Community discussions

MikroTik App
 
User avatar
archerious
Member Candidate
Member Candidate
Topic Author
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

IPv6 help

Wed Aug 25, 2021 8:44 am

I still have an issue where it's assigning ipv6 meant for other VLANs and then ipv6 is dying.

1875 is supposed to be for VLAN50, 1874 for VLAN45, 1873 for VLAN20, and 1872 for VLAN100.

My PC is on VLAN100 assigned 10.1.1.44, but it is getting an IPV6 address meant for other VLANs too.

Any assistance is appreciated, another issue is randomly the IPv6 will go unbound on DHCPv6 client causing ipv6 to die and many devices to not have internet until I restart them or turn off IPV6. I have AT&T fiber and use the Dot 1X client to bypass AT&T's RG requirement, from PCUnite's guide: viewtopic.php?t=154954.

Image

Image

Image

Image

Image

Image

I don't have that issue with my Ubiquiti UDM but I prefer using MikroTik as the Ubiquiti has it's own issues.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPv6 help

Wed Aug 25, 2021 8:52 am

Post full configuration export ... execute /export hide-sensitive file=anynameyouwish from terminal window, fetch resulting file, open it in text editor, obfuscate any remaining sensitive information (e.g. public IP addresses - but keep them the way they are still distinguishable from each other) and copy-paste it inside [code] [/code] environment.
 
User avatar
archerious
Member Candidate
Member Candidate
Topic Author
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: IPv6 help

