I noticed @sindy's signature so I'm posting my config in hopes that helps clarify things.
# oct/05/2022 10:50:00 by RouterOS 6.49.6
# software id = LGM4-DTDZ
#
# model = CCR2004-1G-12S+2XS
# serial number = D4F10CA1207B
/interface bridge
add name=bridge1 vlan-filtering=yes
add disabled=yes name=bridge1065 pvid=1065 \
vlan-filtering=yes
add name=vpn_bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus11 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
/interface vrrp
add disabled=yes interface=sfp-sfpplus1 name=vrrp1 priority=200
/interface vlan
add interface=sfp-sfpplus1 name=vlan101 vlan-id=101
add interface=sfp-sfpplus1 name=vlan102 vlan-id=102
add interface=sfp-sfpplus1 name=vlan103 vlan-id=103
add interface=sfp-sfpplus1 name=vlan104 vlan-id=104
add interface=sfp-sfpplus3 name=vlan201 vlan-id=201
add interface=sfp-sfpplus3 name=vlan301 vlan-id=301
add interface=sfp-sfpplus9 name=vlan1010 vlan-id=1010
add interface=sfp-sfpplus11 name=vlan1044_SAN vlan-id=1044
add interface=sfp-sfpplus9 name=vlan1046_OSInternal vlan-id=1046
add interface=sfp-sfpplus11 name=vlan1047_Servers vlan-id=1047
add interface=sfp-sfpplus9 name=vlan1048_OSServers vlan-id=1048
add interface=sfp-sfpplus9 name=vlan1049_IPMI vlan-id=1049
add interface=sfp-sfpplus3 name=vlan1064 vlan-id=1064
add interface=sfp-sfpplus3 name=vlan1065 vlan-id=1065
add interface=sfp-sfpplus1 name=vlan1066 vlan-id=1066
add interface=sfp-sfpplus11 name=vlan1067Server_mgmt vlan-id=1067
add interface=sfp-sfpplus9 name=vlan1068_OpenStackSwitch vlan-id=1068
/interface vrrp
add disabled=yes interface=vlan101 name=vrrp101
add disabled=yes interface=vlan102 name=vrrp102
add disabled=yes interface=vlan103 name=vrrp103
add disabled=yes interface=vlan104 name=vrrp104
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des name=\
profile1
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=\
aes-128 lifetime=8h name=Amazon
/ip ipsec peer
add address=54.201.30.69/32 local-address=my.public.ip.12 name=AmazonVPC2 \
profile=Amazon
add address=34.210.124.60/32 local-address=my.public.ip.12 name=AmazonVPC \
profile=Amazon
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec-vpn-070053c6ddad646ce-0
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec-vpn-070053c6ddad646ce-1
/ip pool
add name=pool101 ranges=\
192.168.128.11-192.168.131.254
add name=pool102 ranges=\
192.168.136.11-192.168.139.254
add name=pool103 ranges=\
192.168.144.11-192.168.147.254
add name=pool104 ranges=\
192.168.152.11-192.168.155.254
add name=pool301 ranges=192.168.168.2-192.168.171.254
add name=pool201 ranges=192.168.160.3-192.168.163.254
add name=VPNPOOL ranges=192.168.32.2-192.168.32.254
/ip dhcp-server
add address-pool=pool101 disabled=no interface=vlan101 lease-time=23h59m \
name=server101
add address-pool=pool102 disabled=no interface=vlan102 lease-time=23h59m \
name=server102
add address-pool=pool103 disabled=no interface=vlan103 lease-time=23h59m \
name=server103
add address-pool=pool104 disabled=no interface=vlan104 lease-time=23h59m \
name=server104
add address-pool=pool201 disabled=no interface=vlan201 lease-script=\
internal_Wifi lease-time=23h59m name=server201 src-address=192.168.160.1
add address-pool=pool301 disabled=no interface=vlan301 lease-script=\
Guest_WiFi lease-time=1h name=server301 src-address=192.168.168.1
/ppp profile
set *0 change-tcp-mss=default wins-server=192.168.5.40
add dns-server=192.168.5.40 local-address=192.168.32.1 name=vpn_profile \
remote-address=VPNPOOL use-encryption=yes wins-server=192.168.5.40
/queue tree
add disabled=yes max-limit=3G name=Download parent=global priority=1 queue=\
