stef84
newbie
Topic Author
Posts: 41
Joined: Tue Apr 29, 2014 8:00 pm
Location: Assisi - Italy
Contact:

VLAN and CPU Swich correct setting

Sat Feb 02, 2019 1:35 pm

Hello. I use my RB2011 with VLANs. I have a problem with the VLANs and I don't understand whether my configuration is correct: with high traffic (~100 Mbps with speedtest) the RB CPU load rises up to 70%, and the traffic uses the RB CPU rather than the switch CPU.

In VLAN mode, must the switch-CPU port be set to FALLBACK or SECURE?

Thanks

Image Image Image
 
sebastia
Forum Guru
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: VLAN and CPU Swich correct setting

Sat Feb 02, 2019 2:27 pm

Hey stef

You should list your current config: /export hide-sensitive compact, so that it can be examined.
 
mkx
Forum Guru
Forum Guru
Posts: 11624
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN and CPU Swich correct setting

Sat Feb 02, 2019 2:33 pm

The switch chip handles in hardware only the traffic between ether ports connected to the same switch chip. If you're running speedtest against a WAN server, then the CPU has to handle the traffic.

If you want a more detailed and precise answer, then post the configuration (/export hide-sensitive) and describe the test case precisely ... screenshots don't help much ...
 
stef84
newbie
Topic Author
Posts: 41
Joined: Tue Apr 29, 2014 8:00 pm
Location: Assisi - Italy
Contact:

Re: VLAN and CPU Swich correct setting

Sat Feb 02, 2019 3:30 pm

Thanks, friends, for the replies.

I have two connections. The older one is on ether5-WAN, a 30/3 WISP connection that is kept only as a backup, but at the moment it does not work.

I'm currently using a VDSL line (~90/20) on VLAN20, and the 2011 runs a PPPoE client.

This is my configuration. I think the problem is the hardware: the RB2011 cannot handle all the traffic, considering the many rules.

I'm considering replacing the RB2011 with an RB4011 if necessary.

Thanks
/caps-man channel
add band=2ghz-b/g/n extension-channel=Ce frequency=2412 name=channel1
add band=2ghz-b/g/n extension-channel=eC frequency=2462 name=channel11
add band=2ghz-b/g/n extension-channel=Ce frequency=2412 name=channel1
add band=2ghz-b/g/n extension-channel=eC frequency=2462 name=channel11
/caps-man datapath
add client-to-client-forwarding=yes name=datapath-raspy
add client-to-client-forwarding=yes name=datapath1
add client-to-client-forwarding=yes name=datapath-guest
add client-to-client-forwarding=yes name=datapath-raspy
add client-to-client-forwarding=yes name=datapath1
add client-to-client-forwarding=yes name=datapath-guest
/interface bridge
add name=bridge-TRUNK
/interface ethernet
set [ find default-name=ether1 ] comment=F300_ST speed=100Mbps
set [ find default-name=ether2 ] comment=QRT_AP speed=100Mbps
set [ find default-name=ether3 ] comment="Switch Sottoscala" speed=100Mbps
set [ find default-name=ether4 ] comment="Appart. Lau" speed=100Mbps
set [ find default-name=ether5 ] arp=proxy-arp comment=\
    "************ WLAN -  D0 LAN ************" name=ether5-WAN speed=\
    100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
    "RB750 Labor. Radio"
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
    "Acces Point 1P"
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
    MANAGEMENT
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
    "Camera Stef"
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add disabled=yes interface=ether8 name=vlan11 vlan-id=11
add interface=bridge-TRUNK name=vlan11-LAN vlan-id=11
add disabled=yes interface=ether8 name=vlan12 vlan-id=12
add interface=bridge-TRUNK name=vlan12-Guest vlan-id=12
add interface=bridge-TRUNK name=vlan15-Voip1 vlan-id=15
add interface=bridge-TRUNK name=vlan16-Voip2 vlan-id=16
add interface=bridge-TRUNK name=vlan17-security vlan-id=17
add arp=proxy-arp interface=bridge-TRUNK name=vlan19-SkyQ vlan-id=19
add interface=bridge-TRUNK name=vlan20-PPPoE vlan-id=20
add interface=bridge-TRUNK name=vlan100-Hotspot vlan-id=100
# PPPoE client for the VDSL line; it runs on VLAN 20 of bridge-TRUNK and
# installs the default route.
# NOTE(review): allow=pap limits authentication to PAP, which passes the PPPoE
# password to the access concentrator unprotected. This is often dictated by
# the ISP; if the provider also accepts CHAP/MS-CHAPv2, prefer those - confirm.
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=vlan20-PPPoE \
    keepalive-timeout=60 name=pppoe-out1 password=******** use-peer-dns=yes \
    user=*************
# CAPsMAN security profiles referenced by the cfg-master / cfg-guest
# configurations.
# NOTE(review): security1 and security-guest use authentication-types=wpa-psk
# (first-generation WPA); only security-raspy uses wpa2-psk. Unless a legacy
# client needs WPA, wpa2-psk is the safer setting for all three.
# NOTE(review): every profile name appears twice in this listing. Whether that
# is a paste artifact or a real duplicate on the router cannot be told from
# here - confirm.
/caps-man security
add authentication-types=wpa-psk encryption=aes-ccm name=security1 \
    passphrase=*********
add authentication-types=wpa-psk encryption=aes-ccm name=security-guest \
    passphrase=***********
add authentication-types=wpa2-psk encryption=aes-ccm name=security-raspy \
    passphrase=***********
add authentication-types=wpa-psk encryption=aes-ccm name=security1 \
    passphrase=***********
add authentication-types=wpa-psk encryption=aes-ccm name=security-guest \
    passphrase=***********
add authentication-types=wpa2-psk encryption=aes-ccm name=security-raspy \
    passphrase=***********
/caps-man configuration
add country=italy datapath=datapath1 distance=indoors hide-ssid=no mode=ap \
    name=cfg-master security=security1 ssid=XXXXXXXX
add country=italy datapath=datapath-guest name=cfg-guest security=\
    security-guest ssid=XXXXXXXXXXXXXXXXXX
add country=italy datapath=datapath1 distance=indoors hide-ssid=no mode=ap \
    name=cfg-master security=security1 ssid=XXXXXXXXXXXXXXX
add country=italy datapath=datapath-guest name=cfg-guest security=\
    security-guest ssid=XXXXXXXXXXXX
# Per-port VLAN mode of the switch chips (the subject of the question in this
# thread).
#   secure   - a tagged frame is dropped unless its VLAN ID is in the switch
#              VLAN table and the ingress port is a member of that entry.
#   fallback - frames whose VLAN ID is missing from the table are still
#              forwarded (handled like untagged frames), and ingress-port
#              membership is not enforced.
# NOTE(review): entries 0, 5, 9, 11 and 12 stay in fallback, so the switch
# chip does not enforce VLAN separation on them. Which physical or CPU ports
# these indexes refer to cannot be told from the export - check with
# "/interface ethernet switch port print" before relying on the VLAN table
# for isolation.
/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=fallback
set 6 vlan-mode=secure
set 7 vlan-mode=secure
set 8 vlan-mode=secure
set 9 vlan-mode=fallback
set 10 default-vlan-id=11 vlan-mode=secure
set 11 vlan-mode=fallback
set 12 vlan-mode=fallback
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec phase 1 profile (profile_1) and the default phase 2 proposal.
# NOTE(review): weak parameters. dh-group=modp1024 is a 1024-bit
# Diffie-Hellman group, 3des (a 64-bit block cipher) is still offered as a
# fallback in both lists, and pfs-group=none turns off perfect forward secrecy
# for phase 2. A larger DH group, AES only, and a PFS group are the usual
# hardening, provided the VPN clients support them.
# Whether any peer actually references profile_1 is not visible in this export.
/ip ipsec peer profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des name=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    pfs-group=none
# Address pools for the DHCP servers, the hotspot and the L2TP profile.
# NOTE(review): dhcp_pool_Hotspot ends at 172.16.0.255, which is the broadcast
# address of the 172.16.0.0/24 network configured on vlan100-Hotspot; the range
# should stop at .254.
# NOTE(review): pool_security uses 90.90.90.0/24, which lies outside the
# RFC 1918 private ranges. Internal hosts then cannot reach the real owners of
# those addresses, and rules written for "private" ranges will not cover this
# segment - confirm this is intended.
/ip pool
add name=dhcp_pool_LAN ranges=192.168.1.201-192.168.1.250
add name=dhcp_pool_GUEST ranges=10.10.15.50-10.10.15.150
add name=dhcp_pool_Hotspot ranges=172.16.0.10-172.16.0.255
add name=dhcp_pool_SkyQ ranges=10.90.90.2-10.90.90.14
add name=dhcp_pool_Voip1 ranges=192.168.61.100-192.168.61.200
add name=l2tp_pool ranges=10.10.0.2-10.10.0.100
add name=pool_security ranges=90.90.90.10-90.90.90.250
/ip dhcp-server
add address-pool=dhcp_pool_LAN authoritative=after-2sec-delay disabled=no \
    interface=vlan11-LAN lease-time=23h59m name=dhcp-LAN
add address-pool=dhcp_pool_GUEST disabled=no interface=vlan12-Guest name=\
    dhcp-GUEST
add address-pool=dhcp_pool_Hotspot authoritative=after-2sec-delay disabled=no \
    interface=vlan100-Hotspot lease-time=1h name=dhcp-Hotspot
add address-pool=dhcp_pool_SkyQ disabled=no interface=vlan19-SkyQ name=\
    dhcp-SkyQ
add address-pool=dhcp_pool_Voip1 disabled=no interface=vlan15-Voip1 name=\
    dhcp-Voip1
/ip hotspot user profile
add address-pool=dhcp_pool_Hotspot name=Trial rate-limit=512k/4M \
    transparent-proxy=yes
/ip hotspot profile
add dns-name=hotspot.granatalauro.it hotspot-address=172.16.0.1 \
    http-cookie-lifetime=1d login-by=cookie,http-chap,trial name=hsprof1 \
    trial-uptime-limit=2h trial-user-profile=Trial
/ip hotspot
add address-pool=dhcp_pool_Hotspot addresses-per-mac=1 disabled=no interface=\
    vlan100-Hotspot name=hotspot1 profile=hsprof1
/ppp profile
add local-address=10.10.0.1 name=L2TP-VPN remote-address=l2tp_pool \
    use-encryption=yes
set *FFFFFFFE dns-server=8.8.8.8,8.8.4.4 local-address=192.168.1.1 \
    remote-address=192.168.1.233
/queue simple
add max-limit=1M/6M name=user1 target=10.10.15.1/32
add max-limit=1M/6M name=user2 target=10.10.15.2/32
add max-limit=1M/6M name=user3 target=10.10.15.3/32
add max-limit=1M/6M name=user4 target=10.10.15.4/32
add max-limit=1M/6M name=user5 target=10.10.15.5/32
add max-limit=1M/6M name=user6 target=10.10.15.6/32
add max-limit=1M/6M name=user7 target=10.10.15.7/32
add max-limit=1M/6M name=user8 target=10.10.15.8/32
add max-limit=1M/6M name=user9 target=10.10.15.9/32
add max-limit=1M/6M name=user10 target=10.10.15.10/32
add max-limit=1M/6M name=user11 target=10.10.15.11/32
add max-limit=1M/6M name=user12 target=10.10.15.12/32
add max-limit=1M/6M name=user13 target=10.10.15.13/32
add max-limit=1M/6M name=user14 target=10.10.15.14/32
