Thu Aug 23, 2018 12:01 am
LTE Device
Office Public IP = X.X.X.X
# Export from the "LTE Device" (remote end of the L2TP tunnel). Only non-default
# values are exported; anything not listed keeps its RouterOS default. Rule order
# inside each firewall chain is significant: first match wins.
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
/ip neighbor discovery
set lte1 discover=no
/interface list
add name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
# NOTE(review): both proposals are 3des with pfs-group=none, i.e. the weakest
# cipher offered here and no forward secrecy for the tunnel. AES with a PFS group
# is the usual replacement, but both tunnel ends must be changed together.
set [ find default=yes ] enc-algorithms=3des pfs-group=none
add enc-algorithms=3des name=wifi pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether1 name=defconf
/ppp profile
set *0 change-tcp-mss=default
set *FFFFFFFE change-tcp-mss=default use-encryption=default
/interface l2tp-client
# NOTE(review): user, password and ipsec-secret appear in clear text in this
# export and are placeholder-strength; treat the export as a secret and rotate
# them once the post has been shared. use-ipsec is not shown, so whether the
# ipsec-secret is actually applied cannot be confirmed from this export.
add connect-to=X.X.X.X disabled=no ipsec-secret=wifi max-mru=1460 \
max-mtu=1460 name=l2tp-out1 password=1234 profile=default user=test
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface list member
add interface=ether1 list=discover
add interface=ether1 list=mactel
add interface=ether1 list=mac-winbox
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether1 network=\
192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for other hosts; on
# this device the input rules below limit port 53 to 192.168.1.0/24 and drop the
# rest that arrives on lte1.
set allow-remote-requests=yes servers=172.16.0.1
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE(review): the WinBox (8291/tcp) and API (8728/tcp) accepts carry no
# src-address or in-interface restriction and sit above "drop all from WAN", so
# both management services are reachable from lte1. Adding
# src-address=192.168.1.0/24 (or in-interface=!lte1) to these two rules keeps
# management off the WAN side.
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=\
tcp
add action=accept chain=input comment="Allow WinBox API" dst-port=8728 \
protocol=tcp
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" protocol=\
ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" \
dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="Allow local network" src-address=\
192.168.1.0/24
# The two DNS accepts below are shadowed by "Allow local network" just above
# (same src-address, no extra condition), so they never match. Harmless.
add action=accept chain=input comment="Allow DNS for trusted network" \
dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=accept chain=input comment="Allow DNS for trusted network" \
