Sorted out the RB5009. But getting an even slower cross vlan connection now. In the 15 Mbits/sec range.
I did lift and shift the settings from the hex manually. But would have thought it would still have worked?
Including the config.
# 2024-04-11 07:24:33 by RouterOS 7.14.2
# software id = EBIH-DSRK
#
# model = RB5009UG+S+
# serial number = HFH09FYM095
/interface bridge
add admin-mac=78:9A:18:C7:1E:BF auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=
/interface vlan
add interface=ether3 name=CAM88 vlan-id=88
add interface=ether3 name=IoT687 vlan-id=687
add interface=ether3 name=VLAN82 vlan-id=82
add interface=ether3 name=VLAN3000 vlan-id=3000
add interface=ether3 name=WIFI20 vlan-id=20
add interface=ether3 name=WORK999 vlan-id=999
add interface=ether3 name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=66 name=option66 value="'192.168.82.239'"
add code=60 name=pi-60 value="'PXEClient'"
add code=43 name=pi-43 value="'Raspberry Pi Boot'"
/ip dhcp-server option sets
add name=set1 options=option66
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=192.168.99.0/24-IPPool ranges=192.168.99.10-192.168.99.254
add name=dhcp ranges=192.168.41.10-192.168.41.254
add name=192.168.82.0/24-IPPool ranges=192.168.82.10-192.168.82.254
add name=192.168.41.0/24-IPPool ranges=192.168.41.2-192.168.41.254
add name=192.168.89.0/24-IPPool ranges=192.168.89.10-192.168.89.254
add name=192.168.40.0/24-IPPool ranges=192.168.40.2-192.168.40.254
add name=10.0.68.0/24-IPPool ranges=10.0.68.2-10.0.68.254
add name=192.168.42.0/24-IPPool ranges=192.168.42.10-192.168.42.254
add name=192.168.253.0/29-IPPool ranges=192.168.253.2-192.168.253.6
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=192.168.99.0/24-IPPool interface=WORK999 lease-time=10m name=192.168.99.0-DHCP
add address-pool=192.168.253.0/29-IPPool interface=VLAN3000 lease-time=10m name=192.168.254.0-DHCP
add address-pool=192.168.89.0/24-IPPool insert-queue-before=bottom interface=CAM88 lease-time=10m name=192.168.89.0-DHCP
add address-pool=192.168.42.0/24-IPPool insert-queue-before=bottom interface=WIFI20 lease-time=10m name=192.168.42.0-DHCP
add address-pool=192.168.41.0/24-IPPool interface=vlan10 lease-script="# When \"1\" all DNS entries with IP address of DHCP lease are removed\r\
\n:local dnsRemoveAllByIp \"1\"\r\
\n# When \"1\" all DNS entries with hostname of DHCP lease are removed\r\
\n:local dnsRemoveAllByName \"1\"\r\
\n# When \"1\" addition and removal of DNS entries is always done also for non-FQDN hostname\r\
\n:local dnsAlwaysNonfqdn \"1\"\r\
\n# DNS domain to add after DHCP client hostname\r\
\n:local dnsDomain \"lan\"\r\
\n# DNS TTL to set for DNS entries\r\
\n:local dnsTtl \"00:15:00\"\r\
\n# Source of DHCP client hostname, can be \"lease-hostname\" or any other lease attribute, like \"host-name\" or \"comment\"\r\
\n:local leaseClientHostnameSource \"lease-hostname\"\r\
\n\r\
\n:local leaseComment \"dhcp-lease-script_\$leaseServerName_\$leaseClientHostnameSource\"\r\
\n:local leaseClientHostname\r\
\n:if (\$leaseClientHostnameSource = \"lease-hostname\") do={\r\
\n :set leaseClientHostname \$\"lease-hostname\"\r\
\n} else={\r\
\n :set leaseClientHostname ([:pick \\\r\
\n [/ip dhcp-server lease print as-value where server=\"\$leaseServerName\" address=\"\$leaseActIP\" mac-address=\"\$leaseActMAC\"] \\\r\
\n 0]->\"\$leaseClientHostnameSource\")\r\
\n}\r\
\n:local leaseClientHostnames \"\$leaseClientHostname\"\r\
\n:if ([:len [\$dnsDomain]] > 0) do={\r\
\n :if (\$dnsAlwaysNonfqdn = \"1\") do={\r\
\n :set leaseClientHostnames \"\$leaseClientHostname.\$dnsDomain,\$leaseClientHostname\"\r\