add max-limit=1M/6M name=user15 target=10.10.15.15/32
add max-limit=1M/6M name=user16 target=10.10.15.16/32
add max-limit=1M/6M name=user17 target=10.10.15.17/32
add max-limit=1M/6M name=user18 target=10.10.15.18/32
add max-limit=1M/6M name=user19 target=10.10.15.19/32
add max-limit=1M/6M name=user20 target=10.10.15.20/32
add max-limit=1M/6M name=user21 target=10.10.15.21/32
add max-limit=1M/6M name=user22 target=10.10.15.22/32
add max-limit=1M/6M name=user23 target=10.10.15.23/32
add max-limit=1M/6M name=user24 target=10.10.15.24/32
add max-limit=1M/6M name=user25 target=10.10.15.25/32
add max-limit=1M/6M name=user26 target=10.10.15.26/32
add max-limit=1M/6M name=user27 target=10.10.15.27/32
add max-limit=1M/6M name=user28 target=10.10.15.28/32
add max-limit=1M/6M name=user29 target=10.10.15.29/32
add max-limit=1M/6M name=user30 target=10.10.15.30/32
add max-limit=1M/6M name=user31 target=10.10.15.31/32
add max-limit=1M/6M name=user32 target=10.10.15.32/32
add max-limit=1M/6M name=user33 target=10.10.15.33/32
add max-limit=1M/6M name=user34 target=10.10.15.34/32
add max-limit=1M/6M name=user35 target=10.10.15.35/32
add max-limit=1M/6M name=user36 target=10.10.15.36/32
add max-limit=1M/6M name=user37 target=10.10.15.37/32
add max-limit=1M/6M name=user38 target=10.10.15.38/32
add max-limit=1M/6M name=user39 target=10.10.15.39/32
add max-limit=1M/6M name=user40 target=10.10.15.40/32
add max-limit=1M/6M name=user41 target=10.10.15.41/32
add max-limit=1M/6M name=user42 target=10.10.15.42/32
add max-limit=1M/6M name=user43 target=10.10.15.43/32
add max-limit=1M/6M name=user44 target=10.10.15.44/32
add max-limit=1M/6M name=user45 target=10.10.15.45/32
add max-limit=1M/6M name=user46 target=10.10.15.46/32
add max-limit=1M/6M name=user47 target=10.10.15.47/32
add max-limit=1M/6M name=user48 target=10.10.15.48/32
add max-limit=1M/6M name=user49 target=10.10.15.49/32
add max-limit=1M/6M name=user50 target=10.10.15.50/32
add max-limit=1M/6M name=user51 target=10.10.15.51/32
add max-limit=1M/6M name=user52 target=10.10.15.52/32
add max-limit=1M/6M name=user53 target=10.10.15.53/32
add max-limit=1M/6M name=user54 target=10.10.15.54/32
add max-limit=1M/6M name=user55 target=10.10.15.55/32
add disabled=yes max-limit=1M/6M name=user56 target=10.10.15.56/32
add disabled=yes max-limit=1M/6M name=user57 target=10.10.15.57/32
add max-limit=1M/6M name=user58 target=10.10.15.58/32
add max-limit=1M/6M name=user59 target=10.10.15.59/32
add max-limit=1M/6M name=user60 target=10.10.15.60/32
add max-limit=1M/6M name=user61 target=10.10.15.61/32
add max-limit=1M/6M name=user62 target=10.10.15.62/32
add max-limit=1M/6M name=user63 target=10.10.15.63/32
add max-limit=1M/6M name=user64 target=10.10.15.64/32
# NOTE(review): the target here is 10.10.15.55, the address user55 already
# limits, so 10.10.15.65 gets no queue of its own in this listing. The same
# name/address mismatch shows on user78 (.88), user165 (.155) and user178
# (.188) - probably typos that leave those guest addresses without a rate
# limit; confirm against the intended per-host limits.
add max-limit=1M/6M name=user65 target=10.10.15.55/32
add max-limit=1M/6M name=user66 target=10.10.15.66/32
add max-limit=1M/6M name=user67 target=10.10.15.67/32
add max-limit=1M/6M name=user68 target=10.10.15.68/32
add max-limit=1M/6M name=user69 target=10.10.15.69/32
add max-limit=1M/6M name=user70 target=10.10.15.70/32
add max-limit=1M/6M name=user71 target=10.10.15.71/32
add max-limit=1M/6M name=user72 target=10.10.15.72/32
add max-limit=1M/6M name=user73 target=10.10.15.73/32
add max-limit=1M/6M name=user74 target=10.10.15.74/32
add max-limit=1M/6M name=user75 target=10.10.15.75/32
add max-limit=1M/6M name=user76 target=10.10.15.76/32
add max-limit=1M/6M name=user77 target=10.10.15.77/32
add max-limit=1M/6M name=user78 target=10.10.15.88/32
add max-limit=1M/6M name=user79 target=10.10.15.79/32
add max-limit=1M/6M name=user80 target=10.10.15.80/32
add max-limit=1M/6M name=user81 target=10.10.15.81/32
add max-limit=1M/6M name=user82 target=10.10.15.82/32
add max-limit=1M/6M name=user83 target=10.10.15.83/32
add max-limit=1M/6M name=user84 target=10.10.15.84/32
add max-limit=1M/6M name=user85 target=10.10.15.85/32
add max-limit=1M/6M name=user86 target=10.10.15.86/32
add max-limit=1M/6M name=user87 target=10.10.15.87/32
add max-limit=1M/6M name=user88 target=10.10.15.88/32
add max-limit=1M/6M name=user89 target=10.10.15.89/32
add max-limit=1M/6M name=user90 target=10.10.15.90/32
add max-limit=1M/6M name=user91 target=10.10.15.91/32
add max-limit=1M/6M name=user92 target=10.10.15.92/32
add max-limit=1M/6M name=user93 target=10.10.15.93/32
add max-limit=1M/6M name=user94 target=10.10.15.94/32
add max-limit=1M/6M name=user95 target=10.10.15.95/32
add max-limit=1M/6M name=user96 target=10.10.15.96/32
add max-limit=1M/6M name=user97 target=10.10.15.97/32
add max-limit=1M/6M name=user98 target=10.10.15.98/32
add max-limit=1M/6M name=user99 target=10.10.15.99/32
add max-limit=1M/6M name=user100 target=10.10.15.100/32
add max-limit=1M/6M name=user101 target=10.10.15.101/32
add max-limit=1M/6M name=user102 target=10.10.15.102/32
add max-limit=1M/6M name=user103 target=10.10.15.103/32
add max-limit=1M/6M name=user104 target=10.10.15.104/32
add max-limit=1M/6M name=user105 target=10.10.15.105/32
add max-limit=1M/6M name=user106 target=10.10.15.106/32
add max-limit=1M/6M name=user107 target=10.10.15.107/32
add max-limit=1M/6M name=user108 target=10.10.15.108/32
add max-limit=1M/6M name=user109 target=10.10.15.109/32
add max-limit=1M/6M name=user110 target=10.10.15.110/32
add max-limit=1M/6M name=user111 target=10.10.15.111/32
add max-limit=1M/6M name=user112 target=10.10.15.112/32
add max-limit=1M/6M name=user113 target=10.10.15.113/32
add max-limit=1M/6M name=user114 target=10.10.15.114/32
add max-limit=1M/6M name=user115 target=10.10.15.115/32
add max-limit=1M/6M name=user116 target=10.10.15.116/32
add max-limit=1M/6M name=user117 target=10.10.15.117/32
add max-limit=1M/6M name=user118 target=10.10.15.118/32
add max-limit=1M/6M name=user119 target=10.10.15.119/32
add max-limit=1M/6M name=user120 target=10.10.15.120/32
add max-limit=1M/6M name=user121 target=10.10.15.121/32
add max-limit=1M/6M name=user122 target=10.10.15.122/32
add max-limit=1M/6M name=user123 target=10.10.15.123/32
add max-limit=1M/6M name=user124 target=10.10.15.124/32
add max-limit=1M/6M name=user125 target=10.10.15.125/32
add max-limit=1M/6M name=user126 target=10.10.15.126/32
add max-limit=1M/6M name=user127 target=10.10.15.127/32
add max-limit=1M/6M name=user128 target=10.10.15.128/32
add max-limit=1M/6M name=user129 target=10.10.15.129/32
add max-limit=1M/6M name=user130 target=10.10.15.130/32
add max-limit=1M/6M name=user131 target=10.10.15.131/32
add max-limit=1M/6M name=user132 target=10.10.15.132/32
add max-limit=1M/6M name=user133 target=10.10.15.133/32
add max-limit=1M/6M name=user134 target=10.10.15.134/32
add max-limit=1M/6M name=user135 target=10.10.15.135/32
add max-limit=1M/6M name=user136 target=10.10.15.136/32
add max-limit=1M/6M name=user137 target=10.10.15.137/32
add max-limit=1M/6M name=user138 target=10.10.15.138/32
add max-limit=1M/6M name=user139 target=10.10.15.139/32
add max-limit=1M/6M name=user140 target=10.10.15.140/32
add max-limit=1M/6M name=user141 target=10.10.15.141/32
add max-limit=1M/6M name=user142 target=10.10.15.142/32
add max-limit=1M/6M name=user143 target=10.10.15.143/32
add max-limit=1M/6M name=user144 target=10.10.15.144/32
add max-limit=1M/6M name=user145 target=10.10.15.145/32
add max-limit=1M/6M name=user146 target=10.10.15.146/32
add max-limit=1M/6M name=user147 target=10.10.15.147/32
add max-limit=1M/6M name=user148 target=10.10.15.148/32
add max-limit=1M/6M name=user149 target=10.10.15.149/32
add max-limit=1M/6M name=user150 target=10.10.15.150/32
add max-limit=1M/6M name=user151 target=10.10.15.151/32
add max-limit=1M/6M name=user152 target=10.10.15.152/32
add max-limit=1M/6M name=user153 target=10.10.15.153/32
add max-limit=1M/6M name=user154 target=10.10.15.154/32
add max-limit=1M/6M name=user155 target=10.10.15.155/32
add max-limit=1M/6M name=user156 target=10.10.15.156/32
add max-limit=1M/6M name=user157 target=10.10.15.157/32
add max-limit=1M/6M name=user158 target=10.10.15.158/32
add max-limit=1M/6M name=user159 target=10.10.15.159/32
add max-limit=1M/6M name=user160 target=10.10.15.160/32
add max-limit=1M/6M name=user161 target=10.10.15.161/32
add max-limit=1M/6M name=user162 target=10.10.15.162/32
add max-limit=1M/6M name=user163 target=10.10.15.163/32
add max-limit=1M/6M name=user164 target=10.10.15.164/32
add max-limit=1M/6M name=user165 target=10.10.15.155/32
add max-limit=1M/6M name=user166 target=10.10.15.166/32
add max-limit=1M/6M name=user167 target=10.10.15.167/32
