I've managed to set up the VLANs, but have left off doing anything to my main subnet (64) just in case I mess something up.
I have put the VLANs under a single Bridge (hopefully that is best practice).
I would be very grateful if someone has the time to help me answer a few questions:
- I can ping from 66 to 68 - I assumed VLANs would stop me doing that. How do I stop being able to ping between these VLANs? Is this anything to do with turning on "VLAN-Filtering"?
- Will I lock myself out of my router if I move my main subnet (64) to a VLAN? How do I avoid that?
- How do I move my main subnet (64) to a VLAN? What do I have to be careful of?
I have put my config here - I think it is getting quite complex - I hope to move my French VPN to Wireguard soon (after upgrading to v7). My Android phone doesn't like L2TP/IPSec anymore.
If you spot any howlers in my config, please let me know!!
Thank you in advance,
Charlie
# mar/28/2022 18:40:02 by RouterOS 6.48.6
# software id = YCNI-BQ6N
#
# model = RB4011iGS+5HacQ2HnD
# serial number = B8E30B14AB4C
# --- Interfaces ---
# One LAN bridge carries the untagged main LAN (192.168.64.0/24) plus the
# tagged VLANs 66 and 68. vlan-filtering is NOT enabled on it, so the bridge
# does not enforce VLAN membership per port: tagged frames for any VID are
# forwarded like ordinary traffic, and a wired host on any bridge port can tag
# its own frames with VID 66/68 and land in that VLAN. Turning vlan-filtering on
# needs matching /interface bridge vlan entries (none appear in this export);
# add those first and make the switch from Safe Mode so a mistake is rolled
# back instead of locking you out.
# arp=proxy-arp is presumably there for the L2TP/PPP clients, which draw
# 192.168.64.x addresses from vpn-pool below -- confirm before changing it.
/interface bridge add admin-mac=C4:AD:34:60:79:47 arp=proxy-arp auto-mac=no comment=defconf name=bridge
# The on-board radios are CAPs of the local CAPsMAN (see /interface wireless cap);
# the ssid values set here are overridden by the CAPsMAN configurations.
/interface wireless
# managed by CAPsMAN
# channel: 5520/20-eCee/ac/DP(24dBm)+5210/80/P(17dBm), SSID: athome, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-channel=auto ssid=MikroTik-607951 station-roaming=enabled wireless-protocol=802.11
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-eC/gn(17dBm), SSID: athome, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-C64D6C station-roaming=enabled wireless-protocol=802.11
/interface ethernet set [ find default-name=ether1 ] comment="To Internet 1" name="ether1 Internet" rx-flow-control=auto speed=100Mbps tx-flow-control=auto
# NOTE(review): ether2 is commented as a second uplink, but it is a port of the
# LAN bridge (see /interface bridge port) and its WAN list membership is disabled.
# A modem plugged in here would be bridged straight into the main LAN -- confirm
# this is intended.
/interface ethernet set [ find default-name=ether2 ] comment="To Internet 2"
/interface ethernet set [ find default-name=ether3 ] name="ether3 RPi4"
/interface ethernet set [ find default-name=ether4 ] name="ether4 Cat"
/interface ethernet set [ find default-name=ether6 ] comment="To LondonPi" name="ether6 - LondonPi"
/interface ethernet set [ find default-name=ether7 ] auto-negotiation=no comment="To Synology" name="ether7 - Synology"
/interface ethernet set [ find default-name=ether8 ] comment="To Kitchen"
/interface ethernet set [ find default-name=ether9 ] auto-negotiation=no comment="To UpUp Router" name="ether9 - UpUp"
/interface ethernet set [ find default-name=ether10 ] comment="To Up Router" name="ether10 - Up"