\n } else={\r\
\n :set leaseClientHostnames \"\$leaseClientHostname.\$dnsDomain\"\r\
\n }\r\
\n}\r\
\n:if (\$dnsRemoveAllByIp = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" and address=\"\$leaseActIP\"]\r\
\n}\r\
\n:foreach h in=[:toarray value=\"\$leaseClientHostnames\"] do={\r\
\n :if (\$dnsRemoveAllByName = \"1\") do={\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" and name=\"\$h\"]\r\
\n }\r\
\n /ip dns static remove [/ip dns static find comment=\"\$leaseComment\" and address=\"\$leaseActIP\" and name=\"\$h\"]\r\
\n :if (\$leaseBound = \"1\") do={\r\
\n :delay 1\r\
\n /ip dns static add comment=\"\$leaseComment\" address=\"\$leaseActIP\" name=\"\$h\" ttl=\"\$dnsTtl\"\r\
\n }\r\
\n}" lease-time=10m name=192.168.41.0-DHCP
add address-pool=10.0.68.0/24-IPPool interface=IoT687 lease-time=10m name=10.0.68.0-DHCP
add address-pool=192.168.82.0/24-IPPool insert-queue-before=bottom interface=VLAN82 lease-time=10m name=192.168.82.0-DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WORK999 list=LAN
add interface=VLAN3000 list=LAN
add interface=CAM88 list=LAN
add interface=WIFI20 list=LAN
add interface=vlan10 list=LAN
add interface=VLAN82 list=LAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface=WORK999 network=192.168.99.0
add address=192.168.253.1/29 interface=VLAN3000 network=192.168.253.0
add address=192.168.89.1/24 interface=CAM88 network=192.168.89.0
add address=192.168.42.1/24 interface=WIFI20 network=192.168.42.0
add address=192.168.41.1/24 interface=vlan10 network=192.168.41.0
add address=10.0.68.1/24 interface=IoT687 network=10.0.68.0
add address=192.168.82.1/24 interface=VLAN82 network=192.168.82.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.89.253 client-id=1:e0:ca:3c:4e:65:38 mac-address=E0:CA:3C:4E:65:38 server=192.168.89.0-DHCP
add address=192.168.89.254 client-id=1:8:a1:89:53:f3:cd mac-address=08:A1:89:53:F3:CD server=192.168.89.0-DHCP
add address=192.168.42.230 mac-address=88:DC:96:87:25:C5 server=192.168.42.0-DHCP
add address=192.168.42.228 mac-address=88:DC:96:87:25:C9 server=192.168.42.0-DHCP
add address=192.168.42.227 mac-address=88:DC:97:07:68:92 server=192.168.42.0-DHCP
add address=192.168.42.11 comment=ezMaster mac-address=00:0C:29:FF:9F:C1 server=192.168.42.0-DHCP
add address=192.168.41.11 client-id=1:ec:d:e4:f:f6:44 comment="Ben fire Stick" mac-address=EC:0D:E4:0F:F6:44 server=192.168.41.0-DHCP
add address=192.168.41.61 client-id=ff:c5:5a:4d:5e:0:2:0:0:ab:11:ba:d0:eb:15:93:1d:54:e5 mac-address=00:26:B6:60:D1:52 server=192.168.41.0-DHCP
add address=192.168.41.24 client-id=1:c4:54:44:98:b0:45 comment="Main Desk Voice" mac-address=C4:54:44:98:B0:45 server=192.168.41.0-DHCP
add address=192.168.41.19 client-id=1:f0:2f:74:1c:63:9f mac-address=F0:2F:74:1C:63:9F server=192.168.41.0-DHCP
add address=192.168.41.184 comment="Zyxel GS1900-10HP PoE Switch" mac-address=D8:EC:E5:BE:74:F5 server=192.168.41.0-DHCP
add address=192.168.41.21 client-id=1:b8:27:eb:dd:5d:4 mac-address=B8:27:EB:DD:5D:04 server=192.168.41.0-DHCP
add address=192.168.41.183 comment="Server Switch" mac-address=B8:EC:A3:A8:20:01 server=192.168.41.0-DHCP
add address=192.168.41.13 mac-address=1C:6F:65:37:4C:83 server=192.168.41.0-DHCP
add address=192.168.41.9 client-id=1:84:a6:c8:e0:51:b9 mac-address=84:A6:C8:E0:51:B9 server=192.168.41.0-DHCP
add address=192.168.41.25 client-id=1:0:4:4b:fb:96:db comment="Nvidia Shield Main Bedroom wifi" mac-address=00:04:4B:FB:96:DB server=192.168.41.0-DHCP
add address=192.168.41.18 client-id=1:0:4:4b:fd:1d:7b comment="Nvidia Shield Main Bedroom Lan" mac-address=00:04:4B:FD:1D:7B server=192.168.41.0-DHCP
