Here's my config:
# feb/01/2023 07:41:29 by RouterOS 7.7
# software id = 8VD7-31RY
#
# model = CCR2004-1G-12S+2XS
# serial number =
#
# review: RouterOS 7.7 export as pasted; public addresses and secrets appear
# redacted by the poster (x.x.x.x, empty strings). A RouterOS export only lists
# parameters that differ from their defaults, so a parameter that is absent
# below is at its default, not unknown. Lines beginning "# review:" are added
# reviewer notes; every other line is the original export, unchanged.
/interface bridge
add name=loopback100
add name=loopback101
add comment="OOB - 192.168.178.0/24" name=loopback178
add comment="OpenVPN OOB Public" name=loopback778
/interface ethernet
set [ find default-name=sfp-sfpplus8 ] comment="cnet-sw-core1 T2/0/8"
set [ find default-name=sfp-sfpplus10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
set [ find default-name=sfp-sfpplus11 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
comment="cnet-sw-core1 T1/0/3"
set [ find default-name=sfp-sfpplus12 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full
/interface vlan
add interface=ether1 name=ether1.36 vlan-id=36
/interface bonding
add mode=802.3ad name=core1-po12-WAN slaves=sfp-sfpplus11,sfp-sfpplus8 \
transmit-hash-policy=layer-2-and-3
add mode=802.3ad name=core1-po13-LAN slaves=sfp-sfpplus9,sfp-sfpplus10 \
transmit-hash-policy=layer-2-and-3
/interface vlan
add interface=core1-po12-WAN name=core1-po12.254 vlan-id=254
add comment="ASR1 PtP" interface=core1-po12-WAN name=core1-po12.645 vlan-id=\
645
add comment="ASR2 PtP" interface=core1-po12-WAN name=core1-po12.646 vlan-id=\
646
add interface=core1-po12-WAN name=core1-po12.999 vlan-id=999
add comment=Forethought disabled=yes interface=core1-po12-WAN name=\
core1-po12.2590 vlan-id=2590
add interface=core1-po13-LAN name=core1-po13.7 vlan-id=7
add interface=core1-po13-LAN name=core1-po13.20 vlan-id=20
add comment="Sunset Mesa" interface=core1-po13-LAN name=core1-po13.48 \
vlan-id=48
add comment=CGNAT interface=core1-po13-LAN name=core1-po13.50 vlan-id=50
add comment=Waterdog interface=core1-po13-LAN name=core1-po13.58 vlan-id=58
add comment=Colona disabled=yes interface=core1-po13-LAN name=core1-po13.61 \
vlan-id=61
add comment="Springcreek COAX" interface=core1-po13-LAN name=core1-po13.62 \
vlan-id=62
add comment=CGNAT interface=core1-po13-LAN name=core1-po13.70 vlan-id=70
add comment="Calix AE-mgmt" interface=core1-po13-LAN name=core1-po13.85 \
vlan-id=85
add interface=core1-po13-LAN name=core1-po13.127 vlan-id=127
add comment="Naturita Library" interface=core1-po13-LAN name=core1-po13.236 \
vlan-id=236
/interface list
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
# review: option 43 hands CPEs an ACS URL over plain http (port 7547), so the
# CPE<->ACS management traffic on the ONT VLANs is cleartext. The value below
# also contains a line break right after the opening quote; presumably a paste
# artifact, otherwise the option would carry a literal newline -- confirm
# against the live config.
add code=43 name=TR-069 value="'
http://192.168.126.96:7547'"
add code=43 name=Option43 value=\
"'01043139322e3136382e3132362e39363a37353437'"
