# may/01/2022 18:15:37 by RouterOS 7.2
# software id = H7WM-PZPA
#
# model = RBD52G-5HacD2HnD
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=channel1
add band=2ghz-g/n control-channel-width=20mhz frequency=2442 name=channel2
add band=2ghz-g/n control-channel-width=20mhz frequency=2472 name=channel3
/interface bridge
add admin-mac=TOPSECRET auto-mac=no comment=defconf disabled=yes \
name=bridge
add admin-mac=TOPSECRET auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway-internet
set [ find default-name=ether2 ] comment=NEO name=ether2-master-local
set [ find default-name=ether3 ] comment=SWITCH name=ether3-slave-local
set [ find default-name=ether4 ] comment=TOPSECRET name=ether4-slave-local
set [ find default-name=ether5 ] comment=AP_0
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
band=2ghz-g/n channel-width=20/40mhz-XX country="TOPSECRET" \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=TOPSECRET wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country="TOPSECRET" disabled=no distance=indoors \
frequency=auto hide-ssid=yes installation=indoor mode=ap-bridge ssid=\
TOPSECRET wireless-protocol=802.11
/interface ipip
add allow-fast-path=no local-address=TOPSECRET name=IPsec_TOPSECRET \
remote-address=TOPSECRET
add allow-fast-path=no local-address=TOPSECRET mtu=1480 name=IPsec_TOPSECRET \
remote-address=TOPSECRET
/interface wireguard
add listen-port=TOPSECRET mtu=1420 name=wireguard1
/interface vlan
add interface=ether1-gateway-internet name=vlan1 vlan-id=848
/caps-man datapath
add bridge=bridge-local name=datapath1
/caps-man configuration
add channel=channel1 channel.band=2ghz-g/n country="TOPSECRET" datapath=\
datapath1 datapath.client-to-client-forwarding=no .local-forwarding=no \
distance=indoors hide-ssid=no mode=ap name=Config \
security.authentication-types=wpa2-psk .disable-pmkid=yes .encryption=\
aes-ccm .group-encryption=aes-ccm ssid=TOPSECRET
add channel=channel2 channel.band=2ghz-g/n country="TOPSECRET" datapath=\
datapath1 datapath.client-to-client-forwarding=no .local-forwarding=no \
distance=indoors hide-ssid=no mode=ap name=cfg1 \
security.authentication-types=wpa2-psk .disable-pmkid=yes .encryption=\
aes-ccm .group-encryption=aes-ccm ssid=TOPSECRET
add channel=channel3 channel.band=2ghz-g/n country="TOPSECRET" datapath=\
datapath1 datapath.client-to-client-forwarding=no .local-forwarding=no \
distance=indoors hide-ssid=no mode=ap name=cfg2 \
security.authentication-types=wpa2-psk .disable-pmkid=yes .encryption=\
aes-ccm .group-encryption=aes-ccm ssid=TOPSECRET
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 user=\
TOPSECRET
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
eap-methods="" group-key-update=1h mode=dynamic-keys supplicant-identity=\
MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
profile1 supplicant-identity=""
/interface wireless
add keepalive-frames=disabled mac-address=TOPSECRET master-interface=\
wlan1 multicast-buffering=disabled name=wlan3 security-profile=profile1 \
ssid=killme wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-192,aes-128 name=profile_1 \
nat-traversal=no
/ip ipsec peer
add address=TOPSECRET/32 disabled=yes name=peer1 profile=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc,aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.6.101-192.168.6.230
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay interface=\
bridge-local lease-script=":local recipient \"TOPSECRET\"\r\
\n/ip dhcp-server lease\r\
\n:if (\$leaseBound = 1 && [ get [ find where mac-address=\$leaseActMAC ] \
dynamic ] = true) do={\r\
\n\t:do {\r\
\n\t\t:tool e-mail send to=\$recipient subject=\"DHCP Address Alert [MAC: \
\$leaseActMAC]\" body=\"TOPSECRET - The following MAC address [\$leaseActMAC]\
\_received an IP address [\$leaseActIP] with hostname [\$host-name]\"\r\
\n\t\t:log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r\
\n\t} on-error={:log error \"Failed to send alert email to \$recipient\"}\
\r\
\n}" lease-time=6h name=default
/ppp profile
add local-address=default-dhcp name=pptpprofile remote-address=default-dhcp
add bridge=bridge-local name=OpenVPN_TOPSECRET remote-address=default-dhcp
/queue simple
add disabled=yes max-limit=100M/100M name=queue1 target=192.168.6.0/24
add dst=IPsec_TOPSECRET max-limit=3M/50M name=skynet-backup target=192.168.6.7/32
add dst=TOPSECRET/32 max-limit=8M/40M name=TOPSECRET target=\
192.168.6.66/32
add dst=192.168.5.0/24 max-limit=15M/50M name=TOPSECRET<>TOPSECRET target=\
192.168.6.66/32
add disabled=yes dst=pppoe-out1 max-limit=3M/20M name=TOPSECRET target=\
192.168.6.66/32
add dst=pppoe-out1 max-limit=5M/40M name=TOPSECRET target=192.168.6.74/32
add max-limit=50M/50M name=TOPSECRET target=192.168.7.49/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=pppoe-out1 \
max-limit=4M/60M name=hoax_linux_cp_8-0 target=192.168.6.35/32 time=\
8h-23h59m,sun,mon,tue,wed,thu,fri,sat
add dst=pppoe-out1 max-limit=6M/70M name=hoax_linux_cp_alltime target=\
192.168.6.35/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=pppoe-out1 \
max-limit=7M/60M name=vulcan_cp_8-0 target=192.168.6.45/32 time=\
8h-23h59m,sun,mon,tue,wed,thu,fri,sat
add dst=pppoe-out1 max-limit=8M/70M name=vulcan_cp_alltime target=\
192.168.6.45/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s disabled=yes dst=\
IPsec_TOPSECRET max-limit=2M/8M name=ARES target=192.168.6.72/32 time=\
7h-23h,sun,mon,tue,wed,thu,fri,sat
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET \
max-limit=5M/5M name="ARES alltime" target=192.168.6.72/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s disabled=yes dst=\
TOPSECRET/32 max-limit=5M/12M name="ARES alltime 2 TOPSECRET" target=\
192.168.6.72/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET \
max-limit=4M/4M name="ARES alltime temperary" target=192.168.6.72/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET \
max-limit=5M/8M name=TOPSECRET target=192.168.6.65/32
add dst=IPsec_TOPSECRET max-limit=7M/50M name=muj_PC_2_ua target=192.168.6.65/32
add burst-limit=7M/0 burst-threshold=3M/0 burst-time=30m/0s dst=IPsec_TOPSECRET \
max-limit=5M/12M name=neo_2_TOPSECRET target=192.168.6.44/32
add max-limit=20M/2M name=TOPSECRET target=192.168.6.121/32
add max-limit=20M/2M name=TOPSECRET target=192.168.6.122/32
add max-limit=20M/3M name=TOPSECRET target=192.168.6.120/32
add dst=pppoe-out1 max-limit=4M/70M name=TOPSECRET target=192.168.6.2/32
add dst=IPsec_TOPSECRET max-limit=8M/0 name=queue2 target=192.168.6.2/32
add dst=pppoe-out1 max-limit=4M/0 name=TOPSECRET target=192.168.6.79/32
add dst=pppoe-out1 max-limit=3M/0 name=TOPSECRET target=192.168.6.89/32 time=\
0s-1d,sun,mon,tue,wed,thu,fri,sat
add dst=pppoe-out1 max-limit=8M/0 name=TOPSECRET target=192.168.6.65/32
add dst=pppoe-out1 max-limit=3M/50M name=workpcvm target=192.168.6.65/32
add dst=pppoe-out1 max-limit=2M/10M name="new dvr" target=192.168.6.46/32 \
time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add disabled=yes dst=pppoe-out1 max-limit=7M/0 name=TOPSECRET target=\
192.168.6.69/32
add disabled=yes dst=pppoe-out1 max-limit=1M/50M name=TOPSECRET target=\
192.168.6.20/32
add disabled=yes dst=pppoe-out1 max-limit=3M/20M name=tel_ox target=\
192.168.6.28/32
add dst=pppoe-out1 max-limit=5M/35M name=tel_tanja target=192.168.6.28/32
add burst-limit=15M/0 burst-threshold=7M/0 burst-time=10m/0s dst=pppoe-out1 \
max-limit=9M/50M name="TOPSECRET TOPSECRET nout" target=192.168.6.196/32
add disabled=yes dst=pppoe-out1 max-limit=1M/60M name=TOPSECRET target=\
192.168.6.58/32
add dst=pppoe-out1 max-limit=1M/15M name="ox TOPSECRET" target=192.168.6.21/32
add dst=pppoe-out1 max-limit=3M/30M name=TOPSECRET target=192.168.6.39/32
add dst=pppoe-out1 max-limit=2M/5M name=queue4 target=192.168.6.45/32
add dst=pppoe-out1 max-limit=1M/8M name=TOPSECRET target=192.168.6.151/32
add dst=pppoe-out1 max-limit=1M/10M name="TOPSECRET main" target=192.168.6.200/32
add disabled=yes max-limit=0/20M name=TOPSECRET target=192.168.6.81/32 time=\
7h-1d,sun,mon,tue,wed,thu,fri,sat
add disabled=yes dst=pppoe-out1 max-limit=0/128k name=queue3 target=wlan1
add disabled=yes dst=pppoe-out1 max-limit=1500k/0 name=wlanque target=wlan1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action
add email-start-tls=yes email-to=
TOPSECRET@TOPSECRET.TOPSECRET name=TOPSECRET target=email
/user group
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!rest-api"
add name=group1 policy="local,ftp,read,!telnet,!ssh,!reboot,!write,!policy,!te\
st,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!rest-api"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-local
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config
add action=create-dynamic-enabled disabled=yes master-configuration=cfg1
add action=create-dynamic-enabled disabled=yes master-configuration=cfg2
/interface bridge port
add bridge=bridge-local comment=defconf ingress-filtering=no interface=\
ether2-master-local
add bridge=bridge-local comment=defconf ingress-filtering=no interface=\
ether3-slave-local
add bridge=bridge-local comment=defconf ingress-filtering=no interface=\
ether4-slave-local
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge-local comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge-local comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge-local disabled=yes ingress-filtering=no interface=\
ether1-gateway-internet
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1-gateway-internet list=WAN
add interface=ether2-master-local list=LAN
add interface=ether3-slave-local list=LAN
add interface=ether4-slave-local list=LAN
add interface=ether5 list=LAN