Thu Sep 23, 2021 10:04 pm

Post full configuration export ... execute /export hide-sensitive file=anynameyouwish from terminal window, fetch resulting file, open it in text editor, obfuscate any remaining sensitive information (e.g. public IP addresses - but keep them the way they are still distinguishable from each other) and copy-paste it inside [code] [/code] environment.
Sorry for late reply, Mikrotik forum didn't tell me anyone had replied.
# sep/18/2021 20:54:56 by RouterOS 6.48.4
# software id = 86CU-YT4V
#
# model = RB4011iGS+
# serial number = 
/interface bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=CENSORED
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] comment="temp meraki" disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
/interface vlan
add disabled=yes interface=sfp-sfpplus1 name="VLAN12_Hikvision VLAN" vlan-id=\
    12
add interface=sfp-sfpplus1 name=VLAN20 vlan-id=20
add disabled=yes interface=sfp-sfpplus1 name=VLAN40 vlan-id=40
add interface=sfp-sfpplus1 name=VLAN45 vlan-id=45
add interface=sfp-sfpplus1 name=VLAN50 vlan-id=50
add interface=sfp-sfpplus1 name=VLAN70 vlan-id=70
add disabled=yes interface=sfp-sfpplus1 name=VLAN99 vlan-id=99
add interface=sfp-sfpplus1 name=VLAN100 vlan-id=100
add disabled=yes interface=sfp-sfpplus1 name=VLAN200_mgmt vlan-id=200
add disabled=yes interface=sfp-sfpplus1 name=VLAN500 vlan-id=500
add disabled=yes interface=ether6 name=vlan20_temp vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=LAN
add name=WAN
add name=No-InterVLAN
add name=m-InterVLAN
add include=none name=DMZ-IPCAMs
add include=none name=TrueDMZ
add name=mgmt
add name=noWAN_IOT
add name=DNS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=ike2-rw responder=no src-address-list=local
/ip ipsec policy group
add name=ike2-policies
add name=ike2-rw
/ip ipsec profile
add name=ike2-rw
/ip ipsec peer
add address=0.0.0.0/32 disabled=yes exchange-mode=ike2 name=\
    ike2-rw-client profile=ike2-rw
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 disabled=yes \
    enc-algorithms=3des
add disabled=yes name=ike2-rw pfs-group=none
/ip pool
add name=vlan20_guest ranges=10.10.10.11-10.10.10.250
add name=vlan70_ipcams ranges=192.168.70.11-192.168.70.254
add name=vlan100_lan ranges=10.1.1.11-10.1.1.250
add name=vlan40 ranges=10.4.1.2-10.4.1.6
add name=vlan45 ranges=10.5.1.2-10.5.1.6
add name=vlan50_work ranges=192.168.50.2-192.168.50.6
add name=ether10_mgmt ranges=192.168.18.2-192.168.18.6
add name=VLAN777 ranges=10.6.0.2-10.6.0.254
add name=VLAN88 ranges=192.168.0.2-192.168.0.254
add name=vlan12 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool21 ranges=172.20.120.20-172.20.120.240
add name=dhcp_pool22 ranges=10.200.200.2-10.200.200.254
add name=dhcp_pool23 ranges=10.0.0.99-10.0.0.250
add name=dhcp_pool24 ranges=172.16.0.11-172.16.0.254
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
add name=sstp-pool ranges=10.3.1.2-10.3.1.150
add name=dhcp_pool27 ranges=10.2.1.2-10.2.1.254
add name=dhcp_pool28 ranges=10.9.9.2-10.9.9.254
add name=dhcp_pool29 ranges=192.168.1.21-192.168.1.253
add name=dhcp_pool30 ranges=192.168.50.2-192.168.50.6
/ip dhcp-server
add add-arp=yes address-pool=vlan20_guest always-broadcast=yes disabled=no \
    interface=VLAN20 lease-time=6h name=vlan20
add add-arp=yes address-pool=vlan70_ipcams disabled=no interface=VLAN70 \
    lease-time=6h name=vlan70
add add-arp=yes address-pool=vlan100_lan disabled=no interface=VLAN100 \
    lease-time=6h name=vlan100_LAN
add add-arp=yes address-pool=vlan40 interface=VLAN40 lease-time=2d name=\
    vlan40
add add-arp=yes address-pool=vlan45 disabled=no interface=VLAN45 lease-time=\
    6h name=vlan45
add address-pool=ether10_mgmt interface=ether10 lease-time=12h name=mgmt-dhcp
add address-pool=vlan12 interface="VLAN12_Hikvision VLAN" lease-time=12h \
    name=vlan12
add address-pool=dhcp_pool22 interface=VLAN200_mgmt name=dhcp2
add address-pool=dhcp_pool24 interface=VLAN500 lease-time=6h name=dhcp1
add address-pool=dhcp_pool27 interface=ether6 lease-time=6h name=dhcp3
add address-pool=dhcp_pool28 interface=vlan20_temp lease-time=6h name=dhcp4
add address-pool=dhcp_pool29 disabled=no interface=sfp-sfpplus1 name=dhcp5
add address-pool=dhcp_pool30 disabled=no interface=VLAN50 lease-time=12h \
    name=dhcp6
/ipv6 dhcp-server option
add code=23 name=dnstest value="'2606:4700:4700::1111'"
/ppp profile
add change-tcp-mss=yes dns-server=10.3.1.1 name=sstpserver use-encryption=yes
/system logging action
add email-to=CENSORED name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add interface=ether10
add interface=ether9
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no
/interface dot1x client
add anon-identity=CENSORED certificate=\
    Client_CENSORED.pem_0 eap-methods=eap-tls identity=\
    CENSORED interface=ether1
/interface l2tp-server server
set allow-fast-path=yes authentication=chap,mschap2 enabled=yes max-mru=1460 \
    max-mtu=1460 use-ipsec=required
/interface list member
add interface=VLAN50 list=LAN
add interface=VLAN70 list=LAN
add interface=VLAN100 list=LAN
add interface=VLAN20 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=ether1 list=WAN
add interface=VLAN100 list=No-InterVLAN
add interface=VLAN20 list=No-InterVLAN
add interface=VLAN70 list=No-InterVLAN
add interface=VLAN50 list=m-InterVLAN
add interface=VLAN100 list=m-InterVLAN
add interface=VLAN70 list=m-InterVLAN
add interface=VLAN20 list=TrueDMZ
add interface=VLAN40 list=LAN
add interface=VLAN45 list=LAN
add interface=VLAN45 list=TrueDMZ
add interface=VLAN50 list=TrueDMZ
add interface=VLAN70 list=TrueDMZ
add interface=VLAN100 list=TrueDMZ
add interface=VLAN20 list=DMZ-IPCAMs
add interface=VLAN40 list=DMZ-IPCAMs
add interface=VLAN50 list=DMZ-IPCAMs
add interface=VLAN100 list=DMZ-IPCAMs
add interface=VLAN40 list=m-InterVLAN
add interface=VLAN45 list=m-InterVLAN
add interface=VLAN45 list=No-InterVLAN
add interface=VLAN40 list=No-InterVLAN
add interface=ether10 list=LAN
add interface="VLAN12_Hikvision VLAN" list=LAN
add interface=VLAN200_mgmt list=mgmt
add interface=VLAN100 list=mgmt
add interface="VLAN12_Hikvision VLAN" list=noWAN_IOT
add interface=VLAN70 list=noWAN_IOT
add interface=VLAN99 list=noWAN_IOT
add interface=VLAN200_mgmt list=LAN
add interface=VLAN500 list=LAN
add list=LAN
add interface=ether10 list=mgmt
add list=DNS
add list=mgmt
add interface=vlan20_temp list=LAN
add interface=vlan20_temp list=No-InterVLAN
add interface=vlan20_temp list=TrueDMZ
add interface=ether6 list=LAN
add interface=ether6 list=mgmt
add interface=ether6 list=DMZ-IPCAMs
/interface sstp-server server
set authentication=mschap2 certificate=server1 enabled=yes force-aes=yes pfs=\
    yes
/ip address
add address=10.10.10.1/24 interface=VLAN20 network=10.10.10.0
add address=192.168.50.1/29 interface=VLAN50 network=192.168.50.0
add address=10.1.1.1/24 interface=VLAN100 network=10.1.1.0
add address=10.5.1.1/29 interface=VLAN45 network=10.5.1.0
add address=10.4.1.1/29 disabled=yes interface=VLAN40 network=10.4.1.0
add address=192.168.18.1/29 disabled=yes interface=ether10 network=\
    192.168.18.0
add address=10.200.200.1/24 disabled=yes interface=VLAN200_mgmt network=\
    10.200.200.0
add address=45.23.16.173/29 disabled=yes network=45.23.16.168
add address=10.99.99.1/24 disabled=yes interface=VLAN99 network=10.99.99.0
add address=192.168.70.1/24 interface=VLAN70 network=192.168.70.0
add address=172.16.0.1/24 disabled=yes interface=VLAN500 network=172.16.0.0
add address=10.9.9.1/24 disabled=yes interface=vlan20_temp network=10.9.9.0
add address=10.2.1.1/24 disabled=yes interface=ether6 network=10.2.1.0
add address=192.168.1.1/24 interface=sfp-sfpplus1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.1.1.154 client-id=1:ce:ff:3b:dd:a4:b4 mac-address=\
    CE:FF:3B:DD:A4:B4 server=vlan100_LAN
add address=10.1.1.183 client-id=1:c:e4:41:da:d7:b4 mac-address=\
    0C:E4:41:DA:D7:B4 server=vlan100_LAN
add address=10.10.10.118 mac-address=48:E1:E9:48:8C:6E server=vlan20
add address=10.1.1.153 client-id=\
    ff:54:36:e2:97:0:2:0:0:ab:11:4f:8c:a8:5c:9e:ad:44:30 mac-address=\
    00:16:3E:C9:E2:6D server=vlan100_LAN
add address=10.1.1.44 client-id=1:0:2:c9:51:45:d6 mac-address=\
    00:02:C9:51:45:D6 server=vlan100_LAN
add address=10.10.10.99 client-id=1:88:57:1d:36:39:a0 mac-address=\
    88:57:1D:36:39:A0 server=vlan20
add address=10.10.10.46 mac-address=84:CC:A8:85:21:43 server=vlan20
add address=10.1.1.42 client-id=1:58:d3:49:3e:34:fb mac-address=\
    58:D3:49:3E:34:FB server=vlan100_LAN
add address=10.10.10.45 client-id=1:14:a:c5:ad:45:93 mac-address=\
    14:0A:C5:AD:45:93 server=vlan20
add address=10.10.10.155 client-id=1:78:e1:3:ba:83:53 mac-address=\
    78:E1:03:BA:83:53 server=vlan20
add address=10.10.10.117 client-id=1:f0:ef:86:f3:4f:c5 mac-address=\
    F0:EF:86:F3:4F:C5 server=vlan20
add address=10.1.1.40 client-id=1:c:8d:db:93:95:9b mac-address=\
    0C:8D:DB:93:95:9B server=vlan100_LAN
add address=10.10.10.238 client-id=ff:32:13:5f:74:0:3:0:1:44:61:32:13:5f:74 \
    mac-address=44:61:32:13:5F:74 server=vlan20
add address=10.10.10.242 mac-address=F0:F0:A4:07:12:8E server=vlan20
add address=10.1.1.200 client-id=\
    ff:5f:d1:de:3d:0:2:0:0:ab:11:3c:6:22:3b:42:43:5b:ec mac-address=\
    00:16:3E:0B:56:30 server=vlan100_LAN
add address=10.10.10.234 client-id=1:88:57:1d:32:14:8 mac-address=\
    88:57:1D:32:14:08 server=vlan20
add address=10.1.1.39 client-id=1:38:21:c7:cd:67:c4 mac-address=\
    38:21:C7:CD:67:C4 server=vlan100_LAN
add address=10.10.10.11 client-id=1:0:6:78:39:ed:58 mac-address=\
    00:06:78:39:ED:58 server=vlan20
add address=10.1.1.209 client-id=1:0:16:3e:a0:e2:fc mac-address=\
    00:16:3E:A0:E2:FC server=vlan100_LAN
add address=10.1.1.32 client-id=\
    ff:23:e6:1a:91:0:1:0:1:28:b1:f6:c7:30:9c:23:e6:1a:91 mac-address=\
    30:9C:23:E6:1A:91 server=vlan100_LAN
add address=10.10.10.185 client-id=1:ac:f1:8:3:be:48 mac-address=\
    AC:F1:08:03:BE:48 server=vlan20
add address=10.1.1.160 client-id=\
    ff:11:dd:1e:18:0:1:0:1:23:9b:17:51:e8:eb:11:dd:1e:18 mac-address=\
    E8:EB:11:DD:1E:18 server=vlan100_LAN
add address=10.10.10.22 client-id=1:64:d2:c4:d0:2f:90 mac-address=\
    64:D2:C4:D0:2F:90 server=vlan20
add address=192.168.70.28 client-id=1:30:5:5c:3d:19:e7 mac-address=\
    30:05:5C:3D:19:E7 server=vlan70
add address=10.1.1.190 client-id=1:c:8d:db:93:50:6e mac-address=\
    0C:8D:DB:93:50:6E server=vlan100_LAN
add address=10.10.10.175 client-id=1:54:e6:1b:f3:53:fd mac-address=\
    54:E6:1B:F3:53:FD server=vlan20
add address=10.1.1.31 client-id=1:68:d7:9a:2d:41:d3 mac-address=\
    68:D7:9A:2D:41:D3 server=vlan100_LAN
add address=10.1.1.128 client-id=\
    ff:3e:c8:67:ec:0:1:0:1:28:2c:92:5b:0:16:3e:c8:67:ec mac-address=\
    00:16:3E:C8:67:EC server=vlan100_LAN
add address=192.168.70.101 client-id=1:9c:8e:cd:2d:be:5c mac-address=\
    9C:8E:CD:2D:BE:5C server=vlan70
add address=192.168.70.23 client-id=1:bc:ba:c2:94:1b:74 mac-address=\
    BC:BA:C2:94:1B:74 server=vlan70
add address=192.168.70.27 client-id=1:bc:ba:c2:94:1b:8c mac-address=\
    BC:BA:C2:94:1B:8C server=vlan70
add address=192.168.70.22 client-id=1:bc:ba:c2:94:1b:a8 mac-address=\
    BC:BA:C2:94:1B:A8 server=vlan70
add address=10.10.10.54 client-id=1:4c:3b:df:c:4c:93 mac-address=\
    4C:3B:DF:0C:4C:93 server=vlan20
add address=10.10.10.57 client-id=1:38:1a:52:12:a0:cc mac-address=\
    38:1A:52:12:A0:CC server=vlan20
add address=10.10.10.15 client-id=1:a8:81:7e:9:2a:67 mac-address=\
    A8:81:7E:09:2A:67 server=vlan20
add address=10.10.10.235 client-id=1:58:fd:b1:90:d2:4c mac-address=\
    58:FD:B1:90:D2:4C server=vlan20
add address=192.168.50.6 client-id=1:18:7e:b9:8:b5:5 mac-address=\
    18:7E:B9:08:B5:05 server=dhcp6
add address=10.10.10.20 client-id=1:44:cb:8b:ec:fa:10 mac-address=\
    44:CB:8B:EC:FA:10 server=vlan20
add address=10.10.10.16 client-id=1:5a:1b:b4:61:61:11 mac-address=\
    5A:1B:B4:61:61:11 server=vlan20
add address=10.1.1.41 client-id=1:98:18:88:be:3:26 mac-address=\
    98:18:88:BE:03:26 server=vlan100_LAN
add address=10.10.10.13 client-id=1:1e:23:91:f6:7f:f9 mac-address=\
    1E:23:91:F6:7F:F9 server=vlan20
add address=10.10.10.21 client-id=1:a2:fd:f:86:1d:52 mac-address=\
    A2:FD:0F:86:1D:52 server=vlan20
add address=10.10.10.24 client-id=1:9e:a7:89:24:23:be mac-address=\
    9E:A7:89:24:23:BE server=vlan20
add address=10.10.10.19 client-id=1:b6:55:4c:a2:ab:d7 mac-address=\
    B6:55:4C:A2:AB:D7 server=vlan20
add address=10.10.10.25 client-id=1:8a:e8:76:40:5c:f mac-address=\
    8A:E8:76:40:5C:0F server=vlan20
add address=10.10.10.29 mac-address=70:2C:09:83:D5:17 server=vlan20
add address=10.1.1.26 client-id=1:74:8f:3c:42:f9:61 mac-address=\
    74:8F:3C:42:F9:61 server=vlan100_LAN
add address=10.10.10.137 client-id=1:ac:12:3:29:6b:d9 mac-address=\
    AC:12:03:29:6B:D9 server=vlan20
add address=10.10.10.30 mac-address=94:44:44:EA:DB:C5 server=vlan20
add address=10.1.1.43 client-id=1:98:18:88:be:b4:e4 mac-address=\
    98:18:88:BE:B4:E4 server=vlan100_LAN
add address=10.10.10.27 client-id=1:e8:61:7e:f8:10:5b mac-address=\
    E8:61:7E:F8:10:5B server=vlan20
add address=10.10.10.33 client-id=1:4a:68:75:d5:b2:ad mac-address=\
    4A:68:75:D5:B2:AD server=vlan20
