# This is the core router at the office
# NOTE(review): this export still carries the serial number, software id, public IPs,
# a PPP user name and an employee name in an address-list; redact those before sharing
# a configuration publicly.
# nov/22/2021 16:14:54 by RouterOS 6.49
# software id = R38N-59QM
#
# model = 2011UiAS
# serial number = 8C1B09809B79
/interface ethernet
# ether1 is the link toward the Core router (10.0.0.2/29 is assigned on it below).
# NOTE(review): proxy-arp makes this router answer ARP on the Core link for any address it
# has a route to; confirm the Core side depends on that, otherwise plain arp=enabled is the
# safer default.
set [ find default-name=ether1 ] arp=proxy-arp comment="to Core" speed=\
100Mbps
# ether2-ether10 are administratively disabled. They are still listed as bridge ports
# further down, which looks like leftover default configuration.
set [ find default-name=ether2 ] disabled=yes speed=100Mbps
set [ find default-name=ether3 ] disabled=yes speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
# sfp1 carries the ISP uplink; the PPPoE client pppoe-out1 runs on top of it.
set [ find default-name=sfp1 ] comment="to DCDI"
/interface pppoe-client
# PPPoE session to the ISP over sfp1; it installs the default route. The PPPoE password is
# not present in this export (presumably exported with hide-sensitive) and "pppoe@user"
# reads like a placeholder identity — confirm before reusing this export on another box.
add add-default-route=yes disabled=no interface=sfp1 name=pppoe-out1 user=\
pppoe@user
/interface list
# Default WAN/LAN lists; the firewall input chain below keys entirely on membership in
# these lists, so the "member" stanza further down decides what counts as trusted.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Only the default profile's supplicant identity is set; no wlan interface appears in this
# export, so this stanza is inert here.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp: leftover default pool for 192.168.88.0/24 (no address in that subnet is
# configured on this router in this export).
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# vpn_pool: addresses handed to OVPN clients via ovpn_profile.
add name=vpn_pool ranges=10.0.150.0/24
/ip dhcp-server
# NOTE(review): this server has no interface= and the router has no 192.168.88.x address
# in this export, so it is presumably a non-functional defconf leftover; remove it rather
# than leave a DHCP server that could start answering if a bridge is re-added.
add address-pool=default-dhcp disabled=no name=defconf
/ppp profile
# Profile for OVPN clients: addresses from vpn_pool on both ends, IPv6 off, and the DNS
# server pushed to clients is 10.0.100.5 behind the Core router.
# NOTE(review): nothing in this export references ovpn_profile — neither the ovpn-server
# stanza (no default-profile=) nor the "jordan" secret (no profile=) — so the "default"
# profile presumably applies to VPN sessions instead. Confirm which one is intended.
add dns-server=10.0.100.5 local-address=vpn_pool name=ovpn_profile \
remote-address=vpn_pool use-ipv6=no
/user group
# Built-in "full" group with every policy, which appears to match what RouterOS 6.49 ships
# by default. User accounts themselves are not visible in this export; audit /user so that
# only the accounts that need it sit in this group.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# NOTE(review): these port entries carry no bridge= attribute and no bridge interface
# exists in this export, so they are presumably invalid leftovers from the default
# configuration (all of these ethers are disabled above). Remove them to avoid surprises
# if a bridge is ever added back.
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6
add interface=ether7
add interface=ether8
add interface=ether9
add interface=ether10
/ip neighbor discovery-settings
# MNDP/CDP/LLDP neighbor discovery only on LAN-list interfaces, so the router does not
# announce itself (model, version, identity) toward the ISP.
set discover-interface-list=LAN
/interface list member
# NOTE(review): this first entry has no interface= — a dangling member, presumably left
# behind when its interface (a bridge?) was removed. Delete it.
add list=LAN
add interface=pppoe-out1 list=WAN
add interface=sfp1 list=WAN
# ether1 (the Core link) is in LAN, so the input chain's final "!LAN" drop does not apply
# to it: the Core side, and anything the Core routes here, gets full access to this
# router's management services (winbox, ssh, DNS). ether2 is disabled.
add interface=ether1 list=LAN
add interface=ether2 list=LAN
/interface ovpn-server server
# OVPN server (TCP/1194 by default in this RouterOS version) with client certificates
# required, AES-256 and an HMAC-SHA1 auth digest. It listens on all interfaces, but the
# only input rule accepting 1194 from pppoe-out1 is disabled below, so in this export it is
# reachable solely via LAN-list interfaces (the Core link).
# NOTE(review): mode=ethernet (TAP) normally needs a bridge to attach client sessions to,
# and no bridge exists here — verify a client can actually pass traffic. sha1 is presumably
# the strongest auth digest this RouterOS 6 build offers for OVPN; confirm in the UI.
set auth=sha1 certificate=ovpn_server cipher=aes256 enabled=yes mode=ethernet \
require-client-certificate=yes
/ip address
# Point-to-point link to the Core router (gateway 10.0.0.1 in /ip route).
# NOTE(review): the comment says "/30" but the prefix configured is /29 (10.0.0.0-.7);
# make the comment and the Core side agree so nobody later "fixes" the wrong one.
add address=10.0.0.2/29 comment="/30 route to Core" interface=ether1 network=\
10.0.0.0
/ip dhcp-server network
# DHCP options for the (leftover) 192.168.88.0/24 scope. Clients would be handed the public
# resolvers directly, bypassing this router's DNS cache and the router.lan static entry.
# No 192.168.88.1 address is configured on this router in this export.
add address=192.168.88.0/24 comment=local dns-server=1.1.1.1,8.8.8.8 gateway=\
192.168.88.1
/ip dns
# The router acts as a caching resolver (allow-remote-requests=yes) forwarding to public
# upstreams. Only the input chain's final "drop all not coming from LAN" rule keeps this
# from being an open resolver on pppoe-out1 — any later input accept placed above that
# rule for udp/53 would expose it to the internet.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip dns static
# Default router.lan entry. NOTE(review): 192.168.88.1 is not an address of this router in
# this export (it only has 10.0.0.2/29), so the name resolves to nothing reachable.
add address=192.168.88.1 name=router.lan
/ip firewall address-list
# "Makayla": a single employee address; no firewall rule in this export references it
# (the disabled OVPN input rule would be the natural consumer).
add address=75.174.14.139 comment="Employees" list=Makayla
# "Unwanted": also unreferenced — the input-chain drop for 212.0.0.0/8 below uses a literal
# src-address instead of src-address-list=Unwanted.
add address=212.0.0.0/8 list=Unwanted
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# Disabled. With it off, OVPN (tcp/1194) arriving on pppoe-out1 is dropped by the final
# "!LAN" rule even though the OVPN server is enabled. If it is re-enabled, add a
# src-address-list restriction (the unused "Makayla" list above would fit) rather than
# accepting 1194 from the whole internet.
add action=accept chain=input comment=OVPN disabled=yes dst-port=1194 \
in-interface=pppoe-out1 log=yes log-prefix=" ! ovpn !" protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Whole-/8 drops. They sit after the established/related accept, so they only affect NEW
# connections. 212.0.0.0/8 duplicates the "Unwanted" address-list defined above;
# matching on src-address-list=Unwanted would keep one place to edit.
add action=drop chain=input comment="hackers(lol)" src-address=\
212.0.0.0/8
add action=drop chain=input comment="hackers(lol)" src-address=\
27.0.0.0/8
# ICMP to the router is accepted from anywhere, unrated.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Final input rule: anything not arriving on a LAN-list interface (ether1 to Core, ether2)
# is dropped. This one rule is what keeps winbox (address=0.0.0.0/0 in /ip service), the
# DNS resolver (allow-remote-requests=yes) and the OVPN server off the internet — keep it
# last and never add an accept below it.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# fasttrack bypasses the rest of the filter for established/related flows.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# New connections from WAN pass only if a dst-nat rule matched them, so every enabled
# dst-nat rule in /ip firewall nat is reachable from any internet source. Nothing here
# restricts LAN-to-LAN or VPN-to-LAN traffic; segmentation, if any, lives on the Core.
# The MY-IP-LIST address-list filled by the firehol-blocklist script is not referenced by
# any rule in this export, so that blocklist is not enforced.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving a WAN-list interface (pppoe-out1, sfp1); traffic that
# matches an outbound IPsec policy is left un-NATed.
add action=masquerade chain=srcnat comment="LAN NAT" ipsec-policy=out,none \
out-interface-list=WAN
# PBX at 10.0.200.200 (reached via the Core router). None of these rules carries a
# src-address or src-address-list, so SIP signalling (udp+tcp/5060, tcp/5070), RTP
# (udp/15000-15511) and the web ports 8443/8043/8081 are open to the entire internet.
# SIP exposed this way is a routine target for registration brute-forcing and toll fraud:
# limit 5060/5070/RTP to the SIP trunk provider's addresses (an address-list) and put the
# web UIs behind the VPN or the same list.
add action=dst-nat chain=dstnat comment="start PBX ports" dst-port=8443 \
in-interface-list=WAN protocol=tcp to-addresses=10.0.200.200 to-ports=\
8443
add action=dst-nat chain=dstnat dst-port=8043 in-interface-list=WAN protocol=\
tcp to-addresses=10.0.200.200 to-ports=8043
add action=dst-nat chain=dstnat dst-port=2088 in-interface-list=WAN protocol=\
udp to-addresses=10.0.200.200 to-ports=2088
add action=dst-nat chain=dstnat dst-port=8081 in-interface-list=WAN protocol=\
tcp to-addresses=10.0.200.200 to-ports=8081
add action=dst-nat chain=dstnat dst-port=5060 in-interface-list=WAN protocol=\
udp to-addresses=10.0.200.200 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface-list=WAN protocol=\
tcp to-addresses=10.0.200.200 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5070 in-interface-list=WAN protocol=\
tcp to-addresses=10.0.200.200 to-ports=5070
add action=dst-nat chain=dstnat dst-port=15000-15511 in-interface-list=WAN \
protocol=udp to-addresses=10.0.200.200 to-ports=15000-15511
# NVR at 10.0.230.200: web/management ports 7080, 7443, 7445-7447 exposed to any source.
# Restrict by src-address-list or move behind the VPN; camera systems are poor candidates
# for direct internet exposure.
add action=dst-nat chain=dstnat comment="start NVR ports" dst-port=7080 \
in-interface-list=WAN protocol=tcp to-addresses=10.0.230.200 to-ports=\
7080
add action=dst-nat chain=dstnat dst-port=7443 in-interface-list=WAN protocol=\
tcp to-addresses=10.0.230.200 to-ports=7443
add action=dst-nat chain=dstnat dst-port=7445 in-interface-list=WAN protocol=\
tcp to-addresses=10.0.230.200 to-ports=7445
add action=dst-nat chain=dstnat dst-port=7446 in-interface-list=WAN protocol=\
tcp to-addresses=10.0.230.200 to-ports=7446
add action=dst-nat chain=dstnat dst-port=7447 in-interface-list=WAN protocol=\
tcp to-addresses=10.0.230.200 to-ports=7447
# Disabled forwards for RDS (443), RDP (3389), a Sophos box (4444) and SSH (22). Note the
# two patterns: the 3389 rule with src-address=96.18.88.44 is the safe form; the other
# 3389 and 22 rules have no source restriction and would expose RDP/SSH to everyone the
# moment they are re-enabled — add a src-address(-list) first. The rules matching
# in-interface=pppoe-out1 (instead of in-interface-list=WAN) stop matching if the uplink
# ever moves to another WAN-list interface.
add action=dst-nat chain=dstnat comment="start RDS ports" disabled=yes \
dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=10.0.100.6 \
to-ports=443
add action=dst-nat chain=dstnat comment="rdp to .5 from WAN" disabled=yes \
dst-port=3389 in-interface-list=WAN protocol=tcp to-addresses=10.0.100.5 \
to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
pppoe-out1 protocol=tcp src-address=96.18.88.44 to-addresses=10.0.100.6 \
to-ports=3389
add action=dst-nat chain=dstnat comment="Sophos (\?)" disabled=yes dst-port=\
4444 in-interface=pppoe-out1 protocol=tcp to-addresses=10.0.0.3 to-ports=\
4444
add action=dst-nat chain=dstnat disabled=yes dst-port=22 in-interface-list=\
WAN protocol=tcp to-addresses=10.0.100.190 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface-list=\
WAN protocol=tcp to-addresses=10.0.5.7 to-ports=3389
/ip route
# Static routes for the internal /24s (servers, PBX, NVR) and a public /29 via the Core
# router at 10.0.0.1 on the ether1 link. The default route comes from pppoe-out1.
# All inter-subnet filtering therefore happens on the Core, not on this edge box.
add distance=1 dst-address=10.0.5.0/24 gateway=10.0.0.1
add distance=1 dst-address=10.0.100.0/24 gateway=10.0.0.1
add distance=1 dst-address=10.0.200.0/24 gateway=10.0.0.1
add distance=1 dst-address=10.0.230.0/24 gateway=10.0.0.1
# Public block routed inward; presumably a DMZ / the Sophos segment — confirm its purpose.
add distance=1 dst-address=208.98.183.168/29 gateway=10.0.0.1
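/ip service
# Management plane. Telnet is cleartext and ssh is already available to exactly the same
# source addresses, so telnet is disabled outright instead of merely address-restricted.
set telnet address=10.0.0.0/8,192.168.0.0/16,67.215.46.70/32 disabled=yes
set ftp disabled=yes
set www disabled=yes
# ssh limited to the internal ranges plus 67.215.46.70, which from the rest of this export
# appears to be the office's own public address. Note that the input chain drops non-LAN
# traffic anyway, so these filters are defence in depth, not the primary control.
set ssh address=10.0.0.0/8,192.168.0.0/16,67.215.46.70/32
set api disabled=yes
# Winbox previously accepted any source (0.0.0.0/0); only the input chain's final "!LAN"
# drop kept it off the internet. Pin it to the same management sources as ssh so a
# firewall reorder or a stray accept does not expose it.
set winbox address=10.0.0.0/8,192.168.0.0/16,67.215.46.70/32
set api-ssl disabled=yes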
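/ip ssh
# allow-none-crypto=yes let an SSH client negotiate the "none" cipher, i.e. an
# unencrypted session; turn it off and prefer the stronger cipher/MAC/DH set.
# forwarding-enabled=remote lets an authenticated ssh user open listening ports on the
# router that tunnel into the LAN — kept as-is on the assumption this box is used as a
# jump host; set it to no if that is not the case.
set allow-none-crypto=no forwarding-enabled=remote strong-crypto=yes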
/lcd
# Front-panel LCD of the 2011UiAS; only the screen-cycle interval is changed here.
set time-interval=hour
/ppp secret
# OVPN user "jordan"; the password is not in this export. No profile= is given, so the
# "default" profile (not ovpn_profile) applies. local-address is set to 67.215.46.70 —
# from the rest of this export apparently the office public IP — and remote-address
# 10.0.100.237 lies inside 10.0.100.0/24, which is routed via the Core; confirm the Core
# side expects that address to appear on the VPN rather than on its own segment.
add local-address=67.215.46.70 name=jordan remote-address=10.0.100.237 \
service=ovpn
/system clock
# Fixed timezone; correct time matters for certificate validation (OVPN client certs) and
# log correlation.
set time-zone-autodetect=no time-zone-name=America/Boise
/system identity
set name=ASE-Edge
/system ntp client
# Plain (unauthenticated) NTP against two fixed public addresses; if either is
# decommissioned the clock drifts silently — consider pool hostnames.
set enabled=yes primary-ntp=72.87.88.202 secondary-ntp=208.79.89.249
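/system script
# firehol-blocklist: parses the file firehol_level1.netset (one prefix per line, lines
# starting with '#' skipped) into the MY-IP-LIST address-list, first removing the previous
# entries. Downloading the file is not done here — presumably a scheduler with /tool fetch
# that is not part of this export.
# Policy trimmed to read,write: the script only reads a file and edits an address-list, yet
# it previously ran with policy,password,sensitive,sniff,ftp,reboot and romon as well. Any
# scheduler entry that runs it must itself carry at least read,write.
# NOTE(review): MY-IP-LIST is not referenced by any firewall rule in this export. Before
# using it on input/forward, inspect the list: firehol_level1 is a bogon/abuse feed and is
# reported to include RFC1918 space, which matched on src-address would cut off the Core
# link and LAN management. Also check on the real file that lines end in LF only (a
# trailing CR would be passed to address-list add) and how the last line without a
# newline behaves, since :find returns nil there and the loop arithmetic does not guard it.
add dont-require-permissions=no name=firehol-blocklist owner=admin policy=\
read,write source="#\
# Generic IP address list input\r\
\n ## Based on a script written by Sam Norris, ChangeIP.com 2008\r\
\n ## Edited by Andrew Cox, AccessPlus.com.au 2008\r\
\n :if ( [/file get [/file find name=firehol_level1.netset] size] > 0 ) \
do={\r\
\n # Remove exisiting addresses from the current Address list\r\
\n /ip firewall address-list remove [/ip firewall address-list find list\
=MY-IP-LIST]\r\
\n \r\
\n :global content [/file get [/file find name=firehol_level1.netset] co\
ntents] ;\r\
\n :global contentLen [ :len \$content ] ;\r\
\n \r\
\n :global lineEnd 0;\r\
\n :global line \"\";\r\
\n :global lastEnd 0;\r\
\n \r\
\n :do {\r\
\n :set lineEnd [:find \$content \"\\n\" \$lastEnd ] ;\r\
\n :set line [:pick \$content \$lastEnd \$lineEnd] ;\r\
\n :set lastEnd ( \$lineEnd + 1 ) ;\r\
\n #If the line doesn't start with a hash then process and add to \
the list\r\
\n :if ( [:pick \$line 0 1] != \"#\" ) do={\r\
\n \r\
\n :local entry [:pick \$line 0 \$lineEnd ]\r\
\n :if ( [:len \$entry ] > 0 ) do={\r\
\n /ip firewall address-list add list=MY-IP-LIST address=\$entry\
\r\
\n }\r\
\n }\r\
\n } while (\$lineEnd < \$contentLen)\r\
\n }"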
/tool mac-server
# MAC-telnet and MAC-winbox (layer-2, unauthenticated discovery path) limited to LAN-list
# interfaces; note ether1 toward the Core is in LAN, so the Core segment can use them.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# This is the LTE wAP Kit US' config
# NOTE(review): this export still carries the serial number, software id and the bridge
# admin MAC; redact those before sharing a configuration publicly.
# nov/22/2021 18:22:44 by RouterOS 6.49
# software id = LZXF-3J9P
#
# model = RBwAPR-2nD
# serial number = E3530D55B9E5
/interface lte
# LTE modem is the only WAN. network-mode allows fallback all the way to 2G (gsm).
# NOTE(review): 2G offers no network authentication, so a fake base station can force a
# downgrade and intercept traffic; if coverage allows, restrict to network-mode=lte (or
# 3g,lte) — presumably the carrier has little GSM left anyway, but verify on site.
set [ find ] name=lte1 network-mode=gsm,3g,lte
/interface bridge
# Single LAN bridge (ether1 + wlan1) with a fixed admin MAC so the LAN-side address does
# not change across reboots.
add admin-mac=08:55:31:D9:27:A7 auto-mac=no comment=defconf name=bridge
/interface wireless
# 2.4 GHz access point on the LAN bridge. The SSID is still the factory-style
# "MikroTik-<MAC suffix>", which advertises the vendor (and therefore the management
# surface) to anyone in range; renaming it is cheap. The security profile used is the
# default one (WPA2-PSK, see below); the passphrase is not in this export.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=outdoor mode=\
ap-bridge ssid=MikroTik-D927A8 station-roaming=enabled wireless-protocol=\
802.11
/interface list
# Default WAN/LAN lists; the firewall below keys on membership (bridge = LAN, lte1 = WAN).
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
# Verizon "vzwstatic" APN, which presumably assigns a static, publicly routable address —
# meaning the dst-nat forwards and any accepted input rule below are reachable from the
# internet, not just from inside the carrier network.
set [ find default=yes ] apn=we01.vzwstatic
/interface wireless security-profiles
# Default profile: WPA2-PSK only (no WPA1, no EAP), dynamic keys. The pre-shared key is not
# in this export; ensure it is long and random since it is the only barrier onto the LAN
# bridge, from which management of this device is fully reachable.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
/system logging action
# Disk logging action enlarged to 50000 lines per file; logs stay local to the device
# (no remote syslog target appears in this export).
set 1 disk-lines-per-file=50000
/user group
# Built-in "full" group with every policy, which appears to match the RouterOS 6.49
# default. User accounts are not visible in this export; audit /user separately.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# Wired port and the AP radio share one L2 segment; anything on the Wi-Fi is on the same
# footing as the wired devices at 192.168.1.51/.52.
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
# Neighbor discovery only on LAN-list interfaces (the bridge), not toward the carrier.
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
# LAN address 192.168.1.1/24 on the bridge. No DHCP server is configured in this export,
# so LAN hosts (192.168.1.51/.52, the iPad range) are presumably statically addressed.
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dns
# Caching resolver for the LAN (upstream servers presumably learned from the LTE session).
# NOTE(review): the input rule below that accepts everything from the "Verizon"
# address-list also admits udp/53, so this resolver is usable by any Verizon-sourced host
# for amplification — restrict that rule to management ports.
set allow-remote-requests=yes
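/ip dns static
# router.lan must point at this device's own LAN address. The default entry still carried
# 192.168.88.1, but the bridge is addressed 192.168.1.1/24 above, so the name resolved to
# an address nobody here answers on.
add address=192.168.1.1 comment=defconf name=router.lan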
/ip firewall address-list
# "Verizon": carrier aggregates used by the input chain to decide who may manage this
# device. These are very large blocks (97.128.0.0/9 alone is roughly 8 million addresses),
# i.e. every Verizon subscriber, not just the administrator's handset. 67.215.46.70 is the
# office address (comment on the rule that uses this list).
add address=174.192.0.0/10 list=Verizon
add address=66.174.0.0/16 list=Verizon
add address=69.96.0.0/13 list=Verizon
add address=70.192.0.0/11 list=Verizon
add address=97.128.0.0/9 list=Verizon
add address=67.215.46.70 list=Verizon
# "iPad": LAN range whose forward traffic is dropped below.
add address=192.168.1.90-192.168.1.99 list=iPad
/ip firewall filter
# --- input chain: traffic addressed to the device itself ---
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Drops unsolicited ICMP from WAN except from 1.1.1.1 (the watchdog target) and the
# Verizon list. Replies to the watchdog's own pings are already accepted as established
# above, so the 1.1.1.1 exception only matters for echo requests originating there.
add action=drop chain=input comment="drop WAN ICMP" in-interface-list=WAN \
protocol=icmp src-address=!1.1.1.1 src-address-list=!Verizon
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): this accepts EVERY protocol and port on the device from the "Verizon"
# address-list, i.e. from any Verizon subscriber plus the office IP: winbox, ssh, www,
# telnet, ftp, api, the DNS resolver (allow-remote-requests=yes above) and anything else
# listening. No /ip service stanza appears in this export, so services are presumably at
# RouterOS defaults (all of them enabled, on all addresses). Narrow this rule to the
# management ports actually used, e.g. add `protocol=tcp dst-port=8291,22`, disable
# unused services in /ip service, and consider a separate small list for the office IP.
add action=accept chain=input comment=\
"allow from Verizon and Office, need to add Sparklight" \
in-interface-list=WAN src-address-list=Verizon
# Final input rule: everything else not from a LAN-list interface (the bridge) is dropped.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# --- forward chain: traffic routed through the device ---
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Blocks new connections from the iPad range (192.168.1.90-99). It sits after the
# fasttrack/established accept, so flows that already existed when the list entry was
# added keep passing until they time out.
add action=drop chain=forward comment="drop all ipad traffic" \
in-interface-list=LAN src-address-list=iPad
# New connections from WAN pass only when a dst-nat rule matched them; the 4001/4002
# forwards below are therefore reachable from any internet source (the vzwstatic APN
# implies a public static address).
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving the LTE interface.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
# tcp+udp 4001 -> 192.168.1.51 and 4002 -> 192.168.1.52, from any WAN source. Whatever
# listens there (the rules give no hint) is directly internet-exposed; add a
# src-address-list (the Verizon list, or better a narrower one) to each rule, or run the
# service over the VPN instead.
add action=dst-nat chain=dstnat dst-port=4001 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.1.51 to-ports=4001
add action=dst-nat chain=dstnat dst-port=4001 in-interface-list=WAN protocol=\
udp to-addresses=192.168.1.51 to-ports=4001
add action=dst-nat chain=dstnat dst-port=4002 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.1.52 to-ports=4002
add action=dst-nat chain=dstnat dst-port=4002 in-interface-list=WAN protocol=\
udp to-addresses=192.168.1.52 to-ports=4002
/system clock
# Timezone only; no NTP client stanza appears in this export, so the clock source is
# presumably whatever the LTE modem or defaults provide — worth confirming for log times.
set time-zone-name=America/New_York
/system identity
set name=NickelFarms-11and12-AP
/system watchdog
# Ping watchdog: the device reboots itself when 1.1.1.1 stops answering. Useful against a
# wedged LTE modem, but note it also reboots on any upstream outage, and it depends on the
# ICMP rule above continuing to let 1.1.1.1 replies through (they pass as established).
set watch-address=1.1.1.1
/tool mac-server
# MAC-telnet and MAC-winbox limited to LAN-list interfaces (the bridge, which includes
# the Wi-Fi) — anyone on the WLAN can reach the layer-2 management path.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Let me know if you need anything else.