/interface ethernet set [ find default-name=sfp-sfpplus1 ] disabled=yes
# VLAN interfaces sit on the bridge itself (router-on-a-stick). Each one is a
# routed L3 interface with its own /ip address, so traffic between VLAN 66 and
# VLAN 68 (or to the main LAN) is ROUTED by this router and is decided by the
# forward chain of /ip firewall filter -- not by the bridge and not by
# vlan-filtering. vlan_main_64 exists but is disabled: the main LAN is still
# the untagged bridge.
/interface vlan add interface=bridge name=vlan_guest_66 vlan-id=66
/interface vlan add disabled=yes interface=bridge name=vlan_main_64 vlan-id=64
/interface vlan add interface=bridge name=vlan_seperate_68 vlan-id=68
# --- CAPsMAN rates and security profiles ---
# One WPA2-PSK profile per SSID (main, guest, seperate); the passphrases are
# not shown, presumably because the export was taken with sensitive values
# hidden. Keep the three passphrases distinct -- the guest and seperate SSIDs
# share radios with the main SSID, so the VLAN tag plus the firewall is the
# only thing separating them.
/caps-man rates add basic=12Mbps name=rate1 supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security add authentication-types=wpa2-psk name=default_security
/caps-man security add authentication-types=wpa2-psk name=guest_security
/caps-man security add authentication-types=wpa2-psk name=seperate_security
# Switch-chip port PVIDs are explicitly 0, i.e. no VLAN assignment in the
# switch chip; tagging/untagging appears to happen only in the bridge/CPU via
# the CAPsMAN datapaths. This is consistent with vlan-filtering being off.
/interface ethernet switch port set 0 default-vlan-id=0
/interface ethernet switch port set 1 default-vlan-id=0
/interface ethernet switch port set 2 default-vlan-id=0
/interface ethernet switch port set 3 default-vlan-id=0
/interface ethernet switch port set 4 default-vlan-id=0
/interface ethernet switch port set 5 default-vlan-id=0
/interface ethernet switch port set 6 default-vlan-id=0
/interface ethernet switch port set 7 default-vlan-id=0
/interface ethernet switch port set 8 default-vlan-id=0
/interface ethernet switch port set 9 default-vlan-id=0
/interface ethernet switch port set 10 default-vlan-id=0
/interface ethernet switch port set 11 default-vlan-id=0
# --- Interface lists and CAPsMAN datapaths/configurations ---
# WAN/LAN are the lists the firewall, neighbor discovery and mac-server key on;
# 2GHz/5GHz only group the CAP radios.
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=2GHz
/interface list add name=5GHz
# default_datapath: client frames go untagged into the bridge = main LAN,
# client-to-client forwarding allowed.
# guest/seperate datapaths: vlan-mode=use-tag makes the CAP tag client frames
# with VID 66 / 68 before they enter the bridge. client-to-client-forwarding=no
# only separates clients of the same CAP interface; isolation from wired hosts
# and from the other VLANs still depends on the firewall.
# local-forwarding=no on all three means traffic is tunnelled to CAPsMAN
# (the "CAPsMAN forwarding" shown on the wlan interfaces above).
/caps-man datapath add bridge=bridge client-to-client-forwarding=yes interface-list=LAN local-forwarding=no name=default_datapath
/caps-man datapath add bridge=bridge client-to-client-forwarding=no interface-list=LAN local-forwarding=no name=guest_datapath vlan-id=66 vlan-mode=use-tag
/caps-man datapath add bridge=bridge client-to-client-forwarding=no interface-list=LAN local-forwarding=no name=seperate_datapath vlan-id=68 vlan-mode=use-tag
# Per-AP master configurations for SSID "athome" (fixed 2.4 GHz channels 1/6/11,
# auto-selected 5 GHz), all on default_datapath/default_security.
/caps-man configuration add channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.frequency=2412 country="united kingdom" datapath=default_datapath datapath.interface-list=2GHz installation=indoor mode=ap name="Up2 - Channel 1 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.frequency=2437 country="united kingdom" datapath=default_datapath datapath.interface-list=2GHz installation=indoor mode=ap name="Down2 - Channel 6 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=2ghz-g/n channel.control-channel-width=20mhz channel.frequency=2462 country="united kingdom" datapath=default_datapath datapath.interface-list=2GHz installation=indoor mode=ap name="UpUp2 - Channel 11 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=5ghz-onlyac channel.reselect-interval=1d channel.save-selected=yes country="united kingdom" datapath=default_datapath datapath.interface-list=5GHz installation=indoor name="Down5 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=5ghz-onlyac channel.reselect-interval=1d channel.save-selected=yes country="united kingdom" datapath=default_datapath datapath.interface-list=5GHz installation=indoor name="Up5 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=5ghz-onlyac channel.reselect-interval=1d channel.save-selected=yes country="united kingdom" datapath=default_datapath datapath.interface-list=5GHz installation=indoor name="UpUp5 - athome" rates=rate1 security=default_security ssid=athome
/caps-man configuration add channel.band=5ghz-onlyac channel.reselect-interval=1d channel.save-selected=yes country="united kingdom" datapath=default_datapath datapath.interface-list=5GHz installation=indoor mode=ap name=General_5Gz rates=rate1 security=default_security ssid=athome5
# Secondary (slave) SSIDs: athome5 hidden, athome2, and the two VLAN-tagged
# guest/seperate networks with their own security profiles.
/caps-man configuration add datapath=default_datapath datapath.interface-list=5GHz hide-ssid=yes name=athome5 rates=rate1 security=default_security ssid=athome5
/caps-man configuration add datapath=default_datapath datapath.interface-list=2GHz name=athome2 rates=rate1 security=default_security ssid=athome2
/caps-man configuration add datapath=guest_datapath name=guest_network security=guest_security ssid=athome_guest
/caps-man configuration add datapath=seperate_datapath name=seperate_network security=seperate_security ssid=athome_seperate