add address=10.10.10.35 client-id=\
    ff:76:de:30:a1:0:4:ac:f5:70:cc:2d:3f:11:b2:a8:5c:a6:5a:a3:4:f9:99 \
    mac-address=C8:5B:76:DE:30:A1 server=vlan20
add address=10.10.10.36 client-id=1:c8:5b:76:de:30:a1 mac-address=\
    C8:5B:76:DE:30:A1 server=vlan20
add address=10.10.10.32 client-id=1:ce:a8:22:ba:c:78 mac-address=\
    CE:A8:22:BA:0C:78 server=vlan20
add address=10.10.10.39 client-id=1:78:c8:81:82:c0:24 mac-address=\
    78:C8:81:82:C0:24 server=vlan20
add address=10.10.10.41 client-id=1:a0:4e:a7:8e:99:46 mac-address=\
    A0:4E:A7:8E:99:46 server=vlan20
add address=10.10.10.37 client-id=1:ea:e2:e2:b6:2f:1a mac-address=\
    EA:E2:E2:B6:2F:1A server=vlan20
add address=10.10.10.47 client-id=1:fa:51:7a:fe:e4:65 mac-address=\
    FA:51:7A:FE:E4:65 server=vlan20
add address=10.1.1.24 client-id=1:ca:5a:b8:57:19:e4 mac-address=\
    CA:5A:B8:57:19:E4 server=vlan100_LAN
add address=10.10.10.12 client-id=1:4c:bc:98:80:ad:42 mac-address=\
    4C:BC:98:80:AD:42 server=vlan20
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.1 gateway=10.1.1.1
add address=10.2.1.0/24 dns-server=10.2.1.1,8.8.4.4 gateway=10.2.1.1
add address=10.4.1.0/29 dns-server=10.4.1.1 gateway=10.4.1.1
add address=10.5.1.0/29 dns-server=10.5.1.1 gateway=10.5.1.1
add address=10.9.9.0/24 dns-server=10.9.9.1,8.8.4.4 gateway=10.9.9.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.200.200.0/24 dns-server=1.1.1.1,208.67.222.222 gateway=\
    10.200.200.1
add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1
add address=172.20.120.0/24 dns-server=172.20.120.1 gateway=172.20.120.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.10.0/28 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.18.0/24 dns-server=192.168.18.1 gateway=192.168.18.1
add address=192.168.50.0/29 gateway=192.168.50.1
add address=192.168.70.0/24 dns-server=192.168.70.1 gateway=192.168.70.1
/ip dns
set allow-remote-requests=yes max-concurrent-queries=100000 \
    max-concurrent-tcp-sessions=20000 servers=\
    8.8.8.8,1.1.1.1,2001:4860:4860::8888
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
add address=2606:4700::6810:f9f9 name=cloudflare-dns.com type=AAAA
add address=2606:4700::6810:f8f9 name=cloudflare-dns.com type=AAAA
add address=10.1.1.14 name=yt.home
add address=10.5.1.5 name=bitwarden.home
add address=10.5.1.5 name=bit.home
add address=10.1.1.60 name=b.home
add address=10.1.1.60 name=backup.home
add address=10.1.1.60 name=backups.home
add address=10.10.10.35 name=volumio.home
add address=10.10.10.35 name=volumio.local
add address=10.10.10.36 name=euphony.home
/ip firewall address-list
add address=b8f40b5fbc45.sn.mynetname.net list=WAN-IP
add address=216.218.206.78 list=IPSEC
add address=180.168.136.110 list=IPSEC
add address=216.218.206.118 list=IPSEC
add address=95.174.66.242 list=IPSEC
add address=202.96.99.84 list=IPSEC
add address=121.81.24.227 list=IPSEC
add address=181.129.42.188 list=IPSEC
add address=109.189.159.221 list=IPSEC
add address=45.23.16.169-45.23.16.173 list=static
add address=10.10.10.54 list=Plex-Bypass-Firewall
add address=10.10.10.48 list=Plex-Bypass-Firewall
add address=192.168.77.0/24 list=vpn
add address=10.3.1.0/24 list=vpn
add address=172.16.0.0/24 list=local
add address=10.9.9.245 list=Plex-Bypass-Firewall
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="allow established related" \
    connection-state=established,related in-interface=all-vlan out-interface=\
    VLAN100
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" disabled=\
    yes in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" \
    disabled=yes dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input disabled=yes dst-port=443 in-interface=ether1 \
    protocol=tcp
add action=accept chain=forward disabled=yes src-address=10.3.1.0/24
add action=accept chain=forward comment="Allow VPN to internet" disabled=yes \
    out-interface-list=WAN src-address-list=vpn
add action=accept chain=input comment="Allow established related untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all other input"
add action=accept chain=forward comment=\
    "Allow static /29 from AT&T to receive traffic from the public/clearweb!" \
    disabled=yes in-interface-list=WAN out-interface=*20
add action=accept chain=forward comment="Allow DNS for all" \
    out-interface-list=DNS
add action=drop chain=forward comment=\
    "no WAN for VLAN70 (ipcameras), VLAN12, and VLAN99" in-interface-list=\
    noWAN_IOT out-interface-list=WAN
add action=accept chain=forward disabled=yes out-interface=VLAN100 \
    src-address-list=Plex-Bypass-Firewall
add action=accept chain=forward disabled=yes dst-address-list=\
    Plex-Bypass-Firewall in-interface=VLAN100
add action=accept chain=forward comment="Allow established related untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="no inter-vlan for Sutherland VLAN50" \
    in-interface=VLAN50 out-interface-list=No-InterVLAN
add action=drop chain=forward comment="no intervlan for m's network" \
    in-interface=VLAN20 out-interface-list=m-InterVLAN
add action=drop chain=forward comment=dmz disabled=yes in-interface=VLAN45 \
    out-interface-list=DMZ-IPCAMs
add action=drop chain=forward comment=truedmz disabled=yes in-interface=\
    VLAN40 out-interface-list=TrueDMZ
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow LAN" in-interface-list=LAN
add action=accept chain=forward comment="Allow port forwards (dst nat)" \
    connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=forward disabled=yes out-interface-list=mgmt
add action=drop chain=forward comment="drop all other forward"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=to_vpn \
    passthrough=yes src-address-list=local
add action=change-mss chain=forward disabled=yes new-mss=1360 passthrough=yes \
    protocol=tcp src-address-list=local tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes src-address=10.3.1.0/24
add action=masquerade chain=srcnat comment="Default masq" out-interface-list=\
    WAN
add action=dst-nat chain=dstnat comment="OVPN Portfoward" disabled=yes \
    dst-address=CENSORED dst-port=1194 in-interface-list=WAN protocol=\
    udp to-addresses=10.5.1.3
add action=dst-nat chain=dstnat comment=wireguard dst-address=CENSORED \
    dst-port=51820 in-interface-list=WAN protocol=udp to-addresses=10.5.1.2
add action=dst-nat chain=dstnat comment=apache2 disabled=yes dst-address=\
    CENSORED dst-port=80 in-interface-list=WAN protocol=tcp \
    to-addresses=10.4.1.4
add action=dst-nat chain=dstnat comment=ssh disabled=yes dst-address=\
    CENSORED dst-port=22 in-interface-list=WAN protocol=tcp \
    to-addresses=10.4.1.4
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=vpnclient.p12_1 \
    generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client \
    policy-template-group=ike2-rw
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add group=ike2-rw proposal=ike2-rw template=yes
/ip route
add disabled=yes distance=1 gateway=vpn_blackhole routing-mark=to_vpn
/ip route vrf
add disabled=yes interfaces=VLAN500,*23 routing-mark=guestvpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.1.1.0/24 disabled=yes
set www-ssl address=10.1.1.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=VLAN20 type=internal
add interface=VLAN50 type=internal
add interface=VLAN100 type=internal
/ipv6 address
add address=2600:1700:48e8:1871:CENSORED eui-64=yes interface=\
    ether1
add address=2600:1700:48e8:CENSORED eui-64=yes interface=\
    VLAN20
add address=2600:1700:48e8:CENSORED eui-64=yes interface=\
    VLAN100
add address=2600:1700:48e8:CENSORED eui-64=yes interface=\
    VLAN45
add address=2600:1700:48e8:CENSORED:de9b eui-64=yes interface=\
    VLAN50
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=general-pool6 \
    pool-prefix-length=60 prefix-hint=::/64 request=prefix
/ipv6 firewall filter
add action=accept chain=input comment=\
    "Accept (established, related untracked)" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop (invalid)" connection-state=invalid
add action=accept chain=input comment="Accept DHCP (10/sec)" \
    in-interface-list=WAN limit=10,20:packet protocol=udp src-port=547
add action=drop chain=input comment="Drop DHCP (>10/sec)" in-interface-list=\
    WAN protocol=udp src-port=547
add action=accept chain=input comment="Accept external ICMP (10/sec)" \
    in-interface-list=WAN limit=10,20:packet protocol=icmpv6
add action=drop chain=input comment="Drop external ICMP (>10/sec)" \
    in-interface-list=WAN protocol=icmpv6
add action=accept chain=input comment="Accept internal ICMP" \
    in-interface-list=!WAN protocol=icmpv6
add action=drop chain=input comment="Drop external" in-interface-list=WAN
add action=drop chain=input comment="Reject everything else"
add action=accept chain=output comment="Accept all"
add action=accept chain=forward comment=\
    "Accept (established, related, untracked)" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop (invalid)" connection-state=\
    invalid
add action=accept chain=forward comment="Accept external ICMP (20/sec)" \
    in-interface-list=WAN limit=20,50:packet protocol=icmpv6
add action=drop chain=forward comment="Drop external ICMP (>20/sec)" \
    in-interface-list=WAN protocol=icmpv6
add action=accept chain=forward comment="Accept internal" in-interface-list=\
    !WAN
add action=accept chain=forward comment="Accept outgoing" out-interface-list=\
    WAN
add action=drop chain=forward comment="Drop external" in-interface-list=WAN
/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=VLAN100 other-configuration=yes ra-interval=20s-1m
add interface=VLAN50 other-configuration=yes ra-interval=20s-1m
add interface=VLAN20 other-configuration=yes ra-interval=20s-1m
add interface=ether1 other-configuration=yes ra-interval=20s-1m
add disabled=yes interface=VLAN40 other-configuration=yes ra-interval=20s-1m
add interface=VLAN45 other-configuration=yes ra-interval=20s-1m
add disabled=yes interface=VLAN200_mgmt ra-interval=20s-1m
add disabled=yes interface=VLAN500 other-configuration=yes ra-interval=20s-1m
/ipv6 nd prefix
add interface=VLAN20 prefix=2600:1700:48e8:1873::/64
add disabled=yes interface=VLAN40 prefix=2600:1700:48e8:1876::/64
add interface=ether1 prefix=2600:1700:48e8:1871::/64
add interface=VLAN100 prefix=2600:1700:48e8:1872::/64
add interface=VLAN50 prefix=2600:1700:48e8:1875::/64
add interface=VLAN45 prefix=2600:1700:48e8:1874::/64
add disabled=yes interface=VLAN500 prefix=2600:1700:48e8:1877::/64
/ppp secret
add local-address=10.3.1.1 name=Laptop profile=sstpserver remote-address=\
    10.3.1.100 service=sstp
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=MikroTik-RB4011
/system scheduler
add interval=5m name="Find IPSEC" on-event=Find_IPSEC policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/24/2020 start-time=03:25:11
add disabled=yes interval=1h name=email_logs on-event="/log print file=logs\r\
    \ndelay 10\r\
    \n/tool e-mail send to=\"me@tlopez.cc\" subject=\"\$[/system identity get \
    name]  logs\" \\\r\
    \nbody=\"\$[/system clock get date] log file\" file=logs.txt" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/27/2020 start-time=08:51:35
/system script
add dont-require-permissions=no name=Find_IPSEC owner=kazuma policy=\
    read,write,policy,test,password,sniff,sensitive,romon source="# Created Jo\
    tne 2019 v1.2\r\
    \n#\r\
    \n# This script add ip of user who with \"IPSEC negotiation failed\" and \
    \"SPI* not registered\" to a block list for 24hour\r\
    \n# Schedule the script to run every 5 min\r\
    \n# It should run on all routerOS version\r\
    \n\r\
    \n\r\
    \n\r\
    \n# Find all \"negotiation failed\" error last 5 min\r\
    \n:local loglistN [:toarray [/log find  time>([/system clock get time] - 5\
    m) message~\"negotiation failed\"]]\r\
    \n\r\
    \n# for all error do\r\
    \n:foreach i in=\$loglistN do={\r\
    \n\r\
    \n# find message\r\
    \n\t:local logMessageN [/log get \$i message]\r\
    \n# find ip\r\
    \n\t:local ipN [:pick \$logMessageN 0 [:find \$logMessageN \" \"]]\r\
    \n\r\
    \n# Add ip to accesslist\t\r\
    \n\t/ip firewall address-list add address=\$ipN list=IPSEC timeout=24h\r\
    \n# Send a message to the log\t\r\
    \n\t:log info message=\"script=IPSEC_failed src_ip=\$ipN why=negotiation_f\
    ailed\"\r\
    \n\t}\r\
    \n\r\
    \n\t\r\
    \n\r\
    \n# Find all \"SPI* not registered\"\" error last 5 min\r\
    \n:local loglistS [:toarray [/log find  time>([/system clock get time] - 5\
    m) message~\"SPI.*not regist\"]]\r\
    \n\r\
    \n# for all error do\r\
    \n:foreach j in=\$loglistS do={\r\
    \n\r\
    \n# find message\r\
    \n\t:local logMessageS [/log get \$j message]\r\
    \n# find ip\r\
    \n\t:local ipS [:pick \$logMessageS ([:find \$logMessageS \"for \"]+4) [:f\
    ind \$logMessageS \"[\"]]\r\
    \n\r\
    \n# Add ip to accesslist\t\r\
    \n\t/ip firewall address-list add address=\$ipS list=IPSEC timeout=24h\r\
    \n# Send a message to the log\t\r\
    \n\t:log info message=\"script=IPSEC_failed src_ip=\$ipS why=SPI_not_regis\
    tered\"\r\
    \n\t}\r\
    \n\t"
/tool e-mail
set address=smtp.gmail.com from=CENSORED port=587 start-tls=yes user=\
    CENSORED
 
