# model = CCR1016-12G
# Bridge and physical ports: creates bridge1 and labels the main WAN (ether4),
# backup WAN (ether2), Wi-Fi uplink (ether8) and LAN (ether11) ports.
# NOTE(review): arp=proxy-arp makes the router answer ARP on behalf of other
# hosts. On bridge1 this is presumably for the OpenVPN clients, whose pool
# (10.1.1.191-199) is carved out of the LAN /24 — confirm. ether9 and ether10
# carry no address in this export, so the need for proxy-arp there is not
# visible; arp=enabled is the safer setting if it is not required.
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
# NOTE(review): the names set here ("WAN - Ether4", " Ether2") differ from the
# ones used later under /ip dhcp-client (" WAN - Ether4") and /ip firewall nat
# ("Kujtesa WAN - Ether4", "Telkos Ether2"). This looks like uneven redaction
# of provider names; as written those later references would not resolve on
# import — verify against the live device.
set [ find default-name=ether4 ] comment="Main WAN" name="WAN - Ether4"
set [ find default-name=ether2 ] comment="Backup WAN" name=" Ether2"
set [ find default-name=ether8 ] comment="Wifi Link - Ether 8" name=Wifi
set [ find default-name=ether9 ] arp=proxy-arp
set [ find default-name=ether10 ] arp=proxy-arp
set [ find default-name=ether11 ] arp=proxy-arp comment=LAN
# VLAN sub-interfaces: VLAN 101 (guest Wi-Fi) on the Wifi port, and VLANs
# 10-170 (steps of 10) plus VLAN 1000 on ether11.
# NOTE(review): ether11 is also added to bridge1 under /interface bridge port.
# MikroTik documents VLAN interfaces on a bridge member port as a layer-2
# misconfiguration (tagged frames may never reach the VLAN interface); the
# usual fix is to attach the VLANs to bridge1 instead — confirm on the device.
# NOTE(review): vlan1000 has no address, pool or DHCP server in this export.
/interface vlan
add interface=Wifi name=Vlan101-WifiGuest vlan-id=101
add interface=ether11 name=vlan10 vlan-id=10
add interface=ether11 name=vlan20 vlan-id=20
add interface=ether11 name=vlan30 vlan-id=30
add interface=ether11 name=vlan40 vlan-id=40
add interface=ether11 name=vlan50 vlan-id=50
add interface=ether11 name=vlan60 vlan-id=60
add interface=ether11 name=vlan70 vlan-id=70
add interface=ether11 name=vlan80 vlan-id=80
add interface=ether11 name=vlan90 vlan-id=90
add interface=ether11 name=vlan100 vlan-id=100
add interface=ether11 name=vlan110 vlan-id=110
add interface=ether11 name=vlan120 vlan-id=120
add interface=ether11 name=vlan130 vlan-id=130
add interface=ether11 name=vlan140 vlan-id=140
add interface=ether11 name=vlan150 vlan-id=150
add interface=ether11 name=vlan160 vlan-id=160
add interface=ether11 name=vlan170 vlan-id=170
add interface=ether11 name=vlan1000 vlan-id=1000
# Default wireless security profile: only the supplicant identity is set.
# No authentication mode or key appears in this export, and no wireless
# interface is configured in the visible sections.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools handed out by the DHCP servers and the OpenVPN profile.
