Thu Sep 19, 2019 11:44 pm
here are my configs
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf fast-forward=no \
name=bridge
/interface pptp-server
add name=Advcom user=xxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge name=2GHZ ssid=xxxx wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
5GHZ ssid=Home wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add enc-algorithm=aes-256,aes-128,3des name=profile1
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.253
add name=VPN ranges=10.0.0.1,10.0.0.254
add add-arp=yes address-pool=dhcp always-broadcast=yes disabled=no interface=\
bridge lease-time=1d name=defconf
/ppp profile
add local-address=dhcp name=VPN remote-address=VPN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2GHZ
add bridge=bridge comment=defconf interface=5GHZ
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Advcom list=VPN
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=VPN enabled=yes \
max-mru=1400 max-mtu=1400
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.100.254/24 comment=defconf interface=ether2 network=\
192.168.100.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.100.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="accept vpn" in-interface-list=VPN
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NVR NAT RULE" disabled=yes dst-port=\
80,6036,554,443 in-interface=ether1 protocol=tcp to-addresses=\
192.168.100.150
add action=masquerade chain=srcnat comment="VPN MASK" out-interface-list=VPN
add action=masquerade chain=srcnat out-interface=Advcom src-address=\
192.168.100.0/24
/ip firewall service-port
set ftp ports=70
/ip route
add distance=1 gateway=169.1.254.1
add comment="VPN ACCESS ROUTE" distance=1 dst-address=192.168.1.0/24 gateway=\
10.0.0.1
add distance=1 dst-address=192.168.100.0/24 gateway=169.1.254.1
/ip service
set telnet port=90
set ftp port=43
set ssh port=68
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*4
/ppp secret
add local-address=192.168.100.1 name=admin profile=VPN remote-address=10.0.0.1 \
service=pptp
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Turnberry
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN