----------------------------------------------------------------------------------------------------------
A Site:
----------------------------------------------------------------------------------------------------------
# dec/02/2022 11:53:22 by RouterOS 6.49.6
# Review notes: this is a sanitised export. A-WAN-IP, B-WAN-IP, C-WAN-IP, A-WANNETWORK,
# SERVER-A1/SERVER-A2 and the "Secrets" line under /ppp secret are placeholders, not
# valid RouterOS values, so the file cannot be imported as-is. Lines starting with '#'
# are comments and are ignored on import; continuation lines end in '\'.
/interface bridge
add admin-mac=DC:2C:6E:C3:66:5C auto-mac=no comment=defconf name=bridge
# bridge_guest carries only the VLAN_Guest tagged traffic from the AR-GUEST SSID;
# it is NOT a member of the LAN interface list (see /interface list member), so the
# final "drop all not coming from LAN" input rule applies to guest clients.
add name=bridge_guest
# bridge_vpn is disabled and not referenced anywhere else in this export.
add disabled=yes name=bridge_vpn
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
/interface vlan
add interface=bridge_guest name=VLAN_Guest vlan-id=10
add interface=ether1 name=WAN-Vlan vlan-id=20
/caps-man configuration
# ARA-SITEICE: WPA2-PSK with AES-CCM. The passphrase is not in the export
# (presumably stripped by the sanitiser) - confirm one is set.
add channel.extension-channel=Ce channel.save-selected=no country=portugal \
datapath.arp=enabled datapath.bridge=bridge \
datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
distance=indoors installation=indoor mode=ap name=ARA-SITEICE \
rates.vht-supported-mcs="" security.authentication-types=wpa2-psk \
security.encryption=aes-ccm ssid=TEST
# AR-GUEST: no security.* is set, so this is an open SSID. Guest frames are tagged
# VLAN 10 onto bridge_guest; isolation from the main LAN then depends on
# bridge_guest staying out of the LAN list and on the firewall below.
add channel.control-channel-width=20mhz country=portugal datapath.arp=enabled \
datapath.bridge=bridge_guest datapath.local-forwarding=yes \
datapath.vlan-id=10 datapath.vlan-mode=use-tag distance=indoors \
installation=indoor mode=ap name=AR-GUEST ssid=AR_GUEST
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man datapath
# datapath1 is not referenced by either configuration above (both use inline
# datapath.* settings) and mtu=32 would be unusable if it were applied - appears to
# be a leftover; confirm and remove.
add arp=enabled bridge=bridge bridge-cost=0 interface-list=LAN l2mtu=0 mtu=32 \
name=datapath1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# The default profile still offers modp1024 (weak DH). The L2TP server below uses
# use-ipsec=required, and as far as RouterOS builds its dynamic road-warrior peer
# from the default profile/proposal, this is what remote users negotiate - drop
# modp1024 once clients are confirmed to support ecp256/modp2048.
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=\
aes-256,aes-128
# site-to-site (A<->B) sets no dh-group, so the profile default applies; the B-SITE
# end pins modp2048 on its site-to-site profile. Pin it here too so both ends agree:
#   add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=site-to-site
add enc-algorithm=aes-256 hash-algorithm=sha512 name=site-to-site
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
S2S-A-SITE-C-SITE
/ip ipsec peer
# S2S-B-SITE has no exchange-mode, so the RouterOS default (IKEv1 main mode) is
# used, while the A<->C peer uses IKEv2. Consider exchange-mode=ike2 on both ends
# of the A<->B tunnel as well.
add address=B-WAN-IP/32 comment="Site to Site VPN B-SITE" name=S2S-B-SITE \
profile=site-to-site
add address=C-WAN-IP/32 exchange-mode=ike2 name=S2S-A-SITE-C-SITE profile=\
S2S-A-SITE-C-SITE send-initial-contact=no
/ip ipsec proposal
# The default proposal explicitly offers 3des and sha1; it is the proposal the
# dynamic L2TP/IPsec policies fall back to. Trim to aes-*-cbc/sha256 once remote
# clients are confirmed compatible.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=ecp256
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=site-to-site
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=S2S-A-SITE-C-SITE \
pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.100.5-192.168.100.254
# 192.168.103.0/24 is this site's L2TP/IPsec remote-user range.
add name="A-SITE Remote User VPN" ranges=192.168.103.5-192.168.103.254
add name=dhcp_pool2 ranges=10.0.0.2-10.0.0.254
# B-SITE-pool is not referenced elsewhere in this export - confirm it is needed.
add name=B-SITE-pool ranges=192.168.101.0/24
# "Guest Pool" is not referenced elsewhere in this export (the guest DHCP server
# uses dhcp_pool2) - confirm it is needed.
add name="Guest Pool" ranges=192.168.5.2-192.168.5.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=VLAN_Guest name=dhcp_guest
/ppp profile
set *FFFFFFFE bridge=bridge local-address=192.168.103.1 remote-address=\
"A-SITE Remote User VPN"
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=ARA-SITEICE \
slave-configurations=AR-GUEST
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface l2tp-server server
# use-ipsec=required: plain (unencrypted) L2TP is refused; IPsec parameters come
# from the default profile/proposal above.
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
# Only "bridge" is in LAN; VLAN_Guest/bridge_guest are not, which is what keeps
# guests away from router services via the input-chain !LAN drop.
add comment=defconf interface=bridge list=LAN
add interface=WAN-Vlan list=WAN
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=\
192.168.100.0
add address=10.0.0.1/24 interface=VLAN_Guest network=10.0.0.0
add address=A-WAN-IP/24 interface=WAN-Vlan network=A-WANNETWORK
/ip dhcp-client
# defconf DHCP client on untagged ether1 while the WAN address is static on
# WAN-Vlan - likely a leftover; confirm whether it is still wanted.
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.1 netmask=24
/ip dns
set servers=SERVER-A1,SERVER-A2,62.28.116.41,8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall filter
# Rules are evaluated top to bottom, first match wins. Input chain: the accepts
# for 192.168.101/102/103/104.0/24 below match on source address only, before the
# final "drop all not coming from LAN" rule, and carry no ipsec-policy or
# in-interface qualifier - so a packet arriving on WAN with a spoofed source in
# those ranges is accepted. For the IPsec-tunnelled ranges (101, 102, 104) add
# ipsec-policy=in,ipsec, e.g.
#   add action=accept chain=input ipsec-policy=in,ipsec src-address=192.168.101.0/24
# For the local L2TP pool (103) match the PPP interfaces instead (e.g. an
# interface list holding the l2tp interfaces), since those packets are no longer
# marked as IPsec after L2TP decapsulation.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here"
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# log=yes on the ICMP accept logs every ping reaching the router - watch log volume.
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
log-prefix="FW Ping" protocol=icmp
add action=accept chain=forward disabled=yes dst-port=25,587 protocol=tcp \
src-address=192.168.100.0/24
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
# UDP 1701 is accepted from anywhere. use-ipsec=required already rejects plain
# L2TP, but a tighter rule is to accept 1701 only after IPsec decapsulation:
#   add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec protocol=udp
# and keep 500,4500 open separately.
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input log=yes log-prefix="FW from 101" src-address=\
192.168.101.0/24
add action=accept chain=input log=yes log-prefix="FW From 102" src-address=\
192.168.102.0/24
add action=accept chain=input src-address=192.168.103.0/24
add action=accept chain=input log=yes log-prefix="FW B-SITE RUV Accepted" \
src-address=192.168.104.0/24
add action=accept chain=output dst-address=192.168.101.0/24
add action=accept chain=output dst-address=192.168.102.0/24 log=yes \
log-prefix="FW to 102"
add action=accept chain=output dst-address=192.168.103.0/24
add action=accept chain=output dst-address=192.168.104.0/24
add action=accept chain=forward disabled=yes dst-port=25,587 protocol=tcp \
src-port=25,587
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu \
passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
# Several dst-nat rules below match on dst-port only (37777/37778, 4444, 4442,
# 444, 4443, 4446, 8883, 8884) with no dst-address or in-interface, so they also
# rewrite matching traffic that enters from the LAN or over the site-to-site
# tunnels, not only from the public address. Qualify them as the HTTP/S and SMTP
# rules do, e.g. dst-address=A-WAN-IP or in-interface-list=WAN.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=srcnat dst-address=192.168.101.0/24 log=yes \
log-prefix="NAT To 101" src-address=192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.102.0/24 log=yes \
log-prefix="NAT 100->102" src-address=192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.105.0/24 src-address=\
192.168.100.0/24
add action=accept chain=dstnat dst-address=192.168.100.0/24 log=yes \
log-prefix="NAT from 101" src-address=192.168.101.0/24
add action=accept chain=dstnat dst-address=192.168.100.0/24 log=yes \
log-prefix="NAT 102->100" src-address=192.168.102.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.103.0/24 \
src-address=192.168.100.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.104.0/24 \
src-address=192.168.100.0/24
add action=accept chain=dstnat disabled=yes dst-address=192.168.100.0/24 \
src-address=192.168.104.0/24
add action=accept chain=dstnat dst-address=192.168.100.0/24 src-address=\
192.168.105.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.101.0/24 \
src-address=192.168.103.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.100.0/24 \