# NOTE(review): openvpn-pool (10.1.1.191-199) sits inside the LAN subnet
# 10.1.1.0/24, directly after dhcp_pool1. VPN clients therefore share the
# subnet of the servers listed in the static leases (10.1.1.5/.10/.19), and no
# enabled filter rule separates them. A dedicated VPN subnet would let the
# firewall scope what remote users can reach.
/ip pool
add name=dhcp_pool1 ranges=10.1.1.11-10.1.1.190
add name=openvpn-pool ranges=10.1.1.191-10.1.1.199
add name=dhcp_pool3 ranges=192.168.100.2-192.168.100.200
add name=dhcp_pool11 ranges=192.168.101.20-192.168.101.200
add name=dhcp_pool12 ranges=10.1.10.100-10.1.10.120
add name=dhcp_pool13 ranges=10.1.20.100-10.1.20.120
add name=dhcp_pool14 ranges=10.1.30.100-10.1.30.120
add name=dhcp_pool15 ranges=10.1.70.100-10.1.70.120
add name=dhcp_pool16 ranges=10.1.80.100-10.1.80.120
add name=dhcp_pool17 ranges=10.1.90.100-10.1.90.120
add name=dhcp_pool18 ranges=10.1.100.100-10.1.100.120
add name=dhcp_pool19 ranges=10.1.110.100-10.1.110.120
add name=dhcp_pool20 ranges=10.1.120.100-10.1.120.120
add name=dhcp_pool21 ranges=10.1.130.100-10.1.130.120
add name=dhcp_pool22 ranges=10.1.140.100-10.1.140.120
add name=dhcp_pool23 ranges=10.1.150.100-10.1.150.120
add name=dhcp_pool24 ranges=10.1.160.100-10.1.160.120
add name=dhcp_pool25 ranges=10.1.170.100-10.1.170.120
add name=dhcp_pool26 ranges=10.1.40.100-10.1.40.120
add name=dhcp_pool27 ranges=10.1.50.100-10.1.50.120
add name=dhcp_pool28 ranges=10.1.60.100-10.1.60.120
# DHCP servers: one per segment (LAN bridge, Wi-Fi, guest Wi-Fi, each VLAN),
# each bound to the matching pool from /ip pool.
/ip dhcp-server
# LAN server. conflict-detection=no means the server does not probe whether an
# address is already in use before leasing it.
add address-pool=dhcp_pool1 allow-dual-stack-queue=no conflict-detection=no \
disabled=no interface=bridge1 lease-time=1d10m name="LAN dhcp" src-address=\
10.1.1.1
# NOTE(review): VPN-dhcp has no interface= and no disabled=no, so it is
# presumably inactive; its src-address 10.1.2.1 is not configured on any
# interface in this export — confirm whether this entry is a leftover.
add address-pool=openvpn-pool name=VPN-dhcp src-address=10.1.2.1
add address-pool=dhcp_pool3 disabled=no interface=Wifi lease-time=1d10m name=\
"Wifi dhcp" src-address=192.168.100.1
# Guest Wi-Fi uses a shorter lease (2h10m) than the other segments.
add address-pool=dhcp_pool11 disabled=no interface=Vlan101-WifiGuest lease-time=\
2h10m name="WifiGuest dhcp"
# Per-VLAN servers, all with a 23h59m lease.
add address-pool=dhcp_pool12 disabled=no interface=vlan10 lease-time=23h59m name=\
vlan10-dhcp
add address-pool=dhcp_pool13 disabled=no interface=vlan20 lease-time=23h59m name=\
vlan20-dhcp
add address-pool=dhcp_pool14 disabled=no interface=vlan30 lease-time=23h59m name=\
vlan30-dhcp
add address-pool=dhcp_pool15 disabled=no interface=vlan70 lease-time=23h59m name=\
vlan70-dhcp
add address-pool=dhcp_pool16 disabled=no interface=vlan80 lease-time=23h59m name=\
vlan80-dhcp
add address-pool=dhcp_pool17 disabled=no interface=vlan90 lease-time=23h59m name=\
vlan90-dhcp
add address-pool=dhcp_pool18 disabled=no interface=vlan100 lease-time=23h59m name=\
vlan100-dhcp
add address-pool=dhcp_pool19 disabled=no interface=vlan110 lease-time=23h59m name=\
vlan110-dhcp
add address-pool=dhcp_pool20 disabled=no interface=vlan120 lease-time=23h59m name=\
vlan120-dhcp
add address-pool=dhcp_pool21 disabled=no interface=vlan130 lease-time=23h59m name=\
vlan130-dhcp
add address-pool=dhcp_pool22 disabled=no interface=vlan140 lease-time=23h59m name=\
vlan140-dhcp
add address-pool=dhcp_pool23 disabled=no interface=vlan150 lease-time=23h59m name=\
vlan150-dhcp
add address-pool=dhcp_pool24 disabled=no interface=vlan160 lease-time=23h59m name=\
vlan160-dhcp
add address-pool=dhcp_pool25 disabled=no interface=vlan170 lease-time=23h59m name=\
vlan170-dhcp
add address-pool=dhcp_pool26 disabled=no interface=vlan40 lease-time=23h59m name=\
vlan40-dhcp
add address-pool=dhcp_pool27 disabled=no interface=vlan50 lease-time=23h59m name=\
vlan50-dhcp
add address-pool=dhcp_pool28 disabled=no interface=vlan60 lease-time=23h59m name=\