add max-limit=1M/6M name=user168 target=10.10.15.168/32
add max-limit=1M/6M name=user169 target=10.10.15.169/32
add max-limit=1M/6M name=user170 target=10.10.15.170/32
add max-limit=1M/6M name=user171 target=10.10.15.171/32
add max-limit=1M/6M name=user172 target=10.10.15.172/32
add max-limit=1M/6M name=user173 target=10.10.15.173/32
add max-limit=1M/6M name=user174 target=10.10.15.174/32
add max-limit=1M/6M name=user175 target=10.10.15.175/32
add max-limit=1M/6M name=user176 target=10.10.15.176/32
add max-limit=1M/6M name=user177 target=10.10.15.177/32
add max-limit=1M/6M name=user178 target=10.10.15.188/32
add max-limit=1M/6M name=user179 target=10.10.15.179/32
add max-limit=1M/6M name=user180 target=10.10.15.180/32
add max-limit=1M/6M name=user181 target=10.10.15.181/32
add max-limit=1M/6M name=user182 target=10.10.15.182/32
add max-limit=1M/6M name=user183 target=10.10.15.183/32
add max-limit=1M/6M name=user184 target=10.10.15.184/32
add max-limit=1M/6M name=user185 target=10.10.15.185/32
add max-limit=1M/6M name=user186 target=10.10.15.186/32
add max-limit=1M/6M name=user187 target=10.10.15.187/32
add max-limit=1M/6M name=user188 target=10.10.15.188/32
add max-limit=1M/6M name=user189 target=10.10.15.189/32
add max-limit=1M/6M name=user190 target=10.10.15.190/32
add max-limit=1M/6M name=user191 target=10.10.15.191/32
add max-limit=1M/6M name=user192 target=10.10.15.192/32
add max-limit=1M/6M name=user193 target=10.10.15.193/32
add max-limit=1M/6M name=user194 target=10.10.15.194/32
add max-limit=1M/6M name=user195 target=10.10.15.195/32
add max-limit=1M/6M name=user196 target=10.10.15.196/32
add max-limit=1M/6M name=user197 target=10.10.15.197/32
add max-limit=1M/6M name=user198 target=10.10.15.198/32
add max-limit=1M/6M name=user199 target=10.10.15.199/32
add max-limit=1M/6M name=user200 target=10.10.15.200/32
add max-limit=1M/6M name=user201 target=10.10.15.201/32
add max-limit=1M/6M name=user202 target=10.10.15.202/32
add max-limit=1M/6M name=user203 target=10.10.15.203/32
add max-limit=1M/6M name=user204 target=10.10.15.204/32
add max-limit=1M/6M name=user205 target=10.10.15.205/32
add max-limit=1M/6M name=user206 target=10.10.15.206/32
add max-limit=1M/6M name=user207 target=10.10.15.207/32
add max-limit=1M/6M name=user208 target=10.10.15.208/32
add max-limit=1M/6M name=user209 target=10.10.15.209/32
add max-limit=1M/6M name=user210 target=10.10.15.210/32
add max-limit=1M/6M name=user211 target=10.10.15.211/32
add max-limit=1M/6M name=user212 target=10.10.15.212/32
add max-limit=1M/6M name=user213 target=10.10.15.213/32
add max-limit=1M/6M name=user214 target=10.10.15.214/32
add max-limit=1M/6M name=user215 target=10.10.15.215/32
add max-limit=1M/6M name=user216 target=10.10.15.216/32
add max-limit=1M/6M name=user217 target=10.10.15.217/32
add max-limit=1M/6M name=user218 target=10.10.15.218/32
add max-limit=1M/6M name=user219 target=10.10.15.219/32
add max-limit=1M/6M name=user220 target=10.10.15.220/32
add max-limit=1M/6M name=user221 target=10.10.15.221/32
add max-limit=1M/6M name=user222 target=10.10.15.222/32
add max-limit=1M/6M name=user223 target=10.10.15.223/32
add max-limit=1M/6M name=user224 target=10.10.15.224/32
add max-limit=1M/6M name=user225 target=10.10.15.225/32
add max-limit=1M/6M name=user226 target=10.10.15.226/32
add max-limit=1M/6M name=user227 target=10.10.15.227/32
add max-limit=1M/6M name=user228 target=10.10.15.228/32
add max-limit=1M/6M name=user229 target=10.10.15.229/32
add max-limit=1M/6M name=user230 target=10.10.15.230/32
add max-limit=1M/6M name=user231 target=10.10.15.231/32
add max-limit=1M/6M name=user232 target=10.10.15.232/32
add max-limit=1M/6M name=user233 target=10.10.15.233/32
add max-limit=1M/6M name=user234 target=10.10.15.234/32
add max-limit=1M/6M name=user235 target=10.10.15.235/32
add max-limit=1M/6M name=user236 target=10.10.15.236/32
add max-limit=1M/6M name=user237 target=10.10.15.237/32
add max-limit=1M/6M name=user238 target=10.10.15.238/32
add max-limit=1M/6M name=user239 target=10.10.15.239/32
add max-limit=1M/6M name=user240 target=10.10.15.240/32
add max-limit=1M/6M name=user241 target=10.10.15.241/32
add max-limit=1M/6M name=user242 target=10.10.15.242/32
add max-limit=1M/6M name=user243 target=10.10.15.243/32
add max-limit=1M/6M name=user244 target=10.10.15.244/32
add max-limit=1M/6M name=user245 target=10.10.15.245/32
add max-limit=1M/6M name=user246 target=10.10.15.246/32
add max-limit=1M/6M name=user247 target=10.10.15.247/32
add max-limit=1M/6M name=user248 target=10.10.15.248/32
add max-limit=1M/6M name=user249 target=10.10.15.249/32
add max-limit=1M/6M name=user250 target=10.10.15.250/32
add max-limit=1M/6M name=user251 target=10.10.15.251/32
add max-limit=1M/6M name=user252 target=10.10.15.252/32
add max-limit=1M/6M name=user253 target=10.10.15.253/32
add disabled=yes max-limit=1M/6M name=user254 target=10.10.15.254/32
add max-limit=512k/512k name=Android target=192.168.1.249/32
add comment=UBUNTU max-limit=256k/8M name=UBUNTU queue=\
    pcq-upload-default/pcq-download-default target=192.168.1.41/32
# NOTE(review): addresses=0.0.0.0/0 lets any source address use the default
# SNMP community. Whether the SNMP service itself is enabled is not visible in
# this export; if it is, restrict addresses to the management subnet and do not
# keep the default community name.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=100
/caps-man access-list
add action=accept disabled=no mac-address=D4:F4:6F:A0:21:7B ssid-regexp=""
add action=accept disabled=no mac-address=00:1E:C2:9E:58:CB ssid-regexp=""
add action=reject disabled=no ssid-regexp=""
add action=accept disabled=yes signal-range=-79..120 ssid-regexp=""
add action=reject disabled=yes signal-range=-120..-80 ssid-regexp=""
add action=accept disabled=no mac-address=D4:F4:6F:A0:21:7B ssid-regexp=""
add action=accept disabled=no mac-address=00:1E:C2:9E:58:CB ssid-regexp=""
add action=reject disabled=no ssid-regexp=""
add action=accept disabled=yes signal-range=-79..120 ssid-regexp=""
add action=reject disabled=yes signal-range=-120..-80 ssid-regexp=""
/caps-man provisioning
add action=create-enabled master-configuration=cfg-master \
    slave-configurations=cfg-guest
add action=create-enabled master-configuration=cfg-master \
    slave-configurations=cfg-guest
/interface bridge port
add bridge=bridge-TRUNK interface=ether2
add bridge=bridge-TRUNK interface=ether1
add bridge=bridge-TRUNK interface=ether4
add bridge=bridge-TRUNK interface=ether8
add bridge=bridge-TRUNK interface=ether7
add bridge=bridge-TRUNK interface=ether3
add bridge=bridge-TRUNK interface=ether9
add bridge=bridge-TRUNK interface=ether10
add bridge=bridge-TRUNK interface=ether6
# NOTE(review): discover-interface-list=all also runs neighbor discovery on the
# WAN-facing interfaces (ether5-WAN, pppoe-out1), where it announces the
# router's identity and version to whoever shares that segment. Limiting it to
# an interface list that holds only the internal interfaces is the usual choice.
/ip neighbor discovery-settings
set discover-interface-list=all
/interface ethernet switch vlan
add independent-learning=no ports=ether1,ether2,ether3,ether4,switch1-cpu \
    switch=switch1 vlan-id=11
add independent-learning=no ports=ether1,ether2,ether4,switch1-cpu switch=\
    switch1 vlan-id=13
add independent-learning=no ports=ether1,ether2,ether3,ether4,switch1-cpu \
    switch=switch1 vlan-id=12
add independent-learning=no ports=ether1,ether2,ether4,switch1-cpu switch=\
    switch1 vlan-id=14
add independent-learning=no ports=ether1,ether2,ether4,switch1-cpu switch=\
    switch1 vlan-id=19
add independent-learning=no ports=ether1,ether2,ether4,switch1-cpu switch=\
    switch1 vlan-id=15
add independent-learning=no ports=ether1,ether2,ether4,switch1-cpu switch=\
    switch1 vlan-id=16
add ports=ether6,ether7,ether8,ether10,switch2-cpu switch=switch2 vlan-id=11
add ports=ether7,ether8,ether10,switch2-cpu switch=switch2 vlan-id=12
add ports=switch2-cpu switch=switch2 vlan-id=13
add ports=ether7,ether8,switch2-cpu switch=switch2 vlan-id=16
add ports=ether7,ether8,ether10,switch2-cpu switch=switch2 vlan-id=19
add independent-learning=no ports=ether1,ether2,switch1-cpu switch=switch1 \
    vlan-id=17
add independent-learning=no ports=ether1,ether2,ether3,ether4,switch1-cpu \
    switch=switch1 vlan-id=100
add ports=ether6,ether7,ether8,ether10,switch2-cpu switch=switch2 vlan-id=100
add independent-learning=no ports=ether1,ether2,ether3,ether4,switch1-cpu \
    switch=switch1 vlan-id=18
add ports=ether6,ether7,ether8,ether10,switch2-cpu switch=switch2 vlan-id=18
add independent-learning=no ports=ether1,switch1-cpu switch=switch1 vlan-id=\
    20