src-address=192.168.103.0/24
# Hairpin NAT so LAN clients can reach the published servers via the public name.
add action=masquerade chain=srcnat comment=\
"Allow access to web server from inside LAN" dst-address=SERVER-A2 \
dst-port=80,443 log=yes log-prefix=web-masq out-interface-list=LAN \
protocol=tcp src-address=192.168.100.0/24
add action=masquerade chain=srcnat dst-address=192.168.100.167 dst-port=\
37777,37778 out-interface-list=LAN protocol=tcp src-address=\
192.168.100.0/24
# ipsec-policy=out,none keeps tunnel-bound traffic from being masqueraded.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="SMTP Server Masquerade" \
src-address=192.168.100.13
add action=dst-nat chain=dstnat comment="Site HTTP/S NAT " dst-address=\
A-WAN-IP dst-port=80,443 protocol=tcp to-addresses=SERVER-A2
add action=dst-nat chain=dstnat comment="Maintenance site" disabled=yes \
dst-address=A-WAN-IP dst-port=80,443 protocol=tcp to-addresses=\
192.168.100.13
add action=dst-nat chain=dstnat comment="SMTP STARTLS" dst-address=\
A-WAN-IP dst-port=587 protocol=tcp to-addresses=192.168.100.13 \
to-ports=587
add action=dst-nat chain=dstnat dst-port=37777,37778 protocol=tcp \
to-addresses=192.168.100.167
add action=dst-nat chain=dstnat comment=AROficina dst-port=4444 log=yes \
log-prefix=AROFICINA protocol=tcp to-addresses=192.168.100.13 to-ports=\
4444
add action=dst-nat chain=dstnat comment=VIM dst-port=4442 log=yes log-prefix=\
"VIM ACCESS" protocol=tcp to-addresses=192.168.100.13 to-ports=4442
add action=dst-nat chain=dstnat comment="Cloud Key\? OBSOLETE" dst-port=8080 \
protocol=tcp src-address=B-WAN-IP to-addresses=192.168.100.7 \
to-ports=8080
add action=dst-nat chain=dstnat comment=CRS_2 dst-port=444 protocol=tcp \
to-addresses=192.168.100.12 to-ports=443
add action=dst-nat chain=dstnat comment="Contratos Digitais" disabled=yes \
dst-port=4443 protocol=tcp to-addresses=192.168.100.100 to-ports=4443
add action=dst-nat chain=dstnat comment="Contratos Digitais - Novo servidor" \
dst-port=4443 protocol=tcp to-addresses=192.168.100.13 to-ports=4443
# This rule (and "TMP RW License" below) redirects to 80.172.211.118, which is
# not an address of this site - intent unclear; confirm it is still required.
add action=dst-nat chain=dstnat comment="RW License\?" dst-port=1648 \
protocol=tcp src-address=82.155.94.12 to-addresses=80.172.211.118 \
to-ports=1648
add action=dst-nat chain=dstnat comment="SMTP weirdo" disabled=yes dst-port=\
587 protocol=tcp src-address=81.193.203.213 to-addresses=192.168.100.13 \
to-ports=587
add action=dst-nat chain=dstnat comment=SMTPweirdo2 disabled=yes dst-port=587 \
protocol=tcp src-address=A-WAN-IP to-addresses=192.168.100.13 \
to-ports=587
add action=dst-nat chain=dstnat comment=\
"SQL C-SITE :: OBSOLETE IF VPN FUNCTIONAL" dst-port=1433 protocol=tcp \
src-address=82.155.94.12 to-addresses=SERVER-A1 to-ports=1433
# Undocumented: TCP 475 from 82.155.94.12 to SERVER-A1 - add a comment stating
# the service so it can be retired together with the SQL rule above.
add action=dst-nat chain=dstnat dst-port=475 protocol=tcp src-address=\
