# oct/14/2022 13:28:29 by RouterOS 7.1.3
# software id = 6XXI-TFM8
#
# model = RB4011iGS+
# serial number =
# One bridge with VLAN filtering: untagged = private LAN (192.168.0.0/24),
# tagged VLAN 20 = DMZ, tagged VLAN 30 = guest (see /interface bridge vlan).
/interface bridge
add admin-mac=48:8F:5A:C5:70:CD auto-mac=no ingress-filtering=no name=bridge \
vlan-filtering=yes
# WireGuard listener. The matching input accept (udp/13231 from anywhere) is
# in /ip firewall filter; peers are listed under /interface wireguard peers.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-vlan
# L3 interfaces for the two tagged VLANs on the bridge.
/interface vlan
add interface=bridge name=dmz-vlan vlan-id=20
add interface=bridge name=guest-vlan vlan-id=30
# Plus.net uplink over PPPoE on ether1 (credential redacted in this export).
# NOTE(review): pppoe-out1 is not a member of the WAN list defined below, so
# firewall rules keyed on in-interface-list=WAN do not see PPPoE traffic.
/interface pppoe-client
add disabled=no interface=ether1 keepalive-timeout=disabled name=pppoe-out1 \
user=[plusnet login]
# Interface lists used by the firewall. LOCAL = DMZ + LAN, and LAN also holds
# guest-vlan and wireguard-vlan (see /interface list member), so LOCAL means
# "every non-WAN network", not only the trusted private LAN.
/interface list
add name=WAN
add name=LAN
add name=DMZ
add include=DMZ,LAN name=LOCAL
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec profile/proposal: the proposal is disabled and the only policy
# (/ip ipsec policy 0) is disabled, so this is dormant configuration.
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,aes-128 \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 disabled=yes enc-algorithms=\
aes-256-cbc,aes-128-cbc pfs-group=modp4096
# Dynamic pools use .2-.100 of each subnet; the static leases further down sit
# above .100, outside these ranges.
/ip pool
add name=private_pool ranges=192.168.0.2-192.168.0.100
add name=vpn_pool ranges=192.168.5.2-192.168.5.100
add name=guest_pool ranges=192.168.3.2-192.168.3.100
add name=dmz_pool ranges=192.168.2.2-192.168.2.100
# One DHCP server per network. vpn_pool is defined but no server in this
# export uses it (WireGuard peers get fixed allowed-address entries instead).
/ip dhcp-server
add address-pool=private_pool authoritative=after-2sec-delay interface=bridge \
lease-time=23h59m59s name=private-dhcp
add address-pool=guest_pool interface=guest-vlan lease-time=23h59m59s name=\
guest-dhcp
add address-pool=dmz_pool interface=dmz-vlan lease-time=23h59m59s name=\
dmz-dhcp
/port
set 0 name=serial0
set 1 name=serial1
# Routing-protocol scaffolding: the BGP template is enabled but no BGP
# connection appears in this export; the OSPF area is disabled.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Routing tables for dual-WAN policy routing (selected via mangle marks).
/routing table
add fib name=to_VIRGIN
add fib name=to_PLUSNET
# SNMP communities. The default community is limited to the private and DMZ
# subnets. NOTE(review): the DMZ is where the dst-nat targets live, so a
# compromised DMZ host can read router SNMP data; narrowing addresses= to the
# monitoring host only would be tighter. The v3 user answers from ::/0 with
# SHA1 auth and security=private; no encryption-protocol is shown, so the
# release default applies — confirm it on this build and set AES explicitly
# if it is not.
/snmp community
set [ find default=yes ] addresses=192.168.2.0/24,192.168.0.0/24
add addresses=::/0 authentication-protocol=SHA1 name=v3user security=private
# Presumably the built-in "disk" action (index 1); log files go to disk1/log.
/system logging action
set 1 disk-file-name=disk1/log
# Built-in "full" group carrying every policy, including password, policy and
# sensitive — any account in it is a full administrator.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
# CRL download and checking are enabled for certificate validation.
/certificate settings
set crl-download=yes crl-store=system crl-use=yes
# Bridge ports. ether2 is the trunk (tagged member of VLANs 20 and 30 below);
# ether3/ether4/ether5 are DMZ access ports (pvid=20); the remaining ports are
# untagged private-LAN ports on the default PVID.
# NOTE(review): every port has ingress-filtering=no and frame-types is left at
# its default, so a tagged frame arriving on an access port for a VLAN that
# port is not a member of is not rejected at ingress. Setting
# ingress-filtering=yes and frame-types=admit-only-untagged-and-priority-tagged
# on the access ports is the usual hardening.
# NOTE(review): ether5 has pvid=20 but, unlike ether3/ether4, is not in the
# untagged= list of the VLAN 20 entry below — confirm that is intentional.
/interface bridge port
add bridge=bridge comment=Bridge ingress-filtering=no interface=ether2
add bridge=bridge ingress-filtering=no interface=ether5 pvid=20
add bridge=bridge ingress-filtering=no interface=ether6
add bridge=bridge ingress-filtering=no interface=ether7
add bridge=bridge ingress-filtering=no interface=ether9
add bridge=bridge ingress-filtering=no interface=ether10
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=DMZ ingress-filtering=no interface=ether4 pvid=20
add bridge=bridge ingress-filtering=no interface=ether3 pvid=20
# Neighbor discovery announces on the LAN list, which also contains guest-vlan
# and wireguard-vlan, so those networks learn the router's identity too.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
# IPv6 is disabled globally. There are no IPv6 firewall rules in this export,
# which is only safe while this stays disabled.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# VLAN table: the bridge itself is a tagged member of both VLANs so the
# dmz-vlan/guest-vlan L3 interfaces receive traffic. VLAN 1 (private LAN) has
# no entry here and presumably relies on PVID handling.
/interface bridge vlan
add bridge=bridge tagged=ether2,bridge untagged=ether3,ether4 vlan-ids=20
add bridge=bridge tagged=ether2,bridge vlan-ids=30
# detect-internet watches the WAN list (ether1 and ether8; pppoe-out1 is not
# a member in this export).
/interface detect-internet
set internet-interface-list=WAN
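# Interface list membership. WAN = uplinks; LAN = private bridge plus
# guest-vlan and wireguard-vlan; DMZ = dmz-vlan and its access ports.
# LOCAL (= DMZ + LAN) therefore covers every non-WAN network, guest included.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=guest-vlan list=LAN
add interface=ether3 list=DMZ
add interface=ether4 list=DMZ
add interface=ether8 list=WAN
add interface=wireguard-vlan list=LAN
add interface=dmz-vlan list=DMZ
# The Plus.net PPPoE session is a WAN too: traffic over it has in-interface
# pppoe-out1, not ether1, so without this entry the forward rule
# "Drop all from WAN (ether1) not DSTNATed" (in-interface-list=WAN) never
# matches it and detect-internet ignores it.
add interface=pppoe-out1 list=WAN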
# WireGuard peers: one /32 allowed-address per device, so each peer can only
# source its own VPN address. Public keys are redacted placeholders in this
# export.
/interface wireguard peers
add allowed-address=192.168.5.2/32 comment="Dads Iphone" interface=\
wireguard-vlan public-key="key1"
add allowed-address=192.168.5.3/32 comment="Work Computer" interface=\
wireguard-vlan public-key="key2"
add allowed-address=192.168.5.4/32 comment="Dads iPad" interface=\
wireguard-vlan public-key="key3"
# Router addresses, .1 in each network.
/ip address
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
add address=192.168.3.1/24 interface=guest-vlan network=192.168.3.0
add address=192.168.2.1/24 interface=dmz-vlan network=192.168.2.0
add address=192.168.5.1/24 interface=wireguard-vlan network=192.168.5.0
# DHCP clients on the uplinks. ether1 keeps the defconf client alongside the
# PPPoE session (presumably inert unless the ISP also offers DHCP on that
# port — confirm). ether8 (Virgin) installs its default route at distance 2.
# NOTE(review): only the to_PLUSNET table gets a route under /ip route; no
# route for to_VIRGIN appears in this export — confirm how VIRGIN-marked
# traffic is meant to resolve.
/ip dhcp-client
add comment=defconf interface=ether1
add default-route-distance=2 interface=ether8
# Static leases. Private-LAN devices are grouped by address range (.10x
# servers/printers, .11x personal devices, .13x/.14x sensors and cameras,
# .15x media, .25x infrastructure) — inferred from the comments, not enforced.
/ip dhcp-server lease
add address=192.168.0.105 always-broadcast=yes mac-address=00:15:99:61:67:53 \
server=private-dhcp use-src-mac=yes
add address=192.168.0.150 client-id=1:5c:aa:fd:f1:ef:c6 comment=Media \
mac-address=5C:AA:FD:F1:EF:C6 server=private-dhcp
add address=192.168.0.130 comment="Nest Smoke Alarms" mac-address=\
18:B4:30:A7:71:BB server=private-dhcp
add address=192.168.0.131 mac-address=18:B4:30:A7:80:C2 server=private-dhcp
add address=192.168.0.132 mac-address=18:B4:30:A7:48:AB server=private-dhcp
add address=192.168.0.250 client-id=1:fc:ec:da:4d:1:7e comment=\
"Network Infrastructure" mac-address=FC:EC:DA:4D:01:7E server=\
private-dhcp
# The two "fake-router-*" entries pin the gateway address of the guest and DMZ
# networks so it can never be handed out dynamically.
add address=192.168.3.1 allow-dual-stack-queue=no client-id=fake-router-guest \
comment="Guest Network" server=guest-dhcp
add address=192.168.2.1 allow-dual-stack-queue=no client-id=fake-router-dmz \
comment=DMZ server=dmz-dhcp
add address=192.168.2.102 mac-address=7C:2F:80:5D:38:B1 server=dmz-dhcp
add address=192.168.2.101 client-id=\
ff:fb:6b:b1:e4:0:2:0:0:ab:11:ca:4f:63:3e:ed:27:42:23 mac-address=\
00:1C:2B:0D:D1:5C server=dmz-dhcp
add address=192.168.0.106 client-id=1:28:3a:4d:89:bc:a6 mac-address=\
28:3A:4D:89:BC:A6 server=private-dhcp
add address=192.168.0.251 client-id=\
ff:4f:4d:d7:c:0:2:0:0:ab:11:97:81:e5:59:db:bf:68:8d mac-address=\
18:E8:29:B4:5F:57 server=private-dhcp
add address=192.168.0.140 client-id=1:b4:fb:e4:fe:29:3e comment=Cameras \
mac-address=B4:FB:E4:FE:29:3E server=private-dhcp
add address=192.168.0.104 client-id=1:b8:27:eb:c0:fd:cc mac-address=\
B8:27:EB:C0:FD:CC server=private-dhcp
add address=192.168.2.110 mac-address=00:1E:06:36:3C:E6 server=dmz-dhcp
# 192.168.2.105 is the dst-nat target (Plex/tms) and is named plex.lan and
# pubsvr.lan in /ip dns static.
add address=192.168.2.105 client-id=1:dc:a6:32:32:9c:27 mac-address=\
DC:A6:32:32:9C:27 server=dmz-dhcp
add address=192.168.0.253 client-id=1:f4:92:bf:a0:b9:fb mac-address=\
F4:92:BF:A0:B9:FB server=private-dhcp
add address=192.168.0.107 client-id=1:f8:a2:6d:a:47:31 mac-address=\
F8:A2:6D:0A:47:31 server=private-dhcp
add address=192.168.0.117 client-id=macbook-air-wifi2 mac-address=\
84:38:35:57:2C:4A server=private-dhcp
add address=192.168.0.151 client-id=1:40:2f:86:32:24:8 mac-address=\
40:2F:86:32:24:08 server=private-dhcp
add address=192.168.0.152 client-id=1:74:40:be:24:99:b0 mac-address=\
74:40:BE:24:99:B0 server=private-dhcp
add address=192.168.0.156 client-id=1:a0:85:fc:1e:81:1e mac-address=\
A0:85:FC:1E:81:1E server=private-dhcp
add address=192.168.0.252 client-id=1:24:5a:4c:6e:8e:29 mac-address=\
24:5A:4C:6E:8E:29 server=private-dhcp
add address=192.168.0.116 client-id=1:70:9c:d1:62:25:69 mac-address=\
70:9C:D1:62:25:69 server=private-dhcp
add address=192.168.0.155 client-id=1:4c:3b:df:4b:24:bf mac-address=\
4C:3B:DF:4B:24:BF server=private-dhcp
add address=192.168.0.153 client-id=1:24:e8:53:90:b2:a6 mac-address=\
24:E8:53:90:B2:A6 server=private-dhcp
# 0E:DA:C1:EB:5B:A9 has the locally-administered bit set, so this reservation
# is presumably tied to a randomised (private) Wi-Fi MAC — it breaks if the
# device rotates it; the matching address-list entry is disabled below.
add address=192.168.0.113 client-id=gareth-iphone mac-address=\
0E:DA:C1:EB:5B:A9 server=private-dhcp
add address=192.168.0.141 client-id=1:68:d7:9a:e5:27:3f mac-address=\
68:D7:9A:E5:27:3F server=private-dhcp
add address=192.168.0.118 client-id=1:ec:26:51:75:50:5b mac-address=\
EC:26:51:75:50:5B server=private-dhcp
add address=192.168.0.154 client-id=1:b0:37:95:5f:71:d7 mac-address=\
B0:37:95:5F:71:D7 server=private-dhcp
add address=192.168.0.112 client-id="Dad iPad" mac-address=C4:12:34:09:45:6F \
server=private-dhcp
add address=192.168.0.111 client-id=work-laptop mac-address=88:66:5A:42:9A:A6 \
server=private-dhcp
add address=192.168.0.110 client-id=mac-studio comment=Workstations \
mac-address=9C:76:0E:4E:60:D4 server=private-dhcp
add address=192.168.0.119 client-id=justin-phone mac-address=\
AA:CB:35:DE:BA:FA server=private-dhcp
add address=192.168.0.114 client-id=Gareth-iPad-mini mac-address=\
9C:04:EB:B5:6D:52 server=private-dhcp
add address=192.168.0.102 client-id=1:e4:5f:1:bd:74:5b comment=\
"Printers and Servers" mac-address=E4:5F:01:BD:74:5B server=private-dhcp
add address=192.168.0.103 mac-address=B8:27:EB:7A:37:6E server=private-dhcp
# DHCP options per network. The private LAN entry sets no dns-server, so its
# clients presumably get the router (which answers remote requests below);
# guest and DMZ clients are pointed straight at Google DNS and bypass the
# router's static entries (*.lan names) and any local filtering.
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1 \
netmask=24
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.1 \
netmask=24
# Router acts as a DNS forwarder. Exposure is bounded by the input chain
# (udp/53 accepted from LOCAL; everything not from LOCAL dropped).
# max-udp-packet-size=512 is well below the usual default and may force
# truncation/TCP fallback for large (e.g. DNSSEC) answers — confirm intent.
/ip dns
set allow-remote-requests=yes max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4
# Local names; plex.lan and pubsvr.lan both resolve to the DMZ host .105.
/ip dns static
add address=192.168.0.1 name=router.lan
add address=192.168.0.102 name=kodi.lan ttl=1h
add address=192.168.2.105 name=plex.lan
add address=192.168.0.251 name=unifi.lan
add address=192.168.2.105 name=pubsvr.lan
# Address lists. public-vlan = DMZ + guest; private-vlan = private LAN +
# WireGuard. "Justin" and "Gareth Work" select the ISP per host in mangle.
/ip firewall address-list
add address=192.168.2.0/24 comment="DMZ VLAN" list=public-vlan
add address=192.168.3.0/24 comment="Guest VLAN" list=public-vlan
add address=192.168.0.0/24 comment="Private VLAN" list=private-vlan
add address=192.168.0.113 disabled=yes list="Gareth Work"
add address=192.168.0.117 list=Justin
add address=192.168.0.118 list=Justin
add address=192.168.0.111 list="Gareth Work"
add address=192.168.0.119 list=Justin
add address=192.168.0.110 list="Gareth Work"
add address=192.168.5.0/24 comment="Wireguard VLAN" list=private-vlan
add address=192.168.0.112 list="Gareth Work"
add address=192.168.0.116 list=Justin
# Filter rules are evaluated top to bottom; input and forward rules are
# interleaved here, so read each chain on its own.
/ip firewall filter
# --- input: traffic to the router itself ---
add action=accept chain=input comment="Accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid \
log-prefix=Input
# ICMP to the router is accepted from any interface, WAN included.
add action=accept chain=input comment="Accept Ping" protocol=icmp
# Router-to-itself accept; presumably for locally generated traffic — confirm
# it is still needed.
add action=accept chain=input dst-address=192.168.0.1 src-address=192.168.0.1
# DNS and DHCP from every local network (LOCAL includes guest and DMZ).
add action=accept chain=input dst-port=53,67,68 in-interface-list=LOCAL \
protocol=udp
# SNMP from every local network; the community itself is further limited by
# addresses= under /snmp community.
add action=accept chain=input comment="SNMP Monitoring" dst-port=161 \
in-interface-list=LOCAL protocol=udp
# Forward-chain accept for SNMP between local networks. With no catch-all
# forward drop below, forward traffic from LOCAL is accepted anyway, so this
# only matters if a default drop is added later.
add action=accept chain=forward dst-port=161 in-interface-list=LOCAL \
protocol=udp
# ICMP from guest/DMZ into the private networks is allowed ahead of the
# public->private drop below.
add action=accept chain=forward dst-address-list=private-vlan protocol=icmp \
src-address-list=public-vlan
# WireGuard must be reachable from anywhere for roaming peers.
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
log-prefix=fireguard protocol=udp
# Anything arriving over the VPN is forwarded without further checks.
add action=accept chain=forward in-interface=wireguard-vlan
# NOTE(review): this is the last input rule and it drops only !LOCAL. There
# is no final catch-all drop, so every router service (ssh, winbox, www-ssl,
# and any other enabled /ip service) is reachable from guest-vlan and the DMZ
# as well as the private LAN. Tightening means either management accepts
# limited to the private LAN followed by an unconditional
# `add action=drop chain=input`, or address= restrictions under /ip service.
add action=drop chain=input comment="Drop all not coming from LAN" \
in-interface-list=!LOCAL log-prefix=INPUT
# --- forward: traffic through the router ---
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"Accept established,related, untracked" connection-state=\
established,related,untracked
# Explicit guest -> cloud-key exception ahead of the public->private drop.
add action=accept chain=forward comment=\
"Allow guest network access to login page on cloud-key" dst-address=\
192.168.0.251 in-interface=guest-vlan
# Plex: matches new tcp/32400 connections towards dmz-vlan from any
# in-interface; the dst-nat rule below is what actually steers WAN traffic.
add action=accept chain=forward comment=Plex dst-port=32400 out-interface=\
dmz-vlan protocol=tcp
# Segmentation rule: guest/DMZ may not initiate to private LAN or WireGuard.
# Note that nothing here separates guest from DMZ — they can reach each other.
add action=drop chain=forward comment=\
"Stop access to private VLANs from public VLANs" dst-address-list=\
private-vlan log-prefix=VLAN src-address-list=public-vlan
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log-prefix=INVALID
# NOTE(review): relies on the WAN list, which in this export holds ether1 and
# ether8 only; new connections arriving over pppoe-out1 are not matched here.
# There is also no final forward drop, so anything from LOCAL not matched
# above is accepted by default.
add action=drop chain=forward comment=\
"Drop all from WAN (ether1) not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Dual-WAN policy routing. [virgin-ip]/[plusnet-ip] are redacted placeholders
# for the public addresses; local traffic to them is exempted from marking.
/ip firewall mangle
add action=accept chain=prerouting dst-address=[virgin-ip] in-interface-list=\
LOCAL
add action=accept chain=prerouting dst-address=[plusnet-ip] \
in-interface-list=LOCAL
# Inbound connections are marked by the ISP they arrived on so replies leave
# the same way.
add action=mark-connection chain=prerouting comment=\
"Mark incoming connections by ISP" connection-mark=no-mark in-interface=\
ether8 new-connection-mark=VIRGIN_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=pppoe-out1 new-connection-mark=PLUSNET_conn passthrough=yes
# Outbound: listed hosts and the DMZ go via Plus.net, everything else via
# Virgin. dst-address=!192.168.0.0/16 keeps inter-VLAN traffic unmarked.
add action=mark-connection chain=prerouting comment=\
"Lock Gareth & Justin to plusher" connection-mark=no-mark dst-address=\
!192.168.0.0/16 dst-address-type=!local new-connection-mark=PLUSNET_conn \
passthrough=yes src-address-list=Justin
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=!192.168.0.0/16 dst-address-type=!local new-connection-mark=\
PLUSNET_conn passthrough=yes src-address-list="Gareth Work"
add action=mark-connection chain=prerouting comment=\
"DMZ goes out via plus.net" connection-mark=no-mark dst-address=\
!192.168.0.0/16 dst-address-type=!local new-connection-mark=PLUSNET_conn \
passthrough=yes src-address=192.168.2.0/24
add action=mark-connection chain=prerouting comment=\
"Everything else go Virgin" connection-mark=no-mark dst-address=\
!192.168.0.0/16 dst-address-type=!local new-connection-mark=VIRGIN_conn \
passthrough=yes
# Connection marks are turned into routing marks (prerouting for forwarded
# traffic, output for the router's own).
add action=mark-routing chain=prerouting comment="Now do Routing Marks" \
connection-mark=VIRGIN_conn dst-address-type=!local new-routing-mark=\
to_VIRGIN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=PLUSNET_conn \
dst-address-type=!local new-routing-mark=to_PLUSNET passthrough=yes
add action=mark-routing chain=output connection-mark=VIRGIN_conn \
dst-address-type=!local new-routing-mark=to_VIRGIN passthrough=yes
add action=mark-routing chain=output connection-mark=PLUSNET_conn \
dst-address-type=!local new-routing-mark=to_PLUSNET passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
pppoe-out1
# NOTE(review): masquerade sources from the out-interface address; if the
# intent is to pin 77.99.168.239 via to-addresses, action=src-nat is the
# action that honours it — confirm which behaviour is wanted.
add action=masquerade chain=srcnat out-interface=ether8 to-addresses=\
77.99.168.239
# Port forwards to the DMZ host. NOTE(review): none of them carries
# in-interface-list=WAN or dst-address-type=local, so they also match
# connections from internal networks to any host on these ports; adding
# one of those matchers limits them to traffic addressed to the router's
# public side.
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 protocol=tcp \
to-addresses=192.168.2.105 to-ports=32400
add action=dst-nat chain=dstnat comment=tms-api dst-port=3001 protocol=tcp \
to-addresses=192.168.2.105 to-ports=3001
add action=dst-nat chain=dstnat comment=tms dst-port=3000 protocol=tcp \
to-addresses=192.168.2.105 to-ports=3000
# The only IPsec policy is disabled (see the dormant profile/proposal above).
/ip ipsec policy
set 0 disabled=yes
# Policy route for PLUSNET-marked traffic. No equivalent entry for to_VIRGIN
# appears in this export (see the note at /ip dhcp-client).
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
routing-table=to_PLUSNET
# Management services. An export lists only non-default settings, so ssh,
# www, winbox and api-ssl are presumably at their defaults (enabled, no
# address= restriction) — confirm with /ip service print. Combined with the
# input chain accepting everything from LOCAL, these are reachable from the
# guest and DMZ networks; address= on each service is the simplest limit.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
# SNMP agent on; traps are not sent (empty trap-generators).
/snmp
set contact="Gareth Webber" enabled=yes location="Kids Room Router" \
trap-generators="" trap-version=2
/system clock
set time-zone-autodetect=no time-zone-name=Europe/London
/system identity
set name=RB4011
# Logging: rule 0 keeps info minus dhcp; rules 1 and 3 go to disk (see
# /system logging action). The two remote log actions for firewall and
# critical events are present but disabled, so firewall log-prefix hits stay
# on the router only.
/system logging
set 0 topics=info,!dhcp
set 1 action=disk
set 3 action=disk
add action=remote disabled=yes topics=firewall
add action=remote disabled=yes topics=critical
# NTP client with four fixed upstream addresses (they appear to be Google's
# public NTP servers — confirm before relying on that).
/system ntp client
set enabled=yes
/system ntp client servers
add address=216.239.35.12
add address=216.239.35.8
add address=216.239.35.4
add address=216.239.35.0
/system resource irq rps
set sfp-sfpplus1 disabled=no
# Bandwidth-test server off (it is a common abuse target when left on).
/tool bandwidth-server
set enabled=no
# Graphs are served over the web service; allow-address=192.168.0.0/16 covers
# the guest and DMZ subnets as well as the private LAN.
/tool graphing interface
add allow-address=192.168.0.0/16 interface=ether8
add allow-address=192.168.0.0/16 interface=pplsoe-out1
/tool graphing resource
add allow-address=192.168.0.0/16 store-on-disk=no
# MAC-telnet / MAC-winbox are allowed on the LAN list, which includes
# guest-vlan and wireguard-vlan; mac-ping is off.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add disabled=yes interface=bridge name=Test traffic=received