pcq-download-default
add disabled=yes limit-at=2500M max-limit=3G name=user-down packet-mark=user \
parent=Download priority=5 queue=pcq-download-default
add disabled=yes limit-at=2500M max-limit=3G name=server-down packet-mark=\
server-down parent=Download priority=3 queue=pcq-download-default
add disabled=yes limit-at=5M max-limit=5M name=voip-down packet-mark=voip \
parent=Download priority=2 queue=pcq-download-default
/routing bgp instance
set default as=65016 client-to-client-reflection=no redistribute-connected=\
yes redistribute-static=yes router-id=my.public.ip.12
add as=65000 client-to-client-reflection=no name=AWSVPC1 \
redistribute-connected=yes redistribute-static=yes router-id=\
169.254.175.170
add as=65000 client-to-client-reflection=no disabled=yes name=AWSVPC2 \
redistribute-connected=yes redistribute-static=yes router-id=\
169.254.157.34
/snmp community
set [ find default=yes ] disabled=yes
add addresses=192.168.8.124/32 authentication-protocol=SHA1 \
encryption-protocol=AES name=lightcast security=private
/system logging action
set 3 remote=192.168.5.71 remote-port=10514 src-address=192.168.5.1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge nat
add action=accept chain=srcnat
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add disabled=yes tagged=sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 \
vlan-ids=1064
add bridge=bridge1 disabled=yes tagged=sfp-sfpplus3 vlan-ids=201
add bridge=bridge1 disabled=yes tagged=sfp-sfpplus3 vlan-ids=301
/interface l2tp-server server
set default-profile=vpn_profile enabled=yes use-ipsec=yes
/ip address
add address=192.168.88.1/24 interface=ether1 network=\
192.168.88.0
add address=my.public.ip.12/28 interface=sfp-sfpplus12 network=my.public.ip.0
add address=192.168.64.10/24 disabled=yes network=192.168.64.0
add address=192.168.64.1/24 disabled=yes interface=vrrp1 network=192.168.64.0
add address=192.168.128.1/22 interface=\
vlan101 network=192.168.128.0
add address=192.168.136.1/22 interface=\
vlan102 network=192.168.136.0
add address=192.168.144.1/22 interface=\
vlan103 network=192.168.144.0
add address=192.168.152.1/22 interface=\
vlan104 network=192.168.152.0
add address=192.168.168.1/22 disabled=yes network=\
192.168.168.0
add address=192.168.65.1/24 interface=vlan1065 network=192.168.65.0
add address=192.168.160.1/22 disabled=yes network=192.168.160.0
add address=192.168.168.1/22 disabled=yes network=192.168.168.0
add address=192.168.160.1/22 interface=\
vlan201 network=192.168.160.0
add address=192.168.168.1/22 interface=\
vlan301 network=192.168.168.0
add address=192.168.64.1/24 interface=\
vlan1064 network=192.168.64.0
add address=192.168.32.1/24 interface=vpn_bridge \
network=192.168.32.0
add address=192.168.66.1/24 interface=\
vlan1066 network=192.168.66.0
add address=192.168.5.1/24 interface=\
vlan1047_Servers network=192.168.5.0
add address=192.168.67.1/24 interface=\
vlan1067Server_mgmt network=192.168.67.0
add address=10.44.44.2/24 interface=\
vlan1044_SAN network=10.44.44.0
add address=my.public.ip.11/28 interface=\
sfp-sfpplus12 network=my.public.ip.0
add address=my.public.ip.10/28 interface=sfp-sfpplus12 network=my.public.ip.0
add address=my.public.ip.4/28 interface=sfp-sfpplus12 network=my.public.ip.0
add address=my.public.ip.5/28 interface=sfp-sfpplus12 network=my.public.ip.0
add address=my.public.ip.6/28 interface=sfp-sfpplus12 network=my.public.ip.0
add address=my.public.ip.7/28 interface=sfp-sfpplus12 network=my.public.ip.0
add address=my.public.ip.8/28 interface=sfp-sfpplus12 network=my.public.ip.0
add address=my.public.ip.9/28 interface=sfp-sfpplus12 network=my.public.ip.0
add address=169.254.175.170/30 interface=sfp-sfpplus12 network=\
169.254.175.168
add address=169.254.157.34/30 interface=sfp-sfpplus12 network=169.254.157.32
add address=192.168.68.1/24 interface=\
vlan1068_OpenStackSwitch network=192.168.68.0
add address=192.168.7.1/24 interface=\
vlan1049_IPMI network=192.168.7.0
add address=192.168.8.1/22 interface=\
vlan1046_OSInternal network=192.168.8.0
add address=10.10.10.1/24 interface=\
vlan1010 network=10.10.10.0
add address=my.public.ip.33/27 interface=\
vlan1048_OSServers network=my.public.ip.32
add address=my.public.ip.32 disabled=yes interface=vlan1048_OSServers network=\
my.public.ip.32
/ip dhcp-server lease
add address=192.168.160.2 client-id=1:b4:fb:e4:2a:4a:11 mac-address=\
B4:FB:E4:2A:4A:11 server=server201
/ip dhcp-server network
add address=192.168.128.0/22 dns-server=192.168.5.40 gateway=192.168.128.1 \
netmask=22
add address=192.168.136.0/24 dns-server=192.168.5.40 gateway=192.168.136.1 \
netmask=22
add address=192.168.144.0/22 dns-server=192.168.5.40 gateway=192.168.144.1 \
netmask=24
add address=192.168.152.0/22 dns-server=192.168.5.40 gateway=192.168.152.1 \
netmask=22
add address=192.168.160.0/22 dns-server=192.168.5.40 gateway=192.168.160.1 \
netmask=22
add address=192.168.168.0/22 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.168.1 \
netmask=22
/ip dns
set servers=192.168.5.40,172.16.1.1
/ip firewall address-list
add address=192.168.128.0/22 list=users
add address=192.168.136.0/22 list=users
add address=192.168.144.0/22 list=users
add address=192.168.152.0/22 list=users
add address=192.168.32.0/24 list=users
add address=192.168.5.0/24 list=servers
add address=63.247.65.242 list=netdepot
add address=65.254.34.186 list=netdepot
add address=66.248.200.0/22 list=sucuri
add address=185.93.228.0/22 list=sucuri
add address=192.88.134.0/23 list=sucuri
add address=my.public.ip.0/28 list=servers
add address=192.168.160.0/22 list=users
add address=192.168.168.0/22 list=guests
add address=192.168.65.0/24 list=cameras
add address=192.168.66.0/24 list=Routers
add address=10.44.44.0/24 list=servers
add address=192.168.65.2 list=users
add address=192.168.65.3 list=users
add address=192.168.65.0/24 list=Routers
add address=192.168.67.0.24 list=Routers
add address=192.168.68.0/24 list=Routers
add address=192.168.65.2 list=johnson_list
add address=192.168.65.3 list=johnson_list
add address=192.168.65.4 list=johnson_list
add address=192.168.65.5 list=johnson_list
add address=192.168.8.0/22 list=servers
add address=192.168.7.0/24 list=IPMI
add address=192.168.8.0/22 list=OpenStack
add address=192.168.33.3 list=users
add address=192.168.7.11 list=Routers
add address=192.168.7.12 list=Routers
add address=10.10.10.0/24 list=OpenStack
add address=10.10.10.0/24 list=servers
add address=my.public.ip.32/27 list=OpenStackPublic
/ip firewall filter
add action=accept chain=forward comment=established,related connection-state=\
established,related
add action=accept chain=input dst-port=500,1701,4500,450 \
protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward connection-state=related
add action=accept chain=forward src-address-list=cameras
add action=accept chain=input src-address-list=cameras
add action=accept chain=forward src-address-list=users
add action=accept chain=input src-address-list=users
add action=accept chain=forward src-address-list=Routers
add action=accept chain=input src-address-list=Routers
add action=accept chain=input src-address-list=servers
add action=accept chain=forward src-address-list=servers