82.155.94.12 to-addresses=SERVER-A1 to-ports=475
add action=dst-nat chain=dstnat comment="TMP RW License" disabled=yes \
dst-port=1648 protocol=tcp src-address=94.133.170.153 to-addresses=\
80.172.211.118 to-ports=1648
add action=dst-nat chain=dstnat comment="TMP SQL" disabled=yes dst-port=1433 \
protocol=tcp src-address=94.133.170.153 to-addresses=SERVER-A2 \
to-ports=1433
add action=dst-nat chain=dstnat comment="TMP SQL 2" disabled=yes dst-port=475 \
protocol=tcp src-address=94.133.170.153 to-addresses=SERVER-A2 \
to-ports=475
# Disabled; "433" in dst-port looks like a typo for 443.
add action=dst-nat chain=dstnat comment=\
";;;; Internal Access to server via external ip address" disabled=yes \
dst-address=85.244.235.154 dst-port=80,433,20,21 protocol=tcp \
src-address=192.168.100.0/24 to-addresses=192.168.100.252
add action=dst-nat chain=dstnat comment="Autorent Mobile App" dst-port=4446 \
protocol=tcp to-addresses=192.168.100.13 to-ports=4446
add action=dst-nat chain=dstnat comment="C-SITErent CD" dst-port=8883 protocol=\
tcp to-addresses=192.168.100.13 to-ports=8883
add action=dst-nat chain=dstnat comment="C-SITErent Mobile App" dst-port=8884 \
protocol=tcp to-addresses=192.168.100.13 to-ports=8884
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
# No auth-method or secret appears in the export (sanitised or defaulted); the
# comment above implies pre-shared keys - confirm each key is long and random.
add peer=S2S-B-SITE
add peer=S2S-A-SITE-C-SITE
/ip ipsec policy
add dst-address=192.168.101.0/24 peer=S2S-B-SITE proposal=site-to-site \
src-address=192.168.100.0/24 tunnel=yes
add dst-address=192.168.102.0/24 peer=S2S-A-SITE-C-SITE proposal=S2S-A-SITE-C-SITE \
src-address=192.168.100.0/24 tunnel=yes
/ip route
add distance=1 gateway=62.28.228.45
# Route to C-SITE's LAN with pref-src=192.168.100.1: this makes router-originated
# traffic to 192.168.102.0/24 source from the LAN address so it matches the
# IPsec policy src 192.168.100.0/24 (C-SITE's equivalent route leaves pref-src
# unset). gateway=bridge with check-gateway=arp is unusual - confirm intent.
add check-gateway=arp distance=2 dst-address=192.168.102.0/24 gateway=bridge \
pref-src=192.168.100.1
/ip service
# Only www-ssl is shown here; the other services (www, api, ftp, ssh, telnet,
# winbox) do not appear, i.e. they are presumably at defaults. The !LAN input
# drop limits WAN exposure, but restricting each enabled service with
# address=<management range> is still advisable.
set www-ssl disabled=no
/ppp secret
# "Secrets" is a redaction placeholder inserted by the author, not RouterOS
# syntax; an import would fail on this line.
Secrets
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=AR-A-SITE-GW
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
----------------------------------------------------------------------------------------------------------
B site:
----------------------------------------------------------------------------------------------------------