# Local (non-CAPsMAN) security profile; only the default supplicant identity is set.
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
# --- IPsec (France <-> London site-to-site, IKEv2) ---
# NOTE(review): the phase-1 profile offers aes-256,aes-128 AND 3des, and the
# phase-2 proposal offers sha512,sha256 AND sha1. Whatever is weakest in the
# list is what a peer can end up negotiating; remove 3des and sha1 unless the
# French router genuinely cannot do better. modp4096 / sha512 / pfs modp2048
# are otherwise fine. The peer address is redacted in this paste.
/ip ipsec profile add dh-group=modp4096 enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha512 name="profile_France VPN"
/ip ipsec peer add address=xxxxx comment=FranceLondon exchange-mode=ike2 name=peerFrance profile="profile_France VPN"
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=modp2048
# --- Address pools, DHCP, PPP, queues, logging actions, user groups ---
# vpn-pool (.201-.250) lives inside the main subnet but outside the DHCP range
# (.70-.150), so VPN clients become ordinary members of 192.168.64.0/24.
/ip pool add name=dhcp_pool_home_64 ranges=192.168.64.70-192.168.64.150
/ip pool add name=vpn-pool ranges=192.168.64.201-192.168.64.250
/ip pool add name=dhcp_pool_guest_66 ranges=192.168.66.151-192.168.66.250
/ip pool add name=dhcp_pool_seperate_68 ranges=192.168.68.2-192.168.68.254
# Main LAN DHCP runs on the bridge (untagged). home_vlan_dhcp_64 is the
# counterpart for the still-disabled vlan_main_64 and shares the same pool;
# when the main LAN moves to the VLAN, only one of these two should be active.
/ip dhcp-server add address-pool=dhcp_pool_home_64 disabled=no interface=bridge
/ip dhcp-server add address-pool=dhcp_pool_guest_66 disabled=no interface=vlan_guest_66 lease-time=1h name=guest_dhcp_66
/ip dhcp-server add address-pool=dhcp_pool_home_64 interface=vlan_main_64 lease-time=1h name=home_vlan_dhcp_64
/ip dhcp-server add address-pool=dhcp_pool_seperate_68 disabled=no interface=vlan_seperate_68 name=seperate_dhcp_68
# Both PPP profiles hand L2TP clients a main-LAN address; see the LAN list
# membership of the l2tp-in-* interfaces below for what that grants them.
/ppp profile set *0 local-address=192.168.64.1 remote-address=vpn-pool
/ppp profile set *FFFFFFFE local-address=192.168.64.1 remote-address=vpn-pool
# Bandwidth queues are all disabled.
/queue simple add disabled=yes dst="ether1 Internet" max-limit=16M/200M name="All Bandwidth" target=""
/queue simple add disabled=yes max-limit=10M/10M name="Charlie L13" parent="All Bandwidth" target=192.168.64.5/32
/queue simple add disabled=yes max-limit=1M/1M name=Pixel4 parent="All Bandwidth" target=192.168.64.68/32
# Logging actions: action 3 ships logs as plain BSD syslog to 192.168.64.6
# (unencrypted, LAN-only); the rest write to disk files.
/system logging action set 1 disk-lines-per-file=10000
/system logging action set 3 bsd-syslog=yes remote=192.168.64.6
/system logging action add disk-file-count=20 disk-file-name=InterfaceInfo disk-lines-per-file=60000 disk-stop-on-full=yes name=InfoDebug target=disk
/system logging action add disk-file-count=10 disk-file-name=Testlog disk-lines-per-file=10000 name=Test target=disk
/system logging action add disk-file-count=1 disk-file-name=Interface name=Interface target=disk
# NOTE(review): despite its name, group "simple" keeps the sensitive, password,
# sniff, api and romon policies. "sensitive" lets members reveal stored
# secrets (PSKs, VPN secrets) and "password" lets them change passwords, so
# this is far from read-only; trim to what its users actually need.
/user group add name=simple policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=simple
# --- CAPsMAN manager and provisioning ---
# Auto-generated CA/certificate for CAP <-> CAPsMAN authentication.
/caps-man manager set ca-certificate=auto certificate=auto enabled=yes
# Provisioning is pinned per radio MAC. guest_network is a slave SSID on every
# active radio; seperate_network only on Up5G. Because the VLAN SSIDs share
# radios with the main SSID, the VLAN tag and the firewall are the whole
# separation story.
/caps-man provisioning add action=create-dynamic-enabled comment=Down2G master-configuration="Down2 - Channel 6 - athome" name-format=prefix-identity name-prefix=Down2G radio-mac=74:4D:28:C6:4D:6C slave-configurations=guest_network
/caps-man provisioning add action=create-dynamic-enabled comment=Up2G master-configuration="Up2 - Channel 1 - athome" name-format=prefix-identity name-prefix=Up2G radio-mac=64:D1:54:04:7E:1B slave-configurations=guest_network
/caps-man provisioning add action=create-dynamic-enabled comment=UpUp2G master-configuration="UpUp2 - Channel 11 - athome" name-format=prefix-identity name-prefix=UpUp2GRed radio-mac=4C:5E:0C:B8:9D:9B slave-configurations=guest_network
/caps-man provisioning add action=create-dynamic-enabled comment=Down5G master-configuration="Down5 - athome" name-format=prefix-identity name-prefix=Down5G radio-mac=C4:AD:34:60:79:51 slave-configurations=athome5,guest_network
/caps-man provisioning add action=create-dynamic-enabled comment=UpUp5G disabled=yes master-configuration="UpUp5 - athome" name-format=prefix-identity name-prefix=UpUp5G radio-mac=CC:2D:E0:EB:1D:7F slave-configurations=guest_network
/caps-man provisioning add action=create-dynamic-enabled comment=Up5G master-configuration="Up5 - athome" name-format=prefix-identity name-prefix=Up5G radio-mac=64:D1:54:04:7E:1A slave-configurations=guest_network,seperate_network