biomesh
Long time Member
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: IPv6 help

Thu Sep 23, 2021 11:11 pm

I don't see an issue with your vlan config on the router, but you could have an issue with your switch.

As for the IPv6 config, you really should not hard reference a prefix allocation unless you are 100% sure they are static as you will break your config easily.

The default IPv6 address assignment has advertise=yes set, so by adding an IP address and adding a specific nd prefix you are getting duplicates.

You should just have each VLAN get an ipv6 address from the pool and assign the interface to the ipv6 nd list:
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=comcast_ipv6 prefix-hint=::/60 request=address,prefix use-peer-dns=no

/ipv6 address
add from-pool=comcast_ipv6 interface=vlan500
add from-pool=comcast_ipv6 interface=vlan400
add from-pool=comcast_ipv6 interface=vlan100
add from-pool=comcast_ipv6 interface=vlan600

/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes
add interface=vlan400 other-configuration=yes ra-delay=5s ra-interval=5s-30s
add interface=vlan500 other-configuration=yes ra-delay=5s ra-interval=30s-1m
add interface=vlan600 ra-delay=5s ra-interval=5s-30s
add interface=vlan100 other-configuration=yes ra-delay=5s ra-interval=5s-30s
If you want static local addresses or prefixes assign ipv6 addresses to your vlan interfaces from the ULA range (fd00::/8). They won't be accessible outside your network but you have full control over it.
 
User avatar
archerious
Member Candidate
Member Candidate
Topic Author
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: IPv6 help

Tue Sep 28, 2021 10:51 am

I don't see an issue with your vlan config on the router, but you could have an issue with your switch.

As for the IPv6 config, you really should not hard reference a prefix allocation unless you are 100% sure they are static as you will break your config easily.

The default IPv6 address assignment has advertise=yes set, so by adding an IP address and adding a specific nd prefix you are getting duplicates.

You should just have each VLAN get an ipv6 address from the pool and assign the interface to the ipv6 nd list:
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=comcast_ipv6 prefix-hint=::/60 request=address,prefix use-peer-dns=no

/ipv6 address
add from-pool=comcast_ipv6 interface=vlan500
add from-pool=comcast_ipv6 interface=vlan400
add from-pool=comcast_ipv6 interface=vlan100
add from-pool=comcast_ipv6 interface=vlan600

/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes
add interface=vlan400 other-configuration=yes ra-delay=5s ra-interval=5s-30s
add interface=vlan500 other-configuration=yes ra-delay=5s ra-interval=30s-1m
add interface=vlan600 ra-delay=5s ra-interval=5s-30s
add interface=vlan100 other-configuration=yes ra-delay=5s ra-interval=5s-30s
If you want static local addresses or prefixes assign ipv6 addresses to your vlan interfaces from the ULA range (fd00::/8). They won't be accessible outside your network but you have full control over it.
Thank you, that worked.
 
User avatar
archerious
Member Candidate
Member Candidate
Topic Author
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: IPv6 help

Tue Sep 28, 2021 11:19 am

Hmm, I got error duplicate address detected and ipv6 was not working on VLAN100 or VLAN20. To fix that I had to enable EUI64. Any suggestions?

Only thing that stood out to me is in ipv6-nd it seems by default there is a setting for ether1 and all.

Should I remove those?

Image
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: IPv6 help

Tue Sep 28, 2021 11:28 am

Set the Pool Prefix Length in your DHCPv6 client to 64.. it will not affect the acquired prefix length, but it will limit the pool assignments to /64.