# dec/02/2022 11:54:52 by RouterOS 6.49.6
# Review notes: sanitised export (A-WAN-IP, B-WAN-IP, C-WAN-IP, B-WANNETWORK,
# SERVER-A1/SERVER-A2 and "Secrets" are placeholders). Unlike the A and C exports
# there is no /ip service, /tool mac-server or /system identity section, so those
# are presumably at RouterOS defaults - review them on the device.
/caps-man configuration
# cfg1 offers wpa-psk only (WPA1) with security.encryption left empty, so cipher
# selection is left to defaults/negotiation. Align with A-SITE:
#   security.authentication-types=wpa2-psk security.encryption=aes-ccm
# No passphrase appears here (export may have been sanitised) - confirm one is set.
add name=cfg1 security.authentication-types=wpa-psk security.encryption="" \
ssid=B-SITE
/interface bridge
add name=bridge1
/caps-man interface
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=DC:2C:6E:F8:AF:14 \
master-interface=none name=cap1 radio-mac=DC:2C:6E:F8:AF:14 radio-name=\
DC2C6EF8AF14
/interface vlan
add interface=ether1 name="WAN VLAN" vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# Default profile offers modp1024 (weak DH); it is what the L2TP/IPsec remote-user
# peer is presumably built from (use-ipsec=required below) - drop modp1024 once
# clients are confirmed compatible.
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=\
aes-256,aes-128
# site-to-site (B<->A) pins modp2048; A-SITE's site-to-site profile sets no
# dh-group - make sure A-SITE pins the same group.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
site-to-site
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
"S2S C-SITE"
/ip ipsec peer
# Neither peer sets exchange-mode, so both use the RouterOS default (IKEv1 main
# mode); the A<->C tunnel already uses ike2 - consider exchange-mode=ike2 here
# and on the matching remote peers.
add address=C-WAN-IP/32 name="S2S C-SITE" profile="S2S C-SITE"
add address=A-WAN-IP/32 name="S2S A-SITE" profile=site-to-site
/ip ipsec proposal
# Only auth-algorithms and pfs-group are set on the default proposal, so its
# enc-algorithms are the RouterOS defaults (A-SITE's export shows those spelled
# out, including 3des). The "S2S C-SITE" policy below does not reference the
# "S2S C-SITE" proposal, so the B<->C tunnel negotiates with this default one.
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=ecp256
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=site-to-site
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name="S2S C-SITE" \
pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.101.5-192.168.101.254
# 192.168.104.0/24 is this site's L2TP/IPsec remote-user range.
add name="B-SITE Remote User VPN" ranges=192.168.104.5-192.168.104.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
set *FFFFFFFE bridge=bridge1 local-address=192.168.104.1 remote-address=\
"B-SITE Remote User VPN"
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp1
/ip neighbor discovery-settings
# !dynamic includes the static "WAN VLAN" interface, so MNDP/CDP announcements
# go out toward the ISP. A and C restrict this to LAN:
#   set discover-interface-list=LAN
set discover-interface-list=!dynamic
/interface l2tp-server server
# use-ipsec=required: plain L2TP is refused; IPsec parameters come from the
# default profile/proposal above.
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add interface=bridge1 list=LAN
add interface="WAN VLAN" list=WAN
/ip address
add address=192.168.101.1/24 interface=bridge1 network=192.168.101.0
add address=B-WAN-IP/24 interface="WAN VLAN" network=B-WANNETWORK
/ip dhcp-client
# defconf DHCP client on untagged ether1 while the WAN address is static on
# "WAN VLAN" - likely a leftover; confirm whether it is still wanted.
add comment=defconf interface=ether1
/ip dhcp-server network
# No interface or pool on this router carries 10.0.0.0/24 (that is A-SITE's guest
# VLAN) - appears to be a leftover; confirm and remove.
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.168.101.0/24 comment=defconf gateway=192.168.101.1 netmask=24