# review: hex form of the same URL (type 0x01, length 0x1A, then
# "http://192.168.126.96:7547"); same cleartext-transport note applies.
add code=43 name=ACS value=\
0x011A687474703A2F2F3139322E3136382E3132362E39363A37353437
/ip dhcp-server option sets
add name=GenieACS options=Option43
/ip pool
add name=pool-vlan127 ranges=192.168.124.2-192.168.127.254
add name=pool-vlan7 ranges=192.168.172.2-192.168.175.254
add name=pool-oob178 ranges=192.168.178.2-192.168.178.200
add name=pool-smn-dhcp ranges=10.48.0.2-10.48.3.254
add name=pool-waterdog-dhcp ranges=10.58.0.2-10.58.3.254
add name=dhcp_vlan80_agent ranges=192.168.80.2-192.168.80.254
add name=pool-naturita-lib ranges=
add name=dhcp_pool80_public ranges=
add name=dhcp_pool_vlan61 ranges=10.61.0.2-10.61.0.254
add name=dhcp_pool_vlan50 ranges=100.64.1.2-100.64.1.100
add name=dhcp_pool_vlan85 ranges=192.168.85.2-192.168.85.254
/ip dhcp-server
add address-pool=pool-vlan127 interface=core1-po13.127 name=ZHONE-DHCP-127
# review: the lease-script below reports every lease assign/release to the
# Sonar API via /tool fetch. Points to confirm: (1) the fetch uses mode=https
# but never sets check-certificate, so the server certificate is not validated
# and the api_key in the request could be read by an on-path host; (2) the
# api_key travels as a URL query parameter, which usually lands in web-server
# and proxy logs -- a header-based credential would be preferable if the API
# supports it; (3) the ':local url \""' line has unbalanced quoting compared
# with the CGNAT copy further down (\"\"), presumably from redacting the URL by
# hand -- verify the stored script still parses. url/apikey are blank here
# (redacted or unset).
add address-pool=pool-vlan7 interface=core1-po13.7 lease-script="{\r\
\n# CONFIGURATION SETTINGS\r\
\n# ############\r\
\n# Change these values for your Sonar instance\r\
\n:local url \""\r\
\n:local apikey \"\"\r\
\n# The maximum retries to send to Sonar\r\
\n:local max 2\r\
\n# #############\r\
\n# END CONFIGURATION SETTINGS\r\
\n# Do not edit below\r\
\n \r\
\n# Each https request has a 30 second retry\r\
\n:local message \"\"\r\
\n:local attempts 0\r\
\n:local success 0\r\
\n:local remoteID \"000000000000\"\r\
\n:do {\r\
\n :set attempts (\$attempts+1);\r\
\n :if (\$leaseBound = 0) do {\r\
\n :do {\r\
\n :set message \"release\";\r\
\n /tool fetch duration=30s url=\"https://\$url/api/dhcp\?ip_address=\
\$leaseActIP&mac_address=\$leaseActMAC&remote_id=\$remoteID&expired=1&api_\
key=\$apikey\" mode=https as-value output=user;\r\
\n :set success 1;\r\
\n } on-error={\r\
\n :log error \"DHCP FAILED to send unassignment to \$url on attempt \
\$attempts out of \$max for \$leaseActMAC / \$leaseActIP\";\r\
\n :delay 3s;\r\
\n }\r\
\n } else {\r\
\n # see note below\r\
\n :set remoteID [/ip dhcp-server lease get [find where address=\$lease\
ActIP] agent-remote-id];\r\
\n :set message \"assign\";\r\
\n :delay 1s;\r\
\n :do {\r\
\n /tool fetch duration=30s url=\"https://\$url/api/dhcp\?ip_address=\
\$leaseActIP&mac_address=\$leaseActMAC&remote_id=\$remoteID&expired=0&api_\
key=\$apikey\" mode=https as-value output=user;\r\
\n :set success 1;\r\
\n } on-error={\r\
\n :log error \"DHCP FAILED to send assignment to \$url on attempt \$\
attempts out of \$max for \$leaseActMAC / \$leaseActIP\";\r\
\n :delay 3s;\r\
\n }\r\
\n }\r\
\n :if (\$success) do {\r\
\n :log info \"DHCP \$message lease message successfully sent \$leaseAc\
tMAC / \$leaseActIP / \$remoteID to \$url\";\r\
\n :set attempts \$max; # break out of the do..while loop\r\
\n }\r\
\n} while ( \$attempts < \$max )\r\
\n}" name=ZHONE-DHCP-7
add address-pool=pool-oob178 interface=loopback178 name=dhcp178
add address-pool=pool-smn-dhcp interface=core1-po13.48 name=dhcp48
add address-pool=pool-waterdog-dhcp interface=core1-po13.58 name=dhcp58
add address-pool=dhcp_vlan80_agent interface=core1-po13.20 lease-time=1m \
name=dhcp80 relay=192.168.80.1
# review: near-duplicate of the ZHONE-DHCP-7 script; the check-certificate and
# api_key-in-URL notes above apply here too. It diverges in the release branch:
# it sends mac_address=$remoteID with no remote_id parameter, and at that point
# remoteID is still the placeholder 00:00:00:00:00:00 (it is only looked up in
# the assign branch), so expiry notices from this server carry a placeholder
# MAC rather than $leaseActMAC. Looks like a copy/paste divergence -- confirm
# against what the Sonar endpoint expects.
add address-pool=dhcp_pool_vlan50 interface=core1-po13.50 lease-script="{\r\
\n# CONFIGURATION SETTINGS\r\
\n# ############\r\
\n# Change these values for your Sonar instance\r\
\n:local url \"\"\r\
\n:local apikey \"\"\r\
\n# The maximum retries to send to Sonar\r\
\n:local max 2 \r\
\n# #############\r\
\n# END CONFIGURATION SETTINGS\r\
\n# Do not edit below\r\
\n \r\
\n# Each https request has a 30 second retry\r\
\n:local message \"\"\r\
\n:local attempts 0\r\
\n:local success 0\r\
\n:local remoteID \"00:00:00:00:00:00\"\r\
\n:do {\r\
\n :set attempts (\$attempts+1);\r\
\n :if (\$leaseBound = 0) do {\r\
\n :do {\r\
\n :set message \"release\";\r\
\n /tool fetch duration=30s url=\"https://\$url/api/dhcp\?ip_address=\
\$leaseActIP&mac_address=\$remoteID&expired=1&api_key=\$apikey\" mode=http\
s as-value output=user;\r\
\n :set success 1;\r\
\n } on-error={\r\
\n :log error \"DHCP FAILED to send unassignment to \$url on attempt \
\$attempts out of \$max for \$leaseActMAC / \$leaseActIP\";\r\
\n :delay 3s;\r\
\n }\r\
\n } else {\r\
\n :set message \"assign\";\r\
\n :delay 1s;\r\
\n # see note below\r\
\n :set remoteID [/ip dhcp-server lease get [find where address=\$lease\
ActIP] agent-remote-id];\r\
\n :do {\r\
\n /tool fetch duration=30s url=\"https://\$url/api/dhcp\?ip_address=\
\$leaseActIP&mac_address=\$leaseActMAC&remote_id=\$remoteID&expired=0&api_\
key=\$apikey\" mode=https as-value output=user;\r\
\n :set success 1;\r\
\n } on-error={\r\
\n :log error \"DHCP FAILED to send assignment to \$url on attempt \$\
attempts out of \$max for \$leaseActMAC / \$leaseActIP\";\r\
\n :delay 3s;\r\
\n }\r\
\n }\r\
\n :if (\$success) do {\r\
\n :log info \"DHCP \$message lease message successfully sent \$leaseAc\
tMAC / \$remoteID / \$leaseActIP to \$url\";\r\
\n :set attempts \$max; # break out of the do..while loop\r\
\n }\r\
\n} while ( \$attempts < \$max )\r\
\n}" lease-time=1h name=CGNAT
add address-pool=dhcp_pool_vlan85 interface=core1-po13.85 name=dhcp85
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=192.168.178.1 name=oobvpn-profile remote-address=\
pool-oob178 use-compression=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default router-id=x.x.x.x