add disabled=yes interface=wlan1 list=discover
add disabled=yes interface=bridge-local list=discover
add interface=pppoe-out1 list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=wlan1 list=LAN
add interface=ether5 list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
add interface=wlan2 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server2021 cipher=aes256 default-profile=\
TOPSECRET enabled=yes mode=ethernet port=TOPSECRET \
require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set default-profile=pptpprofile
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=TOPSECRET endpoint-port=\
TOPSECRET interface=wireguard1 public-key=\
"TOPSECRET"
/interface wireless access-list
add signal-range=-85..120
add authentication=no forwarding=no signal-range=-120..-86 vlan-mode=no-tag
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
network=192.168.88.0
add address=192.168.6.1/24 interface=bridge-local network=192.168.6.0
add address=192.168.7.1/24 disabled=yes interface=bridge-local network=\
192.168.7.0
add address=10.20.31.1/30 interface=IPsec_TOPSECRET network=10.20.31.0
add address=192.168.6.49 disabled=yes interface=ether4-slave-local network=\
192.168.6.0
add address=192.168.66.1/24 disabled=yes interface=bridge-local network=\
192.168.66.0
add address=192.168.66.49/24 disabled=yes interface=ether5 network=\
192.168.66.0
add address=192.168.66.9/24 disabled=yes interface=ether5 network=\
192.168.66.0
add address=192.168.66.2/24 disabled=yes interface=ether5 network=\
192.168.66.0
add address=192.168.66.65/24 disabled=yes interface=ether5 network=\
192.168.66.0
add address=10.20.32.1/30 interface=TOPSECRET network=10.20.32.0
add address=172.16.2.1/30 interface=wireguard1 network=172.16.2.0
/ip dhcp-client
add comment=defconf interface=ether1-gateway-internet
/ip dhcp-server config
set store-leases-disk=3m
/ip dhcp-server lease
TOPSECRET
/ip dhcp-server network
add address=192.168.6.0/24 comment="default configuration" dns-server=\
192.168.6.1 gateway=192.168.6.1
add address=192.168.7.0/24 gateway=192.168.7.1
/ip dns
set allow-remote-requests=yes servers=84.19.64.3,84.19.64.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.6.1 name=router
add address=10.10.10.10 disabled=yes name=TOPSECRET
add address=10.10.10.1 disabled=yes name=TOPSECRET
/ip firewall address-list
add address=54.76.99.212 list=blacklist
add address=52.51.84.21 list=blacklist
add address=92.53.96.0.24 list=blacklist
add address=192.168.6.0/24 disabled=yes list=TOPSECRET
add address=TOPSECRET disabled=yes list=save_ips
add address=TOPSECRET list=save_ips
add address=TOPSECRET list=save_ips
add address=192.168.5.0/24 list=save_ips
add address=TOPSECRET list=save_ips
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=!192.168.6.0/24 \
src-address=192.168.6.64
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input dst-port=80 protocol=tcp src-address-list=\
save_ips
add action=accept chain=input dst-port=8291 in-interface=pppoe-out1 protocol=\
tcp src-address-list=save_ips
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
TOPSECRET
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
save_ips
add action=accept chain=input dst-port=48624 protocol=udp
add action=accept chain=input comment=ovpn_srv dst-port=TOPSECRET in-interface=\
pppoe-out1 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=input disabled=yes protocol=icmp src-address=\
192.168.6.45
add action=drop chain=input src-address-list=blacklist
add action=drop chain=forward src-address-list=blacklist
add action=accept chain=forward disabled=yes dst-address=192.168.7.49
add action=accept chain=forward disabled=yes src-address=192.168.7.49
add action=accept chain=input disabled=yes src-address=192.168.6.49 \
src-address-type=""
add action=drop chain=forward in-interface=pppoe-out1 src-address=10.0.0.0/8
add action=drop chain=forward in-interface=ether1-gateway-internet \
src-address=10.0.0.0/8
add action=log chain=forward connection-state=new disabled=yes dst-limit=\
70/1m,0,src-and-dst-addresses/1m dst-port=10000 in-interface=pppoe-out1 \
log-prefix=TOPSECRET protocol=tcp
add action=drop chain=output dst-address=0.0.0.0 src-address=192.168.6.130
add action=accept chain=forward disabled=yes dst-address=192.168.6.99 \
dst-port=TOPSECRET in-interface=bridge-local protocol=tcp
add action=accept chain=input dst-port=8291 in-interface=IPsec_TOPSECRET protocol=\
tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=TOPSECRET disabled=yes dst-port=8000 \
in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET in-interface=\
pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET in-interface=\
pppoe-out1 protocol=tcp
add action=drop chain=input comment="dropping port scanners" in-interface=\
pppoe-out1 src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="Port scanners to list " \
in-interface=pppoe-out1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="NMAP FIN Stealth scan" \
in-interface=pppoe-out1 protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="SYN/FIN scan" in-interface=\
pppoe-out1 protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="SYN/RST scan" in-interface=\
pppoe-out1 protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="FIN/PSH/URG scan" \
in-interface=pppoe-out1 protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="ALL/ALL scan" in-interface=\
pppoe-out1 protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="NMAP NULL scan" \
in-interface=pppoe-out1 protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward comment="dropping port scanners" in-interface=\
pppoe-out1 src-address-list="port scanners"
add action=accept chain=forward comment="TOPSECRET" \
dst-limit=200/1m,200,dst-address/1m dst-port=TOPSECRET in-interface=\
pppoe-out1 log=yes log-prefix=PRDX protocol=tcp src-address-list=\
TOPSECRET
add action=drop chain=forward comment="TOPSECRET" \
dst-limit=200/1m,200,dst-address/1m dst-port=TOPSECRET in-interface=\
pppoe-out1 log=yes log-prefix=PRDX protocol=tcp src-address-list=\
TOPSECRET
add action=add-src-to-address-list address-list=TOPSECRET \
address-list-timeout=5s chain=input comment=TOPSECRET dst-port=TOPSECRET \
log-prefix=TOPSECRET protocol=tcp
add action=add-src-to-address-list address-list=TOPSECRET \
address-list-timeout=2m chain=input comment=TOPSECRET dst-port=\
44556 log-prefix=PRDX protocol=tcp src-address-list=PRDX_secured_IP
add action=drop chain=forward comment="drop 6.68 WIN TOPSECRET" \
disabled=yes src-address=192.168.6.68
add action=drop chain=input disabled=yes dst-port=53 protocol=udp \
src-address=!192.168.6.0/24
add action=accept chain=forward disabled=yes protocol=tcp src-address=\
192.168.6.190
add action=drop chain=input disabled=yes dst-port=80 in-interface=pppoe-out1 \
protocol=tcp
add action=accept chain=forward comment=\
"---------------------------TOPSECRET" disabled=yes \
dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET in-interface=\
pppoe-out1 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=udp
add action=accept chain=forward disabled=yes dst-port=TOPSECRET protocol=tcp
add action=drop chain=input comment=--------------------------------TOPSECRET \
dst-port=80 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input dst-port=80 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 protocol=tcp
add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=forward comment="default configuration" disabled=yes \
dst-address=192.168.6.0/24 src-address=192.168.5.0/24
add action=accept chain=forward comment="default configuration" dst-address=\
192.168.1.0/24 dst-port=TOPSECRET protocol=tcp src-address=192.168.6.0/24
add action=accept chain=input comment=ping in-interface=IPsec_TOPSECRET protocol=\
icmp
add action=accept chain=forward comment="TOPSECRET -> TOPSECRET TOPSECRET " disabled=yes \
dst-address=192.168.6.66 src-address=192.168.1.0/24
add action=accept chain=forward comment="smb TOPSECRET->TOPSECRET" dst-address=\
192.168.6.66 dst-port=445 in-interface=IPsec_TOPSECRET protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET->TOPSECRET" disabled=yes \
dst-address=192.168.6.0/24 dst-port=445 protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET->TOPSECRET" disabled=yes \
dst-address=192.168.6.0/24 dst-port=21 protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET" disabled=yes \
dst-address=192.168.6.74 dst-port=30303 protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET" disabled=yes \
dst-port=TOPSECRET protocol=tcp src-address=TOPSECRET
add action=accept chain=forward comment="TOPSECRETS" disabled=yes \
dst-port=TOPSECRET protocol=tcp src-address=TOPSECRET
add action=accept chain=forward dst-port=22334 protocol=udp
add action=accept chain=forward comment="UA > skynet base2" dst-address=\
192.168.6.9 dst-port=1600 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="UA > HOAX ARES DB" dst-address=\
192.168.6.72 dst-port=1600 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="UA > HOAX VULCAN TOPSECRET" \
dst-address=192.168.6.45 dst-port=8081 protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET > HOAX ftp" dst-address=\
192.168.6.66 protocol=icmp src-address=192.168.1.0/24
add action=accept chain=forward comment="TOPSECRET > HOAX socket TOPSECRET" dst-port=\
TOPSECRET protocol=tcp
add action=accept chain=forward comment="established,related reverse" \
connection-state=established,related dst-address=192.168.6.0/24 \
src-address=192.168.1.0/24
add action=accept chain=forward comment="established,related reverse" \
connection-state=established,related dst-address=192.168.1.0/24 \
src-address=192.168.6.0/24
