# aug/13/2022 08:57:16 by RouterOS 7.4.1
# software id = M2VH-09C3
#
# model = RB750Gr3
# serial number = [redacted]
# Single LAN bridge (default-config object). auto-mac=no means admin-mac must
# carry a real MAC on import; the XX:XX:... value here is a redaction placeholder.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
# Port labels only: ether1 faces the ISP modem (WAN), ether2/ether3 are LAN
# ports (bridge members, see /interface bridge port).
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-port-Drosk-ISP-Modem
set [ find default-name=ether2 ] comment=LAN-Drosk-Switch
set [ find default-name=ether3 ] comment=LAN-Droskv-MR60-AP
# WireGuard server interface. UDP 13231 is admitted from the WAN by the
# input-chain rule commented WireguardDrosken; the interface is also a member
# of the LAN list, so peers are treated as LAN hosts by the firewall.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# Interface lists referenced by the firewall and the management tools
# (membership is set under /interface list member).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Default LTE APN profile. No LTE interface appears in this export, so this
# setting is inert on this unit.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# Default wireless security profile. No wireless interface appears in this
# export (the RB750Gr3 has none), so the profile is unused here.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Kid-control profiles. Every day is set to 0s-1d (the whole day), so neither
# profile actually restricts anything; devices are attached under
# /ip kid-control device.
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d \
wed=0s-1d
# Address pools: "dhcp" serves the LAN (static leases below sit outside this
# range), "vpn" serves PPP clients via the ppp profile's remote-address.
# NOTE(review): the vpn pool ends at .255, the broadcast address of
# 192.168.89.0/24 used in the srcnat masquerade rule; PPP hands out /32s so it
# works, but ending at .254 avoids surprises.
/ip pool
add name=dhcp ranges=10.0.0.90-10.0.0.200
add name=vpn ranges=192.168.89.2-192.168.89.255
# DHCP server on the bridge with an inline lease-script ("DHCP2DNS"). On each
# lease event the script: aborts if $leaseActIP is empty; when $leaseBound=1 it
# reads the server's lease-time (used as the DNS ttl, 6m here), the network's
# domain and the lease's host-name (falling back to the lease comment), then
# adds a static DNS entry "<hostname>.<domain>" tagged comment=#DHCP unless an
# active entry with the same name AND address already exists; on release it
# removes every static entry with that address and the #DHCP tag.
# NOTE(review): the skip message says "this name or address" but the find
# requires both to match, so one name can be registered for several addresses
# (cf. the duplicate SonosZP.drosk / homeassistant.drosk records under
# /ip dns static). The host-name is whatever the DHCP client sends, so any LAN
# device chooses the name it is published under in the drosk domain.
# The same script appears verbatim as /system script leasescript001.
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-script=":local DHCPtag\r\
\n:set DHCPtag \"#DHCP\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n :local ttl\r\
\n :local domain\r\
\n :local hostname\r\
\n :local fqdn\r\
\n :local leaseId\r\
\n :local comment\r\
\n\r\
\n /ip dhcp-server\r\
\n :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network \r\
\n :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n \r\
\n .. lease\r\
\n :set leaseId [ find address=\$leaseActIP ]\r\
\n\r\
\n# Check for multiple active leases for the same IP address. It's weird a\
nd it shouldn't be, but just in case.\r\
\n\r\
\n :if ( [ :len \$leaseId ] != 1) do=\\\r\
\n {\r\
\n :log info \"DHCP2DNS: not registering domain name for address \$lease\
ActIP because of multiple active leases for \$leaseActIP\"\r\
\n :error \"multiple active leases for \$leaseActIP\"\r\
\n } \r\
\n\r\
\n :set hostname [ get \$leaseId host-name ]\r\
\n :set comment [ get \$leaseId comment ]\r\
\n /\r\
\n\r\
\n :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
\n\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :log error \"DHCP2DNS: not registering domain name for address \$lea\
seActIP because of empty lease host-name or comment\"\r\
\n :error \"empty lease host-name or comment\"\r\
\n }\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log error \"DHCP2DNS: not registering domain name for address \$lea\
seActIP because of empty network domain name\"\r\
\n :error \"empty network domain name\"\r\
\n }\r\
\n\r\
\n :set fqdn \"\$hostname.\$domain\"\r\
\n \r\
\n /ip dns static\r\
\n :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
no ] ] = 0 ) do=\\\r\
\n {\r\
\n :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
ess \$leaseActIP with ttl \$ttl\"\r\
\n add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
abled=no\r\
\n } else=\\\r\
\n {\r\
\n :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
s \$leaseActIP because of existing active static DNS entry with this name \
or address\" \r\
\n }\r\
\n /\r\
\n} \\\r\
\nelse=\\\r\
\n{\r\
\n /ip dns static\r\
\n :local dnsDhcpId \r\
\n :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
\n\r\
\n :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\r\
\n {\r\
\n :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
easeActIP\"\r\
\n remove \$dnsDhcpId\r\
\n }\r\
\n /\r\
\n}" lease-time=6m name=defconf
# Serial console port name (default).
/port
set 0 name=serial0
# PPP profile addressed by internal id (*FFFFFFFE is presumably the built-in
# default-encryption profile that the SSTP server references - confirm).
# Clients get 192.168.89.1 as gateway and an address from the vpn pool.
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# Dynamic-routing stubs: an enabled BGP template with no connections, an OSPF
# instance and a disabled backbone area. Nothing in this export uses them; if
# dynamic routing is not planned they can be removed to reduce surface.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Least-privilege group for the Home Assistant integration: read, test and api
# only; every write/management policy is explicitly denied.
# NOTE(review): only the classic API policy is granted (rest-api is denied).
# /ip service is absent from this export, so the default service set applies,
# which includes plaintext telnet, ftp, www and api; prefer api-ssl for this
# account and disable the unused plaintext services. The input chain limits
# all of them to LAN and WireGuard peers.
/user group
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,\
!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!rest\
-api"
# ether2-ether5 form the LAN bridge; ether1 (WAN) is deliberately not a member.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
# Neighbor discovery (MNDP/CDP/LLDP) only on LAN-list interfaces, not on WAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is switched off globally; no IPv6 firewall is configured, which is
# consistent with that choice.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Internet detection probes on every interface (including LAN ports).
/interface detect-internet
set detect-interface-list=all
# L2TP server requires IPsec, but its enabled flag is not in the export, so the
# server appears to be off (default). The firewall still opens UDP 500/1701/4500
# for it - see the note at /ip firewall filter.
/interface l2tp-server server
set use-ipsec=yes
# List membership. wireguard1 is in LAN, so tunnel peers pass the input-chain
# "drop all not coming from LAN" rule (full management access) and are
# forwarded like any LAN host. Fine for a road-warrior VPN; use a separate
# list if peers should only reach specific services.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
# OpenVPN server HMAC digests. NOTE(review): md5 is still accepted; unless a
# legacy client needs it, drop it (`set auth=sha1` at minimum). The server's
# enabled flag is not in the export, so it appears to be off (default).
/interface ovpn-server server
set auth=sha1,md5
# SSTP server profile. Enabled flag not in the export (appears off); the input
# chain nevertheless accepts TCP 443 for it.
/interface sstp-server server
set default-profile=default-encryption
# WireGuard peers (public keys redacted). allowed-address=/32 pins each peer to
# one tunnel address. NOTE(review): the first peer's endpoint-address=10.0.0.1
# is this router's own bridge address; for a client that dials in, the server
# side normally leaves endpoint-address/endpoint-port unset - confirm.
/interface wireguard peers
add allowed-address=10.0.10.10/32 comment="P30 Andreas first try" \
endpoint-address=10.0.0.1 endpoint-port=13231 interface=wireguard1 \
public-key="[redacted]"
add allowed-address=10.0.10.3/32 interface=wireguard1 public-key=\
"[redacted]"
# LAN gateway 10.0.0.1/24 on the bridge; 10.0.10.1/24 on the WireGuard tunnel.
# The WAN address comes from the DHCP client on ether1.
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=10.0.10.1/24 interface=wireguard1 network=10.0.10.0
# MikroTik cloud DDNS: the router registers its public address with MikroTik's
# cloud so the VPN endpoints can be reached by name.
/ip cloud
set ddns-enabled=yes
# WAN address from the ISP modem; ISP-supplied resolvers are ignored
# (use-peer-dns=no), the router uses the servers set under /ip dns instead.
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
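# Static DHCP leases on server defconf (10.0.0.0/24; all outside the dynamic
# pool 10.0.0.90-200). Leases with address-lists=Blocked put the device into
# the "Blocked" firewall address-list while the lease is active; no filter or
# NAT rule in this export references that list yet, so it currently has no
# effect - add a forward-chain drop for src-address-list=Blocked if the intent
# is to keep those devices off the Internet.
# Fixed: the 10.0.0.43 entry had a trailing comma in address-lists= (out of
# line with the four entries after it), and several entries had lost the space
# or the `comment=` keyword where the client-id was redacted. The [redacted]
# placeholders themselves still have to be replaced before this file imports.
/ip dhcp-server lease
add address=10.0.0.43 address-lists=Blocked comment="[redacted] Ledlight" mac=[redacted] server=defconf
add address=10.0.0.42 address-lists=Blocked comment="[redacted] Ledlight" mac=[redacted] server=defconf
add address=10.0.0.40 address-lists=Blocked comment="[redacted] ledlight" mac=[redacted] server=defconf
add address=10.0.0.45 address-lists=Blocked comment="[redacted] nere" mac=[redacted] server=defconf
add address=10.0.0.41 address-lists=Blocked comment="[redacted] ledlight" mac=[redacted] server=defconf
add address=10.0.0.38 client-id=[redacted] comment="Eufycam [redacted]" mac=[redacted] server=defconf
add address=10.0.0.3 client-id=[redacted] comment=MR60 mac-address=\
[redacted] server=defconf
add address=10.0.0.55 client-id=[redacted] comment="Nvidia Shield TV" \
mac=[redacted] server=defconf
add address=10.0.0.15 client-id=[redacted] comment="surfplatta, stor\?" \
mac=[redacted] server=defconf
add address=10.0.0.12 client-id=[redacted] comment=Ebba mac-address=\
[redacted] server=defconf
add address=10.0.0.13 client-id=[redacted] comment=\
"[redacted] telefon" mac=[redacted] server=defconf
add address=10.0.0.53 client-id=[redacted] comment="Sonos Vardagsrum" \
mac=[redacted] server=defconf
add address=10.0.0.52 client-id=[redacted] comment="Sonos TV-rum" \
mac=[redacted] server=defconf
add address=10.0.0.14 client-id=[redacted] comment="[redacted] telefon" \
mac=[redacted] server=defconf
add address=10.0.0.51 comment="Sonos Kok" mac=[redacted] \
server=defconf
add address=10.0.0.37 client-id=[redacted] comment=HomeBase2 \
mac=[redacted] server=defconf
add address=10.0.0.11 client-id=[redacted] comment=Sofie mac-address=\
[redacted] server=defconf
add address=10.0.0.10 client-id=[redacted] comment=Andreas \
mac=[redacted] server=defconf
add address=10.0.0.16 mac=[redacted] server=defconf
add address=10.0.0.56 client-id=[redacted] mac-address=\
[redacted] server=defconf
add address=10.0.0.17 mac=[redacted] server=defconf
add address=10.0.0.60 client-id=[redacted] comment=\
"[redacted] laptop wifi" mac=[redacted] server=defconf
add address=10.0.0.18 client-id=[redacted] comment="[redacted] iPhone" \
mac=[redacted] server=defconf
add address=10.0.0.61 client-id=[redacted] comment=\
"[redacted] laptop wi-fi" mac=[redacted] server=defconf
add address=10.0.0.19 client-id=[redacted] mac-address=\
[redacted] server=defconf
add address=10.0.0.20 client-id=[redacted] comment="[redacted] iPad3" \
mac=[redacted] server=defconf
add address=10.0.0.21 client-id=[redacted] comment="[redacted] iPad4" \
mac=[redacted] server=defconf
add address=10.0.0.62 client-id=[redacted] comment=\
"[redacted]Skoldator" mac=[redacted] server=defconf
add address=10.0.0.57 client-id=[redacted] mac-address=\
[redacted] server=defconf
add address=10.0.0.6 comment="hp wifi printer" mac=[redacted] \
server=defconf
add address=10.0.0.35 comment=Tellstick mac=[redacted] server=\
defconf
add address=10.0.0.4 client-id=[redacted] comment="MS60 WiFi AP" \
mac=[redacted] server=defconf
add address=10.0.0.9 client-id=[redacted] comment=\
"[redacted]" mac=[redacted] server=defconf
add address=10.0.0.36 client-id=[redacted] comment=\
"[redacted]VM - Home Assistant" mac=[redacted] server=defconf
add address=10.0.0.5 comment="Tibber Pulse" mac=[redacted] \
server=defconf
add address=10.0.0.22 client-id=[redacted] comment="iPhone Elsa" \
mac=[redacted] server=defconf
add address=10.0.0.23 client-id=[redacted] comment="ipad Elsa" \
mac=[redacted] server=defconf
add address=10.0.0.7 comment="Easee EV Charger Uppfart" mac-address=\
[redacted] server=defconf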
# DHCP options handed to LAN clients: gateway = this router, resolver = the
# Pi-hole at 10.0.0.31, search domain "drosk" (also the suffix the lease-script
# uses when it creates <hostname>.drosk records).
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.31 domain=drosk \
gateway=10.0.0.1 netmask=24
# Router's own resolver: forwards to Google DNS and answers queries from LAN
# and VPN interfaces (allow-remote-requests=yes); WAN queries are dropped by
# the input chain. LAN clients are pointed at the Pi-hole by DHCP and forced
# there by the piholeNAT rules, so normally only the router itself uses these
# upstreams.
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d servers=8.8.8.8,8.8.4.4
# Static DNS records. router.lan is the default-config entry; everything with
# comment=#DHCP was created by the DHCP lease-script and is removed by it when
# the lease is released.
# NOTE(review): the entries with an empty name (10.0.0.35, 10.0.0.11) and the
# bare ".drosk" names (10.0.0.42/.40/.45/.41) are stale - the current script
# refuses to register an empty hostname, so they most likely predate it.
# homeassistant.drosk resolves to both 10.0.0.33 and 10.0.0.36 and
# SonosZP.drosk to three addresses; confirm which are wanted and remove the
# rest (`/ip dns static remove [find name=""]` clears the empty ones).
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
add address=10.0.0.33 comment=#DHCP name=homeassistant.drosk ttl=6m
add address=10.0.0.4 comment=#DHCP name=MS60.drosk ttl=6m
add address=10.0.0.52 comment=#DHCP name=SonosZP.drosk ttl=6m
add address=10.0.0.53 comment=#DHCP name=SonosZP.drosk ttl=6m
add address=10.0.0.42 comment=#DHCP name=.drosk ttl=6m
add address=10.0.0.40 comment=#DHCP name=.drosk ttl=6m
add address=10.0.0.45 comment=#DHCP name=.drosk ttl=6m
add address=10.0.0.41 comment=#DHCP name=.drosk ttl=6m
add address=10.0.0.5 comment=#DHCP name=Pulse.drosk ttl=6m
add address=10.0.0.35 comment=#DHCP name= \
ttl=6m
add address=10.0.0.3 comment=#DHCP name=MR60.drosk ttl=6m
add address=10.0.0.55 comment=#DHCP name="Nvidia Shield TV.drosk" ttl=6m
add address=10.0.0.51 comment=#DHCP name=SonosZP.drosk ttl=6m
add address=10.0.0.37 comment=#DHCP name=HomeBase2.drosk ttl=6m
add address=10.0.0.36 comment=#DHCP name=homeassistant.drosk ttl=6m
add address=10.0.0.7 comment=#DHCP name=Easee-Home.drosk ttl=6m
add address=10.0.0.11 comment=#DHCP name= ttl=6m
add address=10.0.0.10 comment=#DHCP name=asd.drosk ttl=\
6m
add address=10.0.0.38 comment=#DHCP name="[redacted].drosk" ttl=6m
add address=10.0.0.56 comment=#DHCP name=[redacted]TV.drosk ttl=6m
add address=10.0.0.60 comment=#DHCP name=[redacted]ASUS.drosk ttl=6m
# Placeholder address-list "WANs" (one disabled dummy entry). No rule in this
# export references it; either populate it with the trusted source addresses
# for the port-forwards or delete it.
/ip firewall address-list
add address=123.123.123.123 disabled=yes list=WANs
# Packet filter: the default-config rule set plus accept rules for VPN services
# inserted at the top of the input chain.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# WireGuard: UDP 13231 from the WAN only (matches /interface wireguard).
add action=accept chain=input comment=WireguardDrosken dst-port=13231 \
in-interface-list=WAN protocol=udp
# NOTE(review): the next five rules admit IPsec/L2TP/PPTP/SSTP ports from ANY
# interface, yet none of those servers appears enabled in this export. Remove
# the rules for services not in use (PPTP in particular should not come back)
# and add in-interface-list=WAN to the ones kept; TCP 443 in particular would
# expose www-ssl from the Internet if that service were ever enabled.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# NOTE(review): "drop invalid" sits below the accepts above, so invalid-state
# packets to those ports are accepted first; the default config keeps this rule
# second in the chain.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything else to the router is dropped unless it arrives on a LAN-list
# interface - which includes wireguard1 (see /interface list member).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Inbound from the Internet is allowed only for connections that a dstnat rule
# matched, i.e. UDP 51845 -> 10.0.0.31 and TCP 8123 -> 10.0.0.36 per
# /ip firewall nat. LAN <-> WireGuard traffic is not restricted at all.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
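# NAT. dstnat rules are evaluated on the first packet of every new connection
# regardless of the interface it arrived on, so a port-forward must name the
# inbound interface (or a source list) or it also captures LAN traffic.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Forward UDP 51845 from the Internet to 10.0.0.31 (the Pi-hole host).
add action=dst-nat chain=dstnat comment=wg dst-port=51845 in-interface-list=\
WAN protocol=udp to-addresses=10.0.0.31 to-ports=51845
# Transparent DNS redirect: any LAN client querying a resolver other than the
# Pi-hole is sent to 10.0.0.31 (UDP and TCP). piholeNAT3/4 masquerade those
# redirected flows so the Pi-hole's replies return through the router instead
# of going straight to a client on the same subnet.
add action=dst-nat chain=dstnat comment=piholeNAT1 dst-address=!10.0.0.31 \
dst-port=53 in-interface=bridge protocol=udp src-address=!10.0.0.31 \
to-addresses=10.0.0.31
add action=dst-nat chain=dstnat comment=piholeNAT2 dst-address=!10.0.0.31 \
dst-port=53 in-interface=bridge protocol=tcp src-address=!10.0.0.31 \
to-addresses=10.0.0.31
add action=masquerade chain=srcnat comment=piholeNAT3 dst-address=10.0.0.31 \
dst-port=53 protocol=udp src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=piholeNAT4 dst-address=10.0.0.31 \
dst-port=53 protocol=tcp src-address=10.0.0.0/24
# Home Assistant port-forward (TCP 8123 -> 10.0.0.36).
# Fixed: the rule matched on dst-port alone, so any LAN connection to ANY host
# on TCP 8123 was also rewritten to 10.0.0.36; in-interface-list=WAN (as on the
# wg rule above) confines it to the Internet-facing side.
# NOTE(review): this still publishes Home Assistant over plain HTTP to the
# whole Internet. Prefer reaching it through the WireGuard tunnel, or at least
# limit src-address-list to known cloud/client ranges.
add action=dst-nat chain=dstnat comment="home google" dst-port=8123 \
in-interface-list=WAN protocol=tcp to-addresses=10.0.0.36 to-ports=8123
# Masquerade PPP/VPN clients (the 192.168.89.0/24 vpn pool).
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24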
# Devices bound to kid-control (MACs redacted). Both profiles above allow the
# whole day, so this only provides per-device traffic accounting.
/ip kid-control device
add mac=[redacted] name="RpiZEthernet;4"
add mac=[redacted] name="homeassistant;4"
# PPP account "vpn" for the L2TP/SSTP/OVPN servers. The export hides passwords
# (no show-sensitive), so confirm a strong password is actually set and that
# the account is bound to a service/profile; an unused account should be
# disabled or removed.
/ppp secret
add name=vpn
# Local time zone (affects scheduler start-time and log timestamps).
/system clock
set time-zone-name=Europe/Stockholm
# Disabled one-minute health check for the Pi-hole DNS redirect: if the
# piholeNAT rules are on and a test resolve of www.google.com via 10.0.0.31
# fails, disable all four rules; if they are off and the resolve succeeds,
# re-enable them (errors in that branch are swallowed). Clients that got
# 10.0.0.31 from DHCP are not helped by disabling the redirect.
# NOTE(review): `[/ip firewall nat [find comment="piholeNAT1"] enabled]` has
# no `get` and there is no `enabled` property; it looks like it should be
# `[:not [/ip firewall nat get [find comment="piholeNAT1"] disabled]]` -
# confirm, this may be why the task is disabled. The policy list
# (ftp,reboot,policy,password,sensitive,...) is far wider than the script
# needs; read,write,test looks sufficient - confirm.
/system scheduler
add disabled=yes interval=1m name=PingCheckPiDNS on-event=":local piholeDNS \"\
10.0.0.31\"\r\
\n:local testDomain \"www.google.com\"\r\
\n\r\
\n\r\
\n:if ([/ip firewall nat [find comment=\"piholeNAT1\"] enabled]) do={\r\
\n :do {\r\
\n :resolve \$testDomain server \$piholeDNS\r\
\n } on-error={\r\
\n\t\t/ip firewall nat disable [find comment=\"piholeNAT1\"]\r\
\n\t\t/ip firewall nat disable [find comment=\"piholeNAT2\"]\r\
\n\t\t/ip firewall nat disable [find comment=\"piholeNAT3\"]\r\
\n\t\t/ip firewall nat disable [find comment=\"piholeNAT4\"]\r\
\n }\r\
\n} else={\r\
\n :do {\r\
\n :resolve \$testDomain server \$piholeDNS\r\
\n\t\t/ip firewall nat enable [find comment=\"piholeNAT1\"]\r\
\n\t\t/ip firewall nat enable [find comment=\"piholeNAT2\"]\r\
\n\t\t/ip firewall nat enable [find comment=\"piholeNAT3\"]\r\
\n\t\t/ip firewall nat enable [find comment=\"piholeNAT4\"]\r\
\n } on-error={}\r\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/06/2021 start-time=18:56:53
# Stored scripts, both owned by andi with the full policy set including
# password and sensitive.
# NOTE(review): script1 is a placeholder (source=test) that still carries
# reboot/policy/password/sensitive - delete it or strip the policy.
# leasescript001 appears to be a verbatim copy of the lease-script embedded in
# /ip dhcp-server; keep a single copy (e.g. have the server run this script)
# so the two cannot drift, and reduce its policy to what it uses
# (read,write and logging) - confirm.
/system script
add dont-require-permissions=no name=script1 owner=andi policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
test
add dont-require-permissions=no name=leasescript001 owner=andi policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
local DHCPtag\r\
\n:set DHCPtag \"#DHCP\"\r\
\n\r\
\n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
\r\
\n\r\
\n:if ( \$leaseBound = 1 ) do=\\\r\
\n{\r\
\n :local ttl\r\
\n :local domain\r\
\n :local hostname\r\
\n :local fqdn\r\
\n :local leaseId\r\
\n :local comment\r\
\n\r\
\n /ip dhcp-server\r\
\n :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
\n network \r\
\n :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
\n \r\
\n .. lease\r\
\n :set leaseId [ find address=\$leaseActIP ]\r\
\n\r\
\n# Check for multiple active leases for the same IP address. It's weird a\
nd it shouldn't be, but just in case.\r\
\n\r\
\n :if ( [ :len \$leaseId ] != 1) do=\\\r\
\n {\r\
\n :log info \"DHCP2DNS: not registering domain name for address \$lease\
ActIP because of multiple active leases for \$leaseActIP\"\r\
\n :error \"multiple active leases for \$leaseActIP\"\r\
\n } \r\
\n\r\
\n :set hostname [ get \$leaseId host-name ]\r\
\n :set comment [ get \$leaseId comment ]\r\
\n /\r\
\n\r\
\n :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
\n\r\
\n :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
\n {\r\
\n :log error \"DHCP2DNS: not registering domain name for address \$lea\
seActIP because of empty lease host-name or comment\"\r\
\n :error \"empty lease host-name or comment\"\r\
\n }\r\
\n :if ( [ :len \$domain ] <= 0 ) do=\\\r\
\n {\r\
\n :log error \"DHCP2DNS: not registering domain name for address \$lea\
seActIP because of empty network domain name\"\r\
\n :error \"empty network domain name\"\r\
\n }\r\
\n\r\
\n :set fqdn \"\$hostname.\$domain\"\r\
\n \r\
\n /ip dns static\r\
\n :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
no ] ] = 0 ) do=\\\r\
\n {\r\
\n :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
ess \$leaseActIP with ttl \$ttl\"\r\
\n add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
abled=no\r\
\n } else=\\\r\
\n {\r\
\n :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
s \$leaseActIP because of existing active static DNS entry with this name \
or address\" \r\
\n }\r\
\n /\r\
\n} \\\r\
\nelse=\\\r\
\n{\r\
\n /ip dns static\r\
\n :local dnsDhcpId \r\
\n :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
\n\r\
\n :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\r\
\n {\r\
\n :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
easeActIP\"\r\
\n remove \$dnsDhcpId\r\
\n }\r\
\n /\r\
\n}"
# Watchdog: the hardware timer is off (watchdog-timer=no) and no ping target is
# set, so nothing actually reboots the unit; automatic supout is off. The
# e-mail fields name Gmail's SMTP server, but /tool e-mail (credentials, TLS)
# is not in this export - confirm it is configured or these notifications
# never leave the router.
/system watchdog
set automatic-supout=no ping-start-after-boot=0ms ping-timeout=2m \
send-email-from=[redacted]@gmail.com send-email-to=\
[redacted]@gmail.com send-smtp-server=smtp.gmail.com watchdog-timer=no
# Bandwidth-test server disabled (it is on by default; good to keep off).
/tool bandwidth-server
set enabled=no
# Layer-2 management (MAC-telnet and MAC-winbox) reachable only via LAN-list
# interfaces, never on the WAN port.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN