redirected queries so replies return through the router.
# Side effect: the resolver sees the router's address as the client, so its
# query log presumably cannot attribute these queries to hosts - confirm.
add action=masquerade chain=srcnat dst-address=192.168.90.38 dst-port=53 \
out-interface=UplinkToCisco-LAN protocol=udp to-ports=53
add action=masquerade chain=srcnat dst-address=192.168.90.38 dst-port=53 \
out-interface=UplinkToCisco-LAN protocol=tcp to-ports=53
# Raw (pre-connection-tracking) drops, NAT helper settings and IPsec
# identities.
/ip firewall raw
# The only enabled raw rule: drops anything sourced from 192.168.108.0/24 on
# any interface.
add action=drop chain=prerouting src-address=192.168.108.0/24
add action=drop chain=prerouting disabled=yes dst-address=206.221.180.138
# Disabled blocklist rules; the Malicious and CountryIPBlocks lists are not
# defined in this export.
add action=drop chain=prerouting comment="Outside Malicious" disabled=yes \
protocol=udp src-address-list=Malicious
add action=drop chain=prerouting comment=Countries disabled=yes \
src-address-list=CountryIPBlocks
/ip firewall service-port
# Connection-tracking helpers that are switched off.
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# The peers named here are not defined in this export (no /ip ipsec peer
# section), and no auth-method or secret is shown; presumably omitted as
# sensitive or left at defaults - confirm which authentication is in use.
add peer="Chance 2"
add peer=Chance
add peer=Dad
# Static routes, management services, UPnP interface roles and the IPv6
# addressing / prefix delegation setup.
/ip route
# High-distance (160) static routes via the LAN-side router, presumably as a
# fallback behind OSPF-learned routes - confirm.
add disabled=no distance=160 dst-address=192.168.90.0/24 gateway=\
192.168.255.2
add disabled=no distance=90 dst-address=192.168.50.0/30 gateway=\
172.28.0.2%DadNet pref-src="" routing-table=main scope=20 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=160 dst-address=192.168.91.0/28 gateway=\
192.168.255.2%UplinkToCisco-LAN routing-table=main scope=20 \
suppress-hw-offload=no target-scope=10
/ip service
# NOTE(review): only telnet (disabled) and www (limited to 192.168.90.0/24)
# are changed. ftp, ssh, winbox, api and api-ssl are not listed, so they are
# presumably at their defaults - confirm, then disable the unused ones and
# give the rest an address= restriction like www. The input chain trusts
# every LAN-list interface, including the VPN and remote-site links.
set telnet disabled=yes
set www address=192.168.90.0/24
/ip upnp interfaces
# UPnP interface roles. Whether UPnP itself is enabled is not visible here
# (no "/ip upnp set" line). If it is, any LAN host can open inbound port
# mappings on the WAN side.
add interface=SFP12-WAN type=external
add interface=UplinkToCisco-LAN type=internal
/ipv6 address
add address=2600:6c48:467f:6e01::2 interface=UplinkToCisco-LAN
add address=2600:6c48:467f:6e06::1 advertise=no interface=DadNetV6
/ipv6 dhcp-client
# Requests an address and a /56 prefix from the ISP into the pool "Home";
# DNS servers offered by the ISP are ignored.
add add-default-route=yes interface=SFP12-WAN pool-name=Home \
pool-prefix-length=56 prefix-hint=::/56 request=address,prefix \
use-peer-dns=no
/ipv6 dhcp-server
# Hands out prefixes from that pool on the LAN uplink together with the "dns"
# option defined under /ipv6 dhcp-server option.
add address-pool=Home dhcp-option=dns interface=UplinkToCisco-LAN name=\
REID-HOME
# IPv6 address lists and filter rules. As with IPv4, rules are evaluated in
# order per chain. Unlike the IPv4 forward chain, both chains here end in a
# drop for everything not arriving on a LAN-list interface.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Destination list used by the "Plex" forward rule below.