Note that MT will keep incrementing the prefix with from-pool setting on each configuration change, as soon as you assign multiple ip's from pool. You may want to switch to static ip's without from-pool for the additional vlans, if possible.
 
User avatar
archerious
Member Candidate
Member Candidate
Topic Author
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: IPv6 help

Tue Sep 28, 2021 11:30 am

It seems I am getting IPV6 working on my PC and iPhone, then it stops.

I ran ipconfig and again I'm being assigned multiple addresses from other VLANs.

Image
Last edited by archerious on Tue Sep 28, 2021 11:31 am, edited 1 time in total.
 
User avatar
archerious
Member Candidate
Member Candidate
Topic Author
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: IPv6 help

Tue Sep 28, 2021 11:31 am

Set the Pool Prefix Length in your DHCPv6 client to 64.. it will not affect the acquired prefix length, but it will limit the pool assignments to /64.

Note that MT will keep incrementing the prefix with from-pool setting on each configuration change, as soon as you assign multiple ip's from pool. You may want to switch to static ip's without from-pool for the additional vlans, if possible.
I think that's how I had it set before, but was told to change that.
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: IPv6 help

Tue Sep 28, 2021 11:40 am

Ok, sorry, I based my post on the 'no prefixes available' message earlier, not the duplicate addresses problem. Not sure what causes that.

Can you post a (anonymized) screenshot of the Used Prefixes tab of the IPv6 Pool?
 
User avatar
archerious
Member Candidate
Member Candidate
Topic Author
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: IPv6 help

Tue Sep 28, 2021 11:48 am

Ok, sorry, I based my post on the 'no prefixes available' message earlier, not the duplicate addresses problem. Not sure what causes that.

Can you post a (anonymized) screenshot of the Used Prefixes tab of the IPv6 Pool?
I will get that, but can you show me how you static assign your ipv6? This was how I was trying to do it, but then the other poster advised I use dynamic only which then gave me the duplicate pool error and doesn't let me make sure to keep the same /64 assigned per vlan which I prefer to do as then I don't have to worry about my PC getting ipv6 from like 1871, 1872, etc then ipv6 failing.

Image

Also does ipv6-nd default that says "all" need to be enabled or can I minus/delete it?
 
User avatar
archerious
Member Candidate
Member Candidate
Topic Author
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: IPv6 help

Tue Sep 28, 2021 11:51 am

Ok, sorry, I based my post on the 'no prefixes available' message earlier, not the duplicate addresses problem. Not sure what causes that.

Can you post a (anonymized) screenshot of the Used Prefixes tab of the IPv6 Pool?
Here is what's used:

Image
Leaving 1872, 1876 etc not used but the issue is it will randomly think one is being duplicate, then I have to disable then reenable to get it working. Really weird with dynamic, sort of want to just static assign ipv6 pools/prefixes again to avoid this.
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: IPv6 help  [SOLVED]

Tue Sep 28, 2021 11:54 am

ROS doesn't support prefix-hint for ipv6 address yet, so it depends whether the assignment from comcast is dynamic, static or generally static (hardly changing). You can set the prefix per vlan to static by unsetting the 'From Pool' attribute in the IPv6 address.
 
User avatar
archerious
Member Candidate
Member Candidate
Topic Author
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: IPv6 help

Tue Sep 28, 2021 11:59 am

ROS doesn't support prefix-hint for ipv6 address yet, so it depends whether the assignment from comcast is dynamic, static or generally static (hardly changing). You can set the prefix per vlan to static by unsetting the 'From Pool' attribute in the IPv6 address.
I did that, last question is now under neighbor discover prefixes is empty, do I need to manually add them here too?

EDIT: Nvm I see them in green here, I had to enable EUI64 to get them to work though without doing duplicate address. I am on AT&T Fiber btw.
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: IPv6 help

Tue Sep 28, 2021 12:05 pm

Remove the remaining static neighbor discovery prefixes - dynamic entries should appear even with EUI64 disabled (try re-enabling the IPv6 address for reactivation).
 
User avatar
archerious
Member Candidate
Member Candidate
Topic Author
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: IPv6 help

Tue Sep 28, 2021 12:06 pm

Remove the remaining static neighbor discovery prefixes - dynamic entries should appear even with EUI64 disabled (try re-enabling the IPv6 address for reactivation).
Image
Image
 
