CRS328...
# apr/02/2021 10:02:06 by RouterOS 6.48.1
# software id =
#
# model = CRS328-24P-4S+
# serial number = D*************
# CRS328: one bridge with VLAN filtering enabled; the bridge port section below adds every port to it.
# NOTE(review): admin-mac is all zeros, presumably redacted for posting - set a real
# unicast MAC before importing this file.
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
# Speed/duplex modes advertised on sfp-sfpplus1, the port that carries the tagged
# VLANs in the bridge VLAN table further down.
set [ find default-name=sfp-sfpplus1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
/interface list
# Interface list that the list member section further down fills with every port.
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Bridge membership for all 24 copper ports and the four SFP+ ports.
# ether11-ether16 are access ports: they accept only untagged/priority-tagged frames,
# classify them into their pvid (10, 20 or 30) and have ingress filtering enabled.
# NOTE(review): every other port, including the sfp-sfpplus1 trunk, is added without
# ingress-filtering, so membership in the bridge VLAN table is not checked on ingress
# for those ports. A tagged frame for VLAN 10/20/30 entering on one of them may be
# accepted into that VLAN. Consider ingress-filtering=yes on the remaining ports too,
# as already done for ether11-ether16 - verify on this RouterOS version first.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
# Access ports, VLAN 10.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether11 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether12 pvid=10
# Access ports, VLAN 20.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether13 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether14 pvid=20
# Access ports, VLAN 30.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether15 pvid=30
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether16 pvid=30
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
# SFP+ ports; sfp-sfpplus1 is the one listed as tagged in the bridge VLAN table.
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge interface=sfp-sfpplus3
add bridge=bridge interface=sfp-sfpplus4
/ip neighbor discovery-settings
# Neighbor discovery runs on every interface that is not dynamic, which includes the
# VLAN access ports. NOTE(review): discovery announces device identity and version to
# whatever is plugged in; consider limiting it to an interface list of trusted ports.
set discover-interface-list=!dynamic
/interface bridge vlan
# VLAN table: each VLAN leaves tagged on sfp-sfpplus1 and untagged on its two access
# ports. The bridge itself is not a member of VLAN 10/20/30, so the switch CPU takes
# no part in these VLANs.
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether11,ether12 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether13,ether14 vlan-ids=20
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether15,ether16 vlan-ids=30
# Every physical port is placed in the LAN interface list.
# NOTE(review): nothing else in this export refers to the LAN list (no firewall, MAC
# server or discovery setting uses it), so as shown it restricts nothing.
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/ip dhcp-client
# The switch obtains its own management address by DHCP on the bridge (untagged side).
add disabled=no interface=bridge
/ip service
# Telnet, FTP, web, SSH and both API services are turned off.
# NOTE(review): winbox is not listed, so it is presumably left at its default
# (enabled, no address restriction). This export contains no /ip firewall section and
# no /tool mac-server section, so management access appears to rely on defaults -
# consider an address= restriction on winbox and a restricted MAC server interface list.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=CSR328
/system routerboard settings
set boot-os=router-os
RB4011...
# apr/02/2021 10:05:58 by RouterOS 6.48.1
# software id =
#
# model = RB4011iGS+
# serial number = D****************
# RB4011: bridge with VLAN filtering enabled; the vlan10/20/30 interfaces below sit on it.
/interface bridge
add admin-mac=08:00:00:C0:00:00 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
# ether1-ether5 and ether7-ether9 are administratively disabled; ether6 is labelled
# as the WAN port and sfp-sfpplus1 as the link towards the CRS328.
set [ find default-name=ether1 ] comment="PoE <<<" disabled=yes
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] comment="WAN >>>"
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] comment=">>> CRS328"
/interface vlan
# Layer-3 interfaces for VLAN 10, 20 and 30, all on top of the bridge.
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/interface ethernet switch port
# Switch-chip ports 5-9 and 11 get default VLAN id 0.
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN and LAN lists; the firewall filter and NAT sections match on them.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# DHCP option 6 (DNS server) pointing at 192.168.50.11; attached to selected static leases.
add code=6 name=pihole value="'192.168.50.11'"
/ip pool
# Address pools: main LAN, VPN clients and one pool per VLAN.
add name=dhcp ranges=192.168.50.100-192.168.50.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=vlan10_pool ranges=192.168.10.2-192.168.10.254
add name=vlan20_pool ranges=192.168.20.2-192.168.20.254
add name=vlan30_pool ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
# One DHCP server on the bridge (untagged LAN) and one per VLAN interface.
add address-pool=dhcp disabled=no interface=bridge lease-time=1h name=defconf
add address-pool=vlan10_pool disabled=no interface=vlan10 name=vlan10_pool
add address-pool=vlan20_pool disabled=no interface=vlan20 name=vlan20_pool
add address-pool=vlan30_pool disabled=no interface=vlan30 name=vlan30_pool
/ppp profile
# PPP profile referenced by internal id (presumably the built-in default-encryption
# profile that the sstp-server section selects - confirm). VPN clients get the router
# at 192.168.89.1, an address from the vpn pool, and 192.168.50.1 as DNS server.
set *FFFFFFFE dns-server=192.168.50.1 local-address=192.168.89.1 remote-address=vpn
/user group
# Policy set of the "full" group as listed; it includes sensitive, sniff, policy and
# every remote-access policy, so any account in this group has complete control.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager interface
# CAPsMAN is forbidden on the default (all interfaces) entry and allowed on the bridge only.
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
# Two identical catch-all provisioning rules; the second is redundant.
# NOTE(review): no match criteria and no peer-certificate requirement are visible in
# this export, so any CAP that reaches the manager on the bridge would be provisioned.
add action=create-dynamic-enabled
add action=create-dynamic-enabled
# Bridge membership: ether2-5, ether7-10 and sfp-sfpplus1. ether1 and ether6 (the WAN
# list members) stay outside the bridge.
# NOTE(review): none of these ports sets ingress-filtering or frame-types, so VLAN
# membership is not checked on ingress - confirm whether that is intended with
# vlan-filtering=yes on the bridge.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list, so it is not announced on the WAN port.
set discover-interface-list=LAN
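# VLAN table for the router bridge. The bridge (CPU port) is a tagged member so the
# vlan10/vlan20/vlan30 interfaces receive traffic.
# Changed: sfp-sfpplus1 is added as a tagged member. It is assumed to be the trunk to
# the CRS328, as its interface comment says and as the CRS328 tags these VLANs on its
# own sfp-sfpplus1. Without membership, frames for VLAN 10/20/30 are not sent out of
# that port, so replies never reach the switch.
# NOTE(review): once the VLANs pass traffic, the forward chain in this export places
# no restriction between vlan10/20/30 and the main LAN - add forward rules if the
# VLANs are meant to be isolated from each other.
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=20
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=30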
/interface l2tp-server server
# L2TP server settings (no enabled=yes appears in this export).
# NOTE(review): with use-ipsec=yes the server is understood to still admit L2TP
# sessions that are not wrapped in IPsec; RouterOS offers a stricter mode that refuses
# them - confirm against the l2tp-server documentation before enabling the server.
set one-session-per-host=yes use-ipsec=yes
/interface list member
# LAN = the bridge only; WAN = ether1 (disabled above) and ether6.
# vlan10/vlan20/vlan30 are in neither list.
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=ether6 list=WAN
/interface ovpn-server server
# OpenVPN server settings: SHA1 auth, AES-256 cipher, client certificate required.
# No enabled=yes appears, and the input chain has no rule for an OpenVPN port.
set auth=sha1 certificate=server cipher=aes256 require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
# Router addresses: .1 in the main LAN and in each VLAN subnet.
add address=192.168.50.1/24 comment=defconf interface=bridge network=192.168.50.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
/ip cloud
# MikroTik cloud DDNS is on: the router registers its public address under a
# vendor-hosted DNS name.
set ddns-enabled=yes
/ip dhcp-client
# WAN address comes from the upstream DHCP server on ether6; NTP servers offered by
# the peer are ignored.
add comment="internet detect" disabled=no interface=ether6 use-peer-ntp=no
# Static DHCP leases on the main LAN server (defconf). Leases carrying
# dhcp-option=pihole hand out 192.168.50.11 as DNS server; the others receive the DNS
# servers configured in the dhcp-server network section.
# NOTE(review): a static lease only pins an address to a MAC; it does not authenticate
# the device. Clients without the pihole option bypass the filtering resolver.
# NOTE(review): the serial numbers in this post are masked but the MAC addresses and
# device labels are not - consider redacting them when sharing a configuration.
/ip dhcp-server lease
add address=192.168.50.15 client-id=1:0:18:dd:25:f:d1 mac-address=00:18:DD:25:0F:D1 server=defconf
add address=192.168.50.16 client-id=1:0:18:dd:25:12:1e mac-address=00:18:DD:25:12:1E server=defconf
add address=192.168.50.41 client-id=1:0:2a:2a:4b:8d:a8 comment=cctv1 mac-address=00:2A:2A:4B:8D:A8 server=defconf
add address=192.168.50.42 client-id=1:b4:a3:82:f:7:29 comment=cctv2 mac-address=B4:A3:82:0F:07:29 server=defconf
add address=192.168.50.43 client-id=1:b4:a3:82:f:5:da comment=cctv3 mac-address=B4:A3:82:0F:05:DA server=defconf
add address=192.168.50.44 client-id=1:b4:a3:82:f:6:1b comment=cctv4 mac-address=B4:A3:82:0F:06:1B server=defconf
add address=192.168.50.11 client-id=1:78:24:af:82:df:b2 mac-address=78:24:AF:82:DF:B2 server=defconf
add address=192.168.50.18 client-id=1:74:da:88:14:2d:b9 mac-address=74:DA:88:14:2D:B9 server=defconf
add address=192.168.50.21 client-id=1:0:4:4b:b1:da:f9 comment=Shield dhcp-option=pihole mac-address=00:04:4B:B1:DA:F9 server=defconf
add address=192.168.50.7 client-id=1:84:d8:1b:59:0:92 mac-address=84:D8:1B:59:00:92 server=defconf
add address=192.168.50.19 client-id=1:60:32:b1:b9:79:ae mac-address=60:32:B1:B9:79:AE server=defconf
add address=192.168.50.31 dhcp-option=pihole mac-address=C8:3A:6B:F6:74:D4 server=defconf
add address=192.168.50.29 dhcp-option=pihole mac-address=40:06:A0:A7:CD:E0 server=defconf
add address=192.168.50.28 dhcp-option=pihole mac-address=10:CE:A9:50:87:C0 server=defconf
add address=192.168.50.27 client-id=1:64:16:66:8f:d4:46 dhcp-option=pihole mac-address=64:16:66:8F:D4:46 server=defconf
add address=192.168.50.26 client-id=1:38:f7:3d:a9:c4:dc dhcp-option=pihole mac-address=38:F7:3D:A9:C4:DC server=defconf
add address=192.168.50.25 client-id=1:3c:5c:c4:43:a:14 dhcp-option=pihole mac-address=3C:5C:C4:43:0A:14 server=defconf
add address=192.168.50.12 client-id=1:78:24:af:82:df:b3 mac-address=78:24:AF:82:DF:B3 server=defconf
add address=192.168.50.9 client-id=1:0:15:17:dd:cf:ac mac-address=00:15:17:DD:CF:AC server=defconf
add address=192.168.50.10 client-id=1:0:15:17:dd:cf:ad mac-address=00:15:17:DD:CF:AD server=defconf
add address=192.168.50.32 client-id=1:5c:a3:9d:2d:a8:ad comment=Small_SamsungTV dhcp-option=pihole mac-address=5C:A3:9D:2D:A8:AD server=defconf
add address=192.168.50.35 client-id=1:fc:45:96:c6:8c:3c comment=my_watch dhcp-option=pihole mac-address=FC:45:96:C6:8C:3C server=defconf
add address=192.168.50.37 client-id=1:a4:db:30:50:f1:d7 dhcp-option=pihole mac-address=A4:DB:30:50:F1:D7 server=defconf
add address=192.168.50.23 client-id=1:d6:2d:76:4e:aa:21 dhcp-option=pihole mac-address=D6:2D:76:4E:AA:21 server=defconf
add address=192.168.50.2 client-id=1:8:55:31:26:f8:1d mac-address=08:55:31:26:F8:1D server=defconf
add address=192.168.50.6 client-id=1:60:32:b1:d1:63:40 mac-address=60:32:B1:D1:63:40 server=defconf
add address=192.168.50.4 client-id=1:60:32:b1:97:a4:70 mac-address=60:32:B1:97:A4:70 server=defconf
add address=192.168.50.5 client-id=1:60:32:b1:97:a4:86 mac-address=60:32:B1:97:A4:86 server=defconf
add address=192.168.50.38 client-id=1:24:4b:fe:b7:35:57 mac-address=24:4B:FE:B7:35:57 server=defconf
add address=192.168.50.33 client-id=1:ae:b6:6a:cd:4a:88 dhcp-option=pihole mac-address=AE:B6:6A:CD:4A:88 server=defconf
/ip dhcp-server network
# Gateway and DNS handed to main-LAN clients: public resolvers 1.1.1.1/1.0.0.1.
# NOTE(review): only 192.168.50.0/24 has a network entry; the vlan10/20/30 subnets
# have none in this export, so confirm what gateway and DNS those clients receive.
add address=192.168.50.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1 gateway=192.168.50.1 netmask=24
/ip dns static
add address=192.168.50.1 comment=defconf name=router.lan
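/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
# IKE (udp/500) and NAT-T (udp/4500) are open to any source so IPsec can negotiate.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
# Changed: L2TP is accepted only when it arrived inside IPsec (ipsec-policy=in,ipsec),
# so udp/1701 is not exposed in clear text on the WAN side.
add action=accept chain=input comment="allow l2tp" dst-port=1701 ipsec-policy=in,ipsec protocol=udp
# Changed: the "allow pptp" rule (tcp/1723) is removed. No /interface pptp-server
# section appears in this export, and PPTP's encryption is considered weak, so the
# port is left to the final drop rule.
# NOTE(review): the sstp-server section shows no enabled=yes; drop this rule as well
# if SSTP is not actually in use.
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: anything not from the LAN list is dropped and logged. The LAN list
# contains only the bridge, so router-bound traffic arriving on vlan10/20/30 also
# ends here.
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=not_from_LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=Invalid
# New connections from the WAN list are dropped unless a dst-nat rule matched them.
# NOTE(review): no forward rule limits traffic between the bridge, vlan10, vlan20 and
# vlan30, so routing between those subnets is unrestricted.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="not DSTNATed"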
/ip firewall nat
# Source NAT for everything leaving through the WAN list, except IPsec-protected traffic.
# NOTE(review): log=yes here records every new outbound connection and can bury the
# drop-rule log entries; it has no log-prefix to filter on.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN
# Port forwards from ether6 to 192.168.50.11 (tcp/8096 and tcp/8089), open to any source.
# NOTE(review): 192.168.50.11 is also the DNS server in the pihole DHCP option and
# sits on the main LAN with the other leased devices, so a compromise of either
# published service lands inside that network. Consider a src-address-list
# restriction, reaching these services over the VPN instead, or moving the host to
# its own VLAN with forward rules.
add action=dst-nat chain=dstnat comment="emby forwarding" dst-port=8096 in-interface=ether6 log=yes log-prefix=emby_CONNECT protocol=tcp to-addresses=192.168.50.11 to-ports=8096
add action=dst-nat chain=dstnat comment="channels forwarding" dst-port=8089 in-interface=ether6 log=yes protocol=tcp to-addresses=192.168.50.11 to-ports=8089
/ip service
# Telnet, FTP, web, SSH and both API services are disabled. The www address
# restriction and the SSH port only take effect if those services are re-enabled.
# NOTE(review): winbox is not listed, so it is presumably at its default (enabled, no
# address= restriction); the input chain is then the only thing limiting who reaches it.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.50.9/32 disabled=yes
set ssh disabled=yes port=2369
set api disabled=yes
set api-ssl disabled=yes
/ip smb
# The router's built-in SMB service is enabled with guest access off.
# NOTE(review): no shares or SMB users appear in this export; disable the service if
# it is not in use, since it adds a network-facing service on the router.
set allow-guests=no domain=WORKGROUP enabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
# VPN account "vpn". NOTE(review): no password is shown - either the export hid
# sensitive values or the secret has an empty password; verify before enabling any
# PPP-based server.
add name=vpn
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB4011
/system ntp client
# Time is taken from two fixed public IP addresses.
set enabled=yes primary-ntp=51.89.151.183 secondary-ntp=178.62.250.107
/system ntp server
# The router also serves time, including broadcast and multicast modes.
set broadcast=yes enabled=yes multicast=yes
/tool bandwidth-server
set enabled=no
/tool graphing interface
# Graphing pages are limited to individual LAN hosts by allow-address.
add allow-address=192.168.50.10/32
add allow-address=192.168.50.18/32
add allow-address=192.168.50.9/32
/tool graphing queue
add allow-address=192.168.50.10/32
/tool graphing resource
add allow-address=192.168.50.10/32
add allow-address=192.168.50.18/32
/tool mac-server
# Layer-2 management: MAC-Telnet is off on all interfaces, MAC-WinBox is limited to
# the LAN list, and MAC ping is disabled.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no