add address=2600:6c48:467f:6e02:f886:f4:a0a9:6559/128 list=Athens
# DNS-name entry for a remote router's cloud DDNS name; the "Dad" list is not
# referenced by any rule in this export. The host label looks like a device
# serial number - consider redacting it when sharing.
add address=d1270beda968.sn.mynetname.net list=Dad
/ipv6 firewall filter
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Accepts UDP with source port 13232 from one specific remote address on WAN;
# presumably a tunnel endpoint - confirm.
add action=accept chain=input in-interface=SFP12-WAN protocol=udp \
src-address=2600:6c48:700c:100:385f:ca27:89df:e2f7/128 src-port=13232
# Inbound tcp/443 from the internet to the host in the Athens list.
add action=accept chain=forward comment=Plex dst-address-list=Athens \
dst-port=443 in-interface=SFP12-WAN out-interface=UplinkToCisco-LAN \
protocol=tcp
# NOTE(review): this blanket ICMPv6 accept sits above the bad_ipv6 drops and
# above the "rfc4890 drop hop-limit=1" rule further down, so forwarded ICMPv6
# never reaches either of them. In the stock ordering those drops come first.
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
# The next five accepts have no interface match, so they also admit HIP, IKE,
# AH and ESP from the internet towards internal hosts.
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
# Guest isolation from the router is done by prefix here rather than by an
# address list; it only holds while the guest segment uses this /64 of the
# delegated prefix.
add action=drop chain=input comment="Drop Guest into Router" src-address=\
2600:6c48:467f:6e05::/64
# GRE from the same remote address as the UDP rule above.
add action=accept chain=input in-interface=SFP12-WAN protocol=gre \
src-address=2600:6c48:700c:100:385f:ca27:89df:e2f7/128
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
# "port=" matches source or destination port.
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
# Accepted from any interface, WAN included.
add action=accept chain=input comment="defconf: accept IKE" dst-port=\
500,1701,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Shadowed by the earlier forward-chain ICMPv6 accept (see note above).
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix=Drop
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Default drops for both chains.
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# IPv6 marking for the queue tree (one /64 per segment) and the IPv6 variant
# of the forced DNS redirect.
/ipv6 firewall mangle
add action=mark-connection chain=prerouting comment=Home connection-mark=\
no-mark new-connection-mark=Home_Conn passthrough=yes src-address=\
2600:6c48:467f:6e02::/64
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=2600:6c48:467f:6e02::/64 new-connection-mark=Home_Conn \
passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Home_Conn \
new-packet-mark=Home packet-mark=no-mark passthrough=no
add action=mark-connection chain=prerouting comment=Wifi connection-mark=\
no-mark new-connection-mark=Wifi_Conn passthrough=yes src-address=\
2600:6c48:467f:6e03::/64
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=2600:6c48:467f:6e03::/64 new-connection-mark=Wifi_Conn \
passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Wifi_Conn \
new-packet-mark=Wifi packet-mark=no-mark passthrough=no
add action=mark-connection chain=prerouting comment=Guest connection-mark=\
no-mark new-connection-mark=Guest_Conn passthrough=yes src-address=\
2600:6c48:467f:6e05::/64
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=2600:6c48:467f:6e05::/64 new-connection-mark=Guest_Conn \
passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Guest_Conn \
new-packet-mark=Guest packet-mark=no-mark passthrough=no
# Disabled catch-all that would mark every remaining connection as Home.
add action=mark-connection chain=prerouting comment=Catchall connection-mark=\
no-mark disabled=yes new-connection-mark=Home_Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Home_Conn disabled=\
yes new-packet-mark=Home packet-mark=no-mark passthrough=no
/ipv6 firewall nat
# Port-53 traffic entering on the LAN uplink from any source other than the
# resolver is rewritten to the resolver's IPv6 address. Unlike the IPv4 rules
# there is no dst-address exclusion.
add action=dst-nat chain=dstnat dst-port=53 in-interface=UplinkToCisco-LAN \
protocol=tcp src-address=!2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 \
to-address=2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 in-interface=UplinkToCisco-LAN \
protocol=udp src-address=!2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 \
to-address=2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 to-ports=53
# Source-NAT for the redirected queries so that replies return via the router.
add action=masquerade chain=srcnat dst-address=\
2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 dst-port=53 out-interface=\
