Any major gotchas I should watch out for? Any recommendation for ZeroTier vs WireGuard?
Since I know someone will ask to see my config, here is a somewhat sanitized extract. Some stuff I pulled out simply to shorten it (I doubt you really need to see 250 static DHCP leases for example).
# oct/24/2022 22:31:01 by RouterOS 6.49.6
# software id = <redacted>
#
# model = RB4011iGS+
# serial number = <redacted>
#
# Reviewer notes are marked "NOTE(review)". A plain /export omits parameters
# that are still at their default value, so anything not shown below is at
# the RouterOS 6.49 default.
#
# Physical ports. ether1 and ether10 are the two ISP uplinks (cable and fiber),
# ether4/ether5 are the 802.1Q trunks to the two CSS326 switches, the rest are
# one-segment access ports. The name scheme is Exx-<switch port>_<subnet>.
/interface ethernet
# NOTE(review): speed=100Mbps on ether1-ether5 only takes effect when
# auto-negotiation is turned off, and that setting is not in this export -
# confirm whether these five ports are really meant to run at 100M.
set [ find default-name=ether1 ] comment="Spectrum cable internet" name=\
E01-pB2_Cable_Internet speed=100Mbps
set [ find default-name=ether2 ] comment="Cable Main home LAN" name=\
E02-pB4_101 speed=100Mbps
set [ find default-name=ether3 ] comment="Cable Private WiFi LAN" name=\
E03-pB6_103 speed=100Mbps
set [ find default-name=ether4 ] comment="CSS326 2B 802.1Q trunk" name=\
E04-pB8_802.1Q speed=100Mbps
set [ find default-name=ether5 ] comment="CSS326 2A 802.1Q trunk" name=\
E05-pA10_802.1Q speed=100Mbps
set [ find default-name=ether6 ] comment="Fiber Main home LAN" name=\
E06-pA2_201
set [ find default-name=ether7 ] comment="Fiber Private WiFi LAN" name=\
E07-pA4_203
set [ find default-name=ether8 ] comment="Fiber Internet of Things LAN" name=\
E08-pA6_206
set [ find default-name=ether9 ] comment="Fiber LOREX Video LAN" name=\
E09-pA8_207
# PoE-out is forced off on the fiber uplink port.
set [ find default-name=ether10 ] comment="Frontier fiber internet" name=\
E10_Fiber_Internet poe-out=off
# Unused SFP+ cage is administratively down, which is the right state for an
# idle port.
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# Tagged sub-interfaces on the two switch trunks. VLANs 5/6/11-14 are the
# AREDN mesh-node LAN sides, the 1xx VLANs sit behind the cable ISP and the
# 2xx VLANs behind the fiber ISP (see the LAN-to-Cable / LAN-to-Fiber lists
# under /interface list member and the egress rules in the forward chain).
# NOTE(review): /ip address later assigns 192.168.99.251/24 to an interface
# named VLAN_099 that is not defined here; either it was dropped from the
# extract or the address entry is dangling.
/interface vlan
add comment="AREDN hAP-at-Home LAN" interface=E05-pA10_802.1Q name=VLAN_005 \
vlan-id=5
add comment="AREDN hAP-Portable LAN" interface=E04-pB8_802.1Q name=VLAN_006 \
vlan-id=6
add comment="AREDN 3GHz at Johnstone to Pleasants Peak LAN interface" \
interface=E04-pB8_802.1Q name=VLAN_011 vlan-id=11
add comment="AREDN 5GHz at Johnstone SW sector LAN interface" interface=\
E04-pB8_802.1Q name=VLAN_012 vlan-id=12
add comment="AREDN 5GHz at Johnstone SE sector LAN interface" interface=\
E04-pB8_802.1Q name=VLAN_013 vlan-id=13
add comment="AREDN Temp LHG in garage" interface=E04-pB8_802.1Q name=VLAN_014 \
vlan-id=14
add comment="Cable Public WiFi LAN" interface=E04-pB8_802.1Q name=VLAN_102 \
vlan-id=102
add comment="Cable Cactus/Red Cross LAN" interface=E04-pB8_802.1Q name=\
VLAN_104 vlan-id=104
add comment="Cable VOIP phones LAN" interface=E04-pB8_802.1Q name=VLAN_105 \
vlan-id=105
add comment="Cable Internet of Things LAN" interface=E04-pB8_802.1Q name=\
VLAN_106 vlan-id=106
# VLAN_123 carries only the NTP server (/29, see /ip address).
add comment="NTP server LAN" interface=E05-pA10_802.1Q name=VLAN_123 vlan-id=\
123
add comment="E1.31 LAN" interface=E04-pB8_802.1Q name=VLAN_131 vlan-id=131
add comment="Fiber / Cable protected LAN" interface=E04-pB8_802.1Q name=\
VLAN_151 vlan-id=151
add comment="Fiber Public WiFi LAN" interface=E05-pA10_802.1Q name=VLAN_202 \
vlan-id=202
add comment="Fiber .204 Cactus LAN" interface=E05-pA10_802.1Q name=VLAN_204 \
vlan-id=204
add comment="Fiber VOIP phones LAN" interface=E05-pA10_802.1Q name=VLAN_205 \
vlan-id=205
add comment=".209 HARPUSA LAN" interface=E04-pB8_802.1Q name=VLAN_209 \
vlan-id=209
# Switch-chip port VLAN defaults are explicitly cleared on all twelve ports;
# VLAN separation is done by the CPU-side /interface vlan entries above rather
# than by the switch chip's VLAN table (nothing in the extract programs that
# table).
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# Interface lists used as firewall match objects. WAN = both ISP uplinks,
# LAN = the home segments, "AREDN LAN" = the mesh-node VLANs (kept out of LAN
# on purpose, so LAN-only rules do not apply to them).
/interface list
# NOTE(review): the "discover" list (dynamic interfaces excluded) is defined
# but /ip neighbor discovery-settings further down uses "all"; it looks like
# this list was meant to be the discovery scope.
add exclude=dynamic name=discover
# mactel / mac-winbox presumably feed /tool mac-server, which is not in the
# extract.
add name=mactel
add name=mac-winbox
add name=LAN
# Router-access is populated below but no visible firewall rule references it.
add name=Router-access
add name=WAN
add name=LAN-to-Cable
add name=LAN-to-Fiber
add name="AREDN LAN"
# Default wireless security profile; no wireless interface appears in this
# extract, so this is inert as far as the visible config goes.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP option 42 hands clients the local NTP server (192.168.123.123 on
# VLAN_123). The quoting ('...' inside "...") is the RouterOS form for an IP
# string option value.
/ip dhcp-server option
add code=42 name=NTP value="'192.168.123.123'"
# Layer-7 matcher for the mesh DNS name. NOTE(review): no rule in the visible
# filter table references it, and the regexp is unanchored, so if it is used
# elsewhere it matches any payload containing "local.mesh" (the "." is a
# regex wildcard). Layer-7 matching is CPU-expensive on every packet of a
# connection until it decides; drop the entry if it is unused.
/ip firewall layer7-protocol
add name=local.mesh regexp=local.mesh
# Default IPsec proposal narrowed to AES-128-CBC; the other proposal fields
# (auth algorithm, PFS group) stay at their RouterOS defaults. No peers or
# policies appear in the extract.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
# Dynamic DHCP ranges are deliberately small (9-19 addresses per segment);
# everything else is expected to come from the static leases the author
# trimmed out of this extract.
/ip pool
add name=".101 DHCP pool" ranges=192.168.101.201-192.168.101.219
add name=".102 DHCP pool" ranges=192.168.102.201-192.168.102.219
add name=".103 DHCP pool" ranges=192.168.103.201-192.168.103.219
add name=".104 DHCP pool" ranges=192.168.104.201-192.168.104.209
add name=".106 DHCP pool" ranges=192.168.106.201-192.168.106.209
add name=".105 DHCP pool" ranges=192.168.105.201-192.168.105.209
add name=".151 DHCP pool" ranges=192.168.151.201-192.168.151.219
add name=".131 DHCP pool" ranges=192.168.131.201-192.168.131.209
add name=".201 DHCP pool" ranges=192.168.201.201-192.168.201.219
add name=".202 DHCP pool" ranges=192.168.202.201-192.168.202.219
add name=".203 DHCP pool" ranges=192.168.203.201-192.168.203.219
add name=".204 DHCP pool" ranges=192.168.204.201-192.168.204.209
add name=".209 DHCP pool" ranges=192.168.209.201-192.168.209.209
add name=".206 DHCP pool" ranges=192.168.206.201-192.168.206.219
add name=".205 DHCP pool" ranges=192.168.205.201-192.168.205.209
# The NTP segment is a /29; only three dynamic addresses exist there.
add name=".123 DHCP pool" ranges=192.168.123.124-192.168.123.126
add name=".207 DHCP pool" ranges=192.168.207.201-192.168.207.219
# One DHCP server per segment, 3h leases. authoritative=after-2sec-delay
# lets the router NAK foreign leases but only after giving another server a
# chance to answer.
/ip dhcp-server
add address-pool=".101 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=E02-pB4_101 lease-time=3h name=".101 DHCP server"
add address-pool=".102 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_102 lease-time=3h name=".102 DHCP server"
add address-pool=".103 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=E03-pB6_103 lease-time=3h name=".103 DHCP server"
add address-pool=".104 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_104 lease-time=3h name=".104 DHCP server"
add address-pool=".106 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_106 lease-time=3h name=".106 DHCP server"
add address-pool=".105 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_105 lease-time=3h name=".105 DHCP server"
add address-pool=".151 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_151 lease-time=3h name=".151 DHCP server"
add address-pool=".131 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_131 lease-time=3h name=".131 DHCP server"
add address-pool=".201 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=E06-pA2_201 lease-time=3h name=".201 DHCP server"
add address-pool=".202 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_202 lease-time=3h name=".202 DHCP server"
add address-pool=".205 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_205 lease-time=3h name=".205 DHCP server"
add address-pool=".203 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=E07-pA4_203 lease-time=3h name=".203 DHCP server"
# NOTE(review): this is the only server without an explicit authoritative
# setting, so it runs with the RouterOS default rather than the
# after-2sec-delay used everywhere else - probably an oversight.
add address-pool=".209 DHCP pool" disabled=no interface=VLAN_209 lease-time=\
3h name=".209 DHCP server"
add address-pool=".206 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=E08-pA6_206 lease-time=3h name=".206 DHCP server"
add address-pool=".204 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_204 lease-time=3h name=".204 DHCP server"
add address-pool=".123 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=VLAN_123 lease-time=6h name=".123 DHCP server"
add address-pool=".207 DHCP pool" authoritative=after-2sec-delay disabled=no \
interface=E09-pA8_207 lease-time=3h name=".207 DHCP server"
# IPv6 prefix delegation on the main cable LAN. NOTE(review): pool1 has a
# prefix-length but no prefix, and no /ipv6 address or /ipv6 firewall filter
# appears in this extract. Confirm whether IPv6 is meant to be live; if it is,
# an IPv6 filter chain is needed because none of the IPv4 rules below apply
# to it.
/ipv6 dhcp-server
add address-pool=pool1 interface=E02-pB4_101 name=server1
/ipv6 pool
add name=pool1 prefix-length=56
# Single test shaper on one .103 host.
/queue simple
add burst-limit=256k/512k burst-time=10s/10s limit-at=128k/256k max-limit=\
128k/256k name="Test queue" target=192.168.103.182/32
# NOTE(review): the default SNMP community (still carrying its default name
# since only addresses= is changed here) is allowed from any source address.
# Whether /snmp itself is enabled is not in the extract, and the input chain
# has no UDP/161 accept so such queries should hit the final drop, but the
# community should still be restricted to the management subnet rather than
# 0.0.0.0/0 so it does not depend on the filter order.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# Remote syslog to a host on the .101 main LAN, sourced from the router's
# .101 address. Syslog is plaintext; the log host lives on a trusted segment.
/system logging action
set 3 remote=192.168.101.11 src-address=192.168.101.251
# "full" group carries every policy, including telnet, ftp, api, password
# and sensitive. Which accounts are in it is not shown here.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
#error exporting /interface bridge calea
# loose-tcp-tracking=no means mid-stream TCP packets without a seen handshake
# are marked invalid and dropped by the first rule of each filter chain;
# established-connection timeout lowered from the default to 1h.
/ip firewall connection tracking
set loose-tcp-tracking=no tcp-established-timeout=1h
# NOTE(review): neighbor discovery (MNDP/CDP/LLDP) runs on every interface,
# which includes both ISP uplinks; that advertises the router identity and
# software version on the WAN side. The "discover" interface list defined
# above is the obvious replacement for "all".
/ip neighbor discovery-settings
set discover-interface-list=all
# NOTE(review): fast-path is disabled globally. The fasttrack-connection rule
# in the forward chain relies on FastPath, so with this setting it likely has
# no effect beyond counting matches - confirm which of the two is intended.
/ip settings
set allow-fast-path=no
# List membership. LAN-to-Cable and LAN-to-Fiber decide which ISP each
# segment may egress through (forward chain). Note which segments are NOT in
# LAN: VLAN_123 (NTP, only LAN-to-Fiber), VLAN_099 (no list at all) and the
# AREDN VLANs (their own list).
/interface list member
add interface=E02-pB4_101 list=mactel
add interface=E06-pA2_201 list=mac-winbox
add interface=E06-pA2_201 list=LAN
add interface=VLAN_202 list=LAN
add interface=E07-pA4_203 list=LAN
add interface=VLAN_204 list=LAN
add interface=E02-pB4_101 list=LAN
add interface=E03-pB6_103 list=LAN
add interface=VLAN_102 list=LAN
add interface=VLAN_104 list=LAN
add interface=VLAN_105 list=LAN
add interface=VLAN_106 list=LAN
add interface=VLAN_131 list=LAN
add interface=VLAN_151 list=LAN
# Router-access = the two "main home" ports only; no visible rule uses it.
add interface=E02-pB4_101 list=Router-access
add interface=E06-pA2_201 list=Router-access
add interface=E01-pB2_Cable_Internet list=WAN
add interface=E10_Fiber_Internet list=WAN
add interface=VLAN_205 list=LAN
add interface=E08-pA6_206 list=LAN
add interface=E02-pB4_101 list=LAN-to-Cable
add interface=E03-pB6_103 list=LAN-to-Cable
add interface=VLAN_102 list=LAN-to-Cable
add interface=VLAN_104 list=LAN-to-Cable
add interface=VLAN_105 list=LAN-to-Cable
add interface=VLAN_106 list=LAN-to-Cable
add interface=E06-pA2_201 list=LAN-to-Fiber
add interface=E07-pA4_203 list=LAN-to-Fiber
add interface=E08-pA6_206 list=LAN-to-Fiber
add interface=VLAN_202 list=LAN-to-Fiber
add interface=VLAN_204 list=LAN-to-Fiber
add interface=VLAN_205 list=LAN-to-Fiber
# VLAN_151 ("protected") is the one segment allowed out via either ISP.
add interface=VLAN_151 list=LAN-to-Fiber
add interface=VLAN_151 list=LAN-to-Cable
add interface=VLAN_131 list=LAN-to-Cable
add interface=VLAN_209 list=LAN-to-Cable
add interface=VLAN_209 list=LAN
add interface=VLAN_005 list="AREDN LAN"
add interface=VLAN_006 list="AREDN LAN"
add interface=VLAN_011 list="AREDN LAN"
add interface=VLAN_012 list="AREDN LAN"
add interface=VLAN_013 list="AREDN LAN"
add interface=VLAN_014 list="AREDN LAN"
add interface=VLAN_123 list=LAN-to-Fiber
# MAC-telnet / MAC-WinBox are reachable from both main home ports.
add interface=E02-pB4_101 list=mac-winbox
add interface=E06-pA2_201 list=mactel
add interface=E09-pA8_207 list=LAN-to-Fiber
add interface=E09-pA8_207 list=LAN
# Per-IP traffic accounting, including the router's own traffic.
/ip accounting
set account-local-traffic=yes enabled=yes
# NOTE(review): the accounting snapshot is served by the router's HTTP service
# to 192.168.101.0/26 and, as far as the visible config shows, without any
# authentication. It reveals which internal hosts talk to which addresses, so
# keep that /26 limited to administrative hosts.
/ip accounting web-access
set accessible-via-web=yes address=192.168.101.0/26
# Router addresses: .251 on every segment, plus a few extras noted below.
/ip address
add address=192.168.101.251/24 interface=E02-pB4_101 network=192.168.101.0
add address=192.168.102.251/24 interface=VLAN_102 network=192.168.102.0
add address=192.168.103.251/24 interface=E03-pB6_103 network=192.168.103.0
add address=192.168.104.251/24 interface=VLAN_104 network=192.168.104.0
add address=192.168.105.251/24 interface=VLAN_105 network=192.168.105.0
add address=192.168.106.251/24 interface=VLAN_106 network=192.168.106.0
add address=192.168.151.251/24 interface=VLAN_151 network=192.168.151.0
add address=192.168.204.251/24 interface=VLAN_204 network=192.168.204.0
add address=192.168.201.251/24 interface=E06-pA2_201 network=192.168.201.0
add address=192.168.202.251/24 interface=VLAN_202 network=192.168.202.0
add address=192.168.203.251/24 interface=E07-pA4_203 network=192.168.203.0
add address=192.168.209.251/24 interface=VLAN_209 network=192.168.209.0
add address=192.168.131.251/24 interface=VLAN_131 network=192.168.131.0
add address=192.168.206.251/24 interface=E08-pA6_206 network=192.168.206.0
# Second address on the .203 segment (a third, .250, is kept but disabled).
add address=192.168.203.252/24 interface=E07-pA4_203 network=192.168.203.0
add address=192.168.205.251/24 interface=VLAN_205 network=192.168.205.0
# NOTE(review): VLAN_099 is not defined under /interface vlan in this extract
# and is in no interface list, so this address is either dangling (RouterOS
# keeps it but marks it invalid) or its VLAN was removed from the paste.
add address=192.168.99.251/24 interface=VLAN_099 network=192.168.99.0
# NOTE(review): a second subnet, 192.168.0.0/24, rides on the E1.31 VLAN next
# to .131. No DHCP network and no filter rule mentions 192.168.0.0/24; hosts
# in it are covered only by the interface-based rules for VLAN_131.
add address=192.168.0.251/24 interface=VLAN_131 network=192.168.0.0
add address=192.168.203.250/24 disabled=yes interface=E07-pA4_203 network=\
192.168.203.0
# NTP server segment is a /29 (.121 router, .123 server, .124-.126 dynamic).
add address=192.168.123.121/29 interface=VLAN_123 network=192.168.123.120
add address=192.168.207.251/24 interface=E09-pA8_207 network=192.168.207.0
# Cloud DDNS/time sync: clock-from-cloud disabled; DDNS state not shown.
/ip cloud
set update-time=no
# WAN and mesh-side DHCP clients. Only the cable uplink installs a default
# route; the fiber uplink is reached through routing config not in the
# extract.
/ip dhcp-client
# NOTE(review): this client keeps the defaults, so the cable ISP's DNS and
# NTP servers are accepted and, because /ip dns allow-remote-requests=yes,
# the ISP resolvers become part of what the router answers LAN clients from.
# Add use-peer-dns=no / use-peer-ntp=no here if only the static servers are
# wanted.
add disabled=no interface=E01-pB2_Cable_Internet
# NOTE(review): VLAN_005 and VLAN_006 refuse peer NTP but (by default) still
# accept peer DNS from the mesh nodes; the other four AREDN clients refuse
# both. If that difference is not deliberate, add use-peer-dns=no to these
# two as well so mesh-supplied resolvers never enter the router's DNS list.
add add-default-route=no disabled=no interface=VLAN_005 use-peer-ntp=no
add add-default-route=no disabled=no interface=VLAN_011 use-peer-dns=no \
use-peer-ntp=no
add add-default-route=no disabled=no interface=VLAN_012 use-peer-dns=no \
use-peer-ntp=no
add add-default-route=no disabled=no interface=VLAN_013 use-peer-dns=no \
use-peer-ntp=no
# Fiber uplink: no default route, peer DNS/NTP left at default (accepted).
add add-default-route=no disabled=no interface=E10_Fiber_Internet
add add-default-route=no disabled=no interface=VLAN_014 use-peer-dns=no \
use-peer-ntp=no
add add-default-route=no disabled=no interface=VLAN_006 use-peer-ntp=no
# Rogue-DHCP detection: any DHCP server on these five segments whose MAC is
# not the listed one triggers the "DHCP Alert" script. The fiber-side
# segments (.201-.209) have no such watcher in this extract.
/ip dhcp-server alert
add disabled=no interface=E02-pB4_101 on-alert="DHCP Alert" valid-server=\
6C:3B:6B:7E:99:86
add disabled=no interface=E03-pB6_103 on-alert="DHCP Alert" valid-server=\
6C:3B:6B:7E:99:87
add disabled=no interface=VLAN_104 on-alert="DHCP Alert" valid-server=\
6C:3B:6B:7E:99:88
add disabled=no interface=VLAN_105 on-alert="DHCP Alert" valid-server=\
6C:3B:6B:7E:99:88
add disabled=no interface=VLAN_106 on-alert="DHCP Alert" valid-server=\
6C:3B:6B:7E:99:88
# Static leases (one sample kept). client-id plus mac-address are both set,
# so the lease only matches a client presenting both.
/ip dhcp-server lease
add address=192.168.106.181 client-id=1:a:bb:cc:dd:ee:ff comment=\
"Jim's Moto Edge plus" mac-address=AA:BB:CC:DD:EE:FF server=\
".106 DHCP server"
<A few hundred more DHCP leases eliminated in this extract>
# Per-segment DHCP options. NOTE(review): every segment except .101 and .201
# hands clients a public resolver (8.8.8.8, 4.2.2.x) next to the router, so
# those clients will sometimes bypass the router's resolver; the /ip dns
# static names below (router, local.mesh) then fail to resolve for them, and
# the DNS filtering that the firewall does on UDP/53 to the router is skipped
# for queries sent straight to the public servers. Handing out only the
# router address and letting /ip dns forward upstream keeps one control point.
/ip dhcp-server network
add address=192.168.101.0/24 comment=".101 network" dns-server=\
192.168.101.11,192.168.101.251 gateway=192.168.101.251 netmask=24
add address=192.168.102.0/24 comment=".102 network" dns-server=\
192.168.102.251,8.8.8.8,4.2.2.2 gateway=192.168.102.251 netmask=24
add address=192.168.103.0/24 comment=".103 network" dns-server=\
192.168.103.251,8.8.8.8,4.2.2.3 gateway=192.168.103.251 netmask=24
add address=192.168.104.0/24 comment=".104 network" dns-server=\
192.168.104.251,8.8.8.8,4.2.2.4 gateway=192.168.104.251 netmask=24
add address=192.168.105.0/24 comment=".105 network" dns-server=\
192.168.105.251,8.8.8.8,4.2.2.2 gateway=192.168.105.251 netmask=24
add address=192.168.106.0/24 comment=".106 network" dns-server=\
192.168.106.251,8.8.8.8,4.2.2.4 gateway=192.168.106.251 netmask=24
add address=192.168.123.120/29 comment=".123 network" dns-server=\
192.168.123.121,8.8.8.8,4.2.2.1 gateway=192.168.123.121 netmask=29
add address=192.168.131.0/24 comment=".131 network" dns-server=\
192.168.131.251,8.8.8.8,4.2.2.1 gateway=192.168.131.251 netmask=24
add address=192.168.151.0/24 comment=".151 network" dns-server=\
192.168.151.251,8.8.8.8,4.2.2.1 gateway=192.168.151.251 netmask=24
add address=192.168.201.0/24 comment=".201 network" dns-server=\
192.168.201.11,192.168.201.251 gateway=192.168.201.251 netmask=24
add address=192.168.202.0/24 comment=".202 network" dns-server=\
192.168.202.251,8.8.8.8,4.2.2.2 gateway=192.168.202.251 netmask=24
add address=192.168.203.0/24 comment=".203 network" dns-server=\
192.168.203.251,8.8.8.8,4.2.2.3 gateway=192.168.203.251 netmask=24
add address=192.168.204.0/24 comment=".204 network" dns-server=\
192.168.204.251,8.8.8.8,4.2.2.4 gateway=192.168.204.251 netmask=24
add address=192.168.205.0/24 comment=".205 network" dns-server=\
192.168.205.251,8.8.8.8,4.2.2.4 gateway=192.168.205.251 netmask=24
add address=192.168.206.0/24 comment=".206 network" dns-server=\
192.168.206.251,8.8.8.8,4.2.2.4 gateway=192.168.206.251 netmask=24
add address=192.168.207.0/24 comment=".207 network" dns-server=\
192.168.207.251,8.8.8.8,4.2.2.4 gateway=192.168.207.251 netmask=24
add address=192.168.209.0/24 comment=".209 network" dns-server=\
192.168.209.251,8.8.8.8,4.2.2.5 gateway=192.168.209.251 netmask=24
# Router resolver answers queries on every interface; what keeps it from being
# an open resolver is the input chain, which accepts UDP/53 only from the LAN
# list and drops everything else (including WAN and the AREDN VLANs).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.1
/ip dns static
add address=192.168.201.251 name=router
# Mesh name points at the hAP-at-Home node (see /ip firewall address-list).
add address=10.9.60.81 name=local.mesh
# Static address lists referenced by the filter rules. Lists that are only
# populated dynamically (Safe, Black_list, DoS, Privileged, Management, Uptime,
# "Ubee access", "PCB Knock-*") have no static entries here.
/ip firewall address-list
add address=131.107.13.100 list="NTP servers"
add address=64.62.190.177 list="NTP servers"
add address=50.22.155.163 list="NTP servers"
add address=8.8.8.8 comment="Google #2" list="DNS servers"
add address=8.8.4.4 comment="Google #1" list="DNS servers"
add address=192.168.201.120-192.168.201.129 list="Open Mesh"
add address=192.168.201.140 list="Open Mesh"
add address=192.168.201.150-192.168.201.159 list="Open Mesh"
add address=10.9.60.81 comment="Mikrotik hAP-at-Home for AREDN" list=\
hAP-at-Home
add address=192.73.242.152 list="NTP servers"
add address=132.163.97.4 list="NTP servers"
# Single hand-maintained block entry; dropped in both input (via Attack) and
# forward chains.
add address=5.188.210.4 comment="Regularly trying to hack web server" list=\
"Manual Blacklist"
# RasPi list is what the WAN SSH exception (Ext-Safe) is scoped to.
add address=192.168.103.71 comment="AREDN Raspberry Pi-3b on .103" list=RasPi
add address=192.168.103.79 comment="Spare Raspberry Pi-4 on .103" list=RasPi
# NOTE(review): comment says ".101" but the address is on the .203 segment.
add address=192.168.203.79 comment="Spare Raspberry Pi-4 on .101" list=RasPi
add address=192.168.203.72 comment="AREDN Raspberry Pi-4 on .203" list=RasPi
# NOTE(review): this entry is truncated - "list=\" is followed by the next
# "add" line, so the list name is missing. Most likely a paste/sanitizing
# artefact; if it is really in the running config, check which list the
# .101 PC ended up in (the continuation would have consumed the next line).
add address=192.168.101.42 comment="Old Family room PC on .101" list=\
add address=192.168.203.75 comment="Streaming Raspberry Pi-3b on .203" list=\
RasPi
add address=192.168.206.75 comment="Streaming Raspberry Pi-3b on .206" list=\
RasPi
# Web power switches: the forward chain sends WAN traffic to their port 80
# through Ext-Safe.
add address=192.168.201.231 comment="AC Web Power Switch #1" list=\
WebPowerSwitch
add address=192.168.201.232 comment="AC Web Power Switch #2" list=\
WebPowerSwitch
add address=192.168.201.233 comment="DC Web Power Switch #1" list=\
WebPowerSwitch
#error exporting /ip firewall calea
/ip firewall filter
add action=drop chain=input comment="Drop invalid packets on input chain" \
connection-state=invalid
add action=jump chain=input comment="Jump to Attack chain to prevent Port scan\
\_and DoS attacks from WAN interfaces" in-interface-list=WAN jump-target=\
Attack
add action=jump chain=input comment=\
"Jump to ICMP chain to prevent being ping flooded from WAN interfaces" \
in-interface-list=WAN jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Allow PING on all LAN interfaces." \
in-interface-list=LAN protocol=icmp
add action=accept chain=input comment=\
"Allow PING on all AREDN LAN interfaces." in-interface-list="AREDN LAN" \
protocol=icmp
add action=accept chain=input comment="Allow DNS on all LAN interfaces." \
dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop Black list IP addresses." \
src-address-list=Black_list
add action=jump chain=input comment="Packets on the relocated ports for FTP, H\
TTP, SSH, Telnet, and WinBox jump to Management chain" dst-port=\
<redacted> jump-target=Management protocol=tcp
add action=jump chain=input comment="Packets on the \"normal\" ports for FTP, \
SSH, Telnet, and WinBox jump to Drop-Normal chain" dst-port=21,22,23,8291 \
in-interface-list=WAN jump-target=Drop-Normal protocol=tcp
add action=drop chain=input comment="IP identification log blocker" dst-port=\
64999 protocol=tcp src-address-list="Port identification"
add action=add-src-to-address-list address-list="Port identification" \
address-list-timeout=1m chain=input comment=\
"IP identification port - packet is dropped, but IP is logged." dst-port=\
64999 log=yes log-prefix="IP identification port" protocol=tcp
add action=accept chain=input comment=\
"Allow established and related connections to router" connection-state=\
established,related
add action=drop chain=input comment=\
"Drop any other input packets that get this far" log-prefix=\
"Dropped connection"
add action=drop chain=forward comment="Drop invalid packets on forward chain" \
connection-state=invalid
add action=drop chain=forward comment=\
"Drop all packets from IPs on the Manual Blacklist" log=yes log-prefix=\
"Manual Blacklist" src-address-list="Manual Blacklist"
add action=drop chain=forward comment=\
"Drop all packets from IPs on the Blacklist" log=yes log-prefix=\
"Manual Blacklist" src-address-list=Black_list
add action=passthrough chain=forward comment="---- >> For all packet counters\
\_- Inbound refers to from Internet towards device - Outbound refers to fr\
om device towards internet <<---" connection-state="" disabled=yes \
in-interface=E02-pB4_101 src-address=1.2.3.4
add action=passthrough chain=forward comment=\
"Counter for inbound packets from Glendale" connection-state="" disabled=\
yes in-interface=E10_Fiber_Internet src-address=<redacted>
add action=accept chain=forward comment=\
"Accept for outbound UDP packets from NTP server to VLAN 5 (AREDN)" \
connection-state="" disabled=yes in-interface=VLAN_123 log-prefix=\
"NTP out" out-interface=VLAN_005 protocol=udp
add action=jump chain=forward comment=\
"WAN packets to Web Power Switches jump to Ext-Safe chain" \
dst-address-list=WebPowerSwitch dst-port=80 in-interface-list=WAN \
jump-target=Ext-Safe protocol=tcp
add action=jump chain=forward comment=\
"WAN SSH port packets to RasPis list jump to Ext-Safe chain" \
dst-address-list=RasPi dst-port=22 in-interface-list=WAN jump-target=\
Ext-Safe protocol=tcp
add action=jump chain=forward comment=\
"Special ports to Jupiter jump to Ext-Safe chain" dst-address=\
192.168.201.11 dst-port=<redacted> in-interface=E10_Fiber_Internet \
jump-target=Ext-Safe protocol=tcp
add action=jump chain=forward comment=\
"Special ports to NTP server jump to Ext-Safe chain" dst-address=\
192.168.123.123 dst-port=22 in-interface=E10_Fiber_Internet jump-target=\
Ext-Safe protocol=tcp
add action=accept chain=forward comment=\
"Allow all packts to ubee modem from devices on Ubee access list" \
dst-address=192.168.100.1 src-address-list="Ubee access"
add action=drop chain=forward comment="Drop all packts to ubee modem" \
dst-address=192.168.100.1
add action=drop chain=forward comment=\
"Drop all packts to Jupiter web server from E1.31 LAN" dst-address=\
192.168.201.11 dst-port=80 in-interface=VLAN_131 protocol=tcp
add action=jump chain=forward comment="VNC traffic jumps to VNC chain" \
dst-port=<redacted> in-interface-list=WAN \
jump-target=VNC protocol=tcp
add action=jump chain=forward comment=\
"Port 22 & 80 traffic to E1.31 devices jumps to E1.31 chain" dst-address=\
192.168.131.0/24 dst-port=22,80 in-interface=E01-pB2_Cable_Internet \
jump-target=E1.31 protocol=tcp
add action=accept chain=forward comment="Accept all that is DST NATed" \
connection-nat-state=dstnat connection-state=new
add action=accept chain=forward comment="Accept all that is Source NATed" \
connection-nat-state=srcnat connection-state=new
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"Accept established and related packets" connection-state=\
established,related
add action=accept chain=forward comment=\
"Allow outbound traffic from LAN-to-fiber list members to fiber internet" \
in-interface-list=LAN-to-Fiber out-interface=E10_Fiber_Internet
add action=accept chain=forward comment=\
"Allow outbound traffic from LAN-to-cable list members to Cable internet" \
in-interface-list=LAN-to-Cable out-interface=E01-pB2_Cable_Internet
add action=accept chain=forward comment=\
"Allow privileged PCs access to all other LANs" in-interface-list=LAN \
out-interface-list=LAN src-address-list=Privileged
add action=accept chain=forward comment=\
"Allow privileged PCs access to AREDN mesh LANs" in-interface-list=LAN \
out-interface-list="AREDN LAN" src-address-list=Privileged
add action=accept chain=forward comment=\
"Allow all LANs access to NTP server UDP port 123." dst-address=\
192.168.123.123 dst-port=123 in-interface-list=LAN protocol=udp
add action=accept chain=forward comment=\
"Allow all AREDN LANs access to NTP server UDP port 123." dst-address=\
192.168.123.123 dst-port=123 in-interface-list="AREDN LAN" protocol=udp
add action=accept chain=forward comment=\
"Allow privileged IPs access to NTP server TCP ports 22 and 80." \
dst-address=192.168.123.123 dst-port=22,80 protocol=tcp src-address-list=\
Privileged
add action=accept chain=forward comment=\
"Allow privileged IPs ping access to NTP server." dst-address=\
192.168.123.123 protocol=icmp src-address-list=Privileged
add action=accept chain=forward comment=\
"Allow Management IPs TCP access to VLAN <redacted>." out-interface=VLAN_<redacted> \
protocol=tcp src-address-list=Management
add action=drop chain=forward comment=\
"Drop any forward packets that get this far"
add action=drop chain=Attack comment="Drop all invalid packets." \
connection-state=invalid
add action=return chain=Attack comment=\
"Return from Attach chain for safe list IPs" src-address-list=Safe
add action=drop chain=Attack comment=\
"Drop all packets from IPs on the Manual Blacklist" log=yes log-prefix=\
"Manual Blacklist" src-address-list="Manual Blacklist"
add action=drop chain=Attack comment=\
"Detect and drop TCP port scan connections" protocol=tcp psd=21,3s,3,1
add action=drop chain=Attack comment=\
"Detect and drop UDP port scan connections" protocol=udp psd=21,3s,3,1
add action=tarpit chain=Attack comment="Suppress DoS attack by tarpitting" \
connection-limit=3,32 protocol=tcp src-address-list=DoS
add action=add-src-to-address-list address-list=DoS address-list-timeout=1d \
chain=Attack comment="Detect DoS attack" connection-limit=10,32 log=yes \
log-prefix=DoS protocol=tcp
add action=return chain=Attack comment="Return from Attack chain"
add action=accept chain=ICMP comment=\
"Accept ICMP type 0:0 (Echo reply) and limit to 5 packets / sec" \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP type 3:3 (Destination host u\
nreachable) and limit to 5 packets / sec" icmp-options=3:3 limit=5,5 \
protocol=icmp
add action=accept chain=ICMP comment="Accept ICMP type 3:4 (Fragmentation requ\
ired) and limit to 5 packets / sec" icmp-options=3:4 limit=5,5 protocol=\
icmp
add action=accept chain=ICMP comment=\
"Accept ICMP type 8:0 (Echo request) and limit to 5 packets / sec" \
icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment=\
"Accept ICMP type 11:0 (Time exceeded) and limit to 5 packets / sec" \
icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop all other ICMP packets" protocol=\
icmp
add action=return chain=ICMP comment="Return from ICMP chain"
add action=accept chain=Management comment=\
"Allow WinBox access to router from IPs on the Management list." \
connection-state=established,related,new dst-port=<redacted> in-interface-list=\
!WAN protocol=tcp src-address-list=Management
add action=accept chain=Management comment=\
"Allow HTTP access to router from IPs on the Management list." \
connection-state=established,related,new dst-port=<redacted> in-interface-list=\
!WAN protocol=tcp src-address-list=Management
add action=accept chain=Management comment=\
"Allow HTTPS access to router from IPs on the Management list." \
connection-state=established,related,new dst-port=<redacted> in-interface-list=\
!WAN protocol=tcp src-address-list=Management
add action=accept chain=Management comment=\
"Allow SSH access to router from IPs on the Management list." \
connection-state=established,related,new dst-port=<redacted> in-interface-list=\
!WAN protocol=tcp src-address-list=Management
add action=accept chain=Management comment=\
"Allow FTP access to router from IPs on the Management list." \
connection-state=established,related,new dst-port=<redacted> in-interface-list=\
!WAN protocol=tcp src-address-list=Management
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
chain=Management comment=\
"Safe list time reset via router WinBox port via WAN interfaces." \
dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=accept chain=Management comment=\
"Allow Safe list WinBox access to router via WAN interfaces." dst-port=\
<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
chain=Management comment=\
"Safe list time reset via router HTTP port via WAN interfaces." dst-port=\
<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=accept chain=Management comment=\
"Allow Safe list HTTP access to router via WAN interfaces." dst-port=<redacted> \
in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
chain=Management comment=\
"Safe list time reset via router HTTPS port via WAN interfaces." \
dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=accept chain=Management comment=\
"Allow Safe list HTTPS access to router via WAN interfaces." dst-port=\
<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
chain=Management comment=\
"Safe list time reset via router SSH port via WAN interfaces." dst-port=\
<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=accept chain=Management comment=\
"Allow Safe list SSH access to router via WAN interfaces." dst-port=<redacted> \
in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
chain=Management comment=\
"Safe list time reset via router FTP ports via WAN interfaces." disabled=\
yes dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=\
Safe
add action=accept chain=Management comment=\
"Allow Safe list FTP access to router via WAN interfaces." disabled=yes \
dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=drop chain=Management comment=\
"Drop any Management chain packets that get this far."
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
chain=Ext-Safe comment="Safe list time reset via Open Manage." \
dst-address=192.168.201.11 dst-port=<redacted> in-interface=E10_Fiber_Internet \
protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
chain=Ext-Safe comment="Safe list time reset via SSH to RasPis." \
dst-address-list=RasPi dst-port=22 in-interface-list=WAN protocol=tcp \
src-address-list=Safe
add action=accept chain=Ext-Safe comment=\
"Allow Safe list SSH access to RasPis" dst-address-list=RasPi dst-port=22 \
in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=5m \
chain=Ext-Safe comment="Safe list time reset via NTP server ports." \
dst-address=192.168.123.123 dst-port=22,80 in-interface=\
E10_Fiber_Internet protocol=tcp src-address-list=Safe
add action=accept chain=Ext-Safe comment=\
"Allow Safe list access to NTP server." dst-address=192.168.123.123 \
dst-port=22,80 in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Safe
add action=drop chain=Ext-Safe comment=\
"Drop any Ext-Safe chain packets that get this far."
add action=accept chain=Uptime-Echo comment=\
"Allow Uptime list access to Echo Dot #1." dst-address=192.168.206.11 \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Uptime
add action=accept chain=Uptime-Echo comment=\
"Allow Uptime list access to Echo Dot #2." dst-address=192.168.206.12 \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Uptime
add action=accept chain=Uptime-Echo comment=\
"Allow Uptime list access to Echo Dot #3." dst-address=192.168.206.13 \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Uptime
add action=accept chain=Uptime-Echo comment=\
"Allow Uptime list access to Echo Dot #4." dst-address=192.168.206.14 \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Uptime
add action=accept chain=Uptime-Echo comment=\
"Allow Uptime list access to Steven's Echo Dot." dst-address=\
192.168.206.19 dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Uptime
add action=drop chain=Uptime-Echo comment=\
"Drop any Uptime-Echo chain packets that get this far."
# Drop-Normal: connections arriving on the default management ports (21/22/23/8291)
# from the WAN list are treated as probes - the source goes onto Black_list for 24h
# and the chain then drops. The real services sit on non-default ports (see
# /ip service below); where Black_list is enforced is outside this extract.
# Two things to note:
#  - log-prefix= is set on the four add rules but log=yes is not, so unlike the
#    PC-Boot rules further down they write no log entries; add log=yes if the
#    prefixes are meant to be seen.
#  - the WinBox rule's comment says "normal port 8921"; the rule itself matches 8291
#    (the WinBox default), the description has the digits transposed.
add action=add-src-to-address-list address-list=Black_list \
address-list-timeout=1d chain=Drop-Normal comment="Add FTP attempts to rou\
ter from internet via normal port 21 to Black-list for 24 hours." \
dst-port=21 in-interface-list=WAN log-prefix="Invalid FTP p21" protocol=\
tcp
add action=add-src-to-address-list address-list=Black_list \
address-list-timeout=1d chain=Drop-Normal comment="Add SSH attempts to rou\
ter from internet via normal port 22 to Black-list for 24 hours." \
dst-port=22 in-interface-list=WAN log-prefix="Invalid SSH p22" protocol=\
tcp
add action=add-src-to-address-list address-list=Black_list \
address-list-timeout=1d chain=Drop-Normal comment="Add Telnet attempts to \
router from internet via normal port 23 to Black-list for 24 hours." \
dst-port=23 in-interface-list=WAN log-prefix="Invalid Telnet p23" \
protocol=tcp
add action=add-src-to-address-list address-list=Black_list \
address-list-timeout=1d chain=Drop-Normal comment="Add Winbox attempts to \
router from internet via normal port 8921 to Black-list for 24 hours." \
dst-port=8291 in-interface-list=WAN log-prefix="Invalid WinBox p8291" \
protocol=tcp
add action=drop chain=Drop-Normal comment=\
"Drop all Drop-Normal chain packets.."
# PC-Boot: four-step TCP port knock over the WAN list. Each "add" step only matches
# sources already on the previous step's list, and every list entry expires after
# 15s, so the whole sequence has to complete inside that window. Each step is
# preceded by a drop rule for sources already on that step's list, which stops a
# repeated knock from being logged again. Both terminal steps (Family room, Light
# show) land in the same list, "PCB Knock-4", and differ only in their log prefix;
# because the Light-show blocker also keys on Knock-4, a source that has just
# completed the Family-room knock is dropped at the Light-show step for the next
# 15s. The "Family Rm PCB from Port Knock" and "Light Show PCB from Port Knock"
# scheduler entries act on the result (their scripts are not in this extract, so how
# they tell the two knocks apart is not visible here).
add action=drop chain=PC-Boot comment="PC boot Port Knock step 1 log blocker" \
dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=\
"PCB Knock-1"
add action=add-src-to-address-list address-list="PCB Knock-1" \
address-list-timeout=15s chain=PC-Boot comment=\
"PC boot Port Knock step 1" dst-port=<redacted> in-interface-list=WAN log=yes \
log-prefix="PC boot Port Knock step 1" protocol=tcp
add action=drop chain=PC-Boot comment="PC boot Port Knock step 2 log blocker" \
dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=\
"PCB Knock-2"
add action=add-src-to-address-list address-list="PCB Knock-2" \
address-list-timeout=15s chain=PC-Boot comment=\
"PC boot Port Knock step 2" dst-port=<redacted> in-interface-list=WAN log=yes \
log-prefix="PC boot Port Knock step 2" protocol=tcp src-address-list=\
"PCB Knock-1"
add action=drop chain=PC-Boot comment="PC boot Port Knock step 3 log blocker" \
dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=\
"PCB Knock-3"
add action=add-src-to-address-list address-list="PCB Knock-3" \
address-list-timeout=15s chain=PC-Boot comment=\
"PC boot Port Knock step 3" dst-port=<redacted> in-interface-list=WAN log=yes \
log-prefix="PC boot Port Knock step 3" protocol=tcp src-address-list=\
"PCB Knock-2"
add action=drop chain=PC-Boot comment=\
"PC boot Port Knock Family room log blocker" dst-port=<redacted> \
in-interface-list=WAN protocol=tcp src-address-list="PCB Knock-4"
add action=add-src-to-address-list address-list="PCB Knock-4" \
address-list-timeout=15s chain=PC-Boot comment=\
"PC boot Port Knock Family room" dst-port=<redacted> in-interface-list=WAN \
log=yes log-prefix="PC boot Port Knock Family room" protocol=tcp \
src-address-list="PCB Knock-3"
add action=drop chain=PC-Boot comment=\
"PC boot Port Knock Light show log blocker" dst-port=<redacted> \
in-interface-list=WAN protocol=tcp src-address-list="PCB Knock-4"
add action=add-src-to-address-list address-list="PCB Knock-4" \
address-list-timeout=15s chain=PC-Boot comment=\
"PC boot Port Knock Light show" dst-port=<redacted> in-interface-list=WAN log=\
yes log-prefix="PC boot Port Knock Light show" protocol=tcp \
src-address-list="PCB Knock-3"
add action=drop chain=PC-Boot comment=\
"Drop any PC-Boot chain packets that get this far."
# VNC: Safe-list and Privileged-list access to two VNC endpoints, plus Uptime-list
# access to the LOR Show one. For Safe sources the first rule refreshes the 15m Safe
# entry and the second accepts. The two Privileged rules carry no in-interface-list,
# so they match whichever interface the packet arrived on; whether that matters
# depends on the jump rules into this chain, which are outside this extract. The
# final drop is silent (no log=yes), unlike the E1.31 chain below.
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
chain=VNC comment="Safe time reset via Family Room 2018 VNC port" \
dst-address=192.168.201.43 dst-port=<redacted> in-interface-list=WAN protocol=\
tcp src-address-list=Safe
add action=accept chain=VNC comment=\
"Allow Safe list VNC to Family Room 2018." dst-address=192.168.201.43 \
dst-port=<redacted> in-interface-list=WAN protocol=tcp src-address-list=Safe
add action=accept chain=VNC comment=\
"Allow Privileged list VNC to Family Room 2018." dst-address=\
192.168.201.43 dst-port=<redacted> protocol=tcp src-address-list=Privileged
add action=accept chain=VNC comment=\
"Allow Uptime list access to LOR Show 2017 VNC port" dst-address=\
192.168.201.22 dst-port=<redacted> in-interface-list=WAN protocol=tcp \
src-address-list=Uptime
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
chain=VNC comment="Safe time reset via LOR-Show 2017 VNC port" \
dst-address=192.168.201.22 dst-port=<redacted> in-interface-list=WAN protocol=\
tcp src-address-list=Safe
add action=accept chain=VNC comment="Allow Safe list VNC to LOR-Show 2017." \
dst-address=192.168.201.22 dst-port=<redacted> in-interface-list=WAN protocol=\
tcp src-address-list=Safe
add action=accept chain=VNC comment=\
"Allow Privileged list VNC to LOR Show 2017." dst-address=192.168.201.22 \
dst-port=<redacted> protocol=tcp src-address-list=Privileged
add action=drop chain=VNC comment=\
"Drop any VNC chain packets that get this far"
# E1.31: Safe-list access to the pixel-controller web GUIs (plain HTTP on port 80).
# The "time reset" rules are limited to the WAN list and refresh the Safe entry; the
# accept rules that follow each one have no interface match. Everything else is
# dropped and logged with prefix "E1.31 drop". The corresponding dstnat forwards are
# the F16v3/E682/F4v3 entries in /ip firewall nat below (cable uplink).
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
chain=E1.31 comment="Safe time reset via F16v3 #1 GUI port" dst-address=\
192.168.131.91 dst-port=80 in-interface-list=WAN protocol=tcp \
src-address-list=Safe
add action=accept chain=E1.31 comment=\
"Allow Safe list access to F16v3 #1 GUI port" dst-address=192.168.131.91 \
dst-port=80 protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
chain=E1.31 comment="Safe time reset via F16v3 #2 GUI port" dst-address=\
192.168.131.92 dst-port=80 in-interface-list=WAN protocol=tcp \
src-address-list=Safe
add action=accept chain=E1.31 comment=\
"Allow Safe list access to F16v3 #2 GUI port" dst-address=192.168.131.92 \
dst-port=80 protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
chain=E1.31 comment="Safe time reset via F16v3 #3 GUI port" dst-address=\
192.168.131.93 dst-port=80 in-interface-list=WAN protocol=tcp \
src-address-list=Safe
add action=accept chain=E1.31 comment=\
"Allow Safe list access to F16v3 #3 GUI port" dst-address=192.168.131.93 \
dst-port=80 protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
chain=E1.31 comment="Safe time reset via E6804 #2 GUI port" dst-address=\
192.168.131.98 dst-port=80 in-interface-list=WAN protocol=tcp \
src-address-list=Safe
add action=accept chain=E1.31 comment=\
"Allow Safe list access to E6804 #2 GUI port" dst-address=192.168.131.98 \
dst-port=80 protocol=tcp src-address-list=Safe
add action=add-src-to-address-list address-list=Safe address-list-timeout=15m \
chain=E1.31 comment="Safe time reset via F4v3 #1 GUI port" dst-address=\
192.168.131.99 dst-port=80 in-interface-list=WAN protocol=tcp \
src-address-list=Safe
add action=accept chain=E1.31 comment=\
"Allow Safe list access to F4v3 #1 GUI port" dst-address=192.168.131.99 \
dst-port=80 protocol=tcp src-address-list=Safe
add action=drop chain=E1.31 comment=\
"Drop any E1.31 chain packets that get this far" log=yes log-prefix=\
"E1.31 drop"
/ip firewall mangle
# DNS connections (port 53) to the two internal resolvers whose payload matches the
# layer7 entry "local.mesh" (defined outside this extract) are connection-marked;
# the dstnat/masquerade pair in /ip firewall nat then hands those connections to the
# AREDN node at 10.9.60.81. Only the .101.251 resolver has both TCP and UDP rules -
# .201.251 has UDP only, so a TCP retry after a truncated answer to that resolver is
# not redirected; presumably an omission. The Cable-CPE packet mark is disabled.
add action=mark-connection chain=prerouting dst-address=192.168.101.251 \
dst-port=53 layer7-protocol=local.mesh new-connection-mark=\
local.mesh-forward passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-address=192.168.101.251 \
dst-port=53 layer7-protocol=local.mesh new-connection-mark=\
local.mesh-forward passthrough=yes protocol=udp
add action=mark-connection chain=prerouting dst-address=192.168.201.251 \
dst-port=53 layer7-protocol=local.mesh new-connection-mark=\
local.mesh-forward passthrough=yes protocol=udp
add action=mark-packet chain=prerouting disabled=yes dst-address=\
192.168.100.1 new-packet-mark=Cable-CPE passthrough=yes
/ip firewall nat
# Source NAT: masquerade on both uplinks, toward the four AREDN /29 subnets, on the
# AREDN LAN, and a hairpin rule (spelled "Harpin" in the comment) so .201 hosts can
# reach Jupiter's web server through the router's own address.
add action=masquerade chain=srcnat comment="Masquerade for Fiber" \
out-interface=E10_Fiber_Internet
add action=masquerade chain=srcnat comment="Masquerade for cable" \
out-interface=E01-pB2_Cable_Internet
add action=masquerade chain=srcnat comment=\
"Outbound masquerade for traffic to VLAN 11" dst-address=10.113.6.64/29
add action=masquerade chain=srcnat comment=\
"Outbound masquerade for traffic to VLAN 12" dst-address=10.115.242.96/29
add action=masquerade chain=srcnat comment=\
"Outbound masquerade for traffic to VLAN 13" dst-address=10.115.244.80/29
add action=masquerade chain=srcnat comment=\
"Outbound masquerade for traffic to VLAN 14" dst-address=10.165.92.248/29
add action=masquerade chain=srcnat comment="Masquerade for AREDN LAN" \
out-interface=VLAN_005
add action=masquerade chain=srcnat comment="Harpin NAT for HTTP on Jupiter" \
dst-address=192.168.201.11 dst-port=80 protocol=tcp src-address=\
192.168.201.0/24
# Destination NAT (port forwards). Points worth keeping in view:
#  - "VNC to Jupiter" is gated on the Safe list here. "VNC to LOR Show 2017", the
#    SuperGoose, IT Watchdog and IceCast forwards are not, so their exposure rests on
#    the forward-chain filter rules (the VNC chain above covers LOR Show; rules for
#    the others are not in this extract).
#  - "Web Server on Jupiter" (port 80) matches every interface except VLAN_005 and
#    any router-local destination address, i.e. port 80 arriving on both WAN
#    interfaces and on every LAN segment is handed to 192.168.201.11. The 443
#    variant and the "Maintenance web Server" entry (which would overlap it on
#    port 80) are disabled.
#  - The local.mesh-forward dst-nat/masquerade pair redirects the DNS connections
#    marked in /ip firewall mangle to the AREDN node.
add action=dst-nat chain=dstnat comment="VNC to Jupiter" dst-port=<redacted> \
in-interface=E10_Fiber_Internet protocol=tcp src-address-list=Safe \
to-addresses=192.168.201.11 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="VNC to LOR Show 2017" dst-port=<redacted> \
in-interface=E10_Fiber_Internet protocol=tcp to-addresses=192.168.201.22 \
to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Maintenance web Server on RasPi-4." \
disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=\
192.168.203.72 to-ports=80
add action=dst-nat chain=dstnat comment="Web Server on Jupiter." \
dst-address-type=local dst-port=80 in-interface=!VLAN_005 protocol=tcp \
to-addresses=192.168.201.11 to-ports=80
add action=dst-nat chain=dstnat comment="Web Server on Jupiter." disabled=yes \
dst-address-type=local dst-port=443 in-interface=!VLAN_005 protocol=tcp \
to-addresses=192.168.201.11 to-ports=443
add action=dst-nat chain=dstnat comment="Web Server on Jupiter from AREDN." \
dst-address-type=local dst-port=80 in-interface=VLAN_005 protocol=tcp \
to-addresses=192.168.201.11 to-ports=80
add action=dst-nat chain=dstnat comment="Johnstone SuperGoose HTTP" dst-port=\
<redacted> in-interface=E10_Fiber_Internet protocol=tcp to-addresses=\
192.168.203.240 to-ports=80
add action=dst-nat chain=dstnat comment="Johnstone SuperGoose HTTPS" \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp to-addresses=\
192.168.203.240 to-ports=443
add action=dst-nat chain=dstnat comment="Garage IT Watchdog 1200 HTTP" \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp to-addresses=\
192.168.201.20 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Garage IT Watchdog 1200 HTTPS" \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp to-addresses=\
192.168.201.20 to-ports=<redacted>
add action=dst-nat chain=dstnat connection-mark=local.mesh-forward \
to-addresses=10.9.60.81
add action=masquerade chain=srcnat connection-mark=local.mesh-forward
add action=dst-nat chain=dstnat comment="F16v3 #1 - Pixel tree" dst-port=\
<redacted> in-interface=E01-pB2_Cable_Internet protocol=tcp to-addresses=\
192.168.131.91 to-ports=80
add action=dst-nat chain=dstnat comment="F16v3 #2 - Roof & Eves" dst-port=\
<redacted> in-interface=E01-pB2_Cable_Internet protocol=tcp to-addresses=\
192.168.131.92 to-ports=80
add action=dst-nat chain=dstnat comment="F16v3 #3 - Perimeter & Candy canes" \
dst-port=<redacted> in-interface=E01-pB2_Cable_Internet protocol=tcp \
to-addresses=192.168.131.93 to-ports=80
add action=dst-nat chain=dstnat comment=\
"E682 #4 - Temp Perimeter & Candy canes" dst-port=<redacted> in-interface=\
E01-pB2_Cable_Internet protocol=tcp to-addresses=192.168.131.98 to-ports=\
80
add action=dst-nat chain=dstnat comment="F4v3 #1 - Planter, Walkway, & Roses" \
dst-port=<redacted> in-interface=E01-pB2_Cable_Internet protocol=tcp \
to-addresses=192.168.131.99 to-ports=80
add action=dst-nat chain=dstnat comment="Echo Dot #1 for Uptime Robot" \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Uptime to-addresses=192.168.206.11 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Echo Dot #2 for Uptime Robot" \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Uptime to-addresses=192.168.206.12 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Echo Dot #3 for Uptime Robot " \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Uptime to-addresses=192.168.206.13 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Echo Dot #4 for Uptime Robot" \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Uptime to-addresses=192.168.206.14 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="Echo Dot (Steven) for Uptime Robot" \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp \
src-address-list=Uptime to-addresses=192.168.206.19 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="IceCast on Streaming RasPi-3b" \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=tcp to-addresses=\
192.168.103.75 to-ports=<redacted>
add action=dst-nat chain=dstnat comment="IceCast on Streaming RasPi-3b" \
dst-port=<redacted> in-interface=E10_Fiber_Internet protocol=udp to-addresses=\
192.168.103.75 to-ports=<redacted>
/ip firewall service-port
# All NAT helpers (ALGs) are switched off. These helpers parse application payloads
# to open dynamic pinholes; leaving off the ones not needed removes that parsing
# from the attack surface.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# via-FO is the routing table the policy rules below use to force traffic out the
# fiber uplink. 10/8 and 172.16/12 are sent to the AREDN hAP (10.9.60.81), and the
# cable modem's own address is reached directly on the cable interface.
add comment="Frontier fiber optic" distance=1 gateway=<redacted> \
routing-mark=via-FO
add comment="AREDN hAP-at-Home" distance=1 dst-address=10.0.0.0/8 gateway=\
10.9.60.81
add distance=1 dst-address=172.16.0.0/12 gateway=10.9.60.81
add distance=1 dst-address=192.168.100.1/32 gateway=E01-pB2_Cable_Internet
/ip route rule
# Policy routing: for each LAN-side interface, RFC1918 destinations are looked up in
# main only and everything else in via-FO only (fiber). One redacted /32 source is
# pinned to fiber regardless of interface. The four VLAN_123 rules at the end omit
# action=, so they run with the default action (lookup); unlike lookup-only-in-table
# that can fall back to the main table when via-FO has no matching route - verify
# the difference from the other interfaces is intended. The E05 and VLAN_151 rules
# are disabled.
add action=lookup-only-in-table src-address=<redacted>/32 table=via-FO
add action=lookup-only-in-table dst-address=10.0.0.0/8 interface=E02-pB4_101 \
table=main
add action=lookup-only-in-table dst-address=10.0.0.0/8 interface=E06-pA2_201 \
table=main
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=\
E06-pA2_201 table=main
add action=lookup-only-in-table interface=E06-pA2_201 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=VLAN_202 \
table=main
add action=lookup-only-in-table interface=VLAN_202 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=\
E07-pA4_203 table=main
add action=lookup-only-in-table interface=E07-pA4_203 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=VLAN_204 \
table=main
add action=lookup-only-in-table interface=VLAN_204 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=VLAN_205 \
table=main
add action=lookup-only-in-table interface=VLAN_205 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=\
E08-pA6_206 table=main
add action=lookup-only-in-table interface=E08-pA6_206 table=via-FO
add action=lookup-only-in-table dst-address=192.168.0.0/16 interface=\
E09-pA8_207 table=main
add action=lookup-only-in-table interface=E09-pA8_207 table=via-FO
add action=lookup-only-in-table disabled=yes dst-address=192.168.0.0/16 \
interface=E05-pA10_802.1Q table=main
add action=lookup-only-in-table disabled=yes interface=E05-pA10_802.1Q table=\
via-FO
add action=lookup-only-in-table disabled=yes interface=VLAN_151 table=\
Either-WAN
add dst-address=192.168.0.0/16 interface=VLAN_123 table=main
add dst-address=10.0.0.0/8 interface=VLAN_123 table=main
add dst-address=172.16.0.0/12 interface=VLAN_123 table=main
add interface=VLAN_123 table=via-FO
/ip service
# Management services: telnet and both API variants are off; ftp, www, ssh, winbox
# and www-ssl run on non-default ports. Moving ports only cuts scanner noise (the
# Drop-Normal chain traps the defaults); none of these entries carries an address=
# restriction, so reachability is decided entirely by the input chain, which is
# outside this extract. ftp and www are cleartext - if they are only needed from
# the LAN, an address= restriction on them, or disabling www in favour of www-ssl,
# narrows what is reachable before the firewall has to decide.
set telnet disabled=yes
set ftp port=<redacted>
set www port=<redacted>
set ssh port=<redacted>
set www-ssl disabled=no port=<redacted>
set api disabled=yes
set winbox port=<redacted>
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes lets an SSH client negotiate the "none" cipher, i.e. an
# unencrypted session; set it to no (and consider strong-crypto=yes) unless
# something specifically depends on it. forwarding-enabled=remote lets authenticated
# SSH clients open remote port forwards through the router - keep only if used.
set allow-none-crypto=yes forwarding-enabled=remote
/ipv6 dhcp-client
# DHCPv6 address + prefix delegation on both uplinks; only the fiber client installs
# a default route.
add interface=E01-pB2_Cable_Internet pool-name="IPv6 pool 1" \
pool-prefix-length=56 request=address,prefix
add add-default-route=yes interface=E10_Fiber_Internet pool-name=\
"IPv6 pool 2" request=address,prefix
/ipv6 firewall filter
# Input: established/related, then all ICMPv6 from the WAN and LAN lists, then drop.
# The WAN ICMPv6 accept carries no icmp-options type match and no limit; trimming it
# to the types needed for neighbour discovery, PMTUD and echo is the usual
# hardening. There is no explicit accept for DHCPv6 replies (UDP dst-port 546) from
# WAN - if prefix delegation is working, established/related is covering it;
# otherwise this is the place to look. The two per-uplink drop rules are disabled.
add action=accept chain=input comment=\
"Accept Established and Related packets" connection-state=\
established,related
add action=accept chain=input comment=\
"Accept all ICMPv6 packets from WAN interfaces." in-interface-list=WAN \
protocol=icmpv6
add action=accept chain=input comment=\
"Accept all ICMPv6 packets from LAN interface list." in-interface-list=\
LAN protocol=icmpv6
add action=drop chain=input comment="Drop all IPV6 packets from fiber" \
disabled=yes in-interface=E10_Fiber_Internet log-prefix=IPV6
add action=drop chain=input comment="Drop all IPV6 packets from cable" \
disabled=yes in-interface=E01-pB2_Cable_Internet log-prefix=IPV6
add action=drop chain=input comment="Drop all input IPV6 packets"
# Forward: the .101 and .201 LANs may originate anything (there is no out-interface
# match, so this includes IPv6 traffic between the two); every other new forwarded
# flow, including all inbound from WAN, is dropped.
add action=accept chain=forward comment=\
"Accept Established and Related packets" connection-state=\
established,related
add action=accept chain=forward comment=\
"Accept outbound IPv6 packets from .101 LAN" in-interface=E02-pB4_101
add action=accept chain=forward comment=\
"Accept outbound IPv6 packets from .201 LAN" in-interface=E06-pA2_201
add action=drop chain=forward comment="Drop all forwarded IPV6 packets"
/ipv6 nd
# The default ND entry is disabled (and would not advertise DNS), so this router
# sends no router advertisements on it.
set [ find default=yes ] advertise-dns=no disabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=RB4011iGS+
/system logging
# Default entries 1 and 2 are disabled (what they were is not shown here).
# info/error/critical/warning go to a remote target whose address is outside this
# extract; error/critical/warning also go to disk. The "Send login alert" script
# below reads login/logout events from the router's own log buffer, so whichever
# memory entry feeds it must stay enabled. The last entry is a disabled duplicate
# critical rule with the default action.
set 1 disabled=yes
set 2 disabled=yes
add action=remote topics=info
add action=remote topics=error
add action=remote topics=critical
add action=disk topics=critical
add action=disk topics=error
add action=remote topics=warning
add action=disk topics=warning
add disabled=yes topics=critical
/system ntp client
# Time from the local NTP host first, a public server second. Correct time matters
# here: the 15s port-knock and 15m Safe-list timeouts and the login-alert timestamp
# comparison all depend on it.
set enabled=yes primary-ntp=192.168.123.123 secondary-ntp=132.163.97.4
/system package update
set channel=long-term
/system resource irq rps
# Receive packet steering on the cable uplink and the first four LAN/trunk ports.
set E01-pB2_Cable_Internet disabled=no
set E02-pB4_101 disabled=no
set E03-pB6_103 disabled=no
set E04-pB8_802.1Q disabled=no
set E05-pA10_802.1Q disabled=no
/system scheduler
# The rights a scheduled script can exercise are bounded by its scheduler entry's
# policy, and most entries here grant the full set
# (ftp,read,write,policy,test,password,sniff,sensitive). The "Daily Backup" script
# below states in its own header that password, sniff and romon are not needed,
# and "Send login alert" does not request sniff, so those two entries can be
# trimmed to the script's own policy line (least privilege). The scripts behind the
# two port-knock boot entries and "File write test" are not in this extract; check
# them before trimming those.
# The comment on "Send Login alert" is not free text: the script stores the
# timestamp of the last processed log entry there.
add interval=1d name="Daily backup" on-event="Daily Backup" policy=\
ftp,read,write,policy,test,password,sniff,sensitive start-date=\
jul/12/2016 start-time=22:31:00
add name=Startup on-event="System startup" policy=read,test start-time=\
startup
add comment="oct/24/2022 22:19:35" interval=1m name="Send Login alert" \
on-event="Send login alert" policy=\
ftp,read,write,policy,test,password,sniff,sensitive start-date=\
jul/15/2016 start-time=00:00:50
add comment="may/19/2017 21:37:39" interval=1m name="Check Spectrum IP" \
on-event="Check Spectrum IP" policy=read,write,policy,test start-date=\
may/19/2017 start-time=00:00:30
add interval=10m name="Ping test" on-event="Ping test" policy=read,test \
start-date=jun/12/2017 start-time=00:05:20
add interval=5m name="AREDN Ping test" on-event="AREDN ping test" policy=\
read,write,test start-date=apr/16/2020 start-time=00:04:15
add interval=1h name="Wyze Ping" on-event="Wyze Ping" policy=read,test \
start-date=jun/08/2020 start-time=00:02:15
add comment="may/19/2017 21:37:39" interval=1m name="Check Frontier IP" \
on-event="Check Frontier IP" policy=read,write,policy,test start-date=\
may/19/2017 start-time=00:00:40
add comment="sep/20/2022 10:38:17" interval=1m name=\
"Family Rm PCB from Port Knock" on-event="Port knock FamRm boot" policy=\
ftp,read,write,policy,test,password,sniff,sensitive start-date=\
jul/15/2016 start-time=00:00:10
add comment="jul/17/2022 21:29:36" interval=1m name=\
"Light Show PCB from Port Knock" on-event="Port knock LightShow boot" \
policy=ftp,read,write,policy,test,password,sniff,sensitive start-date=\
jul/15/2016 start-time=00:00:20
add comment="Temp script to export aredn ping results to a file." disabled=\
yes interval=5m name=Meshoween on-event="File write test" policy=\
ftp,read,write,policy,test,password,sniff,sensitive,romon start-date=\
apr/16/2020 start-time=00:03:45
add interval=3m name="Dynu DDNS update" on-event="Dynu update" \
policy=read,write,test start-date=nov/05/2021 start-time=00:01:30
add interval=4h name="Mail AREDN Pings" on-event="Mail AREDN Pings" policy=\
read,write,test start-date=sep/21/2022 start-time=02:34:50
/system script
# All script entries keep dont-require-permissions=no, so a run is checked against
# the caller's rights rather than granted unconditionally.
# Daily Backup (scheduler "Daily backup", nightly): saves a binary backup and a text
# export, then e-mails them - plus the package list and log.0.txt - to two addresses.
# The export is taken without hide-sensitive and the backup without password=, so any
# secrets the configuration holds travel in those mails; consider
# "/export hide-sensitive" and "/system backup save password=..." unless the mail path
# is trusted end to end. The entry's policy includes password although the script's
# own header says it is not needed.
add dont-require-permissions=no name="Daily Backup" owner=<redacted> policy=\
ftp,read,write,policy,test,password,sensitive source="# Policies needed: \
ftp, read, policy, sensitive, test, write\r\
\n# Policies NOT needed: password, reboot, sniff, romon\r\
\n:log info \"Starting daily backup\";\r\
\n/system backup save name=RB4011_Daily\r\
\n/export file=RB4011_Daily\r\
\n/system package print file=RB4011_Version.txt\r\
\n:delay 00:00:01\r\
\n/tool e-mail send file=RB4011_Daily.backup to=\"<redacted>\" body=\"4\
011 Router daily backup file attached.\" \\\r\
\n subject=\"RB4011 \$[/system clock get date] at \$[/system clock get \
time] Backup\"\r\
\n:delay 00:00:10\r\
\n/tool e-mail send file=RB4011_Daily.rsc,RB4011_Version.txt,log.0.txt to=\
\"<redacted>\" body=\"Router #1 daily script and version files attached\
.\" \\\r\
\n subject=\"RB4011 \$[/system clock get date] at \$[/system clock get \
time] Script\"\r\
\n:log info \"Daily backup script completed\"\r\
\n"
# System startup (scheduler "Startup"): waits 20s, then e-mails two addresses that
# the router has just booted. Useful as a cheap reboot detector alongside the
# remote syslog target.
add dont-require-permissions=no name="System startup" owner=<redacted> policy=\
read,test source=":log info \"Starting System Startup script\"\r\
\n:delay 00:00:20\r\
\n:log info \"Sending System startup E-Mail to <redacted>\"\r\
\n/tool e-mail send to=\"<redacted>\" body=\"\$[/system clock get date]\
\_at \$[/system clock get time] MikroTik RB4011 router has started 20 sec\
onds ago.\" \\\r\
\n subject=\"RB4011 router startup\"\r\
\n:delay 00:00:10\r\
\n:log info \"Sending System startup E-Mail to <redacted>\"\r\
\n/tool e-mail send to=\"<redacted>\" body=\"\$[/system clock get\
\_date] at \$[/system clock get time] MikroTik RB4011 router has started \
30 seconds ago.\" \\\r\
\n subject=\"RB4011 startup\"\r\
\n:log info \"System Startup script completed\"\r\
\n"
# Send login alert (scheduler "Send Login alert", every minute): scans the log
# buffer for "logged in" / "login failure" / "logged out" messages newer than the
# timestamp kept in that scheduler entry's comment, e-mails any new ones to two
# addresses and writes the newest timestamp back into the comment. Messages
# containing any string in removeThese are ignored - the array currently holds
# placeholders ("zippo", ...), so review it whenever something is added there. The
# alert itself is written with /log err, which the logging rules above also send to
# the remote target and to disk. If the stored timestamp is never matched (reboot
# wiped the buffer, or a filter removed the matching entry) the comment is reset and
# the next run reports everything, as the script's own comments explain.
add dont-require-permissions=no name="Send login alert" owner=<redacted> \
policy=ftp,read,write,policy,test,password,sensitive source="# BEGIN SETUP\
\r\
\n:local scheduleName \"Send Login alert\"\r\
\n:local emailAddress1 \"<redacted>\"\r\
\n:local emailAddress2 \"<redacted>\"\r\
\n:local startBuf [:toarray [/log find message~\"logged in\" || message~\"\
login failure\" || message~\"logged out\"]]\r\
\n:local removeThese {\"zippo\";\"whatever string you want\"}\r\
\n# END SETUP\r\
\n\r\
\n# warn if schedule does not exist\r\
\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\
\n /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedul\
e and edit script to match name\"\r\
\n}\r\
\n\r\
\n# get last time\r\
\n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
mment]\r\
\n# for checking time of each log entry\r\
\n:local currentTime\r\
\n# log message\r\
\n:local message\r\
\n \r\
\n\r\
\n# final output\r\
\n:local output\r\
\n\r\
\n:local keepOutput false\r\
\n# if lastTime is empty, set keepOutput to true\r\
\n:if ([:len \$lastTime] = 0) do={\r\
\n :set keepOutput true\r\
\n}\r\
\n\r\
\n\r\
\n:local counter 0\r\
\n# loop through all log entries that have been found\r\
\n:foreach i in=\$startBuf do={\r\
\n \r\
\n\r\
\n# loop through all removeThese array items\r\
\n :local keepLog true\r\
\n :foreach j in=\$removeThese do={\r\
\n# if this log entry contains any of them, it will be ignored\r\
\n :if ([/log get \$i message] ~ \"\$j\") do={\r\
\n :set keepLog false\r\
\n }\r\
\n }\r\
\n :if (\$keepLog = true) do={\r\
\n \r\
\n :set message [/log get \$i message]\r\
\n\r\
\n# LOG DATE\r\
\n# depending on log date/time, the format may be different. 3 known for\
mats\r\
\n# format of jan/01/2002 00:00:00 which shows up at unknown date/time. \
Using as default\r\
\n :set currentTime [ /log get \$i time ]\r\
\n# format of 00:00:00 which shows up on current day's logs\r\
\n :if ([:len \$currentTime] = 8 ) do={\r\
\n :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$cur\
rentTime)\r\
\n } else={\r\
\n# format of jan/01 00:00:00 which shows up on previous day's logs\r\
\n :if ([:len \$currentTime] = 15 ) do={\r\
\n :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/syste\
m clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\r\
\n }\r\
\n }\r\
\n \r\
\n\r\
\n# if keepOutput is true, add this log entry to output\r\
\n :if (\$keepOutput = true) do={\r\
\n :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\\n\")\
\r\
\n }\r\
\n# if currentTime = lastTime, set keepOutput so any further logs found \
will be added to output\r\
\n# reset output in the case we have multiple identical date/time entrie\
s in a row as the last matching logs\r\
\n# otherwise, it would stop at the first found matching log, thus all f\
ollowing logs would be output\r\
\n :if (\$currentTime = \$lastTime) do={\r\
\n :set keepOutput true\r\
\n :set output \"\"\r\
\n }\r\
\n }\r\
\n\r\
\n# if this is last log entry\r\
\n :if (\$counter = ([:len \$startBuf]-1)) do={\r\
\n# If keepOutput is still false after loop, this means lastTime has a v\
alue, but a matching currentTime was never found.\r\
\n# This can happen if 1) The router was rebooted and matching logs stor\
ed in memory were wiped, or 2) An item is added\r\
\n# to the removeThese array that then ignores the last log that determi\
ned the lastTime variable.\r\
\n# This resets the comment to nothing. The next run will be like the fi\
rst time, and you will get all matching logs\r\
\n :if (\$keepOutput = false) do={\r\
\n# if previous log was found, this will be our new lastTime entry \
\_ \r\
\n :if ([:len \$message] > 0) do={\r\
\n :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\")\
\r\
\n }\r\
\n }\r\
\n }\r\
\n :set counter (\$counter + 1)\r\
\n}\r\
\n\r\
\n\r\
\n# If we have output, save new date/time, and send email\r\
\nif ([:len \$output] > 0) do={\r\
\n /log err \"[LOGMON] New login or logout logs found, sending E-Mail.\"\
\r\
\n /system scheduler set [find name=\"\$scheduleName\"] comment=\$current\
Time\r\
\n /tool e-mail send to=\"\$emailAddress1\" subject=\"MikroTik RB4011 rou\
ter Log in or out alert \$currentTime\" body=\"Sent from Microtik RB4011 r\
outer \\n \\n \$output\"\r\
\n /tool e-mail send to=\"\$emailAddress2\" subject=\"MikroTik RB4011 rou\
ter Log in or out alert \$currentTime\" body=\"Sent from Microtik RB4011 r\
outer \\n \\n \$output\"\r\
\n /log info \"Login / Logout update E-Mail sent.\"\r\
\n}\r\
\n"
# Boot scanner feed PC: one Wake-on-LAN magic packet on VLAN_205. The MAC is the
# same placeholder used in "Boot LOR Show 2017 via .201" below and the script's own
# comment says it must be edited - presumably sanitized for the post.
add dont-require-permissions=no name="Boot scanner feed PC" owner=<redacted> \
policy=test source="# Policy needed: Test\r\
\n:log info \"Sending WoL Magic Packet to Scanner Feed PC\"\r\
\n# Need to edit next line to reflect actual MAC\r\
\n/tool wol interface=VLAN_205 mac=12:23:34:45:56:67\r\
\n:log info \"WoL script completed\"\r\
\n\r\
\n"
# Check Spectrum IP (scheduler "Check Spectrum IP", every minute): compares the
# cable interface address with the global CurrentCabIP and e-mails two addresses
# when it changes. The global is in-memory only, so the first run after a reboot
# reports a blank old address - the mail body says as much. "Check Frontier IP" is
# scheduled the same way and presumably does the same for the fiber uplink (its
# script is not in this extract).
add dont-require-permissions=no name="Check Spectrum IP" owner=<redacted> \
policy=read,write,policy,test source=":global CurrentCabIP;\r\
\n:local NewIP [/ip address get [find interface=\"E01-pB2_Cable_Internet\"\
] address];\r\
\n:local OldIP;\r\
\n:local CurrentTime\r\
\n:local CurrentDate\r\
\n:set CurrentDate ([:pick [/system clock get date] 0 11]);\r\
\n:set CurrentTime ([:pick [/system clock get time] 0 8]);\r\
\n:if (\$NewIP != \$CurrentCabIP) do={\r\
\n :set OldIP \$CurrentCabIP;\r\
\n :set CurrentCabIP \$NewIP;\r\
\n :log info \"IP address of \$OldIP changed to new IP of \$NewIP\";\r\
\n /tool e-mail send to=\"<redacted>\" subject=\"Spectrum IP add\
ress change\" body=\"\$CurrentDate at \$CurrentTime - Spectrum internet IP\
\_address change.\\n \\n Old IP address was: \$OldIP \\n New IP address i\
s: \$NewIP \\n If Old IP is blank, most likely a router startup. \\n\";\r\
\n /tool e-mail send to=\"<redacted>\" subject=\"Spectrum IP address c\
hange\" body=\"\$CurrentDate at \$CurrentTime - Spectrum internet IP addre\
ss change.\\n \\n Old IP address was: \$OldIP \\n New IP address is: \$N\
ewIP \\n If Old IP is blank, most likely a router startup. \\n\";\r\
\n\r\
\n}\r\
\n"
# Ping test (scheduler "Ping test", every 10 minutes): flood-pings 8.8.4.4 ten
# times and e-mails two addresses when the average RTT reaches 100 ms, or when it
# is 0 (taken as "no replies"). avgRtt is only assigned inside the do={} block when
# $sent is exactly 10; if flood-ping ever reports fewer, avgRtt stays unset and
# neither branch fires - worth checking if silent failures are a concern.
add dont-require-permissions=no name="Ping test" owner=<redacted> policy=\
read,test source="# Ping address and send E-Mail if average RTT exceeds th\
reshold.\r\
\n# :log info \"Start ping test script\"\r\
\n:local Themes \"Excessive ping time from Router #1.\"\r\
\n# Set the monitored IP address\r\
\n:local TestIP 8.8.4.4;\r\
\n# Set the delay time in mSec\r\
\n:local ErrorLevel 100\r\
\n:local avgRtt;\r\
\n/tool flood-ping \$TestIP count=10 do={\r\
\n:if (\$sent = 10) do={\r\
\n:set avgRtt \$\"avg-rtt\"\r\
\n}}\r\
\n:log info \"Average RTT to \$TestIP is: \$avgRtt Alarm threshold is: \
\$ErrorLevel\"\r\
\n:if (\$avgRtt >= \$ErrorLevel) do={\r\
\n# Send mail\r\
\n/tool e-mail send to <redacted> subject=\$Themes body=(\"4011 router \
\\nTest to IP: \$TestIP \\nAverage ping RTT: \$avgRtt ms \\nThreshold: \
\$ErrorLevel\")\r\
\n/tool e-mail send to <redacted> subject=\$Themes body=(\"4011 R\
outer1 \\nTest to IP: \$TestIP \\nAverage ping RTT: \$avgRtt ms \\nThres\
hold \$ErrorLevel\")\r\
\n:log err \"Excessive ping time E-Mail has been sent\";\r\
\n}\r\
\n:if (\$avgRtt = 0) do={\r\
\n# Send mail\r\
\n/tool e-mail send to <redacted> subject=\"Ping failure for 4011 route\
r\" body=(\"4011 router \\nTest to IP: \$TestIP \\nAverage ping RTT: \$a\
vgRtt ms\")\r\
\n/tool e-mail send to <redacted> subject=\"Ping failure for 4011\
\_router\" body=(\"4011 router \\nTest to IP: \$TestIP \\nAverage ping RT\
T: \$avgRtt ms\")\r\
\n:log err \"Ping failure E-Mail has been sent\";\r\
\n}\r\
\n# :log info \"End of script\"\r\
\n"
# DHCP Alert: e-mails two addresses that a rogue DHCP server was seen and points
# at the event log. Nothing in this extract schedules it, so it is presumably bound
# to the DHCP server's alert hook elsewhere in the configuration.
add dont-require-permissions=no name="DHCP Alert" owner=<redacted> policy=\
read,test source=":log info \"Starting Rogue DHCP server script\"\r\
\n/tool e-mail send to=\"<redacted>\" body=\"\$[/system clock get date]\
\_at \$[/system clock get time] MikroTik RB4011 router has detected a rog\
ue DHCP server. See event log.\" \\\r\
\n subject=\"RB4011 router found rogue DHCP server\"\r\
\n:delay 00:00:10\r\
\n/tool e-mail send to=\"<redacted>\" body=\"\$[/system clock get\
\_date] at \$[/system clock get time] MikroTik RB4011 router has detected\
\_a rogue DHCP server. See event log.\" \\\r\
\n subject=\"RB4011 router found rogue DHCP server\"\r\
\n:log info \"DHCP alert script completed\"\r\
\n"
# Boot LOR Show 2017 via .201: three Wake-on-LAN magic packets 10s apart on the
# .201 LAN, with the same placeholder MAC as "Boot scanner feed PC". Presumably
# wakes the host the "LOR Show 2017" VNC rules and forward above point at.
add dont-require-permissions=no name="Boot LOR Show 2017 via .201" owner=\
<redacted> policy=test source="# Policy needed: Test\r\
\n:log info \"Sending WoL Magic Packet to LOR Show 2017 on .201\"\r\
\n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n:delay 00:00:10\r\
\n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n:delay 00:00:10\r\
\n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n:log info \"WoL script completed\"\r\
\n\r\
\n\r\
\n"
# Wyze Ping (scheduler "Wyze Ping", hourly): reachability check of the cameras
# through PingFunc, with a work-hours exemption (Mon-Fri, 06:00-18:59 local time,
# TestEn=2) derived from a hand-rolled day-of-week calculation; per-device globals
# TestIP/TestIPname/TestEn are set and PingFunc is run once per camera.
# Defect in the day-of-week block: the line
#   :if ([:pick $date 9 10] = 0) do=[:set year ($yearc)]
# uses [ ] where the line before it uses { }. In RouterOS [ ] is command
# substitution, so ":set year" appears to run on every invocation (not only for
# years with a leading zero), reducing $year to its last digit and skewing DoW.
# Change it to do={:set year ($yearc)} to match the preceding line.
# 192.168.234.321 is not a valid IPv4 address and is presumably a sanitized
# placeholder; the other per-device blocks were removed from the extract (see the
# note inside the source).
add dont-require-permissions=no name="Wyze Ping" owner=<redacted> policy=\
read,test source="# Recent revisions (newest at top):\r\
\n# 2021-05-05 0745 Corrected name on camera 4 (removed a space).\r\
\n# 2021-08-06 1445 Added normal work hours exemption.\r\
\n\r\
\n# Ping address and send E-Mail if average RTT exceeds threshold.\r\
\n:log info \"Starting Wyze Ping test script\";\r\
\n\r\
\n# First is calculate the day of the week (to be used in work hours exemp\
tion).\r\
\n\r\
\n:local date [/system clock get date]\r\
\n\r\
\n# Math Calculation here\r\
\n:local months [:toarray \"jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,de\
c\"]\r\
\n:local monthtbl [:toarray \"0,3,3,6,1,4,6,2,5,0,3,5\"]\r\
\n:local daytbl [:toarray \"sun,mon,tue,wed,thu,fri,sat\"]\r\
\n\r\
\n:local month [:pick \$date 0 3]\r\
\n:local day [:pick \$date 4 6]\r\
\n:local dayc [:pick \$date 5 6]\r\
\n:local century [:pick \$date 7 9]\r\
\n:local year [:pick \$date 9 11]\r\
\n:local yearc [:pick \$date 10 11]\r\
\n\r\
\n# if the first char is a 0 (zero) only read last char, else script fails\
\r\
\n:if ([:pick \$date 4 5] = 0) do={ :set day (\$dayc)}\r\
\n:if ([:pick \$date 9 10] = 0) do=[:set year (\$yearc)]\r\
\n\r\
\n:local sum 0\r\
\n:local DoW 0\r\
\n:set sum (\$sum + (2 * (3 - (\$century - ((\$century / 4) * 4)))))\r\
\n:set sum (\$sum + (\$year / 4))\r\
\n:set sum (\$sum + \$year + \$day)\r\
\n:for mindex from=0 to=[:len \$months] do={\r\
\n :if ([:pick \$months \$mindex] = \$month) do={:set sum (\$sum + [:pick\
\_\$monthtbl \$mindex]) }\r\
\n}\r\
\n:set DoW (\$sum - ((\$sum / 7) * 7))\r\
\n# DoW is Day of Week where 0 = Sunday and 6 = Saturday\r\
\n\r\
\n# END Math Calculation\r\
\n\r\
\n# :log info \"Day of week = \$DoW\";\r\
\n\r\
\n# Set DoW to 1 for working day range\r\
\n:if ((\$DoW > 0) and (\$DoW < 6)) do={:set DoW 1}\r\
\n\r\
\n# ------ End of DoW calculation -----\r\
\n\r\
\n# Then calculate the hour of the day (to be used in work hours exemption\
).\r\
\n\r\
\n:local time [/system clock get time]\r\
\n:local ToD\r\
\n\r\
\n# Set ToD to hours\r\
\n:set ToD [:pick \$time 0 2]\r\
\n\r\
\n# :log info \"Hour is \$ToD\";\r\
\n\r\
\n# Set ToD to 1 for working hours\r\
\n:if ((\$ToD > 5) and (\$ToD < 19)) do={:set ToD 1}\r\
\n\r\
\n# Lastly if DoW and ToD are both = 1 then set Working to 1\r\
\n\r\
\n:global Working 0\r\
\n:if ((\$DoW = 1) and (\$ToD = 1)) do={:set Working 1}\r\
\n# :log info \"Converted Hour = \$ToD Converted Day of week = \$DoW W\
orking = \$Working\";\r\
\n\r\
\n\r\
\n\r\
\n# For each device set global variables for IP, name, and test enable\r\
\n# For each device, set that device TestEn variable as follows:\r\
\n# 0 = Disable testing\r\
\n# 1 = Normal testing\r\
\n# 2 = Normal testing EXCEPT during work hours\r\
\n\r\
\n:global TestIP 192.168.234.321;\r\
\n:global TestIPname Wyze_camera-01_Matrix;\r\
\n:global TestEn 1;\r\
\n/system script run \"PingFunc\"\r\
\n\r\
<lots of other devices deleted from this extract>
\n:log info \"Wyze Ping script completed.\"\r\
\n"
# Script "PingFunc": helper run by "Wyze Ping" once per device. Its input is
# the globals TestIP, TestIPname, TestEn and Working set by the caller.
# It tests when TestEn=1, or TestEn=2 and Working=0; otherwise it logs
# "<name> skipped.". The test is a 10-packet /tool flood-ping; AvgRtt is taken
# from avg-rtt once sent reaches 10, the average is logged, and an AvgRtt of 0
# is treated as a failure: :log err plus an e-mail whose subject and body are
# built from Sub1/Sub2/Bo1/Bo2. policy=read,test matches the caller.
# NOTE(review): AvgRtt is never assigned if the flood-ping callback does not
# see sent=10; whether an unset value then compares equal to 0 is not visible
# here - confirm, or initialise it explicitly before the ping.
add dont-require-permissions=no name=PingFunc owner=<redacted> policy=read,test \
source="# Start the Ping test function\r\
\n# Setup global variables that will be imput from calling script\r\
\n:global TestIP;\r\
\n:global TestIPname;\r\
\n:global TestEn;\r\
\n:global Working;\r\
\n\r\
\n# Set up local variables\r\
\n:local AvgRtt;\r\
\n:local Sub1 \"Ping failure to\"\r\
\n:local Sub2 \"from Router #1.\"\r\
\n:local Bo1 \"Test to IP: \"\r\
\n:local Bo2 \"Average ping RTT: \"\r\
\n\r\
\n# :log info \"TestIP = \$TestIP TestEn = \$TestEn Working = \$Working\
\";\r\
\n\r\
\n:if ((\$TestEn = 1) or ((\$TestEn = 2) and (\$Working = 0))) do={\r\
\n/tool flood-ping \$TestIP count=10 do={\r\
\n:if (\$sent = 10) do={\r\
\n:set AvgRtt \$\"avg-rtt\"\r\
\n}}\r\
\n:log info \"Average RTT to \$TestIP is: \$AvgRtt mSec\";\r\
\n:if (\$AvgRtt = 0) do={\r\
\n:log err \"Ping failure to \$TestIP E-Mail is being sent\";\r\
\n# Send mail\r\
\n/tool e-mail send to <redacted> subject=(\"\$Sub1 \$TestIPname \$Sub2\
\") body=(\"\$Bo1 \$TestIP \$TestIPname \\n \$Bo2 \$AvgRtt mSec.\")\r\
\n}} else={:log info \"\$TestIPname skipped.\"}\r\
\n"
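# Script "Day of week": the same weekday computation as "Wyze Ping"
# (century/year/month-table sum mod 7, 0 = Sunday) for the current
# [/system clock get date], then :put's "mmm/dd/yyyy is on a <day>" and the
# raw sum. It only reads the clock and prints, so it runs with
# policy=read,test like "Wyze Ping". The export granted it ftp, reboot, write,
# policy, password, sniff, sensitive and romon as well; none is used, and
# "policy" lets a script change user permissions while "sensitive" reveals
# stored secrets.
# The leading-zero tests use do={...}; do=[...] is command substitution and
# would run the :set unconditionally, cutting every year to its last digit.
add dont-require-permissions=no name="Day of week" owner=<redacted> policy=\
read,test source="#\
\_Calculates day of the week for a givien date\r\
\n# Month: jan,feb ... nov,dec (must be lower-case)\r\
\n# Day: 1 - 31\r\
\n# Year: 1900 - 2999\r\
\n# mmm/dd/yyyy same format as [/system clock get date]\r\
\n# (ex. jul/22/2009)\r\
\n\r\
\n:local date [/system clock get date]\r\
\n\r\
\n\r\
\n# Math Calculation here\r\
\n:local result \"\"\r\
\n:local months [:toarray \"jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,de\
c\"]\r\
\n:local monthtbl [:toarray \"0,3,3,6,1,4,6,2,5,0,3,5\"]\r\
\n:local daytbl [:toarray \"sun,mon,tue,wed,thu,fri,sat\"]\r\
\n\r\
\n:local month [:pick \$date 0 3]\r\
\n:local day [:pick \$date 4 6]\r\
\n:local dayc [:pick \$date 5 6]\r\
\n:local century [:pick \$date 7 9]\r\
\n:local year [:pick \$date 9 11]\r\
\n:local yearc [:pick \$date 10 11]\r\
\n\r\
\n# if the first char is a 0 (zero) only read last char, else script fails\
\r\
\n:if ([:pick \$date 4 5] = 0) do={ :set day (\$dayc)}\r\
\n:if ([:pick \$date 9 10] = 0) do={ :set year (\$yearc)}\r\
\n\r\
\n:local sum 0\r\
\n:set sum (\$sum + (2 * (3 - (\$century - ((\$century / 4) * 4)))))\r\
\n:set sum (\$sum + (\$year / 4))\r\
\n:set sum (\$sum + \$year + \$day)\r\
\n:for mindex from=0 to=[:len \$months] do={\r\
\n :if ([:pick \$months \$mindex] = \$month) do={:set sum (\$sum + [:pick\
\_\$monthtbl \$mindex]) }\r\
\n}\r\
\n:set sum (\$sum - ((\$sum / 7) * 7))\r\
\n:set result [:pick \$daytbl \$sum]\r\
\n\r\
\n# END Math Calculation\r\
\n\r\
\n:put ([:pick \$date 0 3] . \"/\" . [:pick \$date 4 6] . \"/\" . [:pick \
\$date 7 9] . [:pick \$date 9 11] . \" is on a \" . \$result)\r\
\n:put {\$sum}\r\
\n\r\
\n\r\
\n"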
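# Script "Check Frontier IP": reads the address on E10_Fiber_Internet, compares
# it with the global CurrentFOIP and, on a change, logs it, stores the new
# value and e-mails two (redacted) recipients with date, time, old and new
# address ("Old IP is blank" after a reboot, as the body says).
# Policy is read,write,test: the script reads an address and the clock, sets a
# global and sends mail; it never manages user policies, so the "policy" right
# the export carried is not needed.
# NOTE(review): the value of /ip address get ... address seems to carry the
# prefix length (the "Dynu update" script below strips a trailing "/nn" from
# the same kind of value); the comparison here is on the raw string - confirm
# that is intended.
add dont-require-permissions=no name="Check Frontier IP" owner=<redacted> \
policy=read,write,test source=":global CurrentFOIP;\r\
\n:local NewIP [/ip address get [find interface=\"E10_Fiber_Internet\"] ad\
dress];\r\
\n:local OldIP;\r\
\n:local CurrentTime\r\
\n:local CurrentDate\r\
\n:set CurrentDate ([:pick [/system clock get date] 0 11]);\r\
\n:set CurrentTime ([:pick [/system clock get time] 0 8]);\r\
\n:if (\$NewIP != \$CurrentFOIP) do={\r\
\n :set OldIP \$CurrentFOIP;\r\
\n :set CurrentFOIP \$NewIP;\r\
\n :log info \"Fiber IP address of \$OldIP changed to new IP of \$NewIP\
\";\r\
\n /tool e-mail send to=\"<redacted>\" subject=\"Frontier IP add\
ress change\" body=\"\$CurrentDate at \$CurrentTime - Frontier internet IP\
\_address change.\\n \\n Old IP address was: \$OldIP \\n New IP address i\
s: \$NewIP \\n If Old IP is blank, most likely a router startup. \\n\";\r\
\n /tool e-mail send to=\"<redacted>\" subject=\"Frontier IP address c\
hange\" body=\"\$CurrentDate at \$CurrentTime - Frontier internet IP addre\
ss change.\\n \\n Old IP address was: \$OldIP \\n New IP address is: \$N\
ewIP \\n If Old IP is blank, most likely a router startup. \\n\";\r\
\n\r\
\n}\r\
\n"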
# Script "Boot Family room 2018 PC on .201": sends three Wake-on-LAN magic
# packets, 10 s apart, out of E06-pA2_201 and logs start and end. It runs
# with policy=test, which the script's own first line notes as the right
# /tool wol needs - no other right is granted.
# The MAC 12:23:34:45:56:67 is the same placeholder in every WoL script of
# this extract, i.e. sanitized by the author.
add dont-require-permissions=no name="Boot Family room 2018 PC on .201" \
owner=<redacted> policy=test source="# Policy needed: Test\r\
\n:log info \"Sending WoL Magic Packet to Family room 2018 PC\"\r\
\n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n:delay 00:00:10\r\
\n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n:delay 00:00:10\r\
\n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n:log info \"WoL script completed\"\r\
\n\r\
\n"
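# Script "Port knock FamRm boot" (LOGMON pattern): collects log entries whose
# message contains "PC boot Port Knock Family room", drops any that match the
# removeThese list (still the template placeholders "zippo" / "whatever string
# you want"), normalises each entry's time to "mmm/dd/yyyy hh:mm:ss" and keeps
# only the entries after the timestamp stored in the comment of the scheduler
# entry named by scheduleName (all of them when that comment is empty; the
# last entry alone when the stored timestamp is no longer in the log). If
# anything was kept it writes the newest timestamp back into that comment and
# sends three WoL packets, 10 s apart, on E06-pA2_201.
# emailAddress1/2 are declared but never used: despite the final "send email"
# comment no mail is sent, the action is the wake-up.
# Policy is read,write,test: read for /log and /system scheduler get, write
# for the scheduler comment, test for /tool wol. The export also carried
# ftp, policy, password and sensitive; none is used, and "policy" would let
# this script change user permissions.
# NOTE(review): whatever writes the trigger log line (presumably a firewall
# rule with a log prefix) is outside this extract; any log entry containing
# that text causes the wake-up. The closing `if` lacks the leading colon the
# rest of the script uses - presumably accepted by 6.49.6, confirm.
add dont-require-permissions=no name="Port knock FamRm boot" owner=<redacted> \
policy=read,write,test source="# BEGIN SETUP\
\r\
\n:local scheduleName \"Family Rm PCB from Port Knock\"\r\
\n:local emailAddress1 \"<redacted>\"\r\
\n:local emailAddress2 \"<redacted>\"\r\
\n:local startBuf [:toarray [/log find message~\"PC boot Port Knock Family\
\_room\"]]\r\
\n:local removeThese {\"zippo\";\"whatever string you want\"}\r\
\n# END SETUP\r\
\n\r\
\n# warn if schedule does not exist\r\
\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\
\n /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedul\
e and edit script to match name\"\r\
\n}\r\
\n\r\
\n# get last time\r\
\n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
mment]\r\
\n# for checking time of each log entry\r\
\n:local currentTime\r\
\n# log message\r\
\n:local message\r\
\n \r\
\n\r\
\n# final output\r\
\n:local output\r\
\n\r\
\n:local keepOutput false\r\
\n# if lastTime is empty, set keepOutput to true\r\
\n:if ([:len \$lastTime] = 0) do={\r\
\n :set keepOutput true\r\
\n}\r\
\n\r\
\n\r\
\n:local counter 0\r\
\n# loop through all log entries that have been found\r\
\n:foreach i in=\$startBuf do={\r\
\n \r\
\n\r\
\n# loop through all removeThese array items\r\
\n :local keepLog true\r\
\n :foreach j in=\$removeThese do={\r\
\n# if this log entry contains any of them, it will be ignored\r\
\n :if ([/log get \$i message] ~ \"\$j\") do={\r\
\n :set keepLog false\r\
\n }\r\
\n }\r\
\n :if (\$keepLog = true) do={\r\
\n \r\
\n :set message [/log get \$i message]\r\
\n\r\
\n# LOG DATE\r\
\n# depending on log date/time, the format may be different. 3 known for\
mats\r\
\n# format of jan/01/2002 00:00:00 which shows up at unknown date/time. \
Using as default\r\
\n :set currentTime [ /log get \$i time ]\r\
\n# format of 00:00:00 which shows up on current day's logs\r\
\n :if ([:len \$currentTime] = 8 ) do={\r\
\n :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$cur\
rentTime)\r\
\n } else={\r\
\n# format of jan/01 00:00:00 which shows up on previous day's logs\r\
\n :if ([:len \$currentTime] = 15 ) do={\r\
\n :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/syste\
m clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\r\
\n }\r\
\n }\r\
\n \r\
\n\r\
\n# if keepOutput is true, add this log entry to output\r\
\n :if (\$keepOutput = true) do={\r\
\n :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\\n\")\
\r\
\n }\r\
\n# if currentTime = lastTime, set keepOutput so any further logs found \
will be added to output\r\
\n# reset output in the case we have multiple identical date/time entrie\
s in a row as the last matching logs\r\
\n# otherwise, it would stop at the first found matching log, thus all f\
ollowing logs would be output\r\
\n :if (\$currentTime = \$lastTime) do={\r\
\n :set keepOutput true\r\
\n :set output \"\"\r\
\n }\r\
\n }\r\
\n\r\
\n# if this is last log entry\r\
\n :if (\$counter = ([:len \$startBuf]-1)) do={\r\
\n# If keepOutput is still false after loop, this means lastTime has a v\
alue, but a matching currentTime was never found.\r\
\n# This can happen if 1) The router was rebooted and matching logs stor\
ed in memory were wiped, or 2) An item is added\r\
\n# to the removeThese array that then ignores the last log that determi\
ned the lastTime variable.\r\
\n# This resets the comment to nothing. The next run will be like the fi\
rst time, and you will get all matching logs\r\
\n :if (\$keepOutput = false) do={\r\
\n# if previous log was found, this will be our new lastTime entry \
\_ \r\
\n :if ([:len \$message] > 0) do={\r\
\n :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\")\
\r\
\n }\r\
\n }\r\
\n }\r\
\n :set counter (\$counter + 1)\r\
\n}\r\
\n\r\
\n\r\
\n# If we have output, save new date/time, and send email\r\
\nif ([:len \$output] > 0) do={\r\
\n /log err \"[LOGMON] Family room PC WoL from Port Knock.\"\r\
\n /system scheduler set [find name=\"\$scheduleName\"] comment=\$current\
Time\r\
\n :log info \"Sending WoL Magic Packet to Family room 2018 PC\"\r\
\n /tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n :delay 00:00:10\r\
\n /tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n :delay 00:00:10\r\
\n /tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n :log info \"WoL script completed\"\r\
\n}\r\
\n"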
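# Script "Port knock LightShow boot": a copy of "Port knock FamRm boot" with
# its own trigger text and scheduler entry. It collects log entries whose
# message contains "PC boot Port Knock Light show", drops any matching the
# removeThese placeholders, normalises each entry's time to
# "mmm/dd/yyyy hh:mm:ss" and keeps only the entries after the timestamp held
# in the comment of the scheduler entry "Light Show PCB from Port Knock". If
# anything was kept it stores the newest timestamp in that comment and sends
# three WoL packets, 10 s apart, on E06-pA2_201. emailAddress1/2 are unused;
# no mail is sent despite the final "send email" comment.
# Policy is read,write,test: read for /log and /system scheduler get, write
# for the scheduler comment, test for /tool wol. The export also carried
# ftp, policy, password and sensitive; none is used, and "policy" would let
# this script change user permissions.
# NOTE(review): the source of the trigger log line is outside this extract;
# any log entry containing that text causes the wake-up. The closing `if`
# lacks the leading colon used elsewhere - presumably accepted by 6.49.6,
# confirm.
add dont-require-permissions=no name="Port knock LightShow boot" owner=\
<redacted> policy=read,write,test source="# BE\
GIN SETUP\r\
\n:local scheduleName \"Light Show PCB from Port Knock\"\r\
\n:local emailAddress1 \"<redacted>\"\r\
\n:local emailAddress2 \"<redacted>\"\r\
\n:local startBuf [:toarray [/log find message~\"PC boot Port Knock Light \
show\"]]\r\
\n:local removeThese {\"zippo\";\"whatever string you want\"}\r\
\n# END SETUP\r\
\n\r\
\n# warn if schedule does not exist\r\
\n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\r\
\n /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedul\
e and edit script to match name\"\r\
\n}\r\
\n\r\
\n# get last time\r\
\n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] co\
mment]\r\
\n# for checking time of each log entry\r\
\n:local currentTime\r\
\n# log message\r\
\n:local message\r\
\n \r\
\n\r\
\n# final output\r\
\n:local output\r\
\n\r\
\n:local keepOutput false\r\
\n# if lastTime is empty, set keepOutput to true\r\
\n:if ([:len \$lastTime] = 0) do={\r\
\n :set keepOutput true\r\
\n}\r\
\n\r\
\n\r\
\n:local counter 0\r\
\n# loop through all log entries that have been found\r\
\n:foreach i in=\$startBuf do={\r\
\n \r\
\n\r\
\n# loop through all removeThese array items\r\
\n :local keepLog true\r\
\n :foreach j in=\$removeThese do={\r\
\n# if this log entry contains any of them, it will be ignored\r\
\n :if ([/log get \$i message] ~ \"\$j\") do={\r\
\n :set keepLog false\r\
\n }\r\
\n }\r\
\n :if (\$keepLog = true) do={\r\
\n \r\
\n :set message [/log get \$i message]\r\
\n\r\
\n# LOG DATE\r\
\n# depending on log date/time, the format may be different. 3 known for\
mats\r\
\n# format of jan/01/2002 00:00:00 which shows up at unknown date/time. \
Using as default\r\
\n :set currentTime [ /log get \$i time ]\r\
\n# format of 00:00:00 which shows up on current day's logs\r\
\n :if ([:len \$currentTime] = 8 ) do={\r\
\n :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$cur\
rentTime)\r\
\n } else={\r\
\n# format of jan/01 00:00:00 which shows up on previous day's logs\r\
\n :if ([:len \$currentTime] = 15 ) do={\r\
\n :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/syste\
m clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\r\
\n }\r\
\n }\r\
\n \r\
\n\r\
\n# if keepOutput is true, add this log entry to output\r\
\n :if (\$keepOutput = true) do={\r\
\n :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\\n\")\
\r\
\n }\r\
\n# if currentTime = lastTime, set keepOutput so any further logs found \
will be added to output\r\
\n# reset output in the case we have multiple identical date/time entrie\
s in a row as the last matching logs\r\
\n# otherwise, it would stop at the first found matching log, thus all f\
ollowing logs would be output\r\
\n :if (\$currentTime = \$lastTime) do={\r\
\n :set keepOutput true\r\
\n :set output \"\"\r\
\n }\r\
\n }\r\
\n\r\
\n# if this is last log entry\r\
\n :if (\$counter = ([:len \$startBuf]-1)) do={\r\
\n# If keepOutput is still false after loop, this means lastTime has a v\
alue, but a matching currentTime was never found.\r\
\n# This can happen if 1) The router was rebooted and matching logs stor\
ed in memory were wiped, or 2) An item is added\r\
\n# to the removeThese array that then ignores the last log that determi\
ned the lastTime variable.\r\
\n# This resets the comment to nothing. The next run will be like the fi\
rst time, and you will get all matching logs\r\
\n :if (\$keepOutput = false) do={\r\
\n# if previous log was found, this will be our new lastTime entry \
\_ \r\
\n :if ([:len \$message] > 0) do={\r\
\n :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\")\
\r\
\n }\r\
\n }\r\
\n }\r\
\n :set counter (\$counter + 1)\r\
\n}\r\
\n\r\
\n\r\
\n# If we have output, save new date/time, and send email\r\
\nif ([:len \$output] > 0) do={\r\
\n /log err \"[LOGMON] Light Show PC WoL from Port Knock.\"\r\
\n /system scheduler set [find name=\"\$scheduleName\"] comment=\$current\
Time\r\
\n:log info \"Sending WoL Magic Packet to LOR Show 2017 on .201\"\r\
\n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n:delay 00:00:10\r\
\n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n:delay 00:00:10\r\
\n/tool wol interface=E06-pA2_201 mac=12:23:34:45:56:67\r\
\n:log info \"WoL script completed\"\r\
\n}\r\
\n"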
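# Script "Dynu update": DDNS client for the cable WAN. Reads the address on
# Cabinterface, strips the "/nn" prefix length, compares it with the DNS
# answer for CabDDNShost and, if they differ, fetches
# /nic/update?hostname=...&myip=... from api.dynu.com with the Dynu
# credentials, deletes the downloaded file and remembers the new address.
# Security notes:
#  - the fetch uses mode=https so the Dynu user name and password are not
#    sent in the clear across the WAN (the export used mode=http). RouterOS 6
#    fetch does not verify the server certificate unless check-certificate=yes
#    is set, which first needs the CA chain imported on the router.
#  - CabDDNSuser / CabDDNSpass live in :global variables; globals are
#    presumably listable via /system script environment by any user with read
#    rights - confirm that is acceptable, or make them :local.
# The "no address" log line refers to $Cabinterface, the variable declared
# above it; the export referred to an undeclared $CabIPinterface and so logged
# an empty name.
# NOTE(review): [:typeof $CabIPfresh] = nil compares the typeof string with
# the bare word nil; "nil" (quoted) was presumably intended - confirm.
add dont-require-permissions=no name="Dynu update" owner=<redacted> \
policy=read,write,test source=":global CabDDNSuser \"<redacted>\"\r\
\n:global CabDDNSpass \"<redacted>\"\r\
\n:global Cabinterface \"E01-pB2_Cable_Internet\"\r\
\n:global CabDDNShost \"<redacted>\"\r\
\n:global CabIPddns [:resolve \$CabDDNShost];\r\
\n:global CabIPfresh [ /ip address get [/ip address find interface=\$Cabin\
terface ] address ]\r\
\n:if ([ :typeof \$CabIPfresh ] = nil ) do={\r\
\n:log info (\"CabDynuDDNS: No IP address on \$Cabinterface .\")\r\
\n} else={\r\
\n:for i from=( [:len \$CabIPfresh] - 1) to=0 do={\r\
\n:if ( [:pick \$CabIPfresh \$i] = \"/\") do={\r\
\n:set CabIPfresh [:pick \$CabIPfresh 0 \$i];\r\
\n}\r\
\n}\r\
\n:if (\$CabIPddns != \$CabIPfresh) do={\r\
\n:log info (\"CabDynuDDNS: Host = \$CabDDNShost\")\r\
\n:log info (\"CabDynuDDNS: IP-Dynu = \$CabIPddns\")\r\
\n:log info (\"CabDynuDDNS: IP-Fresh = \$CabIPfresh\")\r\
\n:log info \"CabDynuDDNS: Update IP needed, Sending UPDATE...!\"\r\
\n:global Cabstr \"/nic/update\?hostname=\$CabDDNShost&myip=\$CabIPfresh\"\
\r\
\n/tool fetch address=api.dynu.com src-path=\$Cabstr mode=https user=\$CabD\
DNSuser password=\$CabDDNSpass dst-path=(\"/Dynu.\".\$CabDDNShost)\r\
\n:delay 1\r\
\n:global Cabstr [/file find name=\"Dynu.\$CabDDNShost\"];\r\
\n/file remove \$Cabstr\r\
\n:global CabIPddns \$CabIPfresh\r\
\n:log info \"CabDynuDDNS: IP updated to \$CabIPfresh !\"\r\
\n} else={\r\
\n# :log info \"CabDynuDDNS: No changes needed. IP = \$CabIPfresh\";\r\
\n}\r\
\n}\r\
\n"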
# Outbound mail used by the scripts above: relay address, port and account
# are redacted; start-tls=yes so the SMTP credentials and the mail body are
# not sent in the clear.
/tool e-mail
set address=<redacted> from="RB4011iGS+ Router" password=<redacted> \
port=<redacted> start-tls=yes user=<redacted>
# Graphing: samples stored hourly; the interface and resource graph pages are
# reachable only from the four listed hosts (two on the .101 and two on the
# .201 subnets, each as a /32).
/tool graphing
set store-every=hour
/tool graphing interface
add allow-address=192.168.101.11/32
add allow-address=192.168.101.43/32
add allow-address=192.168.201.11/32
add allow-address=192.168.201.43/32
/tool graphing resource
add allow-address=192.168.101.11/32
add allow-address=192.168.101.43/32
add allow-address=192.168.201.11/32
add allow-address=192.168.201.43/32
# MAC-telnet and MAC-WinBox are limited to the interface lists "mactel" and
# "mac-winbox"; the lists' members are outside this extract.
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
# Packet sniffer preset: capture on E09-pA8_207 only, filtered to a redacted
# address and written to a redacted file name.
/tool sniffer
set file-name=<redacted> filter-interface=E09-pA8_207 filter-ip-address=\
<redacted>