# Two disabled catch-all rules (no radio-mac): any new CAP that registered
# would be provisioned by these if they were enabled -- keep them disabled
# unless that is wanted.
/caps-man provisioning add action=create-dynamic-enabled disabled=yes hw-supported-modes=ac master-configuration=General_5Gz name-format=prefix-identity name-prefix=Caps_5G
/caps-man provisioning add disabled=yes hw-supported-modes=b,g,gn master-configuration="Down2 - Channel 6 - athome" name-format=prefix-identity
# --- Bridge ports, list membership, VPN servers, CAP ---
# All LAN-facing ethernet ports and both radios are plain bridge ports with no
# pvid, so they carry the untagged main LAN and pass tagged frames untouched
# (vlan-filtering is off). ether2 ("To Internet 2") is among them -- see note
# on its /interface ethernet entry.
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface="ether3 RPi4"
/interface bridge port add bridge=bridge comment=defconf interface="ether4 Cat"
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface="ether6 - LondonPi"
/interface bridge port add bridge=bridge comment=defconf interface="ether7 - Synology"
/interface bridge port add bridge=bridge comment=defconf interface=ether8
/interface bridge port add bridge=bridge comment=defconf interface="ether9 - UpUp"
/interface bridge port add bridge=bridge comment=defconf interface="ether10 - Up"
/interface bridge port add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface bridge port add bridge=bridge comment=defconf interface=wlan1
/interface bridge port add bridge=bridge comment=defconf interface=wlan2
# NOTE(review): vlan_guest_66 is a VLAN sub-interface OF this bridge (see
# /interface vlan) and is here added back as a port of the same bridge. That is
# not how a VLAN is attached in RouterOS (membership goes in /interface bridge
# vlan) and it feeds the VLAN interface into its own parent; it looks like a
# leftover (vlan_seperate_68 has no such entry). Remove it before enabling
# vlan-filtering.
/interface bridge port add bridge=bridge interface=vlan_guest_66 pvid=66
# Neighbor discovery answers on every LAN-list interface -- which, per the
# list members below, includes the guest VLAN and the L2TP clients.
/ip neighbor discovery-settings set discover-interface-list=LAN
# NOTE(review): wan-interface-list=LAN looks like a slip for WAN
# (internet-interface-list already says WAN) -- check.
/interface detect-internet set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=LAN
# L2TP/IPsec remote-access server (MS-CHAPv2 inside IPsec).
/interface l2tp-server server set authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface="ether1 Internet" list=WAN
# L2TP client interfaces are full LAN members: every in-interface-list=LAN
# accept, neighbor discovery and mac-server apply to VPN users too.
/interface list member add interface=l2tp-in-CharlieW10 list=LAN
/interface list member add interface=l2tp-in-Nexus list=LAN
/interface list member add disabled=yes interface=ether2 list=WAN
# Stale entries: two disabled members with no interface, and bridge_guest,
# which is not defined anywhere in this export. Safe to delete.
/interface list member add disabled=yes list=LAN
/interface list member add disabled=yes list=LAN
/interface list member add interface=bridge_guest list=LAN
# NOTE(review): putting the guest VLAN in LAN grants it everything LAN gets:
# neighbor discovery, MAC-telnet/MAC-winbox (/tool mac-server), and the
# "Access from LAN to DNS Server .10" forward accept. A separate list for the
# isolated VLANs (e.g. a VLAN list used only where needed) keeps that explicit.
/interface list member add interface=vlan_guest_66 list=LAN
# OpenVPN server with mandatory client certificates; auth=sha1 is worth
# revisiting after the v7 upgrade mentioned in the post.
/interface ovpn-server server set auth=sha1 certificate=server cipher=aes256 default-profile=default-encryption require-client-certificate=yes
# The local radios register as CAPs with the CAPsMAN running on this same box.
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
# --- Addressing, WAN client, DNS ---
# The router holds the gateway address of all three subnets, which is what
# makes inter-VLAN traffic a routing (forward-chain) question.
/ip address add address=192.168.64.1/24 comment=defconf interface=bridge network=192.168.64.0
/ip address add address=192.168.66.1/24 interface=vlan_guest_66 network=192.168.66.0
/ip address add address=192.168.68.1/24 interface=vlan_seperate_68 network=192.168.68.0
# MikroTik cloud DDNS publishes this router's public address under its serial-derived name.
/ip cloud set ddns-enabled=yes
/ip dhcp-client add disabled=no interface="ether1 Internet"