add action=drop chain=forward comment="default configuration" dst-address=\
192.168.6.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="default configuration" disabled=yes \
dst-address=192.168.6.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="TOPSECRET" disabled=yes protocol=\
udp src-address=192.168.6.190
add action=drop chain=forward comment="TOPSECRET" disabled=yes protocol=\
udp src-address=192.168.6.192
add action=drop chain=forward comment="TOPSECRET" disabled=yes \
protocol=udp src-address=192.168.6.191
add action=drop chain=input comment="drop TOPSECRET brute force" dst-port=TOPSECRET,TOPSECRET \
in-interface=pppoe-out1 protocol=tcp src-address-list=blacklist
add action=drop chain=forward comment="drop TOPSECRET brute force" dst-port=\
TOPSECRET,TOPSECRET in-interface=pppoe-out1 protocol=tcp src-address-list=blacklist
add action=accept chain=output content="Incorrect user name or password." \
dst-limit=1/1m,5,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=blacklist \
address-list-timeout=1d chain=output content=\
"Incorrect user name or password."
add action=accept chain=input disabled=yes in-interface=IPsec_TOPSECRET protocol=\
icmp
add action=accept chain=input comment="TOPSECRET default configuration" \
connection-state=established
add action=accept chain=input comment="toto default configuration" \
connection-state=related
add action=accept chain=forward dst-port=TOPSECRET protocol=tcp
add action=accept chain=forward dst-port=TOPSECRET protocol=udp
add action=accept chain=input dst-port=8291 protocol=udp
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp \
src-address=192.168.5.0/24
add action=accept chain=forward comment="toto default configuration" \
connection-state=established
add action=accept chain=forward comment="default configuration" \
connection-state=related
add action=accept chain=forward comment="default configuration" in-interface=\
bridge-local
add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp \
src-address=192.168.5.0
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="default configuration" \
disabled=yes in-interface=pppoe-out1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=forward comment="default configuration" \
disabled=yes in-interface=pppoe-out1
add action=drop chain=input comment="default configuration" in-interface=\
pppoe-out1
add action=drop chain=forward comment="default configuration" \
connection-state="" in-interface=pppoe-out1
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=\
truenas passthrough=yes src-address=192.168.6.49
add action=mark-connection chain=postrouting disabled=yes dst-address=\
192.168.6.0/24 dst-address-type=local new-connection-mark=truenas \
passthrough=yes src-address=192.168.6.49
add action=mark-packet chain=prerouting disabled=yes in-interface=\
bridge-local new-packet-mark=TOPSECRET passthrough=yes
add action=mark-packet chain=prerouting disabled=yes in-interface=\
ether4-slave-local new-packet-mark=TOPSECRET passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=pppoe-out1
add action=accept chain=srcnat disabled=yes dst-address=192.168.6.0/24 \
src-address=192.168.5.0/24
add action=accept chain=srcnat dst-address=192.168.6.0/24 src-address=\
192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.6.0/24 src-address=\
172.16.2.0/30
add action=accept chain=srcnat dst-address=10.20.30.0/30 src-address=\
10.20.31.0/30
add action=accept chain=srcnat dst-address=10.20.31.0/30 src-address=\
10.20.30.0/30
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
192.168.6.0/24
add action=accept chain=srcnat dst-address=172.16.2.0/30 src-address=\
192.168.6.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=5000 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.6.100 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.6.100 to-ports=80
add action=netmap chain=dstnat disabled=yes dst-port=80 in-interface=\
pppoe-out1 protocol=udp to-addresses=192.168.6.100 to-ports=80
add action=netmap chain=dstnat disabled=yes dst-port=5000 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.6.100 to-ports=80
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=pppoe-out1
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway-internet
add action=masquerade chain=srcnat src-address=192.168.6.0/24 to-addresses=\
0.0.0.0
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.20.31.0/30
add action=masquerade chain=srcnat disabled=yes src-address=10.20.30.0/30
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=IPsec_TOPSECRET
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=wireguard1
add action=masquerade chain=srcnat comment="default configuration" disabled=\
yes dst-port=20-21 out-interface=bridge-local protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=dstnat comment="default configuration" disabled=yes \
dst-address=192.168.6.66 dst-port=20-21,1024-1025 in-interface=IPsec_TOPSECRET \
protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.6.66 \
to-ports=20-21
add action=dst-nat chain=dstnat comment="default configuration" disabled=yes \
dst-address=192.168.6.1 dst-port=20-21,1024-1025 in-interface=IPsec_TOPSECRET \
protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.6.66
# Remainder of the /ip firewall nat section (its header is above this excerpt).
# Rule order is significant in NAT chains, so entries are kept as exported.
# The first five rules (FTP-style port ranges towards 192.168.6.66, partly
# arriving over the IPsec_TOPSECRET tunnel interface) are all disabled=yes.
add action=netmap chain=dstnat comment="default configuration" disabled=yes \
dst-address=192.168.6.1 dst-port=20-21,1024-1025 in-interface=IPsec_TOPSECRET \
protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.6.66
add action=dst-nat chain=dstnat comment="default configuration" disabled=yes \
dst-address=192.168.6.1 dst-port=20-21 protocol=tcp src-address=\
192.168.1.0/24 to-addresses=192.168.6.66
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.6.66 \
dst-port=20-21 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=dstnat disabled=yes dst-address=192.168.6.66 \
dst-port=20-21 protocol=tcp to-addresses=192.168.6.66 to-ports=20-21
add action=netmap chain=dstnat disabled=yes dst-port=20-21 in-interface=\
IPsec_TOPSECRET protocol=tcp to-addresses=192.168.6.66 to-ports=20-21
# Disabled WAN forwards (pppoe-out1) to 192.168.6.46. Note that these carry a
# src-address restriction to a single host, unlike the enabled rules below.
add action=netmap chain=dstnat comment=TOPSECRET disabled=yes dst-port=8000 \
in-interface=pppoe-out1 protocol=tcp src-address=91.228.45.226 \
to-addresses=192.168.6.46 to-ports=8000
add action=netmap chain=dstnat comment=TOPSECRET disabled=yes dst-port=8800 \
in-interface=pppoe-out1 protocol=tcp src-address=91.228.45.226 \
to-addresses=192.168.6.46 to-ports=80
# ENABLED: tcp/10000 from the Internet (pppoe-out1) to 192.168.6.139 with no
# src-address filter and no to-ports (same port on the inside host). Consider
# limiting the source or pairing it with a forward-chain filter rule. The
# udp/10000 variant that follows is disabled.
add action=netmap chain=dstnat comment=TOPSECRET dst-port=10000 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.6.139
add action=netmap chain=dstnat comment=TOPSECRET disabled=yes dst-port=10000 \
in-interface=pppoe-out1 protocol=udp to-addresses=192.168.6.139 to-ports=\
10000
add action=netmap chain=dstnat disabled=yes dst-port=554 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.6.152 to-ports=554
# ENABLED: tcp/30303 from the Internet to 192.168.6.74, any source.
add action=netmap chain=dstnat dst-port=30303 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.6.74
add action=netmap chain=dstnat comment=TOPSECRET-TOPSECRET-SOCKET disabled=yes \
dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp to-addresses=\
192.168.6.74
# ENABLED: one udp port from the Internet to 192.168.6.74, matched on the
# external dst-address. The next rule repeats it for traffic arriving on
# bridge-local, presumably so LAN clients can reach the service through the
# external address as well (the comment suggests a WireGuard endpoint) -
# verify that is intended.
add action=netmap chain=dstnat comment=TOPSECRET-TOPSECRET dst-address=TOPSECRET \
dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp to-addresses=\
192.168.6.74
add action=netmap chain=dstnat comment=ZEUS-WG dst-address=TOPSECRET \
dst-port=TOPSECRET in-interface=bridge-local protocol=udp to-addresses=\
192.168.6.74
# Older variants of the udp forward above, kept for reference but disabled.
add action=netmap chain=dstnat comment="APOLLO TOPSECRET\? old" disabled=yes \
dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp to-addresses=\
192.168.6.74
add action=netmap chain=dstnat comment=TEST_TOPSECRET_PYTHON \
disabled=yes dst-port=TOPSECRET in-interface=pppoe-out1 protocol=udp \
to-addresses=192.168.6.74
/ip firewall service-port
# Connection-tracking helpers (ALGs) for ftp, tftp, irc and sip are switched
# off, so the firewall does not open related-connection pinholes for these
# protocols on its own. This is the usual hardening choice; re-enable a helper
# only if a specific application behind the router needs it.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
/ip ipsec identity
# Identity bound to peer1; the peer, proposal and profile definitions are not
# part of this excerpt.
add peer=peer1
/ip ipsec policy
# Policy 0 is disabled, so no traffic is selected for IPsec by that policy
# (the ipip interfaces named IPsec_* in the interface section are unaffected
# by this setting on their own).
set 0 disabled=yes
/ip route
# Static routes. Only two are active: 192.168.1.0/24 via 10.20.31.2 and
# 192.168.5.0/24 via 10.20.32.2 (presumably the far ends of the tunnels
# defined earlier; their addressing is not shown here). The alternative paths
# to 192.168.5.0/24 via bridge-local and via 172.16.2.2, and the
# 192.168.0.0/24 route, are kept but disabled.
add disabled=yes dst-address=192.168.0.0/24 gateway=bridge-local pref-src=\
192.168.6.64
add disabled=no dst-address=192.168.1.0/24 gateway=10.20.31.2
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=10.20.32.2 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=bridge-local \
pref-src=192.168.5.1 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=172.16.2.2 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
# Management services: telnet, ftp, api and api-ssl are disabled; winbox is
# restricted to the two LAN networks plus one /32. ssh and www/www-ssl do not
# appear in this section, so they keep settings that were not exported -
# confirm their address restrictions and state separately.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=192.168.6.0/24,192.168.5.0/24,TOPSECRET/32
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes lets a client negotiate the "none" cipher, i.e. an
# unencrypted SSH session to the router; set it to no unless there is a
# specific reason for it. forwarding-enabled=remote permits remote port
# forwarding through the router's SSH server. strong-crypto is not set in this
# export (it keeps its default) - consider enabling it.
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
# OpenVPN user accounts (service=ovpn), each pinned to a fixed remote-address
# in 192.168.6.120-122 with local-address 192.168.6.1 and the redacted PPP
# profile. Passwords are not included in this export output.
add local-address=192.168.6.1 name=TOPSECRET profile=TOPSECRET \
remote-address=192.168.6.120 service=ovpn
add local-address=192.168.6.1 name=TOPSECRET profile=TOPSECRET \
remote-address=192.168.6.121 service=ovpn
add local-address=192.168.6.1 name=TOPSECRET profile=TOPSECRET \
remote-address=192.168.6.122 service=ovpn
/system clock
# Local time zone of the router.
set time-zone-name=Europe/Prague
/system logging
# Of the three rules only firewall,info is active; it is sent to the logging
# action named here (the action itself is defined outside this excerpt). The
# ipsec and ovpn,debug rules are disabled and can be enabled temporarily when
# troubleshooting those tunnels.
add disabled=yes prefix=TOPSECRET topics=ipsec
add action=TOPSECRET prefix=TOPSECRET topics=firewall,info
add disabled=yes topics=ovpn,debug
/system ntp client
# NTP client enabled with two (redacted) servers. A correct clock matters for
# log correlation and for the TLS and IPsec pieces of this configuration.
set enabled=yes
/system ntp client servers
add address=TOPSECRET
add address=TOPSECRET
/system package update
# Updates are tracked from the long-term release channel.
set channel=long-term
/system scheduler
# schedule1 runs script1 30 seconds after every boot; schedule2 (disabled)
# would run wifi_bad_password_ban every 5 minutes. Both carry the full policy
# set (ftp,reboot,...,password,sensitive,romon) although, judging from the
# script bodies below, the scripts only read system state and the log, send
# e-mail and add an access-list entry. Review whether ftp, reboot, password
# and sensitive are needed; a narrower policy limits what a modified script
# could do.
add name=schedule1 on-event=":delay 30\r\
\n/system script run script1" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add disabled=yes interval=5m name=schedule2_wifi_bad_pw_check on-event=\
"/system script run wifi_bad_password_ban" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=apr/12/2022 start-time=18:12:26
/system script
# dhcpleasescript: empty source. Presumably referenced as a lease-script by a
# DHCP server defined elsewhere in the export (not visible here).
add dont-require-permissions=no name=dhcpleasescript owner=admin policy=\
read,write,policy,test,sniff,sensitive,romon source=""