vlan60-dhcp
# PPP profile used by the OpenVPN server: the router end is 10.1.1.1, clients
# get an address from openvpn-pool and 10.1.1.10 as DNS (the host labelled
# "Domain Controller" in the static DHCP leases).
/ppp profile
add dns-server=10.1.1.10 local-address=10.1.1.1 name=openvpn-profile remote-address=\
openvpn-pool
# Bandwidth shaping: three parent simple queues (10.1.0.0/16, Wi-Fi, guest
# Wi-Fi), PCQ queue types that cap each address individually, then child
# queues that attach the PCQ types to the parents.
/queue simple
add comment="Bandwidth total " name="Total Bandwidth" target=\
10.1.0.0/16
add comment="Bandwidth total WIFI" name="Bandwidthi total WIFI" target=\
192.168.100.0/24
add comment="Bandwidth total WIFI" name="Bandwitdhi total WifiGuest" target=\
192.168.101.0/24
# PCQ types: dst-address classifies download, src-address classifies upload;
# pcq-rate is the per-address cap.
/queue type
add kind=pcq name=pcq-download-user pcq-classifier=dst-address pcq-rate=20M
add kind=pcq name=pcq-upload-user pcq-classifier=src-address pcq-rate=20M
add kind=pcq name=pcq-download-vip100 pcq-classifier=dst-address pcq-rate=100M
add kind=pcq name=pcq-upload-vip100 pcq-classifier=src-address pcq-rate=100M
add kind=pcq name=pcq-download-wifiuser pcq-classifier=dst-address pcq-rate=15M
add kind=pcq name=pcq-upload-wifiuser pcq-classifier=src-address pcq-rate=10M
add kind=pcq name=pcq-download-vip100-wifi pcq-classifier=dst-address pcq-rate=100M
add kind=pcq name=pcq-upload-vip100-wifi pcq-classifier=src-address pcq-rate=100M
# Child queues. Simple queues are evaluated in order, so the /32 exception for
# 10.1.10.102 is listed before the 10.1.0.0/16 catch-all.
# NOTE(review): the Wi-Fi children reference parent="Bandwidth total WIFI" and
# parent="Bandwitdh total WifiGuest", but the parents above are named
# "Bandwidthi total WIFI" and "Bandwitdhi total WifiGuest". As written these
# parent references would not resolve on import — verify the real names.
/queue simple
add comment="UP dhe DOWN " name="IP 100up-100down" parent=\
"Total Bandwidth" queue=pcq-upload-vip100/pcq-download-vip100 target=\
10.1.10.102/32
add comment="UP DOWN Wifi" disabled=yes name=\
"UP DOWN Wifi" packet-marks="" parent=\
"Bandwidth total WIFI" queue=pcq-upload-vip100-wifi/pcq-download-vip100-wifi \
target=192.168.100.135/32
add comment="Limit for each user max. 20U and 20D " name=" Users" parent=\
"Total Bandwidth" queue=pcq-upload-user/pcq-download-user target=10.1.0.0/16
add comment="Limit for each wifi user max. 10U and 15D " name=" Wifi Users" \
parent="Bandwidth total WIFI" queue=pcq-upload-wifiuser/pcq-download-wifiuser \
target=192.168.100.0/24
add comment="Limit for each wifi user max. 10U and 15D " name=\
"Wifi Guest Users" parent="Bandwitdh total WifiGuest" queue=\
pcq-upload-wifiuser/pcq-download-wifiuser target=192.168.101.0/24
# Remote syslog target at 10.1.1.250.
# NOTE(review): this only defines the action; no /system logging rule that
# sends topics to RemoteLog is visible in this export, so nothing may actually
# be forwarded — confirm. RouterOS remote logging is plain syslog over UDP by
# default, so the collector should sit on a trusted segment.
/system logging action
add name=RemoteLog remote=10.1.1.250 target=remote
# Policy set of the built-in "full" group: every permission, including login
# over telnet and ftp, the API, RoMON, packet sniffing and access to sensitive
# values.
# NOTE(review): telnet and ftp carry credentials in clear text. No /ip service
# section is visible in this export, so those services are presumably at their
# defaults — confirm they are disabled or restricted to management addresses,
# and give day-to-day accounts a narrower custom group than "full".
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,w\
eb,sniff,sensitive,api,romon,dude,tikapp"