dst-port=53 protocol=tcp src-address=192.168.1.0/24
# This is the only drop in the input chain and it matches lte1 only. Traffic
# arriving through the l2tp-out1 tunnel is not covered, so hosts on the far side
# of the tunnel reach every local service; an additional drop for
# in-interface=l2tp-out1 (after the accepts needed from that side) closes that —
# confirm against what the office side is meant to reach.
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=lte1
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=lte1
# The two DNS drops below are unreachable: everything arriving on lte1 is already
# dropped by "defconf: drop all from WAN" above. They can be removed, or moved
# above that rule if per-port logging of DNS probes is wanted.
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
lte1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
lte1 protocol=tcp
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1400 out-interface=\
l2tp-out1 passthrough=yes protocol=tcp tcp-flags=syn
# Routing mark "PPTP" is only consumed by the disabled route further down, so as
# far as this export shows the mark currently has no routing effect.
add action=mark-routing chain=prerouting new-routing-mark=PPTP passthrough=\
yes src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=l2tp-out1 \
src-address=172.16.0.0/12
add action=masquerade chain=srcnat out-interface=lte1
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip route
add disabled=yes distance=1 gateway=172.16.0.1 routing-mark=PPTP
add distance=1 gateway=lte1
add distance=1 dst-address=172.16.0.0/12 gateway=172.16.0.1
# NOTE(review): 172.168.1.0/24 is public address space, not RFC 1918; this looks
# like a typo for 192.168.1.0/24 (this router's own LAN, which would not need a
# tunnel route either) — confirm what was intended.
add distance=1 dst-address=172.168.1.0/24 gateway=172.16.0.1
add distance=1 dst-address=192.168.0.0/24 gateway=172.16.0.1
add distance=1 dst-address=192.168.0.1/32 gateway=172.16.0.1
/ip service
# telnet/ftp/www are off. ssh, winbox and api are not listed, so they keep their
# defaults; winbox and api reachability from lte1 is then governed only by the two
# unrestricted input accepts above.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
CRS Office
# Export from the office CRS (L2TP/PPTP server end). Only non-default values are
# exported; anything not listed keeps its RouterOS default.
/interface bridge
# Bridge "Wlan" has no ports added anywhere in this export (no
# /interface bridge port section), so the nat and filter rules below that name it
# match nothing until ports are added.
add name=Wlan
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] disabled=yes master-port=ether3
set [ find default-name=ether5 ]
# ether7..ether24 and sfp1 (except ether16) are switched together under ether1.
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] comment="Tom Network 16"
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] master-port=ether1
set [ find default-name=ether24 ] master-port=ether1
set [ find default-name=sfp1 ] master-port=ether1
/interface l2tp-server
add name=l2tp-in1 user=test
/ip pool
# NOTE(review): the pool runs to 172.32.255.255, which is past the end of
# 172.16.0.0/12 (172.31.255.255) that the masquerade rule below covers;
# 172.32.0.0/16 is public address space. Likely a typo for 172.31.255.255.
add name=vpn-l2tp ranges=172.16.0.2-172.32.255.255
/ppp profile
set *0 change-tcp-mss=default local-address=172.16.0.1 remote-address=\
vpn-l2tp
# use-encryption=required is set on *FFFFFFFE, but both the L2TP and the PPTP
# server below use default-profile=default (*0), which leaves use-encryption at
# its default — so, as far as this export shows, encryption is not enforced by
# profile for those sessions.
set *FFFFFFFE use-encryption=required
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface l2tp-server server
# use-ipsec does not appear here (default), so the server itself does not require
# the L2TP session to be carried inside IPsec; the 500/4500/ESP/AH accepts below
# are therefore permissive rather than enforcing. Confirm the intended mode.
set default-profile=default enabled=yes keepalive-timeout=60 max-mru=1460 max-mtu=1460
/interface pptp-server server
# NOTE(review): PPTP is enabled with pap, chap and mschap1 allowed; all three are
# weak (pap carries the password in clear). If PPTP must stay on, limiting
# authentication to mschap2 is the minimum; disabling it altogether removes
# 1723/tcp and GRE from the exposed surface.
set authentication=pap,chap,mschap1,mschap2 default-profile=default enabled=\
yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns
# allow-remote-requests=yes together with the unrestricted port-53 accepts below
# makes this an open resolver toward ether1 (the interface that takes its address
# via dhcp-client and appears to be the upstream side — confirm).
set allow-remote-requests=yes servers=172.16.0.1
/ip dns static
add address=8.8.8.8 name=dns1
add address=8.8.4.4 name=dns2
/ip firewall filter
# NOTE(review): the input chain below consists of accepts only — no closing drop,
# and no in-interface or src-address condition on any rule — so every service on
# the router (including winbox and api, which are not disabled under /ip service)
# is reachable from ether1. A final `add action=drop chain=input in-interface=ether1`
# after the accepts, or src-address limits on the accepts, is the usual fix.
add action=accept chain=input comment="VPN L2TP UDP 500" dst-port=500 \
protocol=udp
add action=accept chain=input comment="VPN L2TP 4500" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="VPN L2TP UDP 1701" dst-port=1701 \
protocol=udp
# The comment on the next rule is copied from the 1701 rule but the port is
# 1723/udp. PPTP control uses 1723/tcp, so this rule does not admit PPTP; with no
# input drop present it changes nothing today, but it will once a drop is added.
add action=accept chain=input comment="VPN L2TP UDP 1701" dst-port=1723 \
protocol=udp
add action=accept chain=input comment="VPN L2TP ESP" protocol=ipsec-esp
add action=accept chain=input comment="VPN L2TP AH" protocol=ipsec-ah
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Established, Related" \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=accept chain=input comment="Accept DNS - UDP" dst-port=53 \
protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" dst-port=53 \
protocol=tcp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
# This rule references address-list "not_in_internet", which is not defined in
# this export (no /ip firewall address-list section), and in-interface=Wlan, a
# bridge with no ports; as exported it matches nothing. It also sets log-prefix
# without log=yes, so it would not log even if it matched.
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=Wlan \
log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.0.0/12
add action=masquerade chain=srcnat out-interface=Wlan
/ip firewall service-port
set sip disabled=yes
/ip service
# telnet/ftp/www/ssh are off. winbox and api are not listed, so they keep their
# defaults; combined with the accept-only input chain above they are the remaining
# management paths and neither is firewalled here.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp secret
# NOTE(review): a shared "test" account with password 1234 is the only VPN
# credential in this export; it is visible in clear text in the post and should
# be rotated, and per-user secrets make later revocation possible.
add name=test password=1234 service=l2tp
/system identity
set name=Office