add address=192.168.41.29 client-id=1:fc:d7:49:8e:a5:bc comment="Ben Fire 10" mac-address=FC:D7:49:8E:A5:BC server=192.168.41.0-DHCP
add address=192.168.41.62 client-id=ff:7b:31:fe:60:0:2:0:0:ab:11:ba:d0:eb:15:93:1d:54:e5 mac-address=00:26:9E:7D:00:77 server=192.168.41.0-DHCP
add address=192.168.41.23 client-id=1:4c:9e:ff:6e:7a:77 comment="Main Switch" mac-address=4C:9E:FF:6E:7A:77 server=192.168.41.0-DHCP
add address=192.168.41.42 client-id=1:e4:5f:1:20:f6:9b dhcp-option=option66,pi-43,pi-60 mac-address=E4:5F:01:20:F6:9B server=192.168.41.0-DHCP
add address=192.168.41.36 mac-address=00:0C:29:EA:11:D8 server=192.168.41.0-DHCP
add address=192.168.41.53 client-id=48:B0:2D:7A:0B:05 comment="Nvidia Shield Living Room wifi" mac-address=48:B0:2D:7A:0B:05 server=192.168.41.0-DHCP
add address=192.168.41.30 client-id=1:b8:27:eb:45:63:55 mac-address=B8:27:EB:45:63:55 server=192.168.41.0-DHCP
add address=192.168.82.229 client-id=ff:66:7b:93:2a:0:2:0:0:ab:11:c7:62:4a:58:b:f9:3f:26 mac-address=48:4D:7E:E0:04:8F server=192.168.82.0-DHCP
add address=192.168.82.231 client-id=ff:66:7b:93:2a:0:2:0:0:ab:11:1a:c3:92:fd:e0:70:10:de mac-address=48:4D:7E:D9:01:C8 server=192.168.82.0-DHCP
add address=192.168.82.239 client-id=1:98:90:96:e0:3e:4c comment=Baldrick mac-address=98:90:96:E0:3E:4C server=192.168.82.0-DHCP
add address=192.168.82.238 client-id=1:e4:54:e8:d0:18:cd mac-address=E4:54:E8:D0:18:CD server=192.168.82.0-DHCP
/ip dhcp-server network
add address=10.0.68.0/24 comment=IoT dns-server=10.0.68.1 gateway=10.0.68.1 netmask=24
add address=192.168.41.0/24 comment=Main dns-server=1.1.1.1 gateway=192.168.41.1 netmask=24
add address=192.168.42.0/24 comment="Network Equipment" dns-server=192.168.42.1 gateway=192.168.42.1 netmask=24
add address=192.168.82.0/24 comment=Servers dns-server=192.168.82.1 gateway=192.168.82.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 comment=Cameras dns-server=192.168.89.1 gateway=192.168.89.1 netmask=24
add address=192.168.99.0/24 comment=Work dns-server=192.168.99.1 gateway=192.168.99.1 netmask=24
add address=192.168.253.0/29 comment=Hive dns-server=192.168.253.1 gateway=192.168.253.1 netmask=29
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.41.24 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=DESKTOP-7S7LN24.lan ttl=15m
add address=192.168.41.24 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=DESKTOP-7S7LN24 ttl=15m
add address=192.168.41.21 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=ExcerciseLibreElec.lan ttl=15m
add address=192.168.41.21 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=ExcerciseLibreElec ttl=15m
add address=192.168.41.3 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OCTO-CADLITE.lan ttl=15m
add address=192.168.41.3 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OCTO-CADLITE ttl=15m
add address=192.168.41.23 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=GS1920.lan ttl=15m
add address=192.168.41.23 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=GS1920 ttl=15m
add address=192.168.41.8 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=myHivehub.lan ttl=15m
add address=192.168.41.8 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=myHivehub ttl=15m
add address=192.168.41.19 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=Main.lan ttl=15m
add address=192.168.41.19 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=Main ttl=15m
add address=192.168.41.29 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=.lan ttl=15m
add address=192.168.41.14 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OnePlus5T.lan ttl=15m