mdadigital
newbie
Posts: 34
Joined: Tue Feb 21, 2023 7:48 pm

Re: IPv6 help

Mon Apr 24, 2023 12:02 pm

Post full configuration export ... execute /export hide-sensitive file=anynameyouwish from terminal window, fetch resulting file, open it in text editor, obfuscate any remaining sensitive information (e.g. public IP addresses - but keep them the way they are still distinguishable from each other) and copy-paste it inside [code] [/code] environment.
Sorry for late reply, Mikrotik forum didn't tell me anyone had replied.
# sep/18/2021 20:54:56 by RouterOS 6.48.4
# software id = 86CU-YT4V
#
# model = RB4011iGS+
# serial number = 
/interface bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=CENSORED
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] comment="temp meraki" disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
/interface vlan
add disabled=yes interface=sfp-sfpplus1 name="VLAN12_Hikvision VLAN" vlan-id=\
    12
add interface=sfp-sfpplus1 name=VLAN20 vlan-id=20
add disabled=yes interface=sfp-sfpplus1 name=VLAN40 vlan-id=40
add interface=sfp-sfpplus1 name=VLAN45 vlan-id=45
add interface=sfp-sfpplus1 name=VLAN50 vlan-id=50
add interface=sfp-sfpplus1 name=VLAN70 vlan-id=70
add disabled=yes interface=sfp-sfpplus1 name=VLAN99 vlan-id=99
add interface=sfp-sfpplus1 name=VLAN100 vlan-id=100
add disabled=yes interface=sfp-sfpplus1 name=VLAN200_mgmt vlan-id=200
add disabled=yes interface=sfp-sfpplus1 name=VLAN500 vlan-id=500
add disabled=yes interface=ether6 name=vlan20_temp vlan-id=20
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=LAN
add name=WAN
add name=No-InterVLAN
add name=m-InterVLAN
add include=none name=DMZ-IPCAMs
add include=none name=TrueDMZ
add name=mgmt
add name=noWAN_IOT
add name=DNS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=ike2-rw responder=no src-address-list=local
/ip ipsec policy group
add name=ike2-policies
add name=ike2-rw
/ip ipsec profile
add name=ike2-rw
/ip ipsec peer
add address=0.0.0.0/32 disabled=yes exchange-mode=ike2 name=\
    ike2-rw-client profile=ike2-rw
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 disabled=yes \
    enc-algorithms=3des
add disabled=yes name=ike2-rw pfs-group=none
/ip pool
add name=vlan20_guest ranges=10.10.10.11-10.10.10.250
add name=vlan70_ipcams ranges=192.168.70.11-192.168.70.254
add name=vlan100_lan ranges=10.1.1.11-10.1.1.250
add name=vlan40 ranges=10.4.1.2-10.4.1.6
add name=vlan45 ranges=10.5.1.2-10.5.1.6
add name=vlan50_work ranges=192.168.50.2-192.168.50.6
add name=ether10_mgmt ranges=192.168.18.2-192.168.18.6
add name=VLAN777 ranges=10.6.0.2-10.6.0.254
add name=VLAN88 ranges=192.168.0.2-192.168.0.254
add name=vlan12 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool21 ranges=172.20.120.20-172.20.120.240
add name=dhcp_pool22 ranges=10.200.200.2-10.200.200.254
add name=dhcp_pool23 ranges=10.0.0.99-10.0.0.250
add name=dhcp_pool24 ranges=172.16.0.11-172.16.0.254
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
add name=sstp-pool ranges=10.3.1.2-10.3.1.150
add name=dhcp_pool27 ranges=10.2.1.2-10.2.1.254
add name=dhcp_pool28 ranges=10.9.9.2-10.9.9.254
add name=dhcp_pool29 ranges=192.168.1.21-192.168.1.253
add name=dhcp_pool30 ranges=192.168.50.2-192.168.50.6
/ip dhcp-server
add add-arp=yes address-pool=vlan20_guest always-broadcast=yes disabled=no \
    interface=VLAN20 lease-time=6h name=vlan20
add add-arp=yes address-pool=vlan70_ipcams disabled=no interface=VLAN70 \
    lease-time=6h name=vlan70
add add-arp=yes address-pool=vlan100_lan disabled=no interface=VLAN100 \
    lease-time=6h name=vlan100_LAN
add add-arp=yes address-pool=vlan40 interface=VLAN40 lease-time=2d name=\
    vlan40
add add-arp=yes address-pool=vlan45 disabled=no interface=VLAN45 lease-time=\
    6h name=vlan45
add address-pool=ether10_mgmt interface=ether10 lease-time=12h name=mgmt-dhcp
add address-pool=vlan12 interface="VLAN12_Hikvision VLAN" lease-time=12h \
    name=vlan12
add address-pool=dhcp_pool22 interface=VLAN200_mgmt name=dhcp2
add address-pool=dhcp_pool24 interface=VLAN500 lease-time=6h name=dhcp1
add address-pool=dhcp_pool27 interface=ether6 lease-time=6h name=dhcp3
add address-pool=dhcp_pool28 interface=vlan20_temp lease-time=6h name=dhcp4
add address-pool=dhcp_pool29 disabled=no interface=sfp-sfpplus1 name=dhcp5
add address-pool=dhcp_pool30 disabled=no interface=VLAN50 lease-time=12h \
    name=dhcp6
/ipv6 dhcp-server option
add code=23 name=dnstest value="'2606:4700:4700::1111'"
/ppp profile
add change-tcp-mss=yes dns-server=10.3.1.1 name=sstpserver use-encryption=yes
/system logging action
add email-to=CENSORED name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add interface=ether10
add interface=ether9
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no
/interface dot1x client
add anon-identity=CENSORED certificate=\
    Client_CENSORED.pem_0 eap-methods=eap-tls identity=\
    CENSORED interface=ether1
/interface l2tp-server server
set allow-fast-path=yes authentication=chap,mschap2 enabled=yes max-mru=1460 \
    max-mtu=1460 use-ipsec=required
/interface list member
add interface=VLAN50 list=LAN
add interface=VLAN70 list=LAN
add interface=VLAN100 list=LAN
add interface=VLAN20 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=ether1 list=WAN
add interface=VLAN100 list=No-InterVLAN
add interface=VLAN20 list=No-InterVLAN
add interface=VLAN70 list=No-InterVLAN
add interface=VLAN50 list=m-InterVLAN
add interface=VLAN100 list=m-InterVLAN
add interface=VLAN70 list=m-InterVLAN
add interface=VLAN20 list=TrueDMZ
add interface=VLAN40 list=LAN
add interface=VLAN45 list=LAN
add interface=VLAN45 list=TrueDMZ
add interface=VLAN50 list=TrueDMZ
add interface=VLAN70 list=TrueDMZ
add interface=VLAN100 list=TrueDMZ
add interface=VLAN20 list=DMZ-IPCAMs
add interface=VLAN40 list=DMZ-IPCAMs
add interface=VLAN50 list=DMZ-IPCAMs
add interface=VLAN100 list=DMZ-IPCAMs
add interface=VLAN40 list=m-InterVLAN
add interface=VLAN45 list=m-InterVLAN
add interface=VLAN45 list=No-InterVLAN
add interface=VLAN40 list=No-InterVLAN
add interface=ether10 list=LAN
add interface="VLAN12_Hikvision VLAN" list=LAN
add interface=VLAN200_mgmt list=mgmt
add interface=VLAN100 list=mgmt
add interface="VLAN12_Hikvision VLAN" list=noWAN_IOT
add interface=VLAN70 list=noWAN_IOT
add interface=VLAN99 list=noWAN_IOT
add interface=VLAN200_mgmt list=LAN
add interface=VLAN500 list=LAN
add list=LAN
add interface=ether10 list=mgmt
add list=DNS
add list=mgmt
add interface=vlan20_temp list=LAN
add interface=vlan20_temp list=No-InterVLAN
add interface=vlan20_temp list=TrueDMZ
add interface=ether6 list=LAN
add interface=ether6 list=mgmt
add interface=ether6 list=DMZ-IPCAMs
/interface sstp-server server
set authentication=mschap2 certificate=server1 enabled=yes force-aes=yes pfs=\
    yes
/ip address
add address=10.10.10.1/24 interface=VLAN20 network=10.10.10.0
add address=192.168.50.1/29 interface=VLAN50 network=192.168.50.0
add address=10.1.1.1/24 interface=VLAN100 network=10.1.1.0
add address=10.5.1.1/29 interface=VLAN45 network=10.5.1.0
add address=10.4.1.1/29 disabled=yes interface=VLAN40 network=10.4.1.0
add address=192.168.18.1/29 disabled=yes interface=ether10 network=\
    192.168.18.0
add address=10.200.200.1/24 disabled=yes interface=VLAN200_mgmt network=\
    10.200.200.0
add address=45.23.16.173/29 disabled=yes network=45.23.16.168
add address=10.99.99.1/24 disabled=yes interface=VLAN99 network=10.99.99.0
add address=192.168.70.1/24 interface=VLAN70 network=192.168.70.0
add address=172.16.0.1/24 disabled=yes interface=VLAN500 network=172.16.0.0
add address=10.9.9.1/24 disabled=yes interface=vlan20_temp network=10.9.9.0
add address=10.2.1.1/24 disabled=yes interface=ether6 network=10.2.1.0
add address=192.168.1.1/24 interface=sfp-sfpplus1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.1.1.154 client-id=1:ce:ff:3b:dd:a4:b4 mac-address=\
    CE:FF:3B:DD:A4:B4 server=vlan100_LAN
add address=10.1.1.183 client-id=1:c:e4:41:da:d7:b4 mac-address=\
    0C:E4:41:DA:D7:B4 server=vlan100_LAN
add address=10.10.10.118 mac-address=48:E1:E9:48:8C:6E server=vlan20
add address=10.1.1.153 client-id=\
    ff:54:36:e2:97:0:2:0:0:ab:11:4f:8c:a8:5c:9e:ad:44:30 mac-address=\
    00:16:3E:C9:E2:6D server=vlan100_LAN
add address=10.1.1.44 client-id=1:0:2:c9:51:45:d6 mac-address=\
    00:02:C9:51:45:D6 server=vlan100_LAN
add address=10.10.10.99 client-id=1:88:57:1d:36:39:a0 mac-address=\
    88:57:1D:36:39:A0 server=vlan20
add address=10.10.10.46 mac-address=84:CC:A8:85:21:43 server=vlan20
add address=10.1.1.42 client-id=1:58:d3:49:3e:34:fb mac-address=\
    58:D3:49:3E:34:FB server=vlan100_LAN
add address=10.10.10.45 client-id=1:14:a:c5:ad:45:93 mac-address=\
    14:0A:C5:AD:45:93 server=vlan20
add address=10.10.10.155 client-id=1:78:e1:3:ba:83:53 mac-address=\
    78:E1:03:BA:83:53 server=vlan20
add address=10.10.10.117 client-id=1:f0:ef:86:f3:4f:c5 mac-address=\
    F0:EF:86:F3:4F:C5 server=vlan20