/routing ospf area
add disabled=no instance=default name=backbone-v2
/routing table
add disabled=no fib name=forethought
/snmp community
set [ find default=yes ] disabled=yes
# review: SNMP is enabled further down (/snmp). The community name is blank
# here (presumably redacted) and addresses=::/0 accepts it from any source;
# restrict addresses= to the management prefixes. The input chain only filters
# in-interface=core1-po12-WAN, so this community is reachable from every
# LAN-side VLAN, including the customer VLANs.
add addresses=::/0 name=
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=core1-po12-WAN list=WAN
/interface ovpn-server server
# review: OpenVPN OOB server on tcp/443, auth=sha1 cipher=aes256.
# require-client-certificate is not set (default no), so access rests on the
# /ppp secret passwords alone; consider require-client-certificate=yes so a
# leaked OOB password is not sufficient on its own. The server certificate is
# named "Client" -- a name only, but confirm it is the intended server cert.
set auth=sha1 certificate=Client cipher=aes256 default-profile=oobvpn-profile \
enabled=yes port=443
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=ether1 \
network=192.168.88.0
add address=10.254.255.14/16 interface=core1-po12.254 network=10.254.0.0
add address=10.99.99.14/24 interface=core1-po12.999 network=10.99.99.0
add address=10.100.100.14 interface=loopback100 network=10.100.100.14
add address=192.168.172.1/22 comment="ONT DHCP Mgmt VLAN7" interface=\
core1-po13.7 network=192.168.172.0
add address=192.168.124.1/22 comment="ONT DHCP Alt Mgmt VLAN127" interface=\
core1-po13.127 network=192.168.124.0
add address=x.x.x.x/29 comment="OpenVPN OOB Public" interface=\
loopback778 network=x.x.x.x
add address=192.168.178.1/24 comment="OOB - 192.168.178.0/24" interface=\
loopback178 network=192.168.178.0
add address=192.168.48.1/24 comment="Sunset Mesa Radio IP's" disabled=yes \
interface=core1-po13.48 network=192.168.48.0
add address=10.48.0.1/22 comment="Sunset Mesa Client DHCP" disabled=yes \
interface=core1-po13.48 network=10.48.0.0
add address=x.x.x.x/27 comment="Sunset Mesa Client Statics" disabled=\
yes interface=core1-po13.48 network=x.x.x.x
add address=192.168.58.1/24 comment="Waterdog Wireless Mgmt" interface=\
core1-po13.58 network=192.168.58.0
add address=10.58.0.1/22 comment="Waterdog DHCP" interface=core1-po13.58 \
network=10.58.0.0
add address=x.x.x.x/28 comment="Waterdog Statics" interface=\
core1-po13.58 network=x.x.x.x
add address=10.62.0.1/24 comment="Springcreek COAX" interface=core1-po13.62 \
network=10.62.0.0
add address=192.168.20.14 interface=core1-po13.20 network=192.168.20.14