add action=accept chain=forward disabled=yes in-interface=all-vlan \
out-interface=all-vlan
add action=accept chain=input dst-port=53 protocol=udp \
src-address-list=guests
add action=accept chain=forward src-address-list=guests
add action=accept chain=forward src-address=10.49.49.0/24
add action=accept chain=forward dst-address-list=OpenStackPublic
add action=accept chain=forward src-address-list=OpenStackPublic
add action=accept chain=input disabled=yes dst-address-list=OpenStackPublic
add action=accept chain=input disabled=yes src-address-list=OpenStackPublic
add action=accept chain=forward disabled=yes src-address-list=netdepot
add action=accept chain=forward dst-address-list=johnson_list\
src-address=192.168.33.2
add action=accept chain=input dst-address-list=johnson_list src-address=\
192.168.33.2
add action=accept chain=forward src-address=192.168.33.3
add action=accept chain=input dst-address-list=IPMI src-address=192.168.33.3
add action=accept chain=forward dst-address-list=OpenStack src-address=\
192.168.33.3
add action=accept chain=input dst-address-list=OpenStack src-address=\
192.168.33.3
add action=accept chain=forward dst-address=192.168.68.0/24 src-address=\
192.168.33.3
add action=accept chain=input dst-address=192.168.68.0/24 src-address=\
192.168.33.3
add action=drop chain=forward dst-address=192.168.5.0/24 src-address=\
192.168.33.3
add action=drop chain=forward dst-address=192.168.65.0/24 src-address=\
192.168.33.3
add action=drop chain=forward dst-address=192.168.66.0/24 src-address=\
192.168.33.0/24
add action=drop chain=forward dst-address=192.168.67.0/24 src-address=\
192.168.33.0/24
add action=drop chain=forward dst-address=192.168.128.0/22 src-address=\
192.168.33.0/24
add action=drop chain=forward dst-address=192.168.136.0/22 src-address=\
192.168.33.0/24
add action=drop chain=forward dst-address=192.168.144.0/22 src-address=\
192.168.33.0/24
add action=drop chain=forward dst-address=192.168.152.0/22 src-address=\
192.168.33.0/24
add action=drop chain=forward dst-address=192.168.160.0/22 src-address=\
192.168.33.0/24
add action=return chain=servers comment="return to fwd chain" disabled=yes
add action=accept chain=forward comment=icmp icmp-options=8:0 protocol=icmp
add action=accept chain=forward icmp-options=3:0-255 protocol=icmp
add action=accept chain=input disabled=yes protocol=icmp
add action=drop chain=input src-address-list=invalid_login
add action=accept chain=forward comment="working nat" connection-nat-state=\
dstnat
add action=accept chain=input comment="established, related" \
connection-state=established,related
add action=accept chain=input connection-state=related disabled=yes
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=core src-address=10.49.49.0/24
add action=accept chain=input comment=icmp protocol=icmp
add action=accept chain=input comment=winbox dst-port=8291 in-interface=\
!sfp-sfpplus12 protocol=tcp
add action=accept chain=input comment=ssh dst-port=5022 in-interface=\
!sfp-sfpplus12 protocol=tcp
add action=log chain=input disabled=yes
add action=accept chain=input disabled=yes dst-port="" protocol=tcp \
src-address=192.188.180.15 src-port=443,8443
add action=add-src-to-address-list address-list=invalid_login \
address-list-timeout=30m chain=input comment=\
"Tiered \"fail2ban\" for invalid_logins" connection-state=new dst-port=\
8291 protocol=tcp src-address-list=login_stage_3
add action=add-src-to-address-list address-list=login_stage_3 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=login_stage_2
add action=add-src-to-address-list address-list=login_stage_2 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=login_stage_1