# bridge1 membership: ether11 is the only port added in this export.
/interface bridge port
add bridge=bridge1 interface=ether11
# NOTE(review): "!dynamic" enables neighbor discovery on every non-dynamic
# interface, which includes both WAN ports. Discovery announcements disclose
# the router's identity and software details to whoever is upstream; limiting
# this to an interface list that contains only internal ports is the usual
# hardening step.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# NOTE(review): Wifi is not listed as a bridge1 port and bridge1 is created
# without vlan-filtering in this export, so this VLAN-table entry presumably
# has no effect — confirm.
/interface bridge vlan
add bridge=bridge1 tagged=Wifi vlan-ids=101
# OpenVPN server: enabled, server certificate "Server", clients must present a
# certificate, sessions use openvpn-profile.
# NOTE(review): auth=sha1 with cipher=aes256 is the legacy HMAC-SHA1 / AES-CBC
# pairing. If the installed RouterOS release offers a SHA-2 digest or an AEAD
# cipher, prefer those — check what this version supports. No enabled
# /ip firewall filter input rule is visible, so nothing here limits which
# source addresses can reach the VPN listener.
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 default-profile=openvpn-profile \
enabled=yes require-client-certificate=yes
# Gateway addresses: the router takes .1 in every /24 — LAN bridge, Wi-Fi,
# guest Wi-Fi and VLANs 10-170. Because every segment terminates on this
# router, it routes between all of them unless /ip firewall filter forward
# rules say otherwise (all such rules in this export are disabled).
/ip address
add address=10.1.1.1/24 comment="LAN bridge" interface=bridge1 network=10.1.1.0
add address=192.168.100.1/24 comment="Gateway Wifi" interface=Wifi network=\
192.168.100.0
add address=192.168.101.1/24 comment="Gateway Wifi Guest" interface=\
Vlan101-WifiGuest network=192.168.101.0
add address=10.1.10.1/24 comment="VLAN 10 - Network" interface=vlan10 network=\
10.1.10.0
add address=10.1.20.1/24 comment="VLAN 20 - Network" interface=vlan20 network=\
10.1.20.0
add address=10.1.30.1/24 comment="VLAN 30 - Network" interface=vlan30 network=\
10.1.30.0
add address=10.1.40.1/24 comment="VLAN 40 - Network" interface=vlan40 network=\
10.1.40.0
add address=10.1.50.1/24 comment="VLAN 50 - Network" interface=vlan50 network=\
10.1.50.0
add address=10.1.60.1/24 comment="VLAN 60 - Network" interface=vlan60 network=\
10.1.60.0
add address=10.1.70.1/24 comment="VLAN 70 - Network" interface=vlan70 network=\
10.1.70.0
add address=10.1.80.1/24 comment="VLAN 80 - Network" interface=vlan80 network=\
10.1.80.0
add address=10.1.90.1/24 comment="VLAN 90 - Network" interface=vlan90 network=\
10.1.90.0
add address=10.1.100.1/24 comment="VLAN 100 - Network" interface=vlan100 network=\
10.1.100.0
add address=10.1.110.1/24 comment="VLAN 110 - Network" interface=vlan110 network=\
10.1.110.0
add address=10.1.120.1/24 comment="VLAN 120 - Network" interface=vlan120 network=\
10.1.120.0
add address=10.1.130.1/24 comment="VLAN 130 - Network" interface=vlan130 network=\
10.1.130.0
add address=10.1.140.1/24 comment="VLAN 140 - Network" interface=vlan140 network=\
10.1.140.0
add address=10.1.150.1/24 comment="VLAN 150 - Network" interface=vlan150 network=\
10.1.150.0
add address=10.1.160.1/24 comment="VLAN 160 - Network" interface=vlan160 network=\
10.1.160.0
add address=10.1.170.1/24 comment="VLAN 170 - Network" interface=vlan170 network=\
10.1.170.0
# WAN DHCP clients. The backup WAN client is enabled but does not install a
# default route (the backup default route is static, under /ip route).
# NOTE(review): the second client has no disabled=no, so it is presumably
# disabled, and its interface name " WAN - Ether4" differs from the name set
# under /interface ethernet ("WAN - Ether4") — verify on the device.
/ip dhcp-client
add add-default-route=no disabled=no interface=" Ether2"
add interface=" WAN - Ether4"
# Static DHCP reservations for servers and one VLAN 170 device.
# The "Domain Controller" entry names no server=, unlike the other three.
# NOTE(review): a reservation ties an address to a MAC but is not access
# control — a host can still configure any address statically. The MAC
# addresses and host roles below are also worth redacting before a config is
# shared outside the organisation.
/ip dhcp-server lease
add address=10.1.1.5 client-id=1:68:5:ca:1a:bb:b9 comment="HyperV Server Host" \
mac-address=68:05:CA:1A:BB:B9 server="LAN dhcp"
add address=10.1.1.10 comment="Domain Controller" mac-address=00:15:5D:01:F3:00
add address=10.1.1.19 client-id=1:74:46:a0:91:5b:75 comment="File Server" \
mac-address=74:46:A0:91:5B:75 server="LAN dhcp"
add address=10.1.170.102 client-id=1:94:99:1:8:6a:f comment=" Device" \
mac-address=94:99:01:08:6A:0F server=vlan170-dhcp
# DHCP options per subnet: gateway is the router's .1 address in each network.
/ip dhcp-server network
# NOTE(review): this entry has no address= and an unusable gateway (0.0.0.1);
# it looks like a leftover — confirm and remove if unused.
add gateway=0.0.0.1
# LAN and VLANs 10-160 receive the internal resolver 10.1.1.10 first, followed
# by public resolvers.
# NOTE(review): with public fallbacks in the list, clients may send queries
# (including internal host names) to the public resolvers and bypass any
# logging or filtering done on 10.1.1.10. Handing out only internal resolvers
# keeps name resolution in one controlled place.
add address=10.1.1.0/24 dns-server=10.1.1.10,8.8.8.8 gateway=10.1.1.1
add address=10.1.10.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.10.1
add address=10.1.20.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.20.1
add address=10.1.30.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.30.1
add address=10.1.40.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.40.1
add address=10.1.50.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.50.1
add address=10.1.60.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.60.1
add address=10.1.70.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.70.1
add address=10.1.80.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.80.1
add address=10.1.90.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.90.1
add address=10.1.100.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.100.1
add address=10.1.110.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.110.1
add address=10.1.120.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.120.1
add address=10.1.130.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.130.1
add address=10.1.140.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.140.1
add address=10.1.150.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.150.1
add address=10.1.160.0/24 dns-server=10.1.1.10,8.8.8.8,8.8.4.4 gateway=10.1.160.1
# VLAN 170 and both Wi-Fi networks receive public resolvers only.
add address=10.1.170.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.170.1
add address=192.168.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1
add address=192.168.101.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.101.1
# Upstream resolvers used by the router itself. allow-remote-requests is not
# shown, so the router presumably does not answer DNS for clients — confirm;
# if it is ever enabled, port 53 must be blocked on the WAN side.
/ip dns
set servers=8.8.8.8,8.8.4.4
# Named address lists for firewall and mangle rules.
# "All VLANs" is 10.1.0.0/16, which also contains the LAN bridge subnet
# 10.1.1.0/24 ("IT Devices"), not just the VLAN subnets.
# Only Vlan20-List and "All VLANs" are referenced by rules visible in this
# export, and both of those rules are disabled.
/ip firewall address-list
add address=10.1.10.0/24 list=Vlan10-List
add address=10.1.20.0/24 list=Vlan20-List
add address=10.1.30.0/24 list=Vlan30-List
add address=10.1.0.0/16 list="All VLANs"
add address=10.1.1.0/24 list="IT Devices"
