# Three bridges. bridge_LAN and bridge_SKA are the two user segments (they carry
# 192.168.222.0/24 and 192.168.48.0/22 respectively, see /ip address); bridge_ER
# groups ER_sfp1 and ether2 (see /interface bridge port) and has no IP address
# in this export.
# priority=0x2000 is below the STP default of 0x8000, so both LAN bridges are
# favoured in root-bridge election on their segments — presumably intended, confirm.
# fast-forward=no is set on bridge_LAN only; no reason is recorded, worth a comment=.
/interface bridge
add name=bridge_ER
add fast-forward=no name=bridge_LAN priority=0x2000
add name=bridge_SKA priority=0x2000
# Physical ports. The three uplinks are renamed after their ISP (acc, adn, ISNL)
# and those names are referenced throughout the firewall, NAT, mangle and
# address sections, so a rename here means updating every reference.
# NOTE(review): advertise= is only consulted while auto-negotiation=yes; with
# auto-negotiation=no the port runs at its speed/full-duplex settings (not
# exported, i.e. defaults) — confirm the forced settings match the ISP side.
/interface ethernet
set [ find default-name=sfp1 ] auto-negotiation=no name=ER_sfp1
set [ find default-name=ether1 ] name=WAN1_ether1_acc
set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full \
auto-negotiation=no name=WAN2-sfp2-adn
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full \
auto-negotiation=no name=WAN3_sfp3_ISNL
# Bridge member ports: comment= is a free-form label only (tenant / room).
set [ find default-name=ether2 ] comment=ER
set [ find default-name=ether3 ] comment="MGH Public Port"
# ether4 is forced to half duplex (full-duplex=no); record why (legacy device?).
set [ find default-name=ether4 ] comment=Peyala full-duplex=no
set [ find default-name=ether5 ] comment="OBHAI NVR"
set [ find default-name=ether7 ] comment="7th Floor R2"
set [ find default-name=ether8 ] comment="7th Floor R1-Cafe"
set [ find default-name=ether10 ] comment=6th-R1-Obhai&GBL
set [ find default-name=ether11 ] comment=6th-R2-YML
# sfp4 is configured like the uplinks but administratively disabled — presumably a spare.
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full \
auto-negotiation=no disabled=yes
# WireGuard tunnel. UDP 13231 must reach the router on the uplink interfaces
# (see the first input rule in /ip firewall filter, which does not do that as
# written). No private-key appears here: sensitive values are hidden unless the
# export is made with show-sensitive.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-SKA
# Interface lists used by detect-internet, the firewall and mangle; membership
# is defined in /interface list member.
/interface list
add comment=WAN-List name=WAN
add comment=LAN-List name=LAN
# Default profiles that nothing in this export references (no LTE or wireless
# interfaces are defined).
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools. dhcp_pool_SKA_Mgt is a 30-address slice inside bridge_LAN's
# 192.168.222.0/24; the only active consumer is /ppp profile profile-mgmt (the
# DHCP server that references it, dhcp_SKA, is disabled). dhcp_pool_SKA_CCR
# spans the four /24s of 192.168.48.0/22, leaving the low addresses of each /24
# out of the pool — presumably reserved for static hosts.
/ip pool
add name=dhcp_pool_SKA_Mgt ranges=192.168.222.161-192.168.222.190
add name=dhcp_pool_SKA_CCR ranges="192.168.48.65-192.168.48.250,192.168.49.35-\
192.168.49.250,192.168.50.61-192.168.50.250,192.168.51.35-192.168.51.250"
# Only dhcp_mgh is active (bridge_SKA, 2-day leases). dhcp_SKA on bridge_LAN is
# disabled, so bridge_LAN hosts are addressed statically or by something not
# in this export.
/ip dhcp-server
add address-pool=dhcp_pool_SKA_Mgt disabled=yes interface=bridge_LAN \
lease-time=3d name=dhcp_SKA
add address-pool=dhcp_pool_SKA_CCR interface=bridge_SKA lease-time=2d name=\
dhcp_mgh
/port
set 0 name=serial0
set 1 name=serial1
# PPP profile handed to L2TP clients (and to PPTP clients, should that server
# ever be enabled). Both local-address and remote-address come from
# dhcp_pool_SKA_Mgt, so each session presumably consumes two of its 30
# addresses; a fixed local-address would double the client capacity.
# change-tcp-mss=yes clamps MSS to the tunnel MTU.
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=dhcp_pool_SKA_Mgt \
name=profile-mgmt remote-address=dhcp_pool_SKA_Mgt
# Per-host rate limits. The NVR cap applies 00:00-21:59 Sun-Thu only. The
# three 10M queues are disabled and named 1/2/3 — give them descriptive names
# so their purpose survives the next review.
/queue simple
add max-limit=15M/15M name="queue_OBHAI NVR" target=192.168.222.58/32 time=\
0s-21h59m,sun,mon,tue,wed,thu
add disabled=yes max-limit=10M/10M name=1 target=192.168.48.188/32 time=\
0s-23h59m,sun,mon,tue,wed,thu,fri,sat
add disabled=yes max-limit=10M/10M name=2 target=192.168.50.213/32 time=\
0s-23h59m,sun,mon,tue,wed,thu,fri,sat
add disabled=yes max-limit=10M/10M name=3 target=192.168.48.226/32 time=\
0s-23h59m,sun,mon,tue,wed,thu,fri,sat
# Routing-protocol leftovers. The BGP template is enabled and references an
# address-list (bgp-networks) that is not defined in this export, and no BGP
# connection exists here; the OSPF instance is enabled while its only area is
# disabled, so neither protocol can form an adjacency. Disable or remove them
# unless they are being prepared for use.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# One FIB-backed table per uplink; /ip firewall mangle assigns traffic to them
# and /ip route gives each its own default-route preference order.
/routing table
add fib name=Group-Acc
add fib name=Group-Adn
add fib name=Group-ISNL
# Built-in "read" group reduced to winbox login: every other policy, read
# included, is negated, so a member can presumably authenticate but inspect
# nothing. NOTE(review): looks like a deliberate lockdown of the default group
# — confirm; users themselves are not part of this export.
/user group
set read policy="winbox,!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,\
!test,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
# Bridge membership. ingress-filtering=no means no VLAN-tag checks, and no
# bridge in this export has vlan-filtering, so each bridge is a flat L2 segment.
#   bridge_LAN: ether3, ether4, ether5, ether9
#   bridge_SKA: ether6, ether7, ether8, ether10, ether11, ether12
#   bridge_ER:  ER_sfp1, ether2
# ether6, ether9 and ether12 carry no comment= in /interface ethernet — label them.
/interface bridge port
add bridge=bridge_LAN ingress-filtering=no interface=ether5
add bridge=bridge_LAN ingress-filtering=no interface=ether3
add bridge=bridge_LAN ingress-filtering=no interface=ether4
add bridge=bridge_SKA ingress-filtering=no interface=ether10
add bridge=bridge_SKA ingress-filtering=no interface=ether11
add bridge=bridge_SKA ingress-filtering=no interface=ether7
add bridge=bridge_SKA ingress-filtering=no interface=ether8
add bridge=bridge_SKA ingress-filtering=no interface=ether6
add bridge=bridge_ER ingress-filtering=no interface=ER_sfp1
add bridge=bridge_ER ingress-filtering=no interface=ether2
add bridge=bridge_SKA ingress-filtering=no interface=ether12
add bridge=bridge_LAN ingress-filtering=no interface=ether9
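# Neighbor discovery (MNDP/CDP/LLDP) announces identity, software version and
# addresses to whatever is directly attached. The previous value, !dynamic, made
# every static interface advertise — including the three ISP-facing ports and
# bridge_ER — and nothing in /ip firewall filter stops that, because the input
# chain has no terminal drop. Restricting it to the LAN list (bridge_LAN,
# bridge_SKA, wireguard-SKA per /interface list member) keeps discovery where it
# is useful. If discovery toward the device behind bridge_ER is wanted, put
# bridge_ER in a dedicated list and name that list here instead.
/ip neighbor discovery-settings
set discover-interface-list=LAN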
# ARP/neighbour table cap raised to 8192 — sized for the /22 segment.
/ip settings
set max-neighbor-entries=8192
# IPv6 fully disabled; with no IPv6 firewall in this export that is the safer
# state. The neighbour cap is moot while disable-ipv6=yes.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Internet-detect probes only the uplinks. It reports interface state; the
# failover actually used here is check-gateway=ping in /ip route.
/interface detect-internet
set detect-interface-list=WAN
# L2TP server is live. use-ipsec=yes applies IPsec when the client negotiates
# it; per RouterOS semantics the value that rejects unencrypted L2TP sessions is
# use-ipsec=required — switch to it once every client is known to use IPsec.
# The ipsec-secret is hidden from this export and authentication= is absent
# (server default) — confirm both. Clients land in profile-mgmt and receive an
# address inside bridge_LAN's subnet (see /ip pool). The input chain in
# /ip firewall filter has no accept for UDP 500/4500/1701 or ESP; that only
# works because that chain has no terminal drop.
/interface l2tp-server server
set default-profile=profile-mgmt enabled=yes use-ipsec=yes
# WAN list: the three uplinks (drives detect-internet, the WAN-side drops and
# the mangle input marks). LAN list: both user bridges plus the WireGuard
# tunnel, so the prerouting mark-routing rules and the raw anti-spoof rule also
# apply to tunnel traffic. bridge_ER is in neither list; dynamic L2TP client
# interfaces are not members either.
/interface list member
add comment=ISP interface=WAN1_ether1_acc list=WAN
add interface=WAN2-sfp2-adn list=WAN
add comment=Local interface=bridge_LAN list=LAN
add interface=bridge_SKA list=LAN
add interface=WAN3_sfp3_ISNL list=WAN
add interface=wireguard-SKA list=LAN
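# OpenVPN server — not enabled in this export (enabled=yes is absent), so this
# is safe to tighten now. The previous auth=sha1,md5 allowed MD5 as the packet
# HMAC; md5 is dropped so a later enable cannot negotiate it. The cipher list is
# not exported (server default) and certificate=*1 is an internal id left by
# the export; both must be set explicitly before this server is ever enabled,
# and require-client-certificate=yes is worth adding so a password alone is
# not sufficient.
/interface ovpn-server server
set auth=sha1 certificate=*1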
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# Not enabled in this export (enabled=yes is absent). The allowed methods
# include pap (cleartext password) and mschap1, and the default profile is the
# management profile. Keep it disabled; if the entry must stay, at least drop
# pap,chap,mschap1 from authentication=.
set authentication=pap,chap,mschap1,mschap2 default-profile=profile-mgmt
# One WireGuard peer, limited to a single /32 of the tunnel subnet (router side
# is 192.168.100.1/24, see /ip address). public-key is the peer's public key,
# not a secret; with no endpoint= the peer must initiate. A preshared-key, if
# configured, would not appear in this export.
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard-SKA public-key=\
"o3cQUJ1cf7Ss5YOtvwU3cRPyorLrqtFE1s570E7wCgE="
# Addresses. NOTE(review): the three uplink entries look sanitised — 2.2.2.2/30,
# 3.3.3.3/30 and 4.4.4.4/30 cannot have network=2.2.2.192, 3.3.3.4 and
# 4.4.4.248, and /ip route and /ip firewall nat carry the same placeholder
# values. Treat the public addressing in this export as redacted, not as a
# mistake to correct. bridge_SKA's address sits in the third /24 of the /22
# (192.168.50.1/22) and is the gateway handed out in /ip dhcp-server network.
/ip address
add address=3.3.3.3/30 interface=WAN2-sfp2-adn network=3.3.3.4
add address=2.2.2.2/30 interface=WAN1_ether1_acc network=\
2.2.2.192
add address=192.168.222.1/24 interface=bridge_LAN network=192.168.222.0
add address=192.168.50.1/22 interface=bridge_SKA network=192.168.48.0
add address=4.4.4.4/30 interface=WAN3_sfp3_ISNL network=\
4.4.4.248
add address=192.168.100.1/24 interface=wireguard-SKA network=192.168.100.0
# Cloud time sync off; ddns-enabled is absent (default off).
/ip cloud
set update-time=no
# DHCP clients are pointed straight at public resolvers; the router does not
# resolve for them (allow-remote-requests is absent from /ip dns, so it stays
# off).
/ip dhcp-server network
add address=192.168.48.0/22 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.50.1
add address=192.168.222.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.222.1
# Router-side resolver cache: roughly 680 MiB with TTLs capped at ~13 weeks.
# Large for a cache only the router itself uses; the cap is an upper bound,
# records still expire at their own TTL.
/ip dns
set cache-max-ttl=12w6d cache-size=700000KiB servers=8.8.8.8,1.1.1.1
# BOGONS feeds the two forward-chain drops. Covers 10/8, CGNAT, loopback,
# link-local, the TEST-NETs, the benchmarking range and 224/3 (multicast plus
# class E), but deliberately not 192.168/16 — the LANs live there, so adding it
# would break the forward chain. 172.16/12 is also absent and could be added if
# nothing upstream uses it.
/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
# LAN_IP: every internal prefix including the WireGuard subnet; used by the
# raw-chain rules (WAN->LAN drop and LAN-side anti-spoofing).
add address=192.168.222.0/24 list=LAN_IP
add address=192.168.48.0/22 list=LAN_IP
add address=192.168.100.0/24 list=LAN_IP
# Filter policy is default-accept in both chains: neither input nor forward
# ends in a drop, so only the explicit drops below have any effect.
/ip firewall filter
# NOTE(review): WireGuard handshake/transport packets arrive on the uplink
# interface, not on wireguard-SKA, so this rule as written matches nothing the
# tunnel needs; the tunnel works only because input is default-accept. The
# intended rule is
#   add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
#   in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
in-interface=wireguard-SKA protocol=udp
# Accepts decrypted tunnel traffic addressed to the router. log=yes writes a
# log line per packet — remove it, or keep it only while debugging.
add action=accept chain=input comment="allow WireGuard traffic" in-interface=\
wireguard-SKA log=yes src-address=192.168.100.0/24
# Refuse DNS from the uplinks (the resolver does not answer remote queries
# anyway, see /ip dns; this stops them reaching it at all).
add action=drop chain=input comment=DNS_Spoofing_Protect connection-state=new \
dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input connection-state=new dst-port=53 \
in-interface-list=WAN protocol=udp
# DNS flows are fasttracked (hw-offload requested). Fasttracked packets bypass
# the remaining filter and mangle rules, so verify that marked DNS flows still
# follow their routing table. connection-state="" on the TCP rule looks like an
# export artefact — confirm it matches every state as intended.
add action=fasttrack-connection chain=forward comment=Fasttrack_DNS_TCP \
connection-state="" dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment=Fasttrack_DNS_UDP \
dst-port=53 hw-offload=yes protocol=udp
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=drop chain=forward src-address-list=BOGONS
add action=drop chain=forward dst-address-list=BOGONS
# Blocks unsolicited inbound sessions. No dst-nat rules exist (see /ip
# firewall nat), so this drops every new forward flow arriving on an uplink.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
new in-interface-list=WAN
# NOTE(review): the input chain has no terminal drop, so every listener on the
# router — winbox on 10662, L2TP/IPsec, anything not explicitly dropped above —
# is reachable from the uplinks. Before adding one, accept what the router must
# answer, then drop the rest, for example:
#   add action=accept chain=input connection-state=established,related
#   add action=accept chain=input in-interface-list=WAN protocol=udp \
#   dst-port=500,4500,1701
#   add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
#   add action=accept chain=input in-interface-list=WAN protocol=icmp
#   add action=drop chain=input in-interface-list=WAN
# placed after the corrected WireGuard accept. Apply from a LAN-side session
# with Safe Mode on so a mistake does not lock the router.
# Policy routing, three mechanisms:
#  1. input/output pairs: a connection that arrives on an uplink is marked and
#     the router's own replies are routed via that uplink's table.
#  2. prerouting: each /27 of bridge_LAN and each /26 of bridge_SKA is pinned to
#     one uplink table (Adn / Acc / ISNL); passthrough=no stops at first match.
#  3. the whole WireGuard subnet is pinned to Group-Adn.
# NOTE(review): the prerouting rules match on source only. Every Group-* table
# holds a default route and no connected routes (see /ip route), so a marked
# packet for another internal subnet (bridge_LAN <-> bridge_SKA, or either to
# 192.168.100.0/24) goes to the uplink instead of being delivered locally unless
# the lookup falls back to main — verify on the box; the usual fix is to add
# dst-address-list=!LAN_IP to every prerouting mark-routing rule.
# L2TP clients (pool .161-.190) sit in the .160/27 range below, but their
# packets arrive on dynamic interfaces outside the LAN list, so these rules do
# not match them and they use the main table.
# Naming: the WAN3 pair uses conn_4 while WAN1/WAN2 use conn_1/conn_2.
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1_ether1_acc \
new-connection-mark=conn_1 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_1 new-routing-mark=\
Group-Acc passthrough=yes
add action=mark-connection chain=input in-interface=WAN2-sfp2-adn \
new-connection-mark=conn_2 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_2 new-routing-mark=\
Group-Adn passthrough=yes
add action=mark-connection chain=input in-interface=WAN3_sfp3_ISNL \
new-connection-mark=conn_4 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_4 new-routing-mark=\
Group-ISNL passthrough=yes
# bridge_LAN /27s: .0 Adn (mgmt)  .32 Adn  .64 Acc  .96 ISNL  .128 Adn
#                  .160 ISNL  .192 ISNL  .224 Adn
add action=mark-routing chain=prerouting comment=Management \
in-interface-list=LAN new-routing-mark=Group-Adn passthrough=no \
src-address=192.168.222.0/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-Adn passthrough=no src-address=192.168.222.32/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-Acc passthrough=no src-address=192.168.222.64/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.222.96/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-Adn passthrough=no src-address=192.168.222.128/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.222.160/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.222.192/27
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-Adn passthrough=no src-address=192.168.222.224/27
# bridge_SKA /26s: 48.0 Adn (mgmt 7th), rest of 48.x and all of 49.x ISNL;
#   50.0 Adn (mgmt 6th), rest of 50.x ISNL; 51.0 Acc, 51.64 ISNL, 51.128 Acc,
#   51.192 Acc
add action=mark-routing chain=prerouting comment=Management_7th \
in-interface-list=LAN new-routing-mark=Group-Adn passthrough=no \
src-address=192.168.48.0/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.48.64/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.48.128/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.48.192/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.49.0/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.49.64/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.49.128/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.49.192/26
add action=mark-routing chain=prerouting comment=Management_6th \
in-interface-list=LAN new-routing-mark=Group-Adn passthrough=no \
src-address=192.168.50.0/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.50.64/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.50.128/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.50.192/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-Acc passthrough=no src-address=192.168.51.0/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-ISNL passthrough=no src-address=192.168.51.64/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-Acc passthrough=no src-address=192.168.51.128/26
add action=mark-routing chain=prerouting in-interface-list=LAN \
new-routing-mark=Group-Acc passthrough=no src-address=192.168.51.192/26
# WireGuard subnet -> Group-Adn. This one matches on in-interface rather than
# the LAN list, although wireguard-SKA is a LAN member; either form works.
add action=mark-routing chain=prerouting comment=WG in-interface=\
wireguard-SKA new-routing-mark=Group-Adn passthrough=no src-address=\
192.168.100.0/24
# Source NAT per uplink to that uplink's own address (the same placeholder
# values as /ip address; see the note there). No dst-nat / port-forward rules
# exist, which is what lets the forward chain drop every !dstnat flow from WAN.
# action=masquerade would follow an address change automatically; static
# src-nat is fine while the /30s are fixed.
/ip firewall nat
add action=src-nat chain=srcnat out-interface=WAN1_ether1_acc to-addresses=\
2.2.2.2
add action=src-nat chain=srcnat out-interface=WAN2-sfp2-adn to-addresses=\
3.3.3.3
add action=src-nat chain=srcnat out-interface=WAN3_sfp3_ISNL to-addresses=\
4.4.4.4
# Raw table: drops before connection tracking, so these rules are cheap.
# blacklisted-ip and PPTP_Attack are not populated anywhere in this export —
# either they are filled dynamically (scripts or rules not shown) or the two
# drops are no-ops; confirm which, and remove them if the lists are dead.
/ip firewall raw
add action=drop chain=prerouting src-address-list=blacklisted-ip
add action=drop chain=prerouting src-address-list=PPTP_Attack
# Packets arriving on an uplink that are addressed to an internal prefix are
# dropped outright.
add action=drop chain=prerouting comment=\
"defconf: drop forward to local lan from WAN" dst-address-list=LAN_IP \
in-interface-list=WAN
# LAN-side anti-spoofing: anything entering a LAN-list interface from a
# non-internal source is dropped, except the DHCP DISCOVER shape
# (src 0.0.0.0, dst 255.255.255.255). Covers the WireGuard tunnel because it is
# in the LAN list; L2TP clients arrive on dynamic interfaces outside the list
# and are not covered.
add action=drop chain=prerouting comment=\
"Drop local if not from default IP range" dst-address=!255.255.255.255 \
in-interface-list=LAN src-address=!0.0.0.0 src-address-list=!LAN_IP
# Recursive next-hop failover. Host routes with scope=10 pin one public probe
# address to each uplink (1.0.0.1 -> WAN1, 8.8.4.4 -> WAN2, 9.9.9.9 -> WAN3);
# the per-table defaults use those hosts as gateway with target-scope=15 and
# check-gateway=ping, so a table's default is withdrawn when its probe host
# stops answering — an outage of the probe host itself, not only of the link,
# therefore triggers failover.
# NOTE(review): the host routes' gateways are the router's own (placeholder)
# uplink addresses; in the real config they must be the ISP next hops, i.e. the
# same values as the three main-table defaults below. Redaction trace, not a
# change to make here.
# Preference per table (distance): Acc 1=WAN1 2=WAN2 3=WAN3;
#   Adn 1=WAN2 2=WAN1 2=WAN3; ISNL 1=WAN3 3=WAN2 3=WAN1.
# NOTE(review): Adn has two distance-2 routes and ISNL two distance-3 routes,
# so after a primary failure those tables load-share across the two backups
# rather than prefer one; if strict order is intended, raise one of each pair.
# The three main-table defaults (no routing-table=) share the default distance
# and so form an ECMP set over all uplinks for anything without a routing mark,
# including router-originated traffic the output mangle rules do not cover.
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
1.0.0.1 pref-src="" routing-table=Group-Acc scope=30 suppress-hw-offload=\
no target-scope=15
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 pref-src="" routing-table=Group-Acc scope=30 suppress-hw-offload=\
no target-scope=15
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 pref-src="" routing-table=Group-Adn scope=30 suppress-hw-offload=\
no target-scope=15
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
1.0.0.1 pref-src="" routing-table=Group-Adn scope=30 suppress-hw-offload=\
no target-scope=15
# Main-table defaults via the three ISP next hops (these three values are not
# placeholders).
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=202.51.181.5
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
175.29.161.193
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=\
203.188.250.249
# Probe-host pins (see note above about the gateway values).
add disabled=no dst-address=1.0.0.1/32 gateway=2.2.2.2 scope=10
add disabled=no dst-address=8.8.4.4/32 gateway=3.3.3.3 scope=10
add disabled=no dst-address=9.9.9.9/32 gateway=4.4.4.4 scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
9.9.9.9 pref-src="" routing-table=Group-ISNL scope=30 \
suppress-hw-offload=no target-scope=15
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 pref-src="" routing-table=Group-ISNL scope=30 \
suppress-hw-offload=no target-scope=15
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
1.0.0.1 pref-src="" routing-table=Group-ISNL scope=30 \
suppress-hw-offload=no target-scope=15
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
9.9.9.9 pref-src="" routing-table=Group-Adn scope=30 suppress-hw-offload=\
no target-scope=15
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
9.9.9.9 pref-src="" routing-table=Group-Acc scope=30 suppress-hw-offload=\
no target-scope=15
# Management services. telnet, ftp, www, ssh, api and api-ssl are off; www-ssl
# is absent from the export (default off). winbox is the only service left, on
# a non-default port.
# NOTE(review): winbox has no address= restriction and the input chain in
# /ip firewall filter has no terminal drop, so it is reachable from the
# uplinks; a port change is not a control. Limit it to the internal prefixes
# (the LAN_IP entries, which include the VPN ranges):
#   set winbox address=192.168.222.0/24,192.168.48.0/22,192.168.100.0/24 port=10662
# ssh is disabled while its port is moved — the port value is inert; keep ssh
# off, or re-enable it with the same address= list.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2213
set api disabled=yes
set winbox port=10662
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Dhaka
/system health settings
set cpu-overtemp-threshold=90C
/system identity
set name=MikroTik_SKA
# NOTE(review): the NTP client is enabled but no servers= is set, so it has
# nothing to sync from; clock drift shows up as wrong log timestamps and
# certificate-validity errors. Add servers= (a public NTP pool hostname will
# do — the resolver in /ip dns is available to it).
/system ntp client
set enabled=yes
# Long-term release channel; auto-upgrade applies RouterBOARD firmware after a
# package upgrade. Reset-button hold windows shortened to 1-2 minutes.
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes reformat-hold-button=1m reformat-hold-button-max=2m
# Bandwidth-test server off; MAC-telnet, MAC-winbox and MAC-ping closed on all
# interfaces, so no layer-2 management path remains — only IP winbox
# (see /ip service).
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no