/ip dns
# SERVER-A1/SERVER-A2 presumably live in A-SITE's LAN. There is no route with a
# pref-src of 192.168.101.1 here, so router-originated queries to them likely
# leave via the default route sourced from the WAN address, outside the IPsec
# policy (src 192.168.101.0/24) - verify resolution from the router itself.
set servers=SERVER-A1,SERVER-A2,8.8.8.8,1.1.1.1
/ip firewall filter
# Input chain: the accepts for 192.168.104/103/100.0/24 below match on source
# address only, ahead of the final !LAN drop, with no ipsec-policy or
# in-interface qualifier, so spoofed WAN packets with those sources are accepted.
# Add ipsec-policy=in,ipsec for the tunnelled 192.168.100.0/24 rule and match the
# PPP interfaces for the local L2TP pool. The forward chain has no
# established/related accept, "drop invalid" or fasttrack rule as A and C do; it
# relies on the implicit accept - consistent but unoptimised.
add action=accept chain=input comment=\
";;; defconf: accept estagbilished, related, untracked " \
connection-state=established,related,untracked
add action=drop chain=input comment=";;;; defconf: drop invalid" \
connection-state=invalid log-prefix=dropInvalid
add action=accept chain=input comment=";;;;; defconf: accept ICMP" protocol=\
icmp
add action=accept chain=input comment=\
";;;;defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
# log-prefix is set but log=yes is not, so this rule does not log.
add action=accept chain=input in-interface="WAN VLAN" log-prefix=IPSEC \
protocol=ipsec-esp
# UDP 1701 open from anywhere; see A-SITE note - restrict 1701 to
# ipsec-policy=in,ipsec and keep 500,4500 open separately.
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input log=yes log-prefix=\
"FW RUVPN Connection Accepted" src-address=192.168.104.0/24
# 192.168.103.0/24 is A-SITE's remote-user pool; no IPsec policy on either end
# covers 103<->101, so this rule may be unreachable in practice - confirm.
add action=accept chain=input dst-address=192.168.101.0/24 src-address=\
192.168.103.0/24
add action=accept chain=input src-address=192.168.100.0/24
add action=accept chain=output dst-address=192.168.100.0/24
add action=drop chain=input comment=\
";;;defconf: drop all not coming from LAN" in-interface-list=!LAN \
log-prefix="lan drop"
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface-list=WAN log=yes log-prefix="wan drop"
/ip firewall nat
# The accept rules exempt tunnel-bound traffic from the masquerade at the end.
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=\
192.168.101.0/24
add action=accept chain=srcnat dst-address=192.168.102.0/24 src-address=\
192.168.101.0/24
# src-address-list="" is an empty matcher and can be dropped from this rule.
add action=accept chain=dstnat dst-address=192.168.101.0/24 src-address=\
192.168.100.0/24 src-address-list=""
add action=accept chain=srcnat dst-address=192.168.100.0/24 log=yes \
log-prefix="NAT RUV Natted" src-address=192.168.104.0/24
add action=accept chain=dstnat dst-address=192.168.104.0/24 src-address=\
192.168.100.0/24
# Unlike A and C, the masquerade has no ipsec-policy=out,none exclusion; it works
# only because every policy destination is exempted above. Adding
# ipsec-policy=out,none here makes future policies safe by default.
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
# No auth-method or secret appears in the export (sanitised or defaulted) -
# confirm each pre-shared key is long and random.
add peer="S2S A-SITE"
add peer="S2S C-SITE"
/ip ipsec policy
add dst-address=192.168.100.0/24 peer="S2S A-SITE" proposal=site-to-site \
src-address=192.168.101.0/24 tunnel=yes
# No proposal= here, so the default proposal is used instead of "S2S C-SITE";
# set proposal="S2S C-SITE" (and the matching proposal on the C-SITE policy).
add dst-address=192.168.102.0/24 peer="S2S C-SITE" src-address=192.168.101.0/24 \
tunnel=yes
/ip route
add distance=1 gateway=83.240.243.97
/lcd
set time-interval=hour
/ppp secret
# "Secrets" is a redaction placeholder inserted by the author, not RouterOS
# syntax; an import would fail on this line.
Secrets
/system clock
set time-zone-name=Europe/Lisbon
----------------------------------------------------------------------------------------------------------
C site:
----------------------------------------------------------------------------------------------------------
# dec/02/2022 11:52:20 by RouterOS 7.6
# Review notes: sanitised export (A-WAN-IP, B-WAN-IP, SERVER-A1/SERVER-A2 and
# "secrets" are placeholders). The tokens hw-A-SITEload (fasttrack rule) and
# suppress-hw-A-SITEload (/ip route) look like the real v7 parameters hw-offload
# and suppress-hw-offload mangled by the sanitiser's text substitution; other
# "...A-SITE..." names may have been altered the same way.
/interface bridge
add admin-mac=18:FD:74:C2:99:0D auto-mac=no comment=defconf name=bridge
# guest-bridge is not a member of the LAN list, so the input-chain !LAN drop
# applies to guest clients (see the DNS note under /ip dhcp-server network).
add name=guest-bridge
/interface wifiwave2
# No security.* parameters are shown for wifi1/wifi2. As exported that would be
# an open SSID; if the sanitiser removed them, confirm WPA2/WPA3 is configured.
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Portugal .mode=ap .ssid=C-SITE disabled=no
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
configuration.country=Portugal .mode=ap .ssid=C-SITE disabled=no
/interface vlan
add disabled=yes interface=ether1 name="WAN VLAN" vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 security
# Empty security profile; with authentication-types="" below the guest SSID is
# open by design - guest isolation therefore rests entirely on the firewall.
add name=Guest
/interface wifiwave2 configuration
add country=Portugal mode=ap name=C-SITE-guest security=Guest \
security.authentication-types="" ssid=C-SITE-Guest
/interface wifiwave2
add configuration=C-SITE-guest configuration.mode=ap disabled=no mac-address=\
1A:FD:74:C2:99:12 master-interface=wifi2 name=C-SITE-guest
/interface vlan
# Disabled and not referenced elsewhere; vlan-id=1 is also the usual untagged
# default - confirm and remove if unused.
add disabled=yes interface=C-SITE-guest name=guest-vlan vlan-id=1
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
S2S-A-SITE-C-SITE
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
"S2S B-SITE"
/ip ipsec peer
# "S2S B-SITE" sets no exchange-mode (RouterOS default: IKEv1 main mode); the
# A<->C peer uses ike2 - consider ike2 for B<->C on both ends.
add address=B-WAN-IP/32 name="S2S B-SITE" profile="S2S B-SITE"
add address=A-WAN-IP/32 exchange-mode=ike2 name=S2S-A-SITE-C-SITE profile=\
S2S-A-SITE-C-SITE send-initial-contact=no
/ip ipsec proposal
# The default proposal is what the L2TP/IPsec remote-user policies and the
# B<->C policy below (which sets no proposal=) fall back to; its enc-algorithms
# are RouterOS defaults since only auth/pfs are set here.
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=ecp256
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=S2S-A-SITE-C-SITE \
pfs-group=modp2048
# Defined but not referenced by any policy in this export (see /ip ipsec policy).
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name="S2S B-SITE C-SITE" \
pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.102.5-192.168.102.254
# 192.168.105.0/24 is this site's L2TP/IPsec remote-user range.
add name="C-SITE Remote User VPN" ranges=192.168.105.5-192.168.105.254
add name=C-SITE-guest ranges=192.168.10.5-192.168.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=C-SITE-guest interface=guest-bridge name=dhcp1
/port
set 0 name=serial0
/ppp profile
# local-address=192.168.104.1 is B-SITE's remote-user gateway address, while this
# site's pool is 192.168.105.x - looks copied from B-SITE. PPP does not strictly
# require the same subnet, but 192.168.104.0/24 belongs to B-SITE's users; use
#   local-address=192.168.105.1
set *FFFFFFFE bridge=bridge local-address=192.168.104.1 remote-address=\
"C-SITE Remote User VPN"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=guest-bridge interface=C-SITE-guest
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# use-ipsec=required: plain L2TP is refused; IPsec parameters come from the
# default profile/proposal above.
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
# Only "bridge" is in LAN; guest-bridge is intentionally outside it. ether1 is the
# WAN member because "WAN VLAN" is disabled.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.102.1/24 comment=defconf interface=bridge network=\
192.168.102.0
add address=192.168.10.1/24 interface=guest-bridge network=192.168.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
# Guests are told to use 192.168.10.1 (this router) as first DNS server, but
# guest-bridge is outside the LAN list, so their queries hit the input-chain
# "drop all not coming from LAN" rule and only the 8.8.8.8 fallback works (unless
# some path bypasses the filter - verify). If the router should resolve for
# guests, add before that drop:
#   add action=accept chain=input dst-port=53 in-interface=guest-bridge protocol=udp
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=\
192.168.10.1
add address=192.168.102.0/24 comment=defconf dns-server=192.168.102.1 \
gateway=192.168.102.1 netmask=24
/ip dns
# allow-remote-requests=yes turns the router into a resolver for any source that
# reaches the input chain; WAN is covered by the !LAN drop. A-WAN-IP as an
# upstream is unlikely to answer (A-SITE drops non-LAN input) and the queries to
# SERVER-A1/SERVER-A2 only traverse the tunnel if they are sourced from
# 192.168.102.0/24 - see the pref-src note under /ip route.
set allow-remote-requests=yes servers=\
SERVER-A1,SERVER-A2,A-WAN-IP,8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.102.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