# Packet filter. Every rule below is disabled=yes and all are in the forward
# chain; there is no input-chain rule at all.
# NOTE(review): as exported, the router filters nothing. Consequences visible
# from this file:
#   - Nothing protects the router itself on either WAN port; any management
#     service that is enabled (no /ip service section is shown, so presumably
#     the defaults) and the OpenVPN listener accept connections from anywhere.
#   - Guest Wi-Fi (192.168.101.0/24) and Wi-Fi (192.168.100.0/24) can route to
#     10.1.0.0/16, including the servers in 10.1.1.0/24.
#   - All VLANs can reach each other.
# A baseline would be: input chain — accept established/related, drop invalid,
# accept management only from a trusted address list, accept the VPN port,
# drop the rest; forward chain — accept established/related, drop invalid,
# drop guest-to-internal, then allow only the inter-VLAN flows that are
# needed. Apply from a LAN-side session with Safe Mode on to avoid lock-out.
/ip firewall filter
# Per-host internet blocks (disabled).
add action=drop chain=forward comment="Block an IP to access internet." disabled=yes \
src-address=10.1.1.75
add action=drop chain=forward comment="Block an IP to access internet." disabled=yes \
src-address=10.1.1.79
add action=drop chain=forward comment="Block an IP to access internet." disabled=yes \
src-address=10.1.20.108
add action=drop chain=forward comment="Block an IP to access internet." disabled=yes \
src-address=10.1.1.63
add action=drop chain=forward comment="Block an IP to access internet." disabled=yes \
src-address=10.1.10.105
# Isolation between 192.168.150.0/24 and the LAN (disabled). That subnet is
# not defined anywhere else in this export.
add action=drop chain=forward comment=\
"Blocking DS-VPN users from access internal resources. IN" disabled=yes \
dst-address=10.1.1.0/24 src-address=192.168.150.0/24
add action=drop chain=forward comment=\
"Blocking DS-VPN users from access internal resources.OUT" disabled=yes \
dst-address=192.168.150.0/24 src-address=10.1.1.0/24
# Inter-VLAN drop (disabled). NOTE(review): "All VLANs" includes 10.1.1.10,
# the DNS server handed out to the VLANs, so enabling this rule as-is would
# also cut VLAN clients off from it; an accept rule for required services
# would have to precede it.
add action=drop chain=forward disabled=yes dst-address-list="All VLANs" \
in-interface=all-vlan
# Policy routing marks: traffic from both Wi-Fi subnets is tagged
# "Wifi to ISP2" so /ip route can send it out via the backup gateway.
/ip firewall mangle
# Exemption: accept ends prerouting mangle processing for 192.168.100.95, so
# it never receives the routing mark and follows the main routing table.
add action=accept chain=prerouting comment="No rules apply for - 192.168.100.95" \
src-address=192.168.100.95
add action=mark-routing chain=prerouting comment="Wifi to ISP2 Rule" \
new-routing-mark="Wifi to ISP2" passthrough=yes src-address=192.168.100.0/24
add action=mark-routing chain=prerouting comment="Wifi to ISP2 Rule" \
new-routing-mark="Wifi to ISP2" passthrough=yes src-address=192.168.101.0/24
# Disabled: would apply the same mark to sources in Vlan20-List (10.1.20.0/24).
add action=mark-routing chain=prerouting comment="PC te rrjeti i Telkosit" disabled=\
yes new-routing-mark="Wifi to ISP2" passthrough=yes src-address-list=Vlan20-List
# Source NAT: masquerade everything leaving through either WAN port. No
# dst-nat (port-forward) rules are present in this export.
# NOTE(review): the out-interface names ("Telkos Ether2",
# "Kujtesa WAN - Ether4") do not match the names set under
# /interface ethernet (" Ether2", "WAN - Ether4"); as written these rules
# would not bind to an interface — verify against the live device.
/ip firewall nat
add action=masquerade chain=srcnat comment="Default Route to Telkos" out-interface=\
"Telkos Ether2"
add action=masquerade chain=srcnat comment="Default Route to Kujtesa" out-interface=\
"Kujtesa WAN - Ether4"
# Routing: a marked default route for Wi-Fi traffic via the backup gateway,
# plus main (distance 1) and backup (distance 2) default routes.
/ip route
add comment="Route using by Wifi " distance=2 gateway=192.168.1.1 routing-mark=\
"Wifi to ISP2"
# NOTE(review): neither active default route uses check-gateway, so the backup
# presumably takes over only when the main interface goes down, not when the
# upstream gateway stops responding — confirm this is the intended failover.
add comment=Main distance=1 gateway=178.132.223.1
add comment=Backup distance=2 gateway=192.168.1.1
# Disabled probe routes: pin 8.8.4.4 to the main gateway and 8.8.8.8 to the
# backup gateway, each with ping-based gateway checking.
add check-gateway=ping comment="Netwatch Main" disabled=yes distance=2 dst-address=\
8.8.4.4/32 gateway=178.132.223.1
add check-gateway=ping comment="Netwatch Backup" disabled=yes distance=1 \
dst-address=8.8.8.8/32 gateway=192.168.1.1
# Disabled static routes via 10.10.10.2, a next hop that is not on any network
# configured in this export.
add comment="Static route for Wifi - 1" disabled=yes distance=1 dst-address=\
192.168.100.0/24 gateway=10.10.10.2
add comment="Static route for Wifi - 2" disabled=yes distance=1 dst-address=\
192.168.200.0/24 gateway=10.10.10.2