# allow-remote-requests is not set here, so at its default the router does not
# act as a resolver for the LAN (consistent with the .10 DNS server referenced
# in the firewall); the WAN port-53 input drops are then belt-and-braces.
/ip dns set servers=8.8.8.8,8.8.4.4
# --- Firewall filter ---
# Rules are evaluated top-down per chain; the first terminating match wins,
# and a packet that reaches the END of a chain is ACCEPTED. Disabled rules are
# exported but do nothing.
#
# NOTE(review): nothing in the forward chain drops traffic between the VLANs and
# the main LAN: the two "Block from Guest Network" rules are disabled and only
# cover 66 -> 64 anyway, and the final forward drop only matches
# in-interface-list=WAN. So 66 <-> 68 and 66/68 -> 64 fall off the end of the
# chain and are accepted -- that is why ping works between the VLANs; it has
# nothing to do with bridge vlan-filtering. Rules of this shape, placed after
# the "accept established,related" rule (so replies keep flowing) and before
# the end of the chain, close that:
#   add action=drop chain=forward comment="Guest VLAN: internet only" in-interface=vlan_guest_66 out-interface-list=!WAN
#   add action=drop chain=forward comment="Seperate VLAN: internet only" in-interface=vlan_seperate_68 out-interface-list=!WAN
/ip firewall filter add action=accept chain=forward disabled=yes dst-address=192.168.64.6 dst-port=23 log=yes log-prefix="Allow Telnet to Synology" protocol=tcp
/ip firewall filter add action=drop chain=forward comment="Drop Facebook" disabled=yes dst-port=443 log=yes log-prefix="Drop Facebook" protocol=tcp tls-host=*facebook.com
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="CH_Track invalid"
/ip firewall filter add action=log chain=forward comment="Drop from Blacklist sites" disabled=yes log-prefix="CH_Track fwd from Blacklist" src-address=192.168.64.5
/ip firewall filter add action=drop chain=forward disabled=yes log=yes log-prefix=BADorNOT: src-address=192.168.64.144
/ip firewall filter add action=drop chain=input disabled=yes log=yes log-prefix=BADorNOT: src-address=192.168.64.144
/ip firewall filter add action=drop chain=forward comment="Drop to Blacklist sites" disabled=yes dst-address-list=myblacklist log=yes log-prefix="CH_Track fwd to Blacklist"
# Accepts UDP 47111 from ANY in-interface; only meaningful because of the
# dst-nat to 192.168.64.7. Could be tightened with in-interface-list=WAN and
# dst-address=192.168.64.7.
/ip firewall filter add action=accept chain=forward comment="Wireguard Port" dst-port=47111 protocol=udp
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix="CH_Track invalid"
# fasttrack: established/related packets bypass the rest of this chain (and
# queues). The France laptop /28 is excluded so IPsec still handles it. Any
# new inter-VLAN drop must therefore catch the FIRST packet of a connection.
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related dst-address=!192.168.65.192/28 src-address=!192.168.65.192/28
# "untracked" here is what lets the notrack'd 64 <-> 65 traffic (see /ip firewall raw) through.
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="Camera Out" log=yes log-prefix="Block Camera out:" out-interface-list=WAN src-address-list=Camera
/ip firewall filter add action=add-dst-to-address-list address-list=OtherIPAddresses address-list-timeout=none-static chain=forward comment=70-150 disabled=yes log-prefix="CH_Track: Other IP Addresses" src-address=192.168.64.70-192.168.64.150
/ip firewall filter add action=add-dst-to-address-list address-list=Catdoor_going_to address-list-timeout=none-static chain=forward comment="Cat Door" log-prefix=Cat src-address-list=CatDoor
# "LAN" includes vlan_guest_66 (see /interface list member), so the guest VLAN
# is also allowed to reach the .10 DNS server.
/ip firewall filter add action=accept chain=forward comment="Access from LAN to DNS Server .10" dst-address=192.168.64.10 in-interface-list=LAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN ipsec-policy=in,none
/ip firewall filter add action=add-src-to-address-list address-list=TryingToGetToSynology address-list-timeout=none-static chain=forward comment="Stop access to Synology except from 64 65 AllowAccesstoBlackSyno" disabled=yes dst-address=192.168.64.6 log=yes log-prefix="CH_Track Blocked access to Black Synology" src-address-list=!AllowedAccessToBlackSynology
/ip firewall filter add action=drop chain=forward comment="Stop access to Synology except from 64 65 AllowAccesstoBlackSyno" disabled=yes dst-address=192.168.64.6 log=yes log-prefix="CH_Track Blocked access to Black Synology" src-address-list=!AllowedAccessToBlackSynology
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN ipsec-policy=in,none log=yes log-prefix="CH_Track !public" src-address-list=not_in_internet
/ip firewall filter add action=drop chain=input comment="Drop input from blacklist" disabled=yes log-prefix="CH_Track input from myblacklist" src-address-list=myblacklist
/ip firewall filter add action=accept chain=input comment="accept input established,related,untracked" connection-state=established,related,untracked log-prefix="accept input established,related,untracked"