# UDP 1701 open from anywhere; see A-SITE note - restrict 1701 to
# ipsec-policy=in,ipsec and keep 500,4500 open separately.
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
# Source-address-only accept ahead of the !LAN drop: spoofable from WAN. Match the
# L2TP PPP interfaces instead of (or in addition to) the source range.
add action=accept chain=input src-address=192.168.105.0/24
add action=accept chain=input disabled=yes src-address=192.168.104.0/24
add action=accept chain=input disabled=yes src-address=192.168.103.0/24
# GUEST ISOLATION BUG: dst-address-list / src-address-list take the NAME of an
# /ip firewall address-list, not a list of networks. This export contains no
# /ip firewall address-list section, so unless a list literally named
# "192.168.100.0/24,...,192.168.100.105/24" exists these two rules match nothing
# and guests on 192.168.10.0/24 can reach 192.168.102.0/24. Fix:
#   /ip firewall address-list
#   add list=internal-nets address=192.168.100.0/24
#   ... one entry per internal network ...
#   /ip firewall filter
#   add action=drop chain=forward dst-address-list=internal-nets src-address=192.168.10.0/24
# "192.168.100.105/24" also looks like a typo for 192.168.105.0/24 (the
# remote-user pool) - confirm.
add action=drop chain=forward dst-address-list="192.168.100.0/24,192.168.101.0\
/24,192.168.102.0/24,192.168.103.0/24,192.168.104.0/24,192.168.100.105/24" \
src-address=192.168.10.0/24
add action=drop chain=forward dst-address=192.168.10.0/24 src-address-list="19\
2.168.100.0/24,192.168.101.0/24,192.168.102.0/24,192.168.103.0/24,192.168.\
104.0/24,192.168.100.105/24"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# hw-A-SITEload: presumably hw-offload mangled by the sanitiser (see header).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-A-SITEload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.100.0/24 \
src-address=192.168.102.0/24
# ipsec-policy=out,none keeps tunnel-bound traffic from being masqueraded.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=C-SITE-guest
/ip ipsec identity
# No auth-method or secret appears in the export (sanitised or defaulted) -
# confirm each pre-shared key is long and random.
add peer=S2S-A-SITE-C-SITE
add peer="S2S B-SITE"
/ip ipsec policy
add dst-address=192.168.100.0/24 peer=S2S-A-SITE-C-SITE proposal=S2S-A-SITE-C-SITE \
src-address=192.168.102.0/24 tunnel=yes
# No proposal= here, so the default proposal is used instead of
# "S2S B-SITE C-SITE"; set proposal="S2S B-SITE C-SITE" (and the matching
# proposal on the B-SITE policy) so the B<->C tunnel uses the intended algorithms.
add dst-address=192.168.101.0/24 peer="S2S B-SITE" src-address=192.168.102.0/24 \
tunnel=yes
/ip route
# Counterpart of A-SITE's route to the remote LAN, but pref-src is left at
# 0.0.0.0, so router-originated traffic to 192.168.100.0/24 (e.g. DNS to
# SERVER-A1/SERVER-A2) is not sourced from 192.168.102.1 and will not match the
# IPsec policy. Set pref-src=192.168.102.1 as A-SITE does with 192.168.100.1.
# suppress-hw-A-SITEload: presumably suppress-hw-offload mangled by the sanitiser.
add check-gateway=arp disabled=no distance=2 dst-address=192.168.100.0/24 \
gateway=bridge pref-src=0.0.0.0 routing-table=main scope=30 \
suppress-hw-A-SITEload=no target-scope=10
/ipv6 firewall address-list
# Stock defconf IPv6 ruleset follows; no IPv6 addressing appears in this export.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
# "secrets" is a redaction placeholder inserted by the author, not RouterOS
# syntax; an import would fail on this line.
secrets
/system clock
set time-zone-name=Europe/Lisbon
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I tried to make three separate code blocks, but the other two would not render as separate blocks, and I did not want a huge wall of text, so they are all in the same block, separated by