# L2TP server; sessions use the L2TP-VPN PPP profile.
# NOTE(review): MS-CHAPv1 (mschap1) is obsolete; mschap2 alone serves current
# clients. use-ipsec=yes sets up IPsec for clients that offer it but, as far as
# I know, still accepts plain L2TP, whereas use-ipsec=required refuses sessions
# that are not inside IPsec (on RouterOS versions that have the value) -
# confirm. The input rule in this export accepts UDP 1701 on every interface.
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TP-VPN enabled=yes \
    max-mru=1460 max-mtu=1460 use-ipsec=yes
# OpenVPN server on TCP port 1190.
# NOTE(review): the cipher list still offers blowfish128, a 64-bit block
# cipher; keeping only the aes* entries avoids negotiating it. The certificate
# name (ca.crt_0) reads like a CA certificate rather than a dedicated server
# certificate - confirm which one is installed under that name. Client
# certificate enforcement is not shown here, so it is presumably at its
# default; verify.
/interface ovpn-server server
set certificate=ca.crt_0 cipher=blowfish128,aes128,aes192,aes256 enabled=yes \
    port=1190
# NOTE(review): PPTP (MS-CHAPv2 with MPPE) is considered cryptographically
# broken. L2TP and OpenVPN servers are also enabled in this export, so PPTP can
# likely be disabled unless a legacy client still depends on it.
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=vlan11-LAN network=192.168.1.0
add address=192.168.50.1/24 interface=vlan11-LAN network=192.168.50.0
add address=10.10.15.1/24 interface=vlan12-Guest network=10.10.15.0
add address=192.168.61.1/24 comment="VOIP Negozio 0758039683" interface=\
    vlan15-Voip1 network=192.168.61.0
add address=192.168.62.1/24 comment="VOIP Casa Lauro 0758039821" interface=\
    vlan16-Voip2 network=192.168.62.0
add address=192.168.30.1/24 interface=vlan11-LAN network=192.168.30.0
add address=10.90.90.1/28 interface=vlan19-SkyQ network=10.90.90.0
add address=172.16.0.1/24 interface=vlan100-Hotspot network=172.16.0.0
add address=192.168.20.254/24 interface=vlan20-PPPoE network=192.168.20.0
add address=192.168.0.254/24 interface=vlan11-LAN network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether5-WAN \
    use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.200 always-broadcast=yes mac-address=70:EE:50:1C:2D:28 \
    server=dhcp-LAN
add address=192.168.1.51 always-broadcast=yes client-id=1:f4:6d:4:96:b6:94 \
    mac-address=F4:6D:04:96:B6:94 server=dhcp-LAN
add address=192.168.1.58 client-id=1:0:1e:ec:50:53:a1 mac-address=\
    00:1E:EC:50:53:A1 server=dhcp-LAN
add address=192.168.1.73 client-id=1:18:ee:69:4e:f7:3b mac-address=\
    18:EE:69:4E:F7:3B server=dhcp-LAN
add address=192.168.1.57 client-id=1:54:35:30:71:a:e3 mac-address=\
    54:35:30:71:0A:E3 server=dhcp-LAN
add address=192.168.1.59 client-id=1:34:2:86:5b:2a:1b mac-address=\
    34:02:86:5B:2A:1B server=dhcp-LAN
add address=192.168.1.38 client-id=1:dc:71:44:4d:c7:46 mac-address=\
    DC:71:44:4D:C7:46 server=dhcp-LAN
add address=192.168.1.81 always-broadcast=yes client-id=1:0:1e:c2:9e:58:cb \
    mac-address=00:1E:C2:9E:58:CB server=dhcp-LAN
add address=192.168.1.82 always-broadcast=yes client-id=1:0:1e:c2:7:e4:79 \
    mac-address=00:1E:C2:07:E4:79 server=dhcp-LAN
add address=192.168.1.79 always-broadcast=yes client-id=1:dc:41:5f:1d:2:15 \
    mac-address=DC:41:5F:1D:02:15 server=dhcp-LAN
add address=192.168.1.55 always-broadcast=yes client-id=1:54:4:a6:1c:c1:20 \
    mac-address=54:04:A6:1C:C1:20 server=dhcp-LAN
add address=192.168.1.100 client-id=1:0:1d:60:36:88:93 mac-address=\
    00:1D:60:36:88:93 server=dhcp-LAN
add address=192.168.1.74 always-broadcast=yes client-id=1:dc:9b:9c:a:d7:66 \
    mac-address=DC:9B:9C:0A:D7:66 server=dhcp-LAN
add address=192.168.1.78 always-broadcast=yes client-id=1:1c:5c:f2:49:9e:3a \
    mac-address=1C:5C:F2:49:9E:3A server=dhcp-LAN
add address=192.168.1.42 always-broadcast=yes client-id=1:f4:f2:6d:13:d8:ad \
    mac-address=F4:F2:6D:13:D8:AD server=dhcp-LAN
add address=192.168.1.43 client-id=1:b8:27:eb:d6:8:18 mac-address=\
    B8:27:EB:D6:08:18 server=dhcp-LAN
add address=192.168.1.44 client-id=1:b8:27:eb:ed:6e:25 mac-address=\
    B8:27:EB:ED:6E:25 server=dhcp-LAN
add address=192.168.1.41 mac-address=02:19:04:80:E0:FC server=dhcp-LAN
add address=192.168.1.39 always-broadcast=yes client-id=1:88:83:5d:3f:a3:84 \
    mac-address=88:83:5D:3F:A3:84 server=dhcp-LAN
add address=192.168.1.49 client-id=1:f8:d0:27:e5:10:d5 mac-address=\
    F8:D0:27:E5:10:D5 server=dhcp-LAN
add address=192.168.1.29 always-broadcast=yes comment=XXXXXXXXXXXXXXXXXXXX mac-address=\
    00:19:BA:0B:30:F5 server=dhcp-LAN
add address=10.90.90.2 always-broadcast=yes comment=SkyQ mac-address=\
    20:47:ED:F8:5E:DA server=dhcp-SkyQ
add address=192.168.1.45 client-id=1:dc:56:e7:47:e4:1f mac-address=\
    DC:56:E7:47:E4:1F server=dhcp-LAN
add address=192.168.1.25 client-id=1:80:5e:c0:14:c4:33 comment=\
    "Yealink Negozio" mac-address=80:5E:C0:14:C4:33 server=dhcp-LAN
add address=10.90.90.3 always-broadcast=yes comment="Mini Camera" \
    mac-address=20:47:ED:F0:4A:52 server=dhcp-SkyQ
add address=192.168.1.32 client-id=1:0:1d:ec:a:6d:df mac-address=\
    00:1D:EC:0A:6D:DF server=dhcp-LAN
add address=192.168.1.72 client-id=1:3c:2e:ff:1a:c2:a8 mac-address=\
    3C:2E:FF:1A:C2:A8 server=dhcp-LAN
add address=192.168.1.211 mac-address=4E:FA:EB:1D:ED:4C server=dhcp-LAN
# NOTE(review): these two static leases are bound to server=dhcp-GUEST but hand
# out 192.168.1.x addresses, i.e. the LAN subnet, while the guest pool and
# vlan12-Guest use 10.10.15.0/24. The "DROP da GUEST a LAN" forward rule matches
# on src-address=10.10.15.0/24, so a guest-side host holding a 192.168.1.x
# address would not be matched by it. Confirm whether server=dhcp-LAN was
# intended.
add address=192.168.1.226 client-id=1:d8:8f:76:32:18:e3 mac-address=\
    D8:8F:76:32:18:E3 server=dhcp-GUEST
add address=192.168.1.218 client-id=1:ec:9b:f3:7a:69:20 mac-address=\
    EC:9B:F3:7A:69:20 server=dhcp-GUEST
add address=192.168.1.76 client-id=1:d0:2b:20:c7:41:f2 mac-address=\
    D0:2B:20:C7:41:F2 server=dhcp-LAN
add address=192.168.1.26 client-id=1:0:21:29:1f:85:26 comment=\
    "LynkSys PAP NEGOZIO" mac-address=00:21:29:1F:85:26 server=dhcp-LAN
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.15.0/24 gateway=10.10.15.1
add address=10.90.90.0/28 gateway=10.90.90.1
add address=15.15.30.0/24 gateway=15.15.30.1
add address=90.90.90.0/24 gateway=90.90.90.1
add address=172.16.0.0/24 comment="hotspot network" gateway=172.16.0.1
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.15.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.15.1
add address=192.168.61.0/24 gateway=192.168.61.1
/ip dns
set cache-max-ttl=5m servers=8.8.8.8
# Static address lists referenced by the firewall.
# NOTE(review): every entry below carries disabled=yes, so allow-ip,
# Reti_Pubbliche_WISP and Reti_Private_WISP are effectively empty. Filter rules
# that match on these lists (the Block_*_internal_AS output rules) therefore
# match nothing as posted. The brute-force lists used by the filter
# (IP_BlackList, ssh_stage1, ...) are not defined here; they are filled
# dynamically by add-*-to-address-list rules.
/ip firewall address-list
add address=10.0.0.0/8 disabled=yes list=allow-ip
add address=10.10.15.0/24 disabled=yes list=allow-ip
add address=10.34.2.0/23 disabled=yes list=allow-ip
add address=10.90.90.0/24 disabled=yes list=allow-ip
add address=10.90.90.0/28 disabled=yes list=allow-ip
add address=10.255.255.245 disabled=yes list=allow-ip
add address=192.168.1.0/24 disabled=yes list=allow-ip
add address=192.168.30.0/24 disabled=yes list=allow-ip
add address=192.168.50.0/24 disabled=yes list=allow-ip
add address=192.168.55.0/24 disabled=yes list=allow-ip
add address=192.168.61.0/24 disabled=yes list=allow-ip
add address=192.168.62.0/24 disabled=yes list=allow-ip
add address=192.168.70.0/24 disabled=yes list=allow-ip
add address=92.245.170.0/23 disabled=yes list=Reti_Pubbliche_WISP
add address=92.245.172.0/23 disabled=yes list=Reti_Pubbliche_WISP
add address=212.69.136.0/21 disabled=yes list=Reti_Pubbliche_WISP
add address=89.32.156.0/22 disabled=yes list=Reti_Pubbliche_WISP
add address=89.36.204.0/22 disabled=yes list=Reti_Pubbliche_WISP
add address=46.102.112.0/22 disabled=yes list=Reti_Pubbliche_WISP
add address=185.39.24.0/22 disabled=yes list=Reti_Pubbliche_WISP
add address=79.143.112.0/21 disabled=yes list=Reti_Pubbliche_WISP
add address=91.231.172.0/23 disabled=yes list=Reti_Pubbliche_WISP
add address=87.252.106.0/23 disabled=yes list=Reti_Pubbliche_WISP
add address=185.84.84.0/22 disabled=yes list=Reti_Pubbliche_WISP
add address=10.0.0.0/8 disabled=yes list=Reti_Private_WISP