# Bogus TCP flag combinations and source port 0 (forward only; no input equivalent).
/ip firewall filter add action=drop chain=forward comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
/ip firewall filter add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
/ip firewall filter add action=drop chain=forward protocol=tcp src-port=0
# Both guest-isolation rules are DISABLED, and neither covers VLAN 68 or 66 -> 68.
/ip firewall filter add action=drop chain=forward comment="Block from Guest Network to Main Network" disabled=yes dst-address=192.168.64.0/24 log=yes src-address=192.168.66.0/24
/ip firewall filter add action=drop chain=forward comment="Block from Guest Network to Main Network" disabled=yes log=yes log-prefix="CH_Track FWD ip not known" src-address-list=!MainNetwork
/ip firewall filter add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
# NOTE(review): every non-whitelisted source that touches the L2TP/IKE ports is
# added to maybeBlacklist and then immediately accepted by VPN1 -- legitimate
# roaming VPN clients are listed too. Whether maybeBlacklist ever feeds
# myblacklist (which the raw chain drops) is done by scripts not in this
# export; check that a genuine client cannot talk itself onto the blacklist.
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=none-static chain=input comment="Add SRC to maybeblacklist" log=yes log-prefix="CH_Track add SRC to maybeBlacklist" port=1701,500,4500 protocol=udp src-address-list=!whitelist
/ip firewall filter add action=accept chain=input comment=VPN1 log-prefix="CH_Track VPN1" port=1701,500,4500 protocol=udp
# log=yes here logs every ESP packet -- very noisy once a tunnel is up.
/ip firewall filter add action=accept chain=input comment=VPN2 log=yes log-prefix="CH_Track VPN2" protocol=ipsec-esp
# Greylist ladder: repeat unsolicited WAN sources climb mygreylist -> mygreylist2
# -> mygreylist3 -> maybeBlacklist before the final WAN drop.
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=1w3d chain=input in-interface-list=WAN log-prefix="[BadIP Ladder] to maybeBlacklist" src-address-list=mygreylist3
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist3 address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=mygreylist2
/ip firewall filter add action=add-src-to-address-list address-list=mygreylist2 address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=mygreylist
/ip firewall filter add action=add-src-to-address-list address-list=maybeBlacklist address-list-timeout=1h30m chain=input in-interface-list=WAN src-address-list=!whitelist
/ip firewall filter add action=drop chain=input comment="Drop everything else that has got through" in-interface-list=WAN ipsec-policy=in,none log-prefix="CH_Track Last rule: Input"
/ip firewall filter add action=log chain=input comment="Drop everything else that has got through" disabled=yes ipsec-policy=in,none log-prefix="CH_Track Last rule: Input" src-address-list=!MainNetwork
# NOTE(review): unlike the rule two above, this drop has no in-interface
# restriction, so as written it also drops NEW connections from the LAN and the
# VLANs to the router itself (Winbox/SSH/HTTPS over IP, pings to the gateway);
# no earlier input rule accepts LAN traffic. If management currently works it is
# presumably via MAC-winbox (allowed on LAN below) or something not in this
# export. Confirm before moving the main LAN to a VLAN -- this is the lock-out
# path -- and do that change from Safe Mode.
/ip firewall filter add action=drop chain=input comment="Drop everything else that has got through" ipsec-policy=in,none log=yes log-prefix="CH_Track Last rule: Input"
# Final forward drop matches WAN ingress only; LAN/VLAN-originated forward
# traffic that reaches this point is accepted by the chain default.
/ip firewall filter add action=drop chain=forward comment="Drop everything else that has got through" in-interface-list=WAN ipsec-policy=in,none log-prefix="CH_Track Last Rule: Forward: Drop"
/ip firewall filter add action=drop chain=output dst-address-list=myblacklist log=yes log-prefix="Drop FW Output"
# --- NAT ---
# The RDP and telnet port-forwards are disabled; the only live dst-nat is
# UDP 47111 -> 192.168.64.7 (the WireGuard host on the LAN). src-port="" is an
# empty matcher and can be dropped.
/ip firewall nat add action=dst-nat chain=dstnat comment="Send RDP packets to 64.11" disabled=yes dst-port=15092 log=yes log-prefix="CH_Track NAT RDP" protocol=tcp to-addresses=192.168.64.11 to-ports=3389
/ip firewall nat add action=dst-nat chain=dstnat comment="Send telnet packets to Synology on 64.6" disabled=yes dst-port=23 log=yes log-prefix=Telnet protocol=tcp to-addresses=192.168.64.6 to-ports=23
/ip firewall nat add action=dst-nat chain=dstnat comment="Send packets to wireguard server 64.7" dst-port=47111 protocol=udp src-port="" to-addresses=192.168.64.7 to-ports=47111
# srcnat accepts exempt the WireGuard (10.100.0.0/24) and France (192.168.65.0/24)
# destinations from masquerading; they must stay above the masquerade rule.
/ip firewall nat add action=accept chain=srcnat comment="Wireguard VPN" dst-address=10.100.0.0/24 src-address=192.168.64.0/24
/ip firewall nat add action=accept chain=srcnat comment=FranceLondon dst-address=192.168.65.0/24 src-address=192.168.64.0/24
/ip firewall nat add action=accept chain=dstnat comment=FranceLondon dst-address=192.168.64.0/24 src-address=192.168.65.0/24
# ipsec-policy=out,none keeps IPsec-bound packets un-NATed; src-address=0.0.0.0/0 is redundant.
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=0.0.0.0/0
/ip firewall nat add action=accept chain=srcnat disabled=yes src-address=192.168.64.21
# --- RAW (before connection tracking) ---
# Blacklist drops are cheapest here. Note only the first rule has no logging.
/ip firewall raw add action=drop chain=prerouting log-prefix="Drop Raw" src-address-list=myblacklist
/ip firewall raw add action=drop chain=prerouting dst-address-list=myblacklist log=yes log-prefix="CH_Track Drop PreOut Raw"
/ip firewall raw add action=drop chain=output dst-address-list=myblacklist log=yes log-prefix="CH_Track Drop Output Raw"
# NOTE(review): notrack exempts all 64 <-> 65 traffic from connection tracking.
# It is then accepted by the "untracked" accept in the filter, so there is NO
# stateful filtering between the two sites in either direction -- fine only if
# 192.168.65.0/24 is trusted exactly as much as the main LAN.
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.64.0/24 src-address=192.168.65.0/24
/ip firewall raw add action=notrack chain=prerouting dst-address=192.168.65.0/24 src-address=192.168.64.0/24
# --- IPsec policies, routes, management services, NetFlow ---
# Identity for the France peer (auth method/secret not shown in this export).
/ip ipsec identity add peer=peerFrance
/ip ipsec policy add disabled=yes dst-address=192.168.70.0/24 src-address=0.0.0.0/0 template=yes
# Laptop /28 is reachable from anywhere (src 0.0.0.0/0); the site-to-site
# policy is limited to the main LAN, so VLAN 66/68 hosts are not tunnelled.
/ip ipsec policy add comment=FranceLondon-Laptop dst-address=192.168.65.192/28 peer=peerFrance src-address=0.0.0.0/0 tunnel=yes
/ip ipsec policy add comment=FranceLondon dst-address=192.168.65.0/24 peer=peerFrance src-address=192.168.64.0/24 tunnel=yes
# 10.100.0.0/24 is routed to the LAN WireGuard host; the France prefix is
# pointed at the WAN interface so the IPsec policy picks it up.
/ip route add distance=2 dst-address=10.100.0.0/24 gateway=192.168.64.7 pref-src=192.168.64.1
/ip route add comment=FranceLondon distance=1 dst-address=192.168.65.0/24 gateway="ether1 Internet" pref-src=192.168.64.1
# NOTE(review): telnet/ftp/api/api-ssl are off and HTTPS uses LocalCA, but an
# export lists only changed values -- www (plain HTTP), ssh and winbox are
# therefore at their defaults (enabled, no address restriction). Disable www
# and set address= on the remaining services to the management subnet so the
# guest/seperate VLANs and VPN clients cannot reach them.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www-ssl certificate=LocalCA disabled=no
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
# Traffic-flow (NetFlow) export to a LAN collector, unencrypted.
/ip traffic-flow set active-flow-timeout=1m enabled=yes
/ip traffic-flow target add dst-address=192.168.64.18 port=1234
# --- System: clock, identity, LEDs, logging, NTP, updates, schedulers ---
/system clock set time-zone-name=Europe/London
/system identity set name=RB4011
/system leds add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
/system leds add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
/system leds add interface=wlan2 leds=wlan2_rx-led type=interface-receive
# Logging topics: most debug rules are disabled; rule 3 (default: error to
# remote) is redirected to memory, so the bsd-syslog action is unused unless
# another rule references it.
/system logging set 0 topics=info,!caps,!dhcp,!system
/system logging set 3 action=memory
/system logging add disabled=yes topics=ipsec,account,info
/system logging add disabled=yes topics=ppp,!debug
/system logging add topics=account
/system logging add disabled=yes topics=wireless,debug
/system logging add disabled=yes topics=caps,debug
/system logging add disabled=yes topics=caps,info
/system logging add disabled=yes topics=l2tp,info
/system logging add disabled=yes topics=ipsec,!packet,!debug
/system logging add topics=health
/system logging add disabled=yes topics=system
/system logging add disabled=yes topics=info,!caps,!interface,!system,!dhcp,!ipsec
