# nov/03/2021 11:55:24 by RouterOS 6.47.8
# software id = NBVD-4KFD
#
# model = RB4011iGS+
# serial number = B8F60A4BBEC5
/interface bridge
add admin-mac=74:4D:28:86:1F:96 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] mtu=1504
/interface vlan
add comment="NX MGMT" disabled=yes interface=ether5 name=vlan32 vlan-id=32
add comment=GUEST interface=ether5 mtu=1504 name=vlan35 vlan-id=35
add comment=CCTV interface=ether5 name=vlan40 vlan-id=40
add comment="TREART MGMT" interface=ether5 name=vlan50 vlan-id=50
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=norba
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name=norba
/ip ipsec peer
add exchange-mode=ike2 local-address=5.99.163.50 name=gianpaolo passive=yes \
profile=norba
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
lifetime=8h name=norba pfs-group=modp2048
/ip pool
add comment="DHCP di servizio" name=service ranges=\
192.168.88.201-192.168.88.250
add comment="NX MGMT" name=vlan32-pool ranges=192.168.32.30-192.168.33.230
add comment=GUEST name=vlan35-pool ranges=192.168.35.50-192.168.36.250
add comment="TREART MGMT" name=vlan50-pool ranges=\
192.168.50.10-192.168.50.250
add name=ovpn_pool ranges=192.168.3.10-192.168.3.100
/ip dhcp-server
add address-pool=service bootp-support=none disabled=no interface=ether9 \
lease-time=1d name=service
add address-pool=vlan32-pool bootp-support=none interface=vlan32 lease-time=\
1d name=vlan32-dhcp
add address-pool=vlan35-pool bootp-support=none disabled=no interface=vlan35 \
lease-time=1d name=vlan35-dhcp
add address-pool=vlan50-pool bootp-support=none disabled=no interface=vlan50 \
lease-time=1d name=vlan50-dhcp
add address-pool=vlan32-pool bootp-support=none disabled=no interface=ether3 \
lease-time=1d name=NX-MGMT
/ip ipsec mode-config
add address-pool=ovpn_pool address-prefix-length=32 name=norba split-include=\
0.0.0.0/0 system-dns=no
/ppp profile
set *0 interface-list=all
add local-address=192.168.3.1 name=norba remote-address=ovpn_pool
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether2
add bridge=bridge comment=defconf disabled=yes interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether6
add bridge=bridge comment=defconf disabled=yes interface=ether7
add bridge=bridge comment=defconf disabled=yes interface=ether8
add bridge=bridge comment=defconf disabled=yes interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=chap,mschap2 default-profile=norba use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Server-Norba cipher=aes256 default-profile=norba \
enabled=yes
/interface sstp-server server
set default-profile=norba
/ip address
add address=192.168.33.1/23 comment="NX MGMT" interface=ether3 network=\
192.168.32.0
add address=192.168.33.1/23 disabled=yes interface=vlan32 network=\
192.168.32.0
add address=192.168.35.1/23 comment=GUEST interface=vlan35 network=\
192.168.34.0
add address=192.168.40.1/24 comment=TVCC interface=vlan40 network=\
192.168.40.0
add address=192.168.50.1/24 comment="TREART MGMT" interface=vlan50 network=\
192.168.50.0
add address=5.99.163.50/29 comment=Telecom interface=ether1 network=\
5.99.163.48
add address=192.168.88.1/24 comment=service interface=ether9 network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.33.29 comment=Denon-Living mac-address=00:05:CD:DF:93:AC \
server=NX-MGMT
add address=192.168.33.30 comment=Denon-Terrace mac-address=00:06:78:5B:D8:B8 \
server=NX-MGMT
add address=192.168.33.31 comment=Projector-Terrace mac-address=\
00:0D:0A:01:B1:E3 server=NX-MGMT
add address=192.168.33.181 comment=LedWall mac-address=A8:AA:62:00:0D:55 \
server=NX-MGMT
add address=192.168.33.182 comment=PC-Touch1 mac-address=00:D8:61:34:77:C1 \
server=NX-MGMT
add address=192.168.33.183 comment=PC-Touch2 mac-address=00:D8:61:AA:6D:FE \
server=NX-MGMT
add address=192.168.33.184 comment=WinSupport mac-address=94:C6:91:19:D8:B6 \
server=NX-MGMT
add address=192.168.33.34 comment="Terrace AV client" lease-time=1d \
mac-address=94:C6:91:A1:FF:97 server=NX-MGMT
add address=192.168.33.38 comment="Party Audio client" lease-time=1d \
mac-address=94:C6:91:1A:47:4A server=NX-MGMT
add address=192.168.33.36 comment="Master bedroom audio client" lease-time=1d \
mac-address=94:C6:91:1A:44:74 server=NX-MGMT
add address=192.168.33.35 comment=Jukebox lease-time=1d mac-address=\
94:C6:91:19:CF:30 server=NX-MGMT
add address=192.168.33.39 comment="Living AV client" lease-time=1d \
mac-address=94:C6:91:1A:48:3B server=NX-MGMT
/ip dhcp-server network
add address=192.168.3.0/24 comment=OpenVPN
add address=192.168.32.0/23 comment="NX MGMT" dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.33.1
add address=192.168.34.0/23 comment=GUEST dns-server=8.8.8.8,8.8.4.4 gateway=\
192.168.35.1
add address=192.168.50.0/24 comment="TREART MGMT" dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.50.1
add address=192.168.88.0/24 comment=service dns-server=8.8.8.8,8.8.4.4 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=\
ether1 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN to-addresses=5.99.163.50
add action=dst-nat chain=dstnat comment=Allarme1 dst-port=3062 in-interface=\
ether1 protocol=tcp to-addresses=192.168.33.141 to-ports=3062
add action=dst-nat chain=dstnat comment=Allarme2 dst-port=3062 in-interface=\
ether1 protocol=udp to-addresses=192.168.33.141 to-ports=3062
/ip ipsec identity
add auth-method=digital-signature certificate=Server-Norba generate-policy=\
port-strict match-by=certificate mode-config=norba peer=gianpaolo \
policy-template-group=norba remote-certificate=gianpaolo1
/ip ipsec policy
add dst-address=192.168.3.0/24 group=norba proposal=norba src-address=\
0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=5.99.163.49
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp secret
add name=nextworks profile=norba service=ovpn
add name=gianpaolo profile=norba service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MASTER
/system logging
set 0 action=disk disabled=yes
set 1 action=disk
set 2 action=disk
set 3 action=disk
/tool e-mail
set address=authsmtp.treart-evolution.com from=
backup@treart-evolution.com \
user=
backup@treart-evolution.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add down-script=":log info \"Ping to 8.8.8.8 FAILED\"" host=8.8.8.8 interval=\
2m up-script=":log info \"Ping to 8.8.8.8 successful\""