# Packet filter as posted. Each chain is evaluated top-down and stops at the
# first rule with a terminating action (accept/drop); add-*-to-address-list
# rules do not terminate, so the packet carries on to the next rule.
# NOTE(review): no rule in this section accepts
# connection-state=established,related, and neither input nor forward ends with
# a catch-all drop. Anything not explicitly dropped below is therefore accepted,
# and every packet of every flow is compared against the rule list. An early
# established/related accept (optionally fasttrack-connection on forward)
# followed by a final drop is the usual layout; it also bears on the CPU load
# asked about in this thread.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# "Block EVERYTHING from LAN to GUEST" - disabled.
add action=drop chain=forward comment="Blocco TUTTO da LAN a GUEST" disabled=\
    yes dst-address=10.10.15.0/24 src-address=192.168.1.0/24
# NOTE(review): accepts IKE / L2TP / NAT-T UDP on input from every interface and
# source. Because this accept sits above them, the later drop on
# src-address-list=l2tp-brutforce for these UDP ports and the probe1/probe2
# staging on udp/1701 can never match. udp/1701 is also accepted whether or not
# it arrived inside IPsec; whether plain L2TP is refused depends on the L2TP
# server settings, which are not visible here.
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
# The two rules below admit one MAC address from 10.10.15.0/24 and
# 10.90.90.0/24 into 192.168.1.0/24 (the comment text describes the opposite
# direction). NOTE(review): a source MAC is not an authenticator - any host on
# the same L2 segment can set it - so treat this as a convenience exception,
# not an access control.
add action=accept chain=forward comment=\
    "ACCETTA da LAN solo verso il dispositivo XX:XX:XX:XX:X di GUEST" \
    dst-address=192.168.1.0/24 src-address=10.10.15.0/24 src-mac-address=\
    20:47:ED:F8:5E:DA
add action=accept chain=forward comment=\
    "ACCETTA da LAN solo verso il dispositivo XX:XX:XX:XX:X di GUEST" \
    dst-address=192.168.1.0/24 src-address=10.90.90.0/24 src-mac-address=\
    20:47:ED:F8:5E:DA
# Without an established/related accept above, these two drops also discard the
# reply packets of connections that LAN hosts open toward those subnets.
add action=drop chain=forward comment="DROP da GUEST a LAN" dst-address=\
    192.168.1.0/24 src-address=10.10.15.0/24
add action=drop chain=forward comment="DROP da SkyQ a LAN" dst-address=\
    192.168.1.0/24 src-address=10.90.90.0/24
# Both rules below are disabled. NOTE(review): if both were enabled, a packet
# from either permitted MAC would still be dropped by the other rule, because
# each rule drops everything that is not its own MAC.
add action=drop chain=forward comment="DROP da LAN a Security" disabled=yes \
    dst-address=90.90.90.11 log=yes src-address=192.168.1.0/24 \
    src-mac-address=!F4:6D:04:96:B6:94
add action=drop chain=forward comment="DROP da LAN a Security" disabled=yes \
    dst-address=90.90.90.11 log=yes src-address=192.168.1.0/24 \
    src-mac-address=!3C:2E:FF:97:AA:A5
# Management access from the LAN VLAN. The /ip service section of this export
# disables both ssh and telnet, so this accept currently guards closed ports.
add action=accept chain=input comment="ACCEPT SSH e TELNET da Bridge-LAN" \
    dst-port=22-23 in-interface=vlan11-LAN protocol=tcp
# tcp/80 handling: drop from PPPoE, accept from LAN, drop everything else.
add action=drop chain=input comment="DROOP 80 from PPPOE" dst-port=80 \
    in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input comment="ACCEPT 80 from LAN" dst-port=80 \
    in-interface=vlan11-LAN protocol=tcp
# NOTE(review): this catch-all for tcp/80 makes the later
# "ACCEPT 80 from L2TP" rule (in-interface=all-ppp) unreachable.
add action=drop chain=input comment="DROOP ALL 80 " dst-port=80 protocol=tcp
add action=drop chain=input dst-port=22-23 protocol=tcp src-address-list=\
    IP_BlackList
# FTP failed-login limiter on the output chain: up to the dst-limit rate the
# "530 Login incorrect" replies are accepted, beyond it the next rule adds the
# client to FTP_BlackList.
# NOTE(review): chain=output only sees packets generated by the router itself,
# and the router's ftp service is disabled in /ip service. The FTP servers
# published through dst-nat (NAS1/NAS2) are forwarded traffic and are presumably
# not covered by these rules or by the input-chain rules on port 21 - confirm.
# content= also inspects packet payload, which costs CPU.
add action=accept chain=output comment="Drop FTP Brute Forcers" content=\
    "530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=FTP_BlackList \
    address-list-timeout=1d chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input dst-port=21 protocol=tcp src-address-list=\
    FTP_BlackList
# NOTE(review): this first SSH/Telnet staging set is listed in ascending order
# (stage 1, 2, 3, blacklist). Since these rules do not terminate and list
# additions appear to take effect immediately, a single new connection matches
# all four in sequence and lands in IP_BlackList on its first attempt. The
# ssh_stage set further down is listed in reverse (blacklist first, stage1
# last), which advances one stage per new connection.
add action=add-src-to-address-list address-list=SSH_BlackList_1 \
    address-list-timeout=1m chain=input comment=\
    "Drop SSH&TELNET Brute Forcers" connection-state=new dst-port=22-23 \
    protocol=tcp
add action=add-src-to-address-list address-list=SSH_BlackList_2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22-23 \
    protocol=tcp src-address-list=SSH_BlackList_1
add action=add-src-to-address-list address-list=SSH_BlackList_3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22-23 \
    protocol=tcp src-address-list=SSH_BlackList_2
add action=add-src-to-address-list address-list=IP_BlackList \
    address-list-timeout=1d chain=input connection-state=new dst-port=22-23 \
    protocol=tcp src-address-list=SSH_BlackList_3
# Second staging set, one group per service (ssh, telnet, winbox, ftp). Each
# group counts new connections, not failed logins: the fourth new connection
# within the 1m stage timeouts puts the source on the blacklist for 1w3d.
# It duplicates the SSH/Telnet set above on ports 22 and 23.
add action=drop chain=input comment=drop_ssh_brute_forcers dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input comment=drop_telnet_brute_forcers dst-port=23 \
    protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp
# NOTE(review): Winbox (tcp/8291) is only rate-staged here. No rule limits it
# to a LAN interface and the input chain has no final drop, so it is reachable
# from pppoe-out1 until a source trips the blacklist. /ip service in this export
# shows no change to winbox, so presumably it is enabled without an address
# restriction - confirm. Limiting it to LAN/VPN sources is the stronger control.
add action=drop chain=input comment=drop_winbox_brute_forcers dst-port=8291 \
    protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp
add action=drop chain=input comment=drop_ftp_brute_forcers dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=add-src-to-address-list address-list=ftp_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=21 \
    protocol=tcp src-address-list=ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=21 \
    protocol=tcp src-address-list=ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=21 \
    protocol=tcp src-address-list=ftp_stage1
add action=add-src-to-address-list address-list=ftp_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=21 \
    protocol=tcp
# Drops port 4145 (tcp and udp) on input; the export records no reason.
# NOTE(review): 4145 was widely reported as the SOCKS port left enabled on
# RouterOS devices tampered with in 2018. If that is why this rule exists,
# reviewing /ip socks, /system scheduler and /system script for entries nobody
# here created tells more than the filter rule does.
add action=drop chain=input dst-port=4145 protocol=tcp
add action=drop chain=input dst-port=4145 protocol=udp
# Output-chain blocks for management ports toward the WISP address lists.
# NOTE(review): all entries of Reti_Pubbliche_WISP and Reti_Private_WISP are
# disabled in /ip firewall address-list, so these rules match nothing as posted.
add action=drop chain=output comment=Block_Telnet_internal_AS \
    dst-address-list=Reti_Pubbliche_WISP dst-port=23 protocol=tcp \
    src-address-list=Reti_Pubbliche_WISP
add action=drop chain=output comment=Block_SSH_internal_AS dst-address-list=\
    Reti_Pubbliche_WISP dst-port=22 protocol=tcp src-address-list=\
    Reti_Pubbliche_WISP
add action=drop chain=output comment=Block_FTP_internal_AS dst-address-list=\
    Reti_Pubbliche_WISP dst-port=21 protocol=tcp src-address-list=\
    Reti_Pubbliche_WISP
add action=drop chain=output comment=Block_Winbox_internal_AS \