add action=add-src-to-address-list address-list=login_stage_1 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp
add action=reject chain=forward comment="default reject" reject-with=\
icmp-port-unreachable
add action=reject chain=input comment="default reject" reject-with=\
icmp-port-unreachable
/ip firewall mangle
add action=mark-connection chain=forward comment=voip new-connection-mark=\
voip-conn passthrough=yes protocol=udp src-port=5060-5099
add action=mark-connection chain=forward new-connection-mark=voip-conn \
passthrough=yes protocol=tcp src-port=5060-5099
add action=mark-connection chain=forward new-connection-mark=voip-conn \
passthrough=yes protocol=udp src-port=8000-8200
add action=mark-connection chain=forward new-connection-mark=voip-conn \
passthrough=yes protocol=tcp src-port=8801-8802
add action=mark-connection chain=forward dscp=46 new-connection-mark=\
voip-conn passthrough=yes protocol=udp src-port=16384-65535
add action=mark-packet chain=prerouting connection-mark=voip-conn \
new-packet-mark=voip passthrough=no
add action=mark-packet chain=forward connection-mark=user-conn \
new-packet-mark=user passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=\
fsr-backup passthrough=no src-address-list=fsr
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes dst-address=10.10.112.47 \
src-address=192.168.160.0/22
add action=accept chain=srcnat dst-address=\
169.254.175.169 src-address=169.254.175.170
add action=accept chain=srcnat dst-address=\
169.254.157.33 src-address=169.254.157.34
add action=accept chain=srcnat dst-address=\
172.30.0.0/16 src-address=192.168.5.0/24
add action=accept chain=srcnat dst-address=\
192.168.5.0/24 src-address=172.30.0.0/16
add action=accept chain=srcnat dst-address=\
172.30.0.0/16 src-address=192.168.144.0/22
add action=accept chain=srcnat dst-address=172.30.0.0/16 src-address=\
192.168.8.0/22
add action=accept chain=srcnat dst-address=192.168.8.0/22 src-address=\
172.30.0.0/16
add action=accept chain=srcnat dst-address=172.30.0.0/16 src-address=\
my.public.ip.32/27
add action=accept chain=srcnat dst-address=my.public.ip.32/27 src-address=\
172.30.0.0/16
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.40 \
src-address=172.16.0.0/16
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.40 \
src-address=192.168.5.0/24
add action=masquerade chain=srcnat disabled=\
yes dst-address=192.168.9.249 src-address=192.168.5.0/24
add action=masquerade chain=srcnat dst-address=192.168.5.18 src-address=\
172.16.0.0/16
add action=masquerade chain=srcnat dst-address=192.168.5.18 out-interface=\
sfp-sfpplus12 src-address-list=users
add action=dst-nat chain=dstnat dst-address=my.public.ip.8 src-address-list=\
users to-addresses=192.168.5.18
add action=masquerade chain=srcnat dst-address=192.168.5.18 src-address=\
192.168.5.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.42 \
src-address=172.16.0.0/16
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.42 \
src-address=192.168.5.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.25 \
src-address=172.16.0.0/16
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.25 \
src-address=192.168.5.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.66 \
src-address=172.16.0.0/16
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.5.66 \
src-address=192.168.5.0/24
add action=masquerade chain=srcnat dst-address=\
192.168.5.37 src-address=172.16.0.0/16
add action=masquerade chain=srcnat dst-address=192.168.5.37 src-address=\
192.168.5.0/24
add action=masquerade chain=srcnat out-interface=\