add address=x.x.x.x/29 comment=CGNAT disabled=yes interface=\
core1-po13.70 network=x.x.x.x
add address=100.64.1.1/24 interface=core1-po13.50 network=100.64.1.0
add address=x.x.x.x/29 comment=NAT interface=core1-po13-LAN network=\
x.x.x.x
add address=192.168.85.1/24 comment="Calix AE mgmt - VLAN85" interface=\
core1-po13.85 network=192.168.85.0
add address=x.x.x.x comment=Loopback101 interface=loopback101 network=\
x.x.x.x
add address=x.x.x.x/31 comment="ASR1 - PtP" interface=core1-po12.645 \
network= x.x.x.x
add address= x.x.x.x/31 comment="ASR2 - PtP" interface=core1-po12.646 \
network= x.x.x.x
/ip dhcp-client
add disabled=yes interface=ether1.36
/ip dhcp-server alert
# review: rogue-DHCP-server alerts cover VLANs 127, 7, 58 and 61 only; the
# other DHCP-served interfaces (core1-po13.48, .50, .85, loopback178) have no
# alert entry, so a rogue server there would go unnoticed.
add disabled=no interface=core1-po13.127
add disabled=no interface=core1-po13.7
add disabled=no interface=core1-po13.58
add disabled=no interface=core1-po13.61
/ip dhcp-server lease
add address= x.x.x.x comment="Summit Materials Elam" mac-address=\
x.x.x.x server=dhcp58
add address= x.x.x.x comment="Dr. David Dreitlein" mac-address=\
x.x.x.x server=dhcp58
add address= x.x.x.x comment="John Johnson" mac-address=\
x.x.x.x server=dhcp58
add address= x.x.x.x mac-address= x.x.x.x
# review: the client-id below is split across two lines with no continuation
# backslash; presumably a paste artifact, the export would have joined them.
add address=192.168.126.96 client-id=\
ff:9f:6e:85:24:0:2:0:0
11:cf:df:45:ba:55:8c:e4:d6 comment=\
"GenieACS - cnet-genie" mac-address= x.x.x.x server=\
ZHONE-DHCP-127
add address=192.168.174.74 dhcp-option-set=GenieACS mac-address=\
x.x.x.x server=ZHONE-DHCP-7
add address=192.168.174.69 comment=TEST_ONT dhcp-option=ACS mac-address=\
x.x.x.x server=ZHONE-DHCP-7
add address=192.168.174.21 mac-address= x.x.x.x server=ZHONE-DHCP-7
/ip dhcp-server matcher
add address-pool=pool-vlan127 code=43 name=ZNID-GE-4240 server=ZHONE-DHCP-7 \
value="00-01-47-01-01-01-0C-5A-4E-49-44-2D-47-45-2D-34-32-34-30-05-08-30-3\
7-36-39-36-30-33-30-02-08-53-33-2E-30-2E-37-33-33-06-0A-30-30-30-30-30-30-\
30-30-30-30-07-0C-5A-4E-54-53-30-30-37-35-36-45-39-45-0A-01-01"
/ip dhcp-server network
add address=10.48.0.0/22 comment="Sunset Mesa" dns-server=1.1.1.1,8.8.8.8 \
gateway=10.48.0.1
add address=10.58.0.0/22 comment=Waterdog dns-server=1.1.1.1,8.8.8.8 gateway=\
10.58.0.1
add address=10.61.0.0/24 comment=Colona dns-server=1.1.1.1,8.8.8.8 gateway=\
10.61.0.1
add address=100.64.1.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=100.64.1.1