    dst-address-list=Reti_Pubbliche_WISP dst-port=8291 protocol=tcp \
    src-address-list=Reti_Pubbliche_WISP
add action=drop chain=output comment=Block_Telnet_internal_AS \
    dst-address-list=Reti_Private_WISP dst-port=23 protocol=tcp
add action=drop chain=output comment=Block_SSH_internal_AS dst-address-list=\
    Reti_Private_WISP dst-port=22 protocol=tcp
# Unreachable: the "DROOP ALL 80" rule earlier in the input chain already drops
# every tcp/80 packet, including those arriving on PPP interfaces.
add action=accept chain=input comment="ACCEPT 80 from L2TP" dst-port=80 \
    in-interface=all-ppp protocol=tcp
add action=drop chain=output comment=Block_Winbox_internal_AS \
    dst-address-list=Reti_Private_WISP dst-port=8291 protocol=tcp
add action=drop chain=output comment=Block_FTP_internal_AS dst-address-list=\
    Reti_Private_WISP dst-port=21 protocol=tcp
# L2TP/IPsec accepts on the PPPoE uplink. The three UDP rules repeat what the
# interface-less accept for udp 500,1701,4500 near the top already allows.
add action=accept chain=input comment="VPN L2TP UDP 500" dst-port=500 \
    in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="VPN L2TP UDP 1701" dst-port=1701 \
    in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="VPN L2TP 4500" dst-port=4500 \
    in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="VPN L2TP ESP" in-interface=pppoe-out1 \
    protocol=ipsec-esp
add action=accept chain=input comment="VPN L2TP AH" in-interface=pppoe-out1 \
    protocol=ipsec-ah
# NOTE(review): L2TP brute-force protection. As ordered, the drops and the
# probe1/probe2 staging below sit after the accepts above, so for UDP
# 500/1701/4500 (any interface) and for ESP arriving on pppoe-out1 they are
# never evaluated. To take effect they would have to precede those accepts.
add action=drop chain=input comment="L2TP brutforce IP IPSec drop" \
    connection-state=new log=yes protocol=ipsec-esp src-address-list=\
    l2tp-brutforce
add action=drop chain=input comment="L2TP brutforce IP drop" \
    connection-state=new dst-port=1701,500,4500 log=yes protocol=udp \
    src-address-list=l2tp-brutforce
add action=add-src-to-address-list address-list=l2tp-brutforce \
    address-list-timeout=2w chain=input comment="L2TP brutforce IP to list" \
    connection-state=new dst-port=1701 protocol=udp src-address-list=probe2
add action=add-src-to-address-list address-list=probe2 address-list-timeout=\
    1m chain=input comment="L2TP brutforce protection stage 2" \
    connection-state=new dst-port=1701 protocol=udp src-address-list=probe1
add action=add-src-to-address-list address-list=probe1 address-list-timeout=\
    1m chain=input comment="L2TP brutforce protection stage 1" \
    connection-state=new dst-port=1701 protocol=udp
# "v2" staging keyed on the router's own replies containing "M=bad" (output
# chain), listed blacklist-first. These rules still fill l2tp-brutforce, but the
# drops that consume that list are shadowed as described above.
add action=add-dst-to-address-list address-list=l2tp-brutforce \
    address-list-timeout=1m chain=output comment=\
    "L2TP-brutforce protection stage 3 v2" content="M=bad" dst-address-list=\
    l2tp-brutforce-level2
add action=add-dst-to-address-list address-list=l2tp-brutforce-level2 \
    address-list-timeout=1m chain=output comment=\
    "L2TP-brutforce protection stage 2  v2" content="M=bad" dst-address-list=\
    l2tp-brutforce-level1
add action=add-dst-to-address-list address-list=l2tp-brutforce-level1 \
    address-list-timeout=1m chain=output comment=\
    "L2TP-brutforce protection stage 1  v2" content="M=bad"
# Single mangle rule, disabled: it would mark traffic from 10.90.90.2-10.90.90.14
# with routing mark L2TPVPN, the mark used by the first entry in /ip route.
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    L2TPVPN passthrough=no src-address=10.90.90.2-10.90.90.14
# NAT rules: srcnat/masquerade rewrites the source of outgoing traffic, dstnat
# publishes internal hosts on the PPPoE uplink.
# NOTE(review): none of the enabled dst-nat rules carries src-address or
# src-address-list, and the forward chain of this export has no rule restricting
# traffic that arrives on pppoe-out1, so every published port is open to any
# Internet source. An L2TP/IPsec VPN is already configured on this router;
# reaching the admin-type services (NAS web UI, FTP, DVR, Homebridge) through it,
# or restricting the rules to a source list, would shrink the exposure.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# "*F" (and "*30" further down) look like internal IDs that RouterOS prints
# when the referenced interface no longer exists - presumably stale; confirm.
add action=accept chain=dstnat disabled=yes in-interface=*F src-address=\
    192.168.1.31
add action=accept chain=dstnat disabled=yes in-interface=vlan11-LAN \
    src-address=192.168.1.41
add action=accept chain=dstnat disabled=yes in-interface=vlan11-LAN \
    src-address=192.168.1.31
add action=masquerade chain=srcnat comment=IP_ePMP1000 out-interface=\
    ether5-WAN
add action=masquerade chain=srcnat comment=IP_ePMP1000 out-interface=\
    vlan20-PPPoE
add action=masquerade chain=srcnat comment=PPPOE out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=L2TP disabled=yes out-interface=\
    *30
add action=masquerade chain=srcnat comment=GUEST-VLAN out-interface=\
    vlan11-LAN src-address=10.10.15.0/24
# NOTE(review): the masquerade rules below match on destination only, with no
# out-interface. Hosts in those networks see every connection as coming from
# the router, so their own logs and per-source access rules lose the real
# client address.
add action=masquerade chain=srcnat dst-address=192.168.50.0/24
add action=masquerade chain=srcnat dst-address=10.90.90.50
add action=masquerade chain=srcnat dst-address=192.168.70.0/24
add action=masquerade chain=srcnat dst-address=192.168.15.0/24
add action=masquerade chain=srcnat dst-address=192.168.20.0/24
add action=masquerade chain=srcnat dst-address=192.168.10.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.61.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.61.200
add action=masquerade chain=srcnat dst-address=192.168.62.0/24
add action=masquerade chain=srcnat dst-address=192.168.62.254
# Port forwards from the PPPoE uplink to internal hosts.
add action=dst-nat chain=dstnat comment=VPN dst-port=1193 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.1.31 to-ports=1193
add action=dst-nat chain=dstnat comment="VPN .41" dst-port=1199 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.1.41
add action=dst-nat chain=dstnat comment=Voip_Tel_Stef disabled=yes dst-port=\
    5071 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.43 \
    to-ports=5060
add action=dst-nat chain=dstnat comment=Voip_Tel_Stef disabled=yes dst-port=\
    5071 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.43 \
    to-ports=5061
add action=dst-nat chain=dstnat comment=Voip_Tel_Stef disabled=yes dst-port=\
    5361 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.43
add action=dst-nat chain=dstnat comment=Voip_Tel_Stef disabled=yes dst-port=\
    5060 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.43
# 192.168.1.1 is the gateway handed out for 192.168.1.0/24, so this presumably
# forwards tcp/1190 to the router itself - confirm which service listens there.
add action=dst-nat chain=dstnat comment=VPN dst-port=1190 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.1.1
add action=dst-nat chain=dstnat comment=VPN dst-port=443 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.1.31 to-ports=443
add action=dst-nat chain=dstnat comment="eMule .41" dst-port=4711-4712 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.41
add action=dst-nat chain=dstnat comment="eMule .41" dst-port=5041 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.41
add action=dst-nat chain=dstnat comment="eMule .41" dst-port=5046 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.41
add action=dst-nat chain=dstnat comment="eMule .41" dst-port=5049 \
    in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.41
add action=dst-nat chain=dstnat comment="eMule .51" dst-port=11051 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.51
add action=dst-nat chain=dstnat comment="eMule .51" dst-port=11052 \
    in-interface=pppoe-out1 protocol=udp to-addresses=192.168.1.51
add action=dst-nat chain=dstnat comment="Torrent .51" dst-port=10051 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.51
add action=dst-nat chain=dstnat comment="PlexServer .41" dst-port=32400 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.41 to-ports=\
    32400
add action=dst-nat chain=dstnat comment=Homebridge dst-port=8080 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.42 to-ports=\
    8080