add address=10.1.1.40 client-id=1:c:8d:db:93:95:9b mac-address=\
    0C:8D:DB:93:95:9B server=vlan100_LAN
add address=10.10.10.238 client-id=ff:32:13:5f:74:0:3:0:1:44:61:32:13:5f:74 \
    mac-address=44:61:32:13:5F:74 server=vlan20
add address=10.10.10.242 mac-address=F0:F0:A4:07:12:8E server=vlan20
add address=10.1.1.200 client-id=\
    ff:5f:d1:de:3d:0:2:0:0:ab:11:3c:6:22:3b:42:43:5b:ec mac-address=\
    00:16:3E:0B:56:30 server=vlan100_LAN
add address=10.10.10.234 client-id=1:88:57:1d:32:14:8 mac-address=\
    88:57:1D:32:14:08 server=vlan20
add address=10.1.1.39 client-id=1:38:21:c7:cd:67:c4 mac-address=\
    38:21:C7:CD:67:C4 server=vlan100_LAN
add address=10.10.10.11 client-id=1:0:6:78:39:ed:58 mac-address=\
    00:06:78:39:ED:58 server=vlan20
add address=10.1.1.209 client-id=1:0:16:3e:a0:e2:fc mac-address=\
    00:16:3E:A0:E2:FC server=vlan100_LAN
add address=10.1.1.32 client-id=\
    ff:23:e6:1a:91:0:1:0:1:28:b1:f6:c7:30:9c:23:e6:1a:91 mac-address=\
    30:9C:23:E6:1A:91 server=vlan100_LAN
add address=10.10.10.185 client-id=1:ac:f1:8:3:be:48 mac-address=\
    AC:F1:08:03:BE:48 server=vlan20
add address=10.1.1.160 client-id=\
    ff:11:dd:1e:18:0:1:0:1:23:9b:17:51:e8:eb:11:dd:1e:18 mac-address=\
    E8:EB:11:DD:1E:18 server=vlan100_LAN
add address=10.10.10.22 client-id=1:64:d2:c4:d0:2f:90 mac-address=\
    64:D2:C4:D0:2F:90 server=vlan20
add address=192.168.70.28 client-id=1:30:5:5c:3d:19:e7 mac-address=\
    30:05:5C:3D:19:E7 server=vlan70
add address=10.1.1.190 client-id=1:c:8d:db:93:50:6e mac-address=\
    0C:8D:DB:93:50:6E server=vlan100_LAN
add address=10.10.10.175 client-id=1:54:e6:1b:f3:53:fd mac-address=\
    54:E6:1B:F3:53:FD server=vlan20
add address=10.1.1.31 client-id=1:68:d7:9a:2d:41:d3 mac-address=\
    68:D7:9A:2D:41:D3 server=vlan100_LAN
add address=10.1.1.128 client-id=\
    ff:3e:c8:67:ec:0:1:0:1:28:2c:92:5b:0:16:3e:c8:67:ec mac-address=\
    00:16:3E:C8:67:EC server=vlan100_LAN
add address=192.168.70.101 client-id=1:9c:8e:cd:2d:be:5c mac-address=\
    9C:8E:CD:2D:BE:5C server=vlan70
add address=192.168.70.23 client-id=1:bc:ba:c2:94:1b:74 mac-address=\
    BC:BA:C2:94:1B:74 server=vlan70
add address=192.168.70.27 client-id=1:bc:ba:c2:94:1b:8c mac-address=\
    BC:BA:C2:94:1B:8C server=vlan70
add address=192.168.70.22 client-id=1:bc:ba:c2:94:1b:a8 mac-address=\
    BC:BA:C2:94:1B:A8 server=vlan70
add address=10.10.10.54 client-id=1:4c:3b:df:c:4c:93 mac-address=\
    4C:3B:DF:0C:4C:93 server=vlan20
add address=10.10.10.57 client-id=1:38:1a:52:12:a0:cc mac-address=\
    38:1A:52:12:A0:CC server=vlan20
add address=10.10.10.15 client-id=1:a8:81:7e:9:2a:67 mac-address=\
    A8:81:7E:09:2A:67 server=vlan20
add address=10.10.10.235 client-id=1:58:fd:b1:90:d2:4c mac-address=\
    58:FD:B1:90:D2:4C server=vlan20
add address=192.168.50.6 client-id=1:18:7e:b9:8:b5:5 mac-address=\
    18:7E:B9:08:B5:05 server=dhcp6
add address=10.10.10.20 client-id=1:44:cb:8b:ec:fa:10 mac-address=\
    44:CB:8B:EC:FA:10 server=vlan20
add address=10.10.10.16 client-id=1:5a:1b:b4:61:61:11 mac-address=\
    5A:1B:B4:61:61:11 server=vlan20
add address=10.1.1.41 client-id=1:98:18:88:be:3:26 mac-address=\
    98:18:88:BE:03:26 server=vlan100_LAN
add address=10.10.10.13 client-id=1:1e:23:91:f6:7f:f9 mac-address=\
    1E:23:91:F6:7F:F9 server=vlan20
add address=10.10.10.21 client-id=1:a2:fd:f:86:1d:52 mac-address=\
    A2:FD:0F:86:1D:52 server=vlan20
add address=10.10.10.24 client-id=1:9e:a7:89:24:23:be mac-address=\
    9E:A7:89:24:23:BE server=vlan20
add address=10.10.10.19 client-id=1:b6:55:4c:a2:ab:d7 mac-address=\
    B6:55:4C:A2:AB:D7 server=vlan20
add address=10.10.10.25 client-id=1:8a:e8:76:40:5c:f mac-address=\
    8A:E8:76:40:5C:0F server=vlan20
add address=10.10.10.29 mac-address=70:2C:09:83:D5:17 server=vlan20
add address=10.1.1.26 client-id=1:74:8f:3c:42:f9:61 mac-address=\
    74:8F:3C:42:F9:61 server=vlan100_LAN
add address=10.10.10.137 client-id=1:ac:12:3:29:6b:d9 mac-address=\
    AC:12:03:29:6B:D9 server=vlan20
add address=10.10.10.30 mac-address=94:44:44:EA:DB:C5 server=vlan20
add address=10.1.1.43 client-id=1:98:18:88:be:b4:e4 mac-address=\
    98:18:88:BE:B4:E4 server=vlan100_LAN
add address=10.10.10.27 client-id=1:e8:61:7e:f8:10:5b mac-address=\
    E8:61:7E:F8:10:5B server=vlan20
add address=10.10.10.33 client-id=1:4a:68:75:d5:b2:ad mac-address=\
    4A:68:75:D5:B2:AD server=vlan20
add address=10.10.10.35 client-id=\
    ff:76:de:30:a1:0:4:ac:f5:70:cc:2d:3f:11:b2:a8:5c:a6:5a:a3:4:f9:99 \
    mac-address=C8:5B:76:DE:30:A1 server=vlan20
add address=10.10.10.36 client-id=1:c8:5b:76:de:30:a1 mac-address=\
    C8:5B:76:DE:30:A1 server=vlan20
add address=10.10.10.32 client-id=1:ce:a8:22:ba:c:78 mac-address=\
    CE:A8:22:BA:0C:78 server=vlan20
add address=10.10.10.39 client-id=1:78:c8:81:82:c0:24 mac-address=\
    78:C8:81:82:C0:24 server=vlan20
add address=10.10.10.41 client-id=1:a0:4e:a7:8e:99:46 mac-address=\
    A0:4E:A7:8E:99:46 server=vlan20
add address=10.10.10.37 client-id=1:ea:e2:e2:b6:2f:1a mac-address=\
    EA:E2:E2:B6:2F:1A server=vlan20
add address=10.10.10.47 client-id=1:fa:51:7a:fe:e4:65 mac-address=\
    FA:51:7A:FE:E4:65 server=vlan20
add address=10.1.1.24 client-id=1:ca:5a:b8:57:19:e4 mac-address=\
    CA:5A:B8:57:19:E4 server=vlan100_LAN
add address=10.10.10.12 client-id=1:4c:bc:98:80:ad:42 mac-address=\
    4C:BC:98:80:AD:42 server=vlan20
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.1 gateway=10.1.1.1
add address=10.2.1.0/24 dns-server=10.2.1.1,8.8.4.4 gateway=10.2.1.1
add address=10.4.1.0/29 dns-server=10.4.1.1 gateway=10.4.1.1
add address=10.5.1.0/29 dns-server=10.5.1.1 gateway=10.5.1.1
add address=10.9.9.0/24 dns-server=10.9.9.1,8.8.4.4 gateway=10.9.9.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.200.200.0/24 dns-server=1.1.1.1,208.67.222.222 gateway=\
    10.200.200.1
add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1
add address=172.20.120.0/24 dns-server=172.20.120.1 gateway=172.20.120.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.10.0/28 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.18.0/24 dns-server=192.168.18.1 gateway=192.168.18.1
add address=192.168.50.0/29 gateway=192.168.50.1
add address=192.168.70.0/24 dns-server=192.168.70.1 gateway=192.168.70.1
/ip dns
set allow-remote-requests=yes max-concurrent-queries=100000 \
    max-concurrent-tcp-sessions=20000 servers=\
    8.8.8.8,1.1.1.1,2001:4860:4860::8888
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
add address=2606:4700::6810:f9f9 name=cloudflare-dns.com type=AAAA
add address=2606:4700::6810:f8f9 name=cloudflare-dns.com type=AAAA
add address=10.1.1.14 name=yt.home
add address=10.5.1.5 name=bitwarden.home
add address=10.5.1.5 name=bit.home
add address=10.1.1.60 name=b.home
add address=10.1.1.60 name=backup.home
add address=10.1.1.60 name=backups.home
add address=10.10.10.35 name=volumio.home
add address=10.10.10.35 name=volumio.local
add address=10.10.10.36 name=euphony.home
/ip firewall address-list
add address=b8f40b5fbc45.sn.mynetname.net list=WAN-IP
add address=216.218.206.78 list=IPSEC
add address=180.168.136.110 list=IPSEC
add address=216.218.206.118 list=IPSEC
add address=95.174.66.242 list=IPSEC
add address=202.96.99.84 list=IPSEC
add address=121.81.24.227 list=IPSEC
add address=181.129.42.188 list=IPSEC
add address=109.189.159.221 list=IPSEC
add address=45.23.16.169-45.23.16.173 list=static
add address=10.10.10.54 list=Plex-Bypass-Firewall
add address=10.10.10.48 list=Plex-Bypass-Firewall
add address=192.168.77.0/24 list=vpn
add address=10.3.1.0/24 list=vpn
add address=172.16.0.0/24 list=local
add address=10.9.9.245 list=Plex-Bypass-Firewall
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="allow established related" \
    connection-state=established,related in-interface=all-vlan out-interface=\
    VLAN100
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" disabled=\
    yes in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" \
    disabled=yes dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input disabled=yes dst-port=443 in-interface=ether1 \
    protocol=tcp
add action=accept chain=forward disabled=yes src-address=10.3.1.0/24
add action=accept chain=forward comment="Allow VPN to internet" disabled=yes \
    out-interface-list=WAN src-address-list=vpn
add action=accept chain=input comment="Allow established related untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all other input"
add action=accept chain=forward comment=\
    "Allow static /29 from AT&T to receive traffic from the public/clearweb!" \
    disabled=yes in-interface-list=WAN out-interface=*20
add action=accept chain=forward comment="Allow DNS for all" \
    out-interface-list=DNS
add action=drop chain=forward comment=\
    "no WAN for VLAN70 (ipcameras), VLAN12, and VLAN99" in-interface-list=\
    noWAN_IOT out-interface-list=WAN
add action=accept chain=forward disabled=yes out-interface=VLAN100 \