add address=192.168.80.0/24 comment="VLAN80 DHCP Relay Agent" dns-server=\
1.1.1.1,8.8.8.8 gateway=192.168.80.1
add address=192.168.85.0/24 gateway=192.168.85.1
add address=192.168.124.0/22 comment="Zhone ONT Mgmt DHCP" dns-server=\
192.168.124.1 gateway=192.168.124.1
add address=192.168.172.0/22 comment="Zhone ONT Mgmt DHCP" dns-server=\
192.168.172.1 gateway=192.168.172.1
add address=192.168.178.0/24 comment=OpenVPN dns-server=1.1.1.1,8.8.8.8 \
gateway=192.168.178.1
add address= x.x.x.x/29 dns-server=1.1.1.1,8.8.8.8 gateway=\
x.x.x.x
add address= x.x.x.x/28 comment="Waterdog Statics" dns-server=\
1.1.1.1,8.8.8.8 gateway= x.x.x.x
/ip dns
# review: allow-remote-requests=yes makes the router a resolver for every
# directly connected VLAN (the ONT mgmt networks point their dns-server at it).
# Queries arriving on core1-po12-WAN are already dropped by the catch-all input
# drop in the filter, so the two disabled DNS drop rules there are redundant;
# resolution from the LAN/customer side stays open.
set allow-remote-requests=yes servers=192.168.36.5,192.168.36.6
/ip firewall address-list
add address= x.x.x.x/24 list=cnet-mgmt
add address= x.x.x.x/22 list=cnet-mgmt
add address=10.100.255.0/24 disabled=yes list=cnet-mgmt
add address=192.168.88.0/24 list=cnet-mgmt
add address=10.254.0.0/16 list=cnet-mgmt
add address=192.168.127.0/24 disabled=yes list=cnet-mgmt
add address=192.168.177.0/24 disabled=yes list=cnet-mgmt
add address=192.168.36.0/24 list=cnet-mgmt
add address= x.x.x.x list=sonar
add address= x.x.x.x/24 list=cnet-ospf
add address= x.x.x.x/24 disabled=yes list=cnet-mgmt
/ip firewall filter
# review: the input chain restricts only in-interface=core1-po12-WAN and has no
# final drop, so hosts on any core1-po13-LAN VLAN (customer VLANs 48/50/58/62,
# ONT mgmt 7/127, OOB 178) reach every router service: ssh, www, winbox,
# api-ssl, DNS, SNMP. Consider a last "add action=drop chain=input" preceded by
# accepts for src-address-list=cnet-mgmt (or address= limits under /ip service)
# so the customer VLANs cannot reach the management plane.
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=input comment="Established, Related" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# review: the ICMP chain is only entered from chain=output (the jump below), so
# the echo-request rate limit applies to router-originated ICMP; inbound ICMP
# from core1-po12-WAN never reaches this chain and falls through to the WAN
# drop rule. If rate-limited ping from the WAN side is intended, an additional
# jump with chain=input is needed.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp \
src-address-list=!cnet-mgmt
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
# review: the three "Block all access ... except cnet-mgmt" rules are accepts;
# the actual blocking is done by the "drop chain=input in-interface=..." rule
# below. cnet-mgmt includes the whole 10.254.0.0/16 PtP range and the defconf
# 192.168.88.0/24 (whose interface address is disabled above) -- worth
# trimming to the prefixes that really host administrators.
add action=accept chain=input comment=\
"Block all access to ssh except cnet-mgmt" dst-port=22 in-interface=\
core1-po12-WAN protocol=tcp src-address-list=cnet-mgmt
add action=accept chain=input comment=\
"Block all access to http except cnet-mgmt" connection-state="" dst-port=\
80 in-interface=core1-po12-WAN protocol=tcp src-address-list=cnet-mgmt
add action=accept chain=input comment=\
"Block all access to winbox except cnet-mgmt" dst-port=8291 in-interface=\
core1-po12-WAN protocol=tcp src-address-list=cnet-mgmt
add action=accept chain=input comment=OSPF in-interface=core1-po12-WAN \
protocol=ospf
add action=accept chain=input comment="Sonar API SSL Login" connection-state=\
"" dst-port=8729 in-interface=core1-po12-WAN protocol=tcp src-address=\
52.158.209.86
add action=drop chain=input in-interface=core1-po12-WAN
add action=drop chain=input comment="Block Access to DNS from WAN" \
connection-state=new disabled=yes dst-port=53 in-interface=core1-po12-WAN \
protocol=tcp
add action=drop chain=input connection-state=new disabled=yes dst-port=53 \
in-interface=core1-po12-WAN protocol=udp
# review: the forward chain has no default drop and no inter-VLAN rules, so
# the customer subnets can reach the ONT management networks (192.168.172.0/22,
# 192.168.124.0/22, including the ACS host 192.168.126.96) and the OOB range
# 192.168.178.0/24 through this router unless that is filtered on the core
# switch -- confirm. Only SMTP abuse is handled (the two rules at the end).
add action=accept chain=forward comment="Established, Related" \
connection-nat-state=!srcnat connection-state=\
established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=add-src-to-address-list address-list=SMTP_Users \