# script1 (started by schedule1 after boot): assembles a text report from the
# router identity, clock, routerboard model and firmware, RouterOS version
# and every log entry whose topics match "critical", then sends it with
# /tool e-mail. Review points:
# - "$currentFirmware < $upgradeFirmware" compares two version strings;
#   whether that orders like a numeric version is not guaranteed - TODO
#   confirm against the actual firmware naming.
# - Matching log entries are appended verbatim with no cap on their number.
# - The recipient is hard-coded in the script; server, user and transport
#   come from the /tool e-mail section further down.
add dont-require-permissions=no name=script1 owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
delay 1\r\
\n\r\
\n:local reportBody \"\"\r\
\n\r\
\n:local deviceName [/system identity get name]\r\
\n:local deviceDate [/system clock get date]\r\
\n:local deviceTime [/system clock get time]\r\
\n:local hwModel [/system routerboard get model]\r\
\n:local rosVersion [/system package get system version]\r\
\n:local currentFirmware [/system routerboard get current-firmware]\r\
\n:local upgradeFirmware [/system routerboard get upgrade-firmware]\r\
\n\r\
\n\r\
\n:set reportBody (\$reportBody . \"Router Reboot Report for \$deviceName\
\\n\")\r\
\n:set reportBody (\$reportBody . \"Report generated on \$deviceDate at \$\
deviceTime\\n\\n\")\r\
\n\r\
\n:set reportBody (\$reportBody . \"Hardware Model: \$hwModel\\n\")\r\
\n:set reportBody (\$reportBody . \"RouterOS Version: \$rosVersion\\n\")\r\
\n:set reportBody (\$reportBody . \"Current Firmware: \$currentFirmware\\n\
\")\r\
\n:set reportBody (\$reportBody . \"Upgrade Firmware: \$upgradeFirmware\")\
\r\
\nif ( \$currentFirmware < \$upgradeFirmware) do={\r\
\n:set reportBody (\$reportBody . \"NOTE: You should upgrade the RouterBOA\
RD firmware!\\n\")\r\
\n}\r\
\n\r\
\n:set reportBody (\$reportBody . \"\\n\\n=== Critical Log Events ===\\n\"\
\_)\r\
\n\r\
\n:local x\r\
\n:local ts\r\
\n:local msg\r\
\nforeach i in=([/log find where topics~\"critical\"]) do={\r\
\n:set \$ts [/log get \$i time]\r\
\n:set \$msg [/log get \$i message]\r\
\n:set \$reportBody (\$reportBody . \$ts . \" \" . \$msg . \"\\n\" )\r\
\n}\r\
\n\r\
\n:set reportBody (\$reportBody . \"\\n=== end of report ===\\n\")\r\
\n\r\
\n/tool e-mail send subject=\"[\$deviceName] Router Reboot Report\" to=\"a\
lert@biotal.cz\" body=\$reportBody"
# wifi_bad_password_ban (run by schedule2 when enabled): scans the retained log
# for "disconnected, unicast key exchange timeout" entries, takes the leading
# MAC by cutting the last 71 characters off each message, and when at least
# $pop (4) such entries exist for "<mac>@wlan1: ..." and the MAC has no
# access-list entry yet, adds one with authentication=no interface=all - a
# persistent MAC deny. Review points:
# - The count covers the whole retained log with no time window, and nothing
#   removes the entry later, so a deny stays until cleared by hand.
# - The -71 offset depends on the exact log message text; a changed format
#   would produce a wrong "MAC" and a useless access-list entry.
# - The first find matches any interface, but the threshold only counts
#   wlan1 entries, so failures on wlan2 are examined but never reach $pop.
# - "[... find mac-address=$mac] = \"\"" compares a find result with an empty
#   string; confirm this is the intended empty-result test.
# - A MAC-based deny list is a coarse control; the passphrase strength on the
#   wireless profile is what actually protects the network.
add dont-require-permissions=no name=wifi_bad_password_ban owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source=":local pop 4\r\
\n:local mac\r\
\n:local wifi [/log find message~\"disconnected, unicast key exchange time\
out\"]\r\
\n\r\
\nforeach i in=\$wifi do={\r\
\n:set mac [:pick [/log get \$i message ] 0 ([:len [/log get \$i message ]\
]-71)]\r\
\n:log warning \$mac\r\
\nif ([:len [/log find message~(\$mac . \"@wlan1: disconnected, unicast ke\
y exchange timeout\")] ] >= \$pop) do={\r\
\nif ([/interface wireless access-list find mac-address=\$mac] = \"\" ) do\
={\r\
\n/interface wireless access-list add mac-address=\$mac authentication=no \
interface=all\r\
\n}\r\
\n}\r\
\n}\r\
\n:log warning \"FINISH\""
/system watchdog
# Ping check against 1.1.1.1 starting 2 h after boot with a 2 min timeout;
# watchdog-timer=no and no automatic supout file. If the watch-address check
# is active it will reboot the router when 1.1.1.1 stops answering, so an
# upstream outage alone would cause a reboot - confirm that is wanted.
set automatic-supout=no ping-start-after-boot=2h ping-timeout=2m \
watch-address=1.1.1.1 watchdog-timer=no
/tool e-mail
# Outbound SMTP relay (redacted) using STARTTLS and an authenticating user;
# the password is not part of this export. script1 sends its report through
# this setting.
set address=TOPSECRET from=TOPSECRET port=TOPSECRET tls=starttls user=\
TOPSECRET
/tool mac-server
# MAC-telnet and MAC-WinBox are limited to the interface lists mactel and
# mac-winbox (defined elsewhere) rather than all interfaces, which keeps
# these unauthenticated-by-address management paths off the WAN side as long
# as those lists do not include pppoe-out1 / ether1-gateway-internet.
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
# Default capture interface when the packet sniffer is started manually.
set filter-interface=pppoe-out1
/tool traffic-monitor
# Disabled TX threshold monitor on ether2; when enabled it only writes a log
# line once 5 Mbit/s is exceeded.
add disabled=yes interface=ether2-master-local name=tmon1 on-event=\
"log info \"ETH2 A LOT TX\"" threshold=5000000