/system logging add disabled=yes
/system logging add topics=ovpn
/system logging add disabled=yes topics=info
/system logging add disabled=yes topics=ssh,!packet
/system logging add disabled=yes topics=ipsec
/system logging add disabled=yes topics=caps
# NTP client against two public servers; the NTP server is also enabled and
# is reachable wherever the input chain allows UDP 123.
/system ntp client set enabled=yes primary-ntp=162.159.200.1 secondary-ntp=178.79.160.57
/system ntp server set enabled=yes
/system package update set channel=long-term
# NOTE(review): nearly every scheduler runs with the full policy set
# (ftp,write,policy,password,sensitive,...). A script with "policy" can change
# user groups and with "sensitive" can read secrets, so a mistake or an
# injected line in any of these scripts (most of them are not in this export)
# runs with full rights. Trim each entry to what its script needs, as the
# ip-cloud-forceupdate entry already does with policy=read,write.
/system scheduler add disabled=yes interval=1h name="Update Time" on-event="/ip cloud set update-time=yes" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=aug/22/2017 start-time=23:38:00
/system scheduler add disabled=yes interval=1d name="Update Blacklists" on-event=RunAddDeleteBlacklists policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/09/2017 start-time=03:30:00
/system scheduler add disabled=yes interval=1d name=UsageReport on-event=Usage2 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/10/2017 start-time=03:00:00
/system scheduler add comment="sep/29/2018 10:52:34" disabled=yes interval=30m name=VPN_Connections on-event=VPN_Connections policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/17/2017 start-time=16:36:00
/system scheduler add disabled=yes interval=1m name=ipsec-peer-update-FranceLondon on-event="/system script run ipsec-peer-update-FranceLondon" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=aug/06/2018 start-time=22:06:53
/system scheduler add disabled=yes interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" policy=read,write start-date=aug/06/2018 start-time=22:06:59
/system scheduler add comment=20220328182326 interval=30m name=LogMonitor on-event=LogMonitor policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/17/2018 start-time=22:23:25
/system scheduler add disabled=yes interval=15m name=MittensPing on-event=MittensPing policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=nov/17/2018 start-time=15:44:14
# Unattended software and firmware updates every night at 01:00/01:15
# (UpdateSoftwareScript / UpdateFirmwareScript are not in this export);
# expect unscheduled reboots when the long-term channel moves.
/system scheduler add interval=1d name="Update Software" on-event=UpdateSoftwareScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/09/2019 start-time=01:00:00
/system scheduler add interval=1d name="Update Firmware" on-event=UpdateFirmwareScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/09/2019 start-time=01:15:00
/system scheduler add comment="Runs every 30 seconds" disabled=yes interval=30s name=Channels on-event=Channels policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/07/2020 start-time=09:35:22
/system scheduler add disabled=yes interval=1d name="Update Hosts" on-event=updateHosts policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/23/2021 start-time=04:00:00
/system scheduler add disabled=yes name=ip_Blacklist_StartUp on-event=ip_Blacklist_StartUp policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system scheduler add disabled=yes interval=1h name=CheckIPAddr on-event=CheckIPAddr policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/03/2021 start-time=16:01:02
# Inline script: every minute, start the AbuseIPDB script unless a job for it
# is already running (guards against overlapping runs).
/system scheduler add interval=1m name=AbuseIPDB on-event="######################################################################\
\n# Only run if another version is not running\
\n######################################################################\
\n:if ([ /system script job find where script=\"AbuseIPDB\" ]=\"\") do={\
\n# /log info \"[AbuseIPDB] going to running\"\
\n /system script run AbuseIPDB\
\n} else={\
\n /log info \"[AbuseIPDB] another currently running\"\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=dec/06/2021 start-time=19:00:00
/system scheduler add interval=1d name=DailyJob on-event=DailyJob policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/02/2021 start-time=01:00:00
# Nightly log dumps to disk files (around midnight and after 01:00).
/system scheduler add interval=1d name=PrintLogFileAroundMidnight on-event="/log print terse file=LogFileAroundMidnight" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/09/2021 start-time=00:30:00
/system scheduler add interval=1d name=PrintLogFileAfterOne on-event="/log print terse file=LogFileAfterOne" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/09/2021 start-time=01:30:00
# --- Tools ---
# Bandwidth-test server is off (good: it is an easy amplification/CPU sink).
/tool bandwidth-server set enabled=no
/tool graphing interface add interface="ether1 Internet"
/tool graphing interface add interface=bridge
/tool graphing resource add
# NOTE(review): MAC-telnet and MAC-winbox are allowed on the whole LAN list,
# which per /interface list member includes vlan_guest_66 and the L2TP client
# interfaces. These bypass the IP firewall entirely, so guest-VLAN and VPN
# hosts get a MAC-layer management path to the router; restrict to the bridge
# (or a dedicated management list) once the VLAN migration is done.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
# Netwatch: the disabled entry toggles the IPsec peer-update schedulers when
# 192.168.65.100 goes down/up; the active one runs the Netwatch script on the
# France router's state changes.
/tool netwatch add comment=ipsec-peer-update-FranceLondon disabled=yes down-script="/system scheduler enable ipsec-peer-update-FranceLondon\
\n/system scheduler enable ip-cloud-forceupdate" host=192.168.65.100 up-script="/system scheduler disable ip-cloud-forceupdate\
\n/system scheduler disable ipsec-peer-update-FranceLondon"
/tool netwatch add comment="France Router" down-script=Netwatch host=192.168.65.1 interval=10s up-script=Netwatch