sfp-sfpplus12
add action=masquerade chain=srcnat dst-address=\
192.168.5.80 src-address=172.16.0.0/16
add action=masquerade chain=srcnat dst-address=192.168.5.80 src-address=\
192.168.5.0/24
add action=src-nat chain=srcnat src-address=192.168.5.80 \
to-addresses=my.public.ip.9
add action=dst-nat chain=dstnat dst-address=\
my.public.ip.9 dst-port=10051 protocol=tcp to-addresses=172.16.1.1
add action=dst-nat chain=dstnat dst-address=\
my.public.ip.10 dst-port=80,443,990,5022,7000-7009 protocol=tcp \
to-addresses=192.168.5.40
add action=dst-nat chain=dstnat disabled=\
yes dst-address=my.public.ip.11 dst-port=21,80,443,5022,7000-7009 protocol=\
tcp to-addresses=192.168.8.90
add action=src-nat chain=srcnat disabled=yes src-address=\
192.168.5.42 to-addresses=my.public.ip.4
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.4 \
src-address=172.16.1.1 to-addresses=192.168.5.42
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.4 \
dst-port=80,443,5022 protocol=tcp to-addresses=192.168.5.42
add action=src-nat chain=srcnat disabled=yes src-address=192.168.5.25\
to-addresses=my.public.ip.6
add action=src-nat chain=srcnat disabled=yes dst-address=207.210.70.162 \
src-address=192.168.5.25 to-addresses=my.public.ip.6
add action=src-nat chain=srcnat disabled=yes dst-address=63.247.65.143 \
src-address=192.168.5.25 to-addresses=my.public.ip.6
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.6 \
src-address=207.210.70.162 to-addresses=192.168.5.25
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.6 \
src-address=63.247.65.146 to-addresses=192.168.5.25
add action=src-nat chain=srcnat disabled=yes dst-address=44.225.58.100 \
protocol=tcp src-address=192.168.5.25 src-port=3306 to-addresses=\
my.public.ip.6
add action=src-nat chain=srcnat disabled=yes dst-address=54.208.175.103 \
protocol=tcp src-address=192.168.5.25 src-port=3306 to-addresses=\
my.public.ip.6
add action=src-nat chain=srcnat disabled=yes dst-address=3.212.168.141 \
protocol=tcp src-address=192.168.5.25 src-port=3306 to-addresses=\
my.public.ip.6
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.6 \
dst-port=3306 protocol=tcp src-address=44.225.58.100 to-addresses=\
192.168.5.25
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.6 \
dst-port=3306 protocol=tcp src-address=54.208.175.103 to-addresses=\
192.168.5.25
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.6 \
dst-port=3306 protocol=tcp src-address=3.212.168.142 to-addresses=\
192.168.5.25
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.6 \
dst-port=53 protocol=udp to-addresses=192.168.5.25
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.6 \
dst-port=53,80,443,5022 protocol=tcp to-addresses=192.168.5.25
add action=src-nat chain=srcnat to-addresses=my.public.ip.7
add action=dst-nat chain=dstnat dst-address=my.public.ip.7 dst-port=\
80,443,5005,5008 protocol=tcp to-addresses=192.168.5.37
add action=src-nat chain=srcnat disabled=yes dst-address=44.228.108.208\
protocol=tcp src-address=192.168.5.18 src-port=3306 \
to-addresses=my.public.ip.8
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.8 \
dst-port=3306 protocol=tcp src-address=44.228.108.208 to-addresses=\
192.168.5.18
add action=dst-nat chain=dstnat disabled=yes \
dst-address=my.public.ip.8 dst-port=80 protocol=tcp to-addresses=\
192.168.5.48 to-ports=8088
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.8 \
dst-port=443 protocol=tcp to-addresses=192.168.5.48 to-ports=4443
add action=src-nat chain=srcnat disabled=yes \
src-address=192.168.5.66 to-addresses=my.public.ip.5
add action=src-nat chain=srcnat disabled=yes dst-address=74.81.91.18 \