    src-address-list=Plex-Bypass-Firewall
add action=accept chain=forward disabled=yes dst-address-list=\
    Plex-Bypass-Firewall in-interface=VLAN100
add action=accept chain=forward comment="Allow established related untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="no inter-vlan for Sutherland VLAN50" \
    in-interface=VLAN50 out-interface-list=No-InterVLAN
add action=drop chain=forward comment="no intervlan for m's network" \
    in-interface=VLAN20 out-interface-list=m-InterVLAN
add action=drop chain=forward comment=dmz disabled=yes in-interface=VLAN45 \
    out-interface-list=DMZ-IPCAMs
add action=drop chain=forward comment=truedmz disabled=yes in-interface=\
    VLAN40 out-interface-list=TrueDMZ
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow LAN" in-interface-list=LAN
add action=accept chain=forward comment="Allow port forwards (dst nat)" \
    connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=forward disabled=yes out-interface-list=mgmt
add action=drop chain=forward comment="drop all other forward"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=to_vpn \
    passthrough=yes src-address-list=local
add action=change-mss chain=forward disabled=yes new-mss=1360 passthrough=yes \
    protocol=tcp src-address-list=local tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes src-address=10.3.1.0/24
add action=masquerade chain=srcnat comment="Default masq" out-interface-list=\
    WAN
add action=dst-nat chain=dstnat comment="OVPN Portfoward" disabled=yes \
    dst-address=CENSORED dst-port=1194 in-interface-list=WAN protocol=\
    udp to-addresses=10.5.1.3
add action=dst-nat chain=dstnat comment=wireguard dst-address=CENSORED \
    dst-port=51820 in-interface-list=WAN protocol=udp to-addresses=10.5.1.2
add action=dst-nat chain=dstnat comment=apache2 disabled=yes dst-address=\
    CENSORED dst-port=80 in-interface-list=WAN protocol=tcp \
    to-addresses=10.4.1.4
add action=dst-nat chain=dstnat comment=ssh disabled=yes dst-address=\
    CENSORED dst-port=22 in-interface-list=WAN protocol=tcp \
    to-addresses=10.4.1.4
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=vpnclient.p12_1 \
    generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client \
    policy-template-group=ike2-rw
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add group=ike2-rw proposal=ike2-rw template=yes
/ip route
add disabled=yes distance=1 gateway=vpn_blackhole routing-mark=to_vpn
/ip route vrf
add disabled=yes interfaces=VLAN500,*23 routing-mark=guestvpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.1.1.0/24 disabled=yes
set www-ssl address=10.1.1.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=VLAN20 type=internal
add interface=VLAN50 type=internal
add interface=VLAN100 type=internal
/ipv6 address
add address=2600:1700:48e8:1871:CENSORED eui-64=yes interface=\
    ether1
add address=2600:1700:48e8:CENSORED eui-64=yes interface=\
    VLAN20
add address=2600:1700:48e8:CENSORED eui-64=yes interface=\
    VLAN100
add address=2600:1700:48e8:CENSORED eui-64=yes interface=\
    VLAN45
add address=2600:1700:48e8:CENSORED:de9b eui-64=yes interface=\
    VLAN50
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=general-pool6 \
    pool-prefix-length=60 prefix-hint=::/64 request=prefix
/ipv6 firewall filter
add action=accept chain=input comment=\
    "Accept (established, related untracked)" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop (invalid)" connection-state=invalid
add action=accept chain=input comment="Accept DHCP (10/sec)" \
    in-interface-list=WAN limit=10,20:packet protocol=udp src-port=547
add action=drop chain=input comment="Drop DHCP (>10/sec)" in-interface-list=\
    WAN protocol=udp src-port=547
add action=accept chain=input comment="Accept external ICMP (10/sec)" \
    in-interface-list=WAN limit=10,20:packet protocol=icmpv6
add action=drop chain=input comment="Drop external ICMP (>10/sec)" \
    in-interface-list=WAN protocol=icmpv6
add action=accept chain=input comment="Accept internal ICMP" \
    in-interface-list=!WAN protocol=icmpv6
add action=drop chain=input comment="Drop external" in-interface-list=WAN
add action=drop chain=input comment="Reject everything else"
add action=accept chain=output comment="Accept all"
add action=accept chain=forward comment=\
    "Accept (established, related, untracked)" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop (invalid)" connection-state=\
    invalid
add action=accept chain=forward comment="Accept external ICMP (20/sec)" \
    in-interface-list=WAN limit=20,50:packet protocol=icmpv6
add action=drop chain=forward comment="Drop external ICMP (>20/sec)" \
    in-interface-list=WAN protocol=icmpv6
add action=accept chain=forward comment="Accept internal" in-interface-list=\
    !WAN
add action=accept chain=forward comment="Accept outgoing" out-interface-list=\
    WAN
add action=drop chain=forward comment="Drop external" in-interface-list=WAN
/ipv6 nd
set [ find default=yes ] disabled=yes
add interface=VLAN100 other-configuration=yes ra-interval=20s-1m
add interface=VLAN50 other-configuration=yes ra-interval=20s-1m
add interface=VLAN20 other-configuration=yes ra-interval=20s-1m
add interface=ether1 other-configuration=yes ra-interval=20s-1m
add disabled=yes interface=VLAN40 other-configuration=yes ra-interval=20s-1m
add interface=VLAN45 other-configuration=yes ra-interval=20s-1m
add disabled=yes interface=VLAN200_mgmt ra-interval=20s-1m
add disabled=yes interface=VLAN500 other-configuration=yes ra-interval=20s-1m
/ipv6 nd prefix
add interface=VLAN20 prefix=2600:1700:48e8:1873::/64
add disabled=yes interface=VLAN40 prefix=2600:1700:48e8:1876::/64
add interface=ether1 prefix=2600:1700:48e8:1871::/64
add interface=VLAN100 prefix=2600:1700:48e8:1872::/64
add interface=VLAN50 prefix=2600:1700:48e8:1875::/64
add interface=VLAN45 prefix=2600:1700:48e8:1874::/64
add disabled=yes interface=VLAN500 prefix=2600:1700:48e8:1877::/64
/ppp secret
add local-address=10.3.1.1 name=Laptop profile=sstpserver remote-address=\
    10.3.1.100 service=sstp
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=MikroTik-RB4011
/system scheduler
add interval=5m name="Find IPSEC" on-event=Find_IPSEC policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=feb/24/2020 start-time=03:25:11
add disabled=yes interval=1h name=email_logs on-event="/log print file=logs\r\
    \ndelay 10\r\
    \n/tool e-mail send to=\"me@tlopez.cc\" subject=\"\$[/system identity get \
    name]  logs\" \\\r\
    \nbody=\"\$[/system clock get date] log file\" file=logs.txt" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/27/2020 start-time=08:51:35
/system script
add dont-require-permissions=no name=Find_IPSEC owner=kazuma policy=\
    read,write,policy,test,password,sniff,sensitive,romon source="# Created Jo\
    tne 2019 v1.2\r\
    \n#\r\
    \n# This script add ip of user who with \"IPSEC negotiation failed\" and \
    \"SPI* not registered\" to a block list for 24hour\r\
    \n# Schedule the script to run every 5 min\r\
    \n# It should run on all routerOS version\r\
    \n\r\
    \n\r\
    \n\r\
    \n# Find all \"negotiation failed\" error last 5 min\r\
    \n:local loglistN [:toarray [/log find  time>([/system clock get time] - 5\
    m) message~\"negotiation failed\"]]\r\
    \n\r\
    \n# for all error do\r\
    \n:foreach i in=\$loglistN do={\r\
    \n\r\
    \n# find message\r\
    \n\t:local logMessageN [/log get \$i message]\r\
    \n# find ip\r\
    \n\t:local ipN [:pick \$logMessageN 0 [:find \$logMessageN \" \"]]\r\
    \n\r\
    \n# Add ip to accesslist\t\r\
    \n\t/ip firewall address-list add address=\$ipN list=IPSEC timeout=24h\r\
    \n# Send a message to the log\t\r\
    \n\t:log info message=\"script=IPSEC_failed src_ip=\$ipN why=negotiation_f\
    ailed\"\r\
    \n\t}\r\
    \n\r\
    \n\t\r\
    \n\r\
    \n# Find all \"SPI* not registered\"\" error last 5 min\r\
    \n:local loglistS [:toarray [/log find  time>([/system clock get time] - 5\
    m) message~\"SPI.*not regist\"]]\r\
    \n\r\
    \n# for all error do\r\
    \n:foreach j in=\$loglistS do={\r\
    \n\r\
    \n# find message\r\
    \n\t:local logMessageS [/log get \$j message]\r\
    \n# find ip\r\
    \n\t:local ipS [:pick \$logMessageS ([:find \$logMessageS \"for \"]+4) [:f\
    ind \$logMessageS \"[\"]]\r\
    \n\r\
    \n# Add ip to accesslist\t\r\
    \n\t/ip firewall address-list add address=\$ipS list=IPSEC timeout=24h\r\
    \n# Send a message to the log\t\r\
    \n\t:log info message=\"script=IPSEC_failed src_ip=\$ipS why=SPI_not_regis\
    tered\"\r\
    \n\t}\r\
    \n\t"
/tool e-mail
set address=smtp.gmail.com from=CENSORED port=587 start-tls=yes user=\
    CENSORED

out of curiosity were did you get the ip 180.168.136.110 above from? I get malicious requests from this IP so much now that it needs to go into ip block

Who is online

Users browsing this forum: mkx, xaar and 57 guests