UplinkToCisco-LAN protocol=tcp to-ports=53
add action=masquerade chain=srcnat dst-address=\
2600:6c48:467f:6e02:215:5dff:fe5a:2403/128 dst-port=53 out-interface=\
UplinkToCisco-LAN protocol=udp to-ports=53
# IPv6 neighbour discovery, PPP (VPN) accounts and the OSPF inbound route
# filter.
/ipv6 nd
# The default (all-interfaces) entry is disabled; explicit entries exist for
# the WAN port and the LAN uplink.
# NOTE(review): an nd entry on SFP12-WAN presumably sends router
# advertisements towards the ISP side - confirm this is intended.
set [ find default=yes ] disabled=yes
add interface=SFP12-WAN
add interface=UplinkToCisco-LAN
/ipv6 nd prefix
add interface=UplinkToCisco-LAN
/ppp secret
# Four VPN accounts on the default-encryption profile. Passwords are not part
# of this export, and no service= restriction is shown, so each account is
# presumably valid for every enabled PPP service - confirm. The SSTP server is
# reachable from the internet, so these credentials are what protects LAN-level
# access (the profile places sessions in the LAN interface list).
add name=Reid profile=default-encryption
add name=Chance profile=default-encryption
add name=Dad profile=default-encryption
add name=Nat profile=default-encryption
/routing filter rule
# Chain applied to routes learned by the OSPF instance (in-filter-chain).
# Routes whose destination falls inside one of the listed prefixes are
# rejected. The trailing "else" belongs to the last "if" only, which is what
# accepts everything that was not rejected earlier.
add chain=ospf-in disabled=no rule="if (dst in 10.10.102.1 ) { reject;}\r\
\nif (dst in 10.10.110.1) {\
\n reject;\
\n} \r\
\nif (dst in 10.8.1.0/24) {\
\n reject;\
\n} \r\
\nif (dst in 192.168.1.0/24) {\
\n reject;\
\n} \r\
\nif (dst in 192.168.108.0/24) {\
\n reject;\
\n} \r\
\nif (dst in 192.168.2.0/24) {\
\n reject;\
\n} \r\
\n\r\
\nelse {accept}"
# Multicast proxying, OSPF/PIM interface bindings, system settings and tools.
/routing igmp-proxy interface
add interface=UplinkToCisco-LAN
add interface=Chance
add disabled=yes
add interface=DadNet
/routing ospf area range
# NOTE(review): 192.168.90.0 is not on a /21 boundary; the /21 that contains
# it is 192.168.88.0/21 (192.168.88.0 - 192.168.95.255), which also covers the
# defconf 192.168.88.0/24 and the VPN 192.168.94.0/24 networks. Confirm the
# intended summary.
add area=ReidHome prefix=192.168.90.0/21
/routing ospf interface-template
# NOTE(review): no auth properties appear on these templates, so OSPF
# adjacencies are presumably unauthenticated, including on the links to the
# remote sites (Chance, DadNet, ChanceWG) - confirm. The ospf-in filter is
# then the only control over which routes are accepted from neighbours.
add area=ReidHome interfaces=UplinkToCisco-LAN networks=192.168.255.0/29
add area=Backbone cost=50 interfaces=Chance networks=10.10.38.0/30
add area=Backbone interfaces=DadNet networks=172.28.0.0/30
# passive: the VPN network is advertised but no adjacencies are formed on it.
add area=Backbone networks=192.168.94.0/24 passive
add area=Backbone interfaces=ChanceWG networks=172.28.0.4/30
/routing pimsm interface-template
add disabled=no instance=PIM interfaces=DadNet source-addresses=""
add disabled=no instance=PIM interfaces=UplinkToCisco-LAN source-addresses=""
/system clock
set time-zone-name=America/Detroit
/system identity
set name=ReidTik
/system logging
# The ipsec topic is excluded from the default info and error log rules, so
# IPsec negotiation messages are not recorded by them; only the firewall's
# "IPSEC ATTEMPT" log prefix remains as a trace of VPN connection attempts.
set 0 topics=info,!ipsec
set 1 topics=error,!ipsec
add disabled=yes topics=ospf
add disabled=yes topics=dhcp
/system note
set note="They Don't Think It Be Like It Is, But It Do.\r\
\n"
/system resource irq rps
set ether1 disabled=no
/tool bandwidth-server
# The bandwidth-test server is switched off.
set enabled=no
/tool graphing interface
add interface=Chance store-on-disk=no
add store-on-disk=no
add store-on-disk=no
add interface=SFP12-WAN store-on-disk=no
add interface=UplinkToCisco-LAN store-on-disk=no
add interface=VPN-Bridge store-on-disk=no
/tool graphing resource
add store-on-disk=no
/tool netwatch
# Enables or disables a NAT rule depending on whether 192.168.106.18 answers.
# NOTE(review): the scripts address the rule by position ("2"). Positions
# shift when NAT rules are added, removed or reordered, and the script would
# then toggle some other rule. Selecting the rule by its comment with a find
# expression (the rule is commented "Rocketchat-NetwatchRule 2") avoids that.
add comment="RocketChat NAT RULE" down-script="/ip/firewall/nat/ disable 2" \
host=192.168.106.18 interval=10s timeout=15s up-script=\
"/ip/firewall/nat/ enable 2"
/tool sniffer
# Saved packet-sniffer settings: capture file "Test", filtered to one address
# in the guest subnet. Whether the sniffer is running is not shown.
set file-name=Test filter-ip-address=192.168.91.5/32
Let me know if you find the rule in question.