lanhampr
newbie
Topic Author
Posts: 34
Joined: Wed Aug 04, 2021 7:18 pm

Blocking access to Mikrotik

Wed Feb 01, 2023 3:00 am

I am confused about how to block ports to the Mikrotik, like SSH, API, etc...

I created an address list for networks allowed and filter to block ports but my blocking is not working. I am sure I don't need in-interface=core1-po12-WAN but tried it anyhow.

OS 7.7

add action=accept chain=input comment="Block all access to ssh except cnet-mgmt" \
connection-state=established,related dst-port=22 in-interface=core1-po12-WAN protocol=tcp \
src-address-list=cnet-mgmt
add action=accept chain=input comment="Block all access to http except cnet-mgmt" \
connection-state=established,related dst-port=80 in-interface=core1-po12-WAN protocol=tcp \
src-address-list=cnet-mgmt
add action=accept chain=input comment="Block all access to winbox except cnet-mgmt" \
connection-state=established,related dst-port=8291 in-interface=core1-po12-WAN protocol=tcp \
src-address-list=cnet-mgmt
add action=accept chain=input comment=OSPF connection-state=established,related in-interface=\
core1-po12-WAN src-address-list=cnet-ospf
add action=accept chain=input comment="Sonar API SSL Login" connection-state=\
established,related dst-port=8729 in-interface=core1-po12-WAN protocol=tcp \
src-address-list=sonar
add action=drop chain=input in-interface=core1-po12-WAN
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking access to Mikrotik

Wed Feb 01, 2023 4:20 am

Can't help much with only part of the config since many parts are interrelated.

/export file=anynameyouwish ( minus router serial # and any public WANIP information )

It's best to stick to allowing needed traffic and use a drop rule at the end of both the input and forward chain to block anything not wanted; you don't need to know what that is because you're dropping it all!!!

/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
(admin rules)
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{forward chain}
(default rules to keep)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

add action=drop chain=forward



In the forward chain, if you need additional traffic between subnets or VLANs, then you put those with the rules in green.
In the input chain, if you need additional incoming traffic to the router ( like WireGuard ) or you want to change the LAN rule to be more specific, do that in the blue section.

ex.
From:
add action=accept chain=input in-interface-list=LAN

TO:
add action=accept chain=input in-interface-list=Trusted source-address-list=Authorized { where Authorized is comprised of possible admin IPs needing access to config the router }
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { always the last rule you put in so you don't lock yourself out }
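Added example (mine, not code from either poster): a small first-match simulator that evaluates sample packets against the opening post's input rules and against the "allow what is needed, drop all else" layout in the reply above. RouterOS evaluates filter rules top to bottom, ANDs the matchers on a rule, and the input chain falls through to accept when no rule matches, so a final drop scoped to one in-interface leaves every other interface open. The address and interface lists, the sample source addresses and the interface membership are constructed placeholders, not the thread's real addresses, and only the matchers used in the quoted rules are modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lists: placeholder ranges, not the addresses from the thread.
ADDRESS_LISTS = {
    "cnet-mgmt": ["192.168.36.0/24", "10.254.0.0/16"],
    "Authorized": ["192.168.36.0/24"],
}
# Constructed interface-list membership (assumption for the example).
INTERFACE_LISTS = {
    "WAN": {"core1-po12-WAN"},
    "LAN": {"core1-po13-LAN"},
    "Trusted": {"core1-po13-LAN"},
}

@dataclass
class Packet:
    src: str
    in_iface: str
    proto: str = "tcp"
    dst_port: Optional[int] = None
    conn_state: str = "new"   # new | established | related | untracked | invalid

@dataclass
class Rule:
    action: str
    match: dict = field(default_factory=dict)
    comment: str = ""

def in_address_list(addr: str, name: str) -> bool:
    return any(ip_address(addr) in ip_network(net) for net in ADDRESS_LISTS[name])

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher on a rule must hold; RouterOS ANDs them."""
    m = rule.match
    if "connection-state" in m and pkt.conn_state not in m["connection-state"].split(","):
        return False
    if "protocol" in m and pkt.proto != m["protocol"]:
        return False
    if "dst-port" in m and pkt.dst_port != m["dst-port"]:
        return False
    if "in-interface" in m and pkt.in_iface != m["in-interface"]:
        return False
    if "in-interface-list" in m and pkt.in_iface not in INTERFACE_LISTS[m["in-interface-list"]]:
        return False
    if "src-address-list" in m:
        name = m["src-address-list"]
        negated = name.startswith("!")          # "!list" means "not in list"
        if in_address_list(pkt.src, name.lstrip("!")) == negated:
            return False
    return True

def evaluate(chain, pkt, default="accept"):
    """First matching rule wins; with no final drop, the input chain accepts."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return default, "(chain default)"

# The opening post's ssh rule plus its final drop, as written there.
OP_INPUT = [
    Rule("accept", {"connection-state": "established,related", "dst-port": 22,
                    "in-interface": "core1-po12-WAN", "protocol": "tcp",
                    "src-address-list": "cnet-mgmt"}, "ssh from cnet-mgmt"),
    Rule("drop", {"in-interface": "core1-po12-WAN"}, "drop WAN"),
]

# The reply's TO: layout: accept what is needed, then drop everything else.
ALLOWLIST_INPUT = [
    Rule("accept", {"connection-state": "established,related,untracked"}, "defconf: accept established,related,untracked"),
    Rule("drop", {"connection-state": "invalid"}, "defconf: drop invalid"),
    Rule("accept", {"protocol": "icmp"}, "defconf: accept ICMP"),
    Rule("accept", {"in-interface-list": "Trusted", "src-address-list": "Authorized"}, "admin access"),
    Rule("accept", {"in-interface-list": "LAN", "dst-port": 53, "protocol": "udp"}, "LAN DNS udp"),
    Rule("accept", {"in-interface-list": "LAN", "dst-port": 53, "protocol": "tcp"}, "LAN DNS tcp"),
    Rule("drop", {}, "drop all else"),
]

# Constructed sample packets (203.0.113.9 is a documentation address).
SAMPLE_PACKETS = {
    "new ssh from management range via WAN": Packet("192.168.36.10", "core1-po12-WAN", dst_port=22),
    "new ssh from unknown host via LAN bond": Packet("203.0.113.9", "core1-po13-LAN", dst_port=22),
    "new ssh from authorized host via LAN bond": Packet("192.168.36.10", "core1-po13-LAN", dst_port=22),
    "reply packet of existing session via WAN": Packet("192.168.36.10", "core1-po12-WAN", dst_port=22, conn_state="established"),
}

def compare(pkt: Packet):
    """Verdict under the original rules and under the allow-list layout."""
    return evaluate(OP_INPUT, pkt)[0], evaluate(ALLOWLIST_INPUT, pkt)[0]

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        orig, allow = compare(pkt)
        print(f"{label}: original rules -> {orig}, allow-list layout -> {allow}")
```

The two cases worth noticing: a new SSH connection from the management range over the WAN bond never reaches the accept rule, because that rule only matches established/related packets, so it hits the WAN drop; and a new SSH connection arriving on the LAN bond from an address that is on no list matches nothing in the original set and is accepted by the chain default, while the allow-list layout drops it.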
 
lanhampr
newbie
Topic Author
Posts: 34
Joined: Wed Aug 04, 2021 7:18 pm

Re: Blocking access to Mikrotik

Wed Feb 01, 2023 5:03 pm

Here's my config:

# feb/01/2023 07:41:29 by RouterOS 7.7
# software id = 8VD7-31RY
#
# model = CCR2004-1G-12S+2XS
# serial number =
/interface bridge
add name=loopback100
add name=loopback101
add comment="OOB - 192.168.178.0/24" name=loopback178
add comment="OpenVPN OOB Public" name=loopback778
/interface ethernet
set [ find default-name=sfp-sfpplus8 ] comment="cnet-sw-core1 T2/0/8"
set [ find default-name=sfp-sfpplus10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus11 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
comment="cnet-sw-core1 T1/0/3"
set [ find default-name=sfp-sfpplus12 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
/interface vlan
add interface=ether1 name=ether1.36 vlan-id=36
/interface bonding
add mode=802.3ad name=core1-po12-WAN slaves=sfp-sfpplus11,sfp-sfpplus8 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=core1-po13-LAN slaves=sfp-sfpplus9,sfp-sfpplus10 \
transmit-hash-policy=layer-2-and-3
/interface vlan
add interface=core1-po12-WAN name=core1-po12.254 vlan-id=254
add comment="ASR1 PtP" interface=core1-po12-WAN name=core1-po12.645 vlan-id=\
645
add comment="ASR2 PtP" interface=core1-po12-WAN name=core1-po12.646 vlan-id=\
646
add interface=core1-po12-WAN name=core1-po12.999 vlan-id=999
add comment=Forethought disabled=yes interface=core1-po12-WAN name=\
core1-po12.2590 vlan-id=2590
add interface=core1-po13-LAN name=core1-po13.7 vlan-id=7
add interface=core1-po13-LAN name=core1-po13.20 vlan-id=20
add comment="Sunset Mesa" interface=core1-po13-LAN name=core1-po13.48 \
vlan-id=48
add comment=CGNAT interface=core1-po13-LAN name=core1-po13.50 vlan-id=50
add comment=Waterdog interface=core1-po13-LAN name=core1-po13.58 vlan-id=58
add comment=Colona disabled=yes interface=core1-po13-LAN name=core1-po13.61 \
vlan-id=61
add comment="Springcreek COAX" interface=core1-po13-LAN name=core1-po13.62 \
vlan-id=62
add comment=CGNAT interface=core1-po13-LAN name=core1-po13.70 vlan-id=70
add comment="Calix AE-mgmt" interface=core1-po13-LAN name=core1-po13.85 \
vlan-id=85
add interface=core1-po13-LAN name=core1-po13.127 vlan-id=127
add comment="Naturita Library" interface=core1-po13-LAN name=core1-po13.236 \
vlan-id=236
/interface list
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=43 name=TR-069 value="'http://192.168.126.96:7547'"
add code=43 name=Option43 value=\
"'01043139322e3136382e3132362e39363a37353437'"
add code=43 name=ACS value=\
0x011A687474703A2F2F3139322E3136382E3132362E39363A37353437
/ip dhcp-server option sets
add name=GenieACS options=Option43
/ip pool
add name=pool-vlan127 ranges=192.168.124.2-192.168.127.254
add name=pool-vlan7 ranges=192.168.172.2-192.168.175.254
add name=pool-oob178 ranges=192.168.178.2-192.168.178.200
add name=pool-smn-dhcp ranges=10.48.0.2-10.48.3.254
add name=pool-waterdog-dhcp ranges=10.58.0.2-10.58.3.254
add name=dhcp_vlan80_agent ranges=192.168.80.2-192.168.80.254
add name=pool-naturita-lib ranges=
add name=dhcp_pool80_public ranges=
add name=dhcp_pool_vlan61 ranges=10.61.0.2-10.61.0.254
add name=dhcp_pool_vlan50 ranges=100.64.1.2-100.64.1.100
add name=dhcp_pool_vlan85 ranges=192.168.85.2-192.168.85.254
/ip dhcp-server
add address-pool=pool-vlan127 interface=core1-po13.127 name=ZHONE-DHCP-127
add address-pool=pool-vlan7 interface=core1-po13.7 lease-script="{\r\
\n# CONFIGURATION SETTINGS\r\
\n# ############\r\
\n# Change these values for your Sonar instance\r\
\n:local url \""\r\
\n:local apikey \"\"\r\
\n# The maximum retries to send to Sonar\r\
\n:local max 2\r\
\n# #############\r\
\n# END CONFIGURATION SETTINGS\r\
\n# Do not edit below\r\
\n \r\
\n# Each https request has a 30 second retry\r\
\n:local message \"\"\r\
\n:local attempts 0\r\
\n:local success 0\r\
\n:local remoteID \"000000000000\"\r\
\n:do {\r\
\n :set attempts (\$attempts+1);\r\
\n :if (\$leaseBound = 0) do {\r\
\n :do {\r\
\n :set message \"release\";\r\
\n /tool fetch duration=30s url=\"https://\$url/api/dhcp\?ip_address=\
\$leaseActIP&mac_address=\$leaseActMAC&remote_id=\$remoteID&expired=1&api_\
key=\$apikey\" mode=https as-value output=user;\r\
\n :set success 1;\r\
\n } on-error={\r\
\n :log error \"DHCP FAILED to send unassignment to \$url on attempt \
\$attempts out of \$max for \$leaseActMAC / \$leaseActIP\";\r\
\n :delay 3s;\r\
\n }\r\
\n } else {\r\
\n # see note below\r\
\n :set remoteID [/ip dhcp-server lease get [find where address=\$lease\
ActIP] agent-remote-id];\r\
\n :set message \"assign\";\r\
\n :delay 1s;\r\
\n :do {\r\
\n /tool fetch duration=30s url=\"https://\$url/api/dhcp\?ip_address=\
\$leaseActIP&mac_address=\$leaseActMAC&remote_id=\$remoteID&expired=0&api_\
key=\$apikey\" mode=https as-value output=user;\r\
\n :set success 1;\r\
\n } on-error={\r\
\n :log error \"DHCP FAILED to send assignment to \$url on attempt \$\
attempts out of \$max for \$leaseActMAC / \$leaseActIP\";\r\
\n :delay 3s;\r\
\n }\r\
\n }\r\
\n :if (\$success) do {\r\
\n :log info \"DHCP \$message lease message successfully sent \$leaseAc\
tMAC / \$leaseActIP / \$remoteID to \$url\";\r\
\n :set attempts \$max; # break out of the do..while loop\r\
\n }\r\
\n} while ( \$attempts < \$max )\r\
\n}" name=ZHONE-DHCP-7
add address-pool=pool-oob178 interface=loopback178 name=dhcp178
add address-pool=pool-smn-dhcp interface=core1-po13.48 name=dhcp48
add address-pool=pool-waterdog-dhcp interface=core1-po13.58 name=dhcp58
add address-pool=dhcp_vlan80_agent interface=core1-po13.20 lease-time=1m \
name=dhcp80 relay=192.168.80.1
add address-pool=dhcp_pool_vlan50 interface=core1-po13.50 lease-script="{\r\
\n# CONFIGURATION SETTINGS\r\
\n# ############\r\
\n# Change these values for your Sonar instance\r\
\n:local url \"\"\r\
\n:local apikey \"\"\r\
\n# The maximum retries to send to Sonar\r\
\n:local max 2 \r\
\n# #############\r\
\n# END CONFIGURATION SETTINGS\r\
\n# Do not edit below\r\
\n \r\
\n# Each https request has a 30 second retry\r\
\n:local message \"\"\r\
\n:local attempts 0\r\
\n:local success 0\r\
\n:local remoteID \"00:00:00:00:00:00\"\r\
\n:do {\r\
\n :set attempts (\$attempts+1);\r\
\n :if (\$leaseBound = 0) do {\r\
\n :do {\r\
\n :set message \"release\";\r\
\n /tool fetch duration=30s url=\"https://\$url/api/dhcp\?ip_address=\
\$leaseActIP&mac_address=\$remoteID&expired=1&api_key=\$apikey\" mode=http\
s as-value output=user;\r\
\n :set success 1;\r\
\n } on-error={\r\
\n :log error \"DHCP FAILED to send unassignment to \$url on attempt \
\$attempts out of \$max for \$leaseActMAC / \$leaseActIP\";\r\
\n :delay 3s;\r\
\n }\r\
\n } else {\r\
\n :set message \"assign\";\r\
\n :delay 1s;\r\
\n # see note below\r\
\n :set remoteID [/ip dhcp-server lease get [find where address=\$lease\
ActIP] agent-remote-id];\r\
\n :do {\r\
\n /tool fetch duration=30s url=\"https://\$url/api/dhcp\?ip_address=\
\$leaseActIP&mac_address=\$leaseActMAC&remote_id=\$remoteID&expired=0&api_\
key=\$apikey\" mode=https as-value output=user;\r\
\n :set success 1;\r\
\n } on-error={\r\
\n :log error \"DHCP FAILED to send assignment to \$url on attempt \$\
attempts out of \$max for \$leaseActMAC / \$leaseActIP\";\r\
\n :delay 3s;\r\
\n }\r\
\n }\r\
\n :if (\$success) do {\r\
\n :log info \"DHCP \$message lease message successfully sent \$leaseAc\
tMAC / \$remoteID / \$leaseActIP to \$url\";\r\
\n :set attempts \$max; # break out of the do..while loop\r\
\n }\r\
\n} while ( \$attempts < \$max )\r\
\n}" lease-time=1h name=CGNAT
add address-pool=dhcp_pool_vlan85 interface=core1-po13.85 name=dhcp85
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=192.168.178.1 name=oobvpn-profile remote-address=\
pool-oob178 use-compression=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default router-id=x.x.x.x
/routing ospf area
add disabled=no instance=default name=backbone-v2
/routing table
add disabled=no fib name=forethought
/snmp community
set [ find default=yes ] disabled=yes
add addresses=::/0 name=
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=core1-po12-WAN list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Client cipher=aes256 default-profile=oobvpn-profile \
enabled=yes port=443
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether1 \
network=192.168.88.0
add address=10.254.255.14/16 interface=core1-po12.254 network=10.254.0.0
add address=10.99.99.14/24 interface=core1-po12.999 network=10.99.99.0
add address=10.100.100.14 interface=loopback100 network=10.100.100.14
add address=192.168.172.1/22 comment="ONT DHCP Mgmt VLAN7" interface=\
core1-po13.7 network=192.168.172.0
add address=192.168.124.1/22 comment="ONT DHCP Alt Mgmt VLAN127" interface=\
core1-po13.127 network=192.168.124.0
add address=x.x.x.x/29 comment="OpenVPN OOB Public" interface=\
loopback778 network=x.x.x.x
add address=192.168.178.1/24 comment="OOB - 192.168.178.0/24" interface=\
loopback178 network=192.168.178.0
add address=192.168.48.1/24 comment="Sunset Mesa Radio IP's" disabled=yes \
interface=core1-po13.48 network=192.168.48.0
add address=10.48.0.1/22 comment="Sunset Mesa Client DHCP" disabled=yes \
interface=core1-po13.48 network=10.48.0.0
add address=x.x.x.x/27 comment="Sunset Mesa Client Statics" disabled=\
yes interface=core1-po13.48 network=x.x.x.x
add address=192.168.58.1/24 comment="Waterdog Wireless Mgmt" interface=\
core1-po13.58 network=192.168.58.0
add address=10.58.0.1/22 comment="Waterdog DHCP" interface=core1-po13.58 \
network=10.58.0.0
add address=x.x.x.x/28 comment="Waterdog Statics" interface=\
core1-po13.58 network=x.x.x.x
add address=10.62.0.1/24 comment="Springcreek COAX" interface=core1-po13.62 \
network=10.62.0.0
add address=192.168.20.14 interface=core1-po13.20 network=192.168.20.14
add address=x.x.x.x/29 comment=CGNAT disabled=yes interface=\
core1-po13.70 network=x.x.x.x
add address=100.64.1.1/24 interface=core1-po13.50 network=100.64.1.0
add address=x.x.x.x/29 comment=NAT interface=core1-po13-LAN network=\
x.x.x.x
add address=192.168.85.1/24 comment="Calix AE mgmt - VLAN85" interface=\
core1-po13.85 network=192.168.85.0
add address=x.x.x.x comment=Loopback101 interface=loopback101 network=\
x.x.x.x
add address=x.x.x.x/31 comment="ASR1 - PtP" interface=core1-po12.645 \
network= x.x.x.x
add address= x.x.x.x/31 comment="ASR2 - PtP" interface=core1-po12.646 \
network= x.x.x.x
/ip dhcp-client
add disabled=yes interface=ether1.36
/ip dhcp-server alert
add disabled=no interface=core1-po13.127
add disabled=no interface=core1-po13.7
add disabled=no interface=core1-po13.58
add disabled=no interface=core1-po13.61
/ip dhcp-server lease
add address= x.x.x.x comment="Summit Materials Elam" mac-address=\
x.x.x.x server=dhcp58
add address= x.x.x.x comment="Dr. David Dreitlein" mac-address=\
x.x.x.x server=dhcp58
add address= x.x.x.x comment="John Johnson" mac-address=\
x.x.x.x server=dhcp58
add address= x.x.x.x mac-address= x.x.x.x
add address=192.168.126.96 client-id=\
ff:9f:6e:85:24:0:2:0:0:ab:11:cf:df:45:ba:55:8c:e4:d6 comment=\
"GenieACS - cnet-genie" mac-address= x.x.x.x server=\
ZHONE-DHCP-127
add address=192.168.174.74 dhcp-option-set=GenieACS mac-address=\
x.x.x.x server=ZHONE-DHCP-7
add address=192.168.174.69 comment=TEST_ONT dhcp-option=ACS mac-address=\
x.x.x.x server=ZHONE-DHCP-7
add address=192.168.174.21 mac-address= x.x.x.x server=ZHONE-DHCP-7
/ip dhcp-server matcher
add address-pool=pool-vlan127 code=43 name=ZNID-GE-4240 server=ZHONE-DHCP-7 \
value="00-01-47-01-01-01-0C-5A-4E-49-44-2D-47-45-2D-34-32-34-30-05-08-30-3\
7-36-39-36-30-33-30-02-08-53-33-2E-30-2E-37-33-33-06-0A-30-30-30-30-30-30-\
30-30-30-30-07-0C-5A-4E-54-53-30-30-37-35-36-45-39-45-0A-01-01"
/ip dhcp-server network
add address=10.48.0.0/22 comment="Sunset Mesa" dns-server=1.1.1.1,8.8.8.8 \
gateway=10.48.0.1
add address=10.58.0.0/22 comment=Waterdog dns-server=1.1.1.1,8.8.8.8 gateway=\
10.58.0.1
add address=10.61.0.0/24 comment=Colona dns-server=1.1.1.1,8.8.8.8 gateway=\
10.61.0.1
add address=100.64.1.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=100.64.1.1
add address=192.168.80.0/24 comment="VLAN80 DHCP Relay Agent" dns-server=\
1.1.1.1,8.8.8.8 gateway=192.168.80.1
add address=192.168.85.0/24 gateway=192.168.85.1
add address=192.168.124.0/22 comment="Zhone ONT Mgmt DHCP" dns-server=\
192.168.124.1 gateway=192.168.124.1
add address=192.168.172.0/22 comment="Zhone ONT Mgmt DHCP" dns-server=\
192.168.172.1 gateway=192.168.172.1
add address=192.168.178.0/24 comment=OpenVPN dns-server=1.1.1.1,8.8.8.8 \
gateway=192.168.178.1
add address= x.x.x.x/29 dns-server=1.1.1.1,8.8.8.8 gateway=\
x.x.x.x
add address= x.x.x.x/28 comment="Waterdog Statics" dns-server=\
1.1.1.1,8.8.8.8 gateway= x.x.x.x
/ip dns
set allow-remote-requests=yes servers=192.168.36.5,192.168.36.6
/ip firewall address-list
add address= x.x.x.x/24 list=cnet-mgmt
add address= x.x.x.x/22 list=cnet-mgmt
add address=10.100.255.0/24 disabled=yes list=cnet-mgmt
add address=192.168.88.0/24 list=cnet-mgmt
add address=10.254.0.0/16 list=cnet-mgmt
add address=192.168.127.0/24 disabled=yes list=cnet-mgmt
add address=192.168.177.0/24 disabled=yes list=cnet-mgmt
add address=192.168.36.0/24 list=cnet-mgmt
add address= x.x.x.x list=sonar
add address= x.x.x.x/24 list=cnet-ospf
add address= x.x.x.x/24 disabled=yes list=cnet-mgmt
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=input comment="Established, Related" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp \
src-address-list=!cnet-mgmt
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
add action=accept chain=input comment=\
"Block all access to ssh except cnet-mgmt" dst-port=22 in-interface=\
core1-po12-WAN protocol=tcp src-address-list=cnet-mgmt
add action=accept chain=input comment=\
"Block all access to http except cnet-mgmt" connection-state="" dst-port=\
80 in-interface=core1-po12-WAN protocol=tcp src-address-list=cnet-mgmt
add action=accept chain=input comment=\
"Block all access to winbox except cnet-mgmt" dst-port=8291 in-interface=\
core1-po12-WAN protocol=tcp src-address-list=cnet-mgmt
add action=accept chain=input comment=OSPF in-interface=core1-po12-WAN \
protocol=ospf
add action=accept chain=input comment="Sonar API SSL Login" connection-state=\
"" dst-port=8729 in-interface=core1-po12-WAN protocol=tcp src-address=\
52.158.209.86
add action=drop chain=input in-interface=core1-po12-WAN
add action=drop chain=input comment="Block Access to DNS from WAN" \
connection-state=new disabled=yes dst-port=53 in-interface=core1-po12-WAN \
protocol=tcp
add action=drop chain=input connection-state=new disabled=yes dst-port=53 \
in-interface=core1-po12-WAN protocol=udp
add action=accept chain=forward comment="Established, Related" \
connection-nat-state=!srcnat connection-state=\
established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=add-src-to-address-list address-list=SMTP_Users \
address-list-timeout=1h chain=forward comment=\
"Detect and block SMTP spamming" connection-limit=5,32 dst-port=25 limit=\
2,1:packet protocol=tcp
add action=drop chain=forward dst-port=25 protocol=tcp src-address-list=\
SMTP_Users
/ip firewall nat
add action=src-nat chain=srcnat comment="Waterdog NAT" out-interface=\
core1-po12-WAN src-address=10.58.0.0/22 to-addresses= x.x.x.x
add action=src-nat chain=srcnat comment="Genie ACS" out-interface=\
core1-po12.999 src-address=192.168.126.96 to-addresses= x.x.x.x
add action=src-nat chain=srcnat comment="VLAN_61 NAT" disabled=yes \
out-interface=core1-po12.2590 src-address=10.61.0.0/24 to-addresses=\
x.x.x.x
add action=src-nat chain=srcnat comment="VLAN_50 NAT Woodgate_Trails_LLC" \
src-address=100.64.1.0/24 to-addresses= x.x.x.x
add action=src-nat chain=srcnat comment="Sonar DHCP Updates" dst-address=\
x.x.x.x protocol=tcp to-addresses= x.x.x.x
/ip route
add comment="Static to cnethawk" disabled=no dst-address= x.x.x.x/32 \
gateway=10.254.255.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl address= x.x.x.x/32 certificate=myCa
/ip smb shares
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
/ip ssh
set forwarding-enabled=both
/ppp secret
add name=cnet-mt-trideoob remote-address=192.168.178.101
add name=cdillon remote-address=192.168.178.199
add name=cnet-mt-portableoob remote-address=192.168.178.102
add name=cnet-rut955-norwoodoob remote-address=192.168.178.100
/routing ospf interface-template
add area=backbone-v2 auth-id=1 auth-key="" cost=100 disabled=no interfaces=\
core1-po12.999 networks=10.99.99.0/24 priority=0
add area=backbone-v2 auth-id=1 auth-key="" cost=100 disabled=no interfaces=\
loopback100 networks=10.100.100.14 priority=1
add area=backbone-v2 disabled=no interfaces=core1-po13.7 networks=\
192.168.172.0/22 priority=1
add area=backbone-v2 disabled=no interfaces=core1-po13.127 networks=\
192.168.124.0/22 priority=1
add area=backbone-v2 disabled=no interfaces=loopback778 networks=\
x.x.x.x/29 priority=1
add area=backbone-v2 disabled=no interfaces=loopback178 networks=\
192.168.178.0/24 priority=1
add area=backbone-v2 disabled=no interfaces=core1-po13.58 networks=\
x.x.x.x/28 priority=1
add area=backbone-v2 disabled=yes interfaces=core1-po13.70 networks=\
x.x.x.x/29 priority=1
add area=backbone-v2 disabled=no interfaces=core1-po13.85 networks=\
192.168.85.0/24 priority=1
add area=backbone-v2 auth-id=1 cost=100 disabled=no interfaces=loopback101 \
networks= x.x.x.x/32 priority=1
/snmp
set contact=Clearnetworx enabled=yes location="Montrose NOC"
/system clock
set time-zone-name=America/Denver
/system identity
set name=cnet-mt-noc
/system logging
set 0 topics=info,!ospf,!account,!ovpn
add disabled=yes prefix=ospf topics=debug
add disabled=yes topics=ospf
add disabled=yes topics=dhcp
/system ntp client
set enabled=yes
/system ntp client servers
add address= x.x.x.x
add address= x.x.x.x
/system resource irq rps
set ether1 disabled=no