# NOTE(review): the next three rules publish a NAS web interface on internal
# port 80 and two FTP servers on internal port 21. Both are normally cleartext,
# so credentials cross the Internet unencrypted unless the devices add TLS
# themselves - confirm on the NAS side.
add action=dst-nat chain=dstnat comment="WEBIF NAS2" dst-port=8022 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.22 to-ports=\
    80
add action=dst-nat chain=dstnat comment="FTP NAS2" dst-port=2122 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.22 to-ports=\
    21
add action=dst-nat chain=dstnat comment="FTP NAS1" dst-port=21 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.1.21 to-ports=21
add action=dst-nat chain=dstnat comment="WakeUP .51" dst-port=7 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.1.51 to-ports=7
add action=dst-nat chain=dstnat comment="WakeUP .51" dst-port=9 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.1.51 to-ports=9
add action=dst-nat chain=dstnat comment="WakeUP .100" dst-port=90 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.100 to-ports=\
    90
add action=dst-nat chain=dstnat comment="Transmission .41" dst-port=51413 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.41 to-ports=\
    51413
add action=dst-nat chain=dstnat comment="uTorrent .100" dst-port=50100 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.100 to-ports=\
    50100
add action=dst-nat chain=dstnat comment=DVR dst-port=8333 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.30.240 to-ports=8333
add action=dst-nat chain=dstnat comment=DVR dst-port=5333 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.30.240 to-ports=5333
add action=dst-nat chain=dstnat comment="eMule .81" dst-port=10381 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.81 to-ports=\
    10381
add action=dst-nat chain=dstnat comment=uTorrent.100 dst-port=10100 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.100 to-ports=\
    10100
# Same match (tcp/10051 on pppoe-out1 to 192.168.1.51) as the "Torrent .51"
# rule above, which terminates first; this copy never matches.
add action=dst-nat chain=dstnat comment=uTorrent.51 dst-port=10051 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.51
add action=dst-nat chain=dstnat comment=uTorrent.55 dst-port=10155 \
    in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.55
add action=dst-nat chain=dstnat comment=echolink dst-port=5198 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.1.222 to-ports=5198
add action=dst-nat chain=dstnat comment=echolink dst-port=5199 in-interface=\
    pppoe-out1 protocol=udp to-addresses=192.168.1.222 to-ports=5199
add action=dst-nat chain=dstnat comment=echolink dst-port=5200 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.1.222 to-ports=5200
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.10.98.0/23
# Disabled: would forward every port arriving on pppoe-out1 to 192.168.0.199.
add action=dst-nat chain=dstnat comment="DMZ .199" disabled=yes in-interface=\
    pppoe-out1 to-addresses=192.168.0.199
# Disabled masquerade-everything rule; its comment reads
# "CAUSES FIREWALL PROBLEMS".
add action=masquerade chain=srcnat comment="PROVOCA PROBLEMI FIREWALL" \
    disabled=yes
# Hotspot settings: the FTP service-port helper is disabled, the walled-garden
# placeholder is disabled, and one walled-garden IP entry accepts traffic to
# 172.16.0.1 (the gateway of the "hotspot network" DHCP range).
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=172.16.0.1
# IPsec responder for the L2TP VPN: passive peer that accepts IKE from any
# address (0.0.0.0/0) and generates policies on demand (port-strict).
# NOTE(review): authentication rests on one pre-shared secret (masked in the
# post) shared by every client, and the proposal lives in profile_1, which is
# not visible here. With the peer open to the whole Internet, the length and
# randomness of that secret and the algorithms in profile_1 are what protect
# the tunnel - confirm both.
/ip ipsec peer
add address=0.0.0.0/0 generate-policy=port-strict passive=yes profile=\
    profile_1 secret=***************
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Web proxy: only the listening port differs from defaults. "enabled" is not
# shown, so the proxy is presumably off - confirm.
# NOTE(review): if it is ever enabled, nothing in the input chain of this export
# keeps tcp/41258 closed on pppoe-out1 (there is no catch-all drop), which would
# make it an open proxy.
/ip proxy
set port=41258
# Static routes. The first entry is the default route for routing mark L2TPVPN;
# its gateway "*30" looks like an internal ID left behind by an interface that
# no longer exists (the same ID appears in a disabled NAT rule) - presumably
# stale; confirm.
/ip route
add distance=1 gateway=*30 routing-mark=L2TPVPN
add distance=1 dst-address=10.34.2.38/32 gateway=10.34.2.35
add distance=2 dst-address=10.90.90.0/24 gateway=vlan11-LAN
add distance=1 dst-address=169.254.1.1/32 gateway=vlan11-LAN
add distance=1 dst-address=192.168.1.37/32 gateway=192.168.1.31
add distance=1 dst-address=192.168.10.1/32 gateway=192.168.10.2
add distance=1 dst-address=192.168.10.1/32 gateway=192.168.10.254
add distance=1 dst-address=192.168.20.1/32 gateway=192.168.50.17
add distance=1 dst-address=192.168.20.20/32 gateway=192.168.20.254
add distance=1 dst-address=192.168.55.0/24 gateway=192.168.1.11
add distance=1 dst-address=192.168.70.0/24 gateway=192.168.1.238
# Router management services: telnet, ftp and ssh are disabled.
# NOTE(review): www, winbox, api and api-ssl do not appear, so presumably they
# are still at their defaults (enabled, no address restriction) - confirm. The
# filter rules in this export handle tcp/80 and stage tcp/8291, but no rule
# mentions the API ports and the input chain has no final drop. Setting
# address= on each enabled service, or disabling the unused ones, closes that
# independently of the firewall.
# With ssh, telnet and ftp disabled here, the brute-force staging rules for
# ports 21-23 in the input chain protect closed ports and only add per-packet
# work.
/ip service
set telnet disabled=yes
set ftp disabled=yes port=2180
set ssh disabled=yes
# One L2TP user (name and password masked by the poster) bound to profile
# L2TP-VPN, followed by clock, identity and NTP client settings.
/ppp secret
add name=XXXXXX password=XXXXXXXXXXXXXXXXXXXX profile=L2TP-VPN service=l2tp
/system clock
set time-zone-name=Europe/Zurich
/system identity
set name=XXXXXXXXXXXXXXXXX
/system ntp client
set enabled=yes primary-ntp=193.204.114.232
# Scheduled jobs: a disabled No-IP DDNS updater, two daily jobs that change the
# max-limit of the simple queue commented UBUNTU (07:30 and 01:30), and a job
# that runs the fetch_new script every 5 minutes.
# NOTE(review): the Day, Night and fetch_new entries carry nearly every policy
# (ftp, reboot, password, sniff, sensitive, ... and romon on fetch_new). A
# queue change presumably needs only read,write, and a DDNS fetch only a small
# subset - confirm against the documentation for this RouterOS version and trim
# the rest, so that a modified on-event cannot do more than the job requires.
/system scheduler
add comment="Update No-IP DDNS" disabled=yes interval=5m name=\
    no-ip_ddns_update on-event=no-ip_ddns_update policy=read,write,test \
    start-date=feb/26/2017 start-time=17:42:17
add interval=1d name=Day on-event=\
    "/queue simple\r\
    \nset [find comment=UBUNTU] max-limit=256K/8M\r\
    \n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=jan/01/1970 start-time=07:30:00
add interval=1d name=Night on-event=\
    "/queue simple\r\
    \nset [find comment=UBUNTU] max-limit=5M/0\r\
    \n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=jan/01/1970 start-time=01:30:00
add interval=5m name=fetch_new on-event=fetch_new policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/07/2018 start-time=09:25:15
# fetch_new: dynamic-DNS update. Calls /tool fetch against the
# freedns.afraid.org update URL (token masked by the poster) and discards the
# response (keep-result=no).
# NOTE(review): the update token travels in the URL, and the fetch call does not
# set check-certificate, so presumably the server certificate is not verified -
# confirm the default for this RouterOS version. Without verification an on-path
# party could read the token despite https. The script also carries the same
# near-complete policy set as its scheduler entry; a DDNS update needs far less.
/system script
add dont-require-permissions=no name=fetch_new owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch host=\"freedns.afraid.org\" url=\"https://freedns.afraid.org/dy\
    namic/update.php\\\?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\" keep-result=\
    no\r\
    \n"
   