address-list-timeout=1h chain=forward comment=\
"Detect and block SMTP spamming" connection-limit=5,32 dst-port=25 limit=\
2,1:packet protocol=tcp
add action=drop chain=forward dst-port=25 protocol=tcp src-address-list=\
SMTP_Users
/ip firewall nat
add action=src-nat chain=srcnat comment="Waterdog NAT" out-interface=\
core1-po12-WAN src-address=10.58.0.0/22 to-addresses= x.x.x.x
add action=src-nat chain=srcnat comment="Genie ACS" out-interface=\
core1-po12.999 src-address=192.168.126.96 to-addresses= x.x.x.x
add action=src-nat chain=srcnat comment="VLAN_61 NAT" disabled=yes \
out-interface=core1-po12.2590 src-address=10.61.0.0/24 to-addresses=\
x.x.x.x
add action=src-nat chain=srcnat comment="VLAN_50 NAT Woodgate_Trails_LLC" \
src-address=100.64.1.0/24 to-addresses= x.x.x.x
add action=src-nat chain=srcnat comment="Sonar DHCP Updates" dst-address=\
x.x.x.x protocol=tcp to-addresses= x.x.x.x
/ip route
add comment="Static to cnethawk" disabled=no dst-address= x.x.x.x/32 \
gateway=10.254.255.1
/ip service
# review: telnet/ftp/api are off and api-ssl is pinned to one source address,
# which is good. ssh, www and winbox carry no address= restriction and are
# therefore reachable from the LAN-side VLANs (see the filter notes); an
# address= limit here is cheap defence in depth. certificate=myCa reads like a
# CA certificate used as the service certificate -- confirm it is a leaf
# server certificate.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl address= x.x.x.x/32 certificate=myCa
/ip smb shares
# review: the default SMB share (/pub) and guest user are still present. /ip
# smb itself is not in the export, so presumably at its default (disabled) --
# confirm, or remove the share and guest user if SMB is not needed.
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
/ip ssh
# review: forwarding-enabled=both permits SSH local and remote TCP forwarding,
# so any account with SSH access can tunnel other traffic through the router;
# set forwarding-enabled=no unless the OOB workflow depends on it.
set forwarding-enabled=both
/ppp secret
add name=cnet-mt-trideoob remote-address=192.168.178.101
add name=cdillon remote-address=192.168.178.199
add name=cnet-mt-portableoob remote-address=192.168.178.102
add name=cnet-rut955-norwoodoob remote-address=192.168.178.100
/routing ospf interface-template
# review: auth-id/auth-key are set on the core1-po12.999 and loopback
# templates (auth-key blank here: redacted or unset), but no auth= mode appears
# in the export, which means it is at its default of no authentication -- so
# OSPF on the PtP VLAN may be running unauthenticated; verify. The templates
# on customer-facing VLANs (core1-po13.58, .85, .7, .127) are not passive=yes,
# so a host on those VLANs could attempt an adjacency, and the LAN side has no
# input filter for protocol=ospf.
add area=backbone-v2 auth-id=1 auth-key="" cost=100 disabled=no interfaces=\
core1-po12.999 networks=10.99.99.0/24 priority=0
add area=backbone-v2 auth-id=1 auth-key="" cost=100 disabled=no interfaces=\
loopback100 networks=10.100.100.14 priority=1
add area=backbone-v2 disabled=no interfaces=core1-po13.7 networks=\
192.168.172.0/22 priority=1
add area=backbone-v2 disabled=no interfaces=core1-po13.127 networks=\
192.168.124.0/22 priority=1
add area=backbone-v2 disabled=no interfaces=loopback778 networks=\
x.x.x.x/29 priority=1
add area=backbone-v2 disabled=no interfaces=loopback178 networks=\
192.168.178.0/24 priority=1
add area=backbone-v2 disabled=no interfaces=core1-po13.58 networks=\
x.x.x.x/28 priority=1
add area=backbone-v2 disabled=yes interfaces=core1-po13.70 networks=\
x.x.x.x/29 priority=1
add area=backbone-v2 disabled=no interfaces=core1-po13.85 networks=\
192.168.85.0/24 priority=1
add area=backbone-v2 auth-id=1 cost=100 disabled=no interfaces=loopback101 \
networks= x.x.x.x/32 priority=1
/snmp
set contact=Clearnetworx enabled=yes location="Montrose NOC"
/system clock
set time-zone-name=America/Denver
/system identity
set name=cnet-mt-noc
/system logging
# review: the default log entry excludes the account and ovpn topics, so admin
# login/logout events and OpenVPN session events are not recorded anywhere.
# Consider a separate entry for account (and ovpn) sent to a remote syslog
# target so management-plane access stays auditable.
set 0 topics=info,!ospf,!account,!ovpn
add disabled=yes prefix=ospf topics=debug
add disabled=yes topics=ospf
add disabled=yes topics=dhcp
/system ntp client
set enabled=yes
/system ntp client servers
add address= x.x.x.x
add address= x.x.x.x
/system resource irq rps
set ether1 disabled=no