src-address=192.168.5.66 to-addresses=my.public.ip.5
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.5 \
src-address=74.81.91.18 to-addresses=192.168.5.66
add action=dst-nat chain=dstnat disabled=yes dst-address=my.public.ip.5 \
dst-port=80,443,5022 protocol=tcp to-addresses=192.168.5.66
add action=masquerade chain=srcnat dst-address=192.168.64.0/24 src-address=192.168.32.0/24
add action=masquerade chain=srcnat dst-address=192.168.66.0/24 src-address=\
192.168.32.0/24
/ip ipsec identity
add peer=AmazonVPC2
add peer=AmazonVPC
/ip ipsec policy
add dst-address=172.30.0.0/16 peer=AmazonVPC proposal=\
ipsec-vpn-070053c6ddad646ce-0 src-address=192.168.5.0/24 tunnel=yes
add dst-address=169.254.175.169/32 peer=AmazonVPC proposal=\
ipsec-vpn-070053c6ddad646ce-0 src-address=169.254.175.170/32 tunnel=yes
add dst-address=172.30.0.0/16 peer=AmazonVPC proposal=\
ipsec-vpn-070053c6ddad646ce-0 src-address=192.168.144.0/22 tunnel=yes
add dst-address=169.254.157.33/32 peer=AmazonVPC2 proposal=\
ipsec-vpn-070053c6ddad646ce-1 src-address=169.254.157.34/32 tunnel=yes
add disabled=yes dst-address=172.30.0.0/16 peer=AmazonVPC2 proposal=\
ipsec-vpn-070053c6ddad646ce-1 src-address=192.168.5.0/24 tunnel=yes
add dst-address=172.30.0.0/16 peer=AmazonVPC proposal=\
ipsec-vpn-070053c6ddad646ce-0 src-address=192.168.8.0/22 tunnel=yes
add dst-address=172.30.0.0/16 peer=AmazonVPC proposal=\
ipsec-vpn-070053c6ddad646ce-0 src-address=my.public.ip.32/27 tunnel=yes
/ip route
add distance=1 gateway=my.public.ip.1 pref-src=my.public.ip.12
add disabled=yes distance=1 dst-address=\
10.10.10.0/24 gateway=192.168.68.13
add distance=1 dst-address=10.10.112.0/24 \
gateway=192.168.128.9
add disabled=yes distance=1 dst-address=my.public.ip.32/28 gateway=\
vlan1068_OpenStackSwitch
add disabled=yes distance=1 dst-address=192.168.65.0/24 gateway=vlan1065
add distance=1 dst-address=192.168.128.0/22 gateway=vlan101
add distance=1 dst-address=192.168.136.0/22 gateway=vlan102
add distance=1 dst-address=192.168.144.0/22 gateway=vlan103
add distance=1 dst-address=192.168.152.0/22 gateway=vlan104
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=5022
set api disabled=yes
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
/ppp secret
add disabled=yes name=mwaldorf profile=vpn_profile
add name=inland profile=vpn_profile
add local-address=192.168.33.1 name=johnsoncontrols profile=vpn_profile \
remote-address=192.168.33.2
add local-address=192.168.33.1 name=vexhost profile=vpn_profile \
remote-address=192.168.33.3
/radius
add address=192.168.5.80 service=ppp,ipsec timeout=2s
add address=192.168.5.40 service=ppp,ipsec timeout=2s
add address=54.203.27.225 service=ppp,ipsec \
src-address=my.public.ip.11
add address=18.204.0.31 service=ppp,ipsec \
src-address=my.public.ip.11
/routing bgp network
add network=192.168.5.0/24 synchronize=no
add network=192.168.144.0/22 synchronize=no
add network=192.168.8.0/22 synchronize=no
add network=my.public.ip.32/27 synchronize=no
/routing bgp peer
add hold-time=30s instance=AWSVPC1 keepalive-time=10s name=\
BGP-vpn-070053c6ddad646ce-0 remote-address=169.254.175.169 ttl=default
add hold-time=30s instance=AWSVPC2 keepalive-time=10s name=\
BGP-vpn-070053c6ddad646ce-1 remote-address=169.254.157.33 ttl=default
/snmp
set trap-community=lightcast trap-version=3
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=CoreRouter
/system logging
add action=remote topics=info
/tool bandwidth-server
set enabled=no
/tool sniffer
set filter-interface=*24 filter-ip-protocol=udp filter-mac-protocol=0 \
filter-port=bootpc memory-limit=1000KiB