add address=192.168.41.14 comment=dhcp-lease-script_192.168.41.0-DHCP_lease-hostname name=OnePlus5T ttl=15m
/ip firewall address-list
add address=80.41.251.68 list="External IP"
add address=192.168.89.254 list="Security Cameras"
add address=192.168.89.253 list="Security Cameras"
add address=192.168.41.11 list="Bens Devices"
add address=192.168.41.29 list="Bens Devices"
add address=192.168.41.25 list="Shield TVs"
add address=192.168.41.18 list="Shield TVs"
add address=192.168.41.53 list="Shield TVs"
add address=192.168.82.229 list="Traefik Box"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=\
WAN
add action=passthrough chain=forward comment="special dummy rule to show fasttrack counters"
add action=accept chain=forward comment="Time Servers" protocol=udp src-port=123
add action=accept chain=forward comment=ICMP dst-address=192.168.0.0/16 protocol=icmp src-address=192.168.0.0/16
add action=accept chain=forward comment="NETBIOS Name Service" dst-address=192.178.0.0/16 dst-port=137 protocol=udp src-port=137
# inactive time
add action=drop chain=forward comment="Bens Weekday Bedtime" src-address-list="Bens Devices" time=21h30m-7h,sun,mon,tue,wed,thu
# inactive time
add action=drop chain=forward comment="Bens Weekend Bedtime" src-address-list="Bens Devices" time=21h30m-7h,fri,sat
add action=accept chain=forward comment="Inbound External HTTP Connectivity to Traefik" in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp src-port=80
add action=accept chain=forward comment="Inbound External HTTPS Connectivity to Traefik" in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp src-port=443
add action=accept chain=forward comment="Outbound External HTTP Connectivity to Traefik" dst-port=80 in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="Outbound External HTTPS Connectivity to Traefik" dst-port=443 in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="Inbound HTTP Connectivity to Traefik" dst-address-list="Traefik Box" dst-port=80 in-interface=!pppoe-out1 out-interface=\
VLAN82 protocol=tcp
add action=accept chain=forward comment="Inbound HTTPS Connectivity to Traefik" dst-address-list="Traefik Box" dst-port=443 in-interface=!pppoe-out1 out-interface=\
VLAN82 protocol=tcp
add action=accept chain=forward comment="Inbound XMPP" dst-address-list="Traefik Box" in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp src-port=5222
add action=accept chain=forward comment="Plex port internal" dst-address=192.168.82.238 dst-port=32400 in-interface=vlan10 protocol=tcp
add action=accept chain=forward comment="Plex port internal" dst-address=192.168.82.238 in-interface=vlan10 protocol=udp
add action=accept chain=forward comment="Plex port internal" dst-address=192.168.82.238 in-interface=vlan10 protocol=tcp
add action=accept chain=forward comment="Plex port external" dst-address=192.168.82.238 dst-port=32400 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=forward comment="Main to cameras" dst-address-list="Security Cameras" out-interface=CAM88 src-address=192.168.41.19
add action=accept chain=forward comment="Internetwork Connectivity" in-interface=VLAN82 out-interface=VLAN82
add action=accept chain=forward comment="Doorbell to HA" dst-address=192.168.82.231 dst-port=8123 in-interface=vlan10 out-interface=VLAN82 protocol=tcp \
src-address=192.168.41.30
add action=accept chain=forward comment="HA to Shield TVs" dst-address-list="Shield TVs" in-interface=vlan10 out-interface=VLAN82 protocol=tcp src-address=\
192.168.82.231
add action=accept chain=forward comment="HA to Shield TVS" dst-address-list="Shield TVs" in-interface=vlan10 out-interface=VLAN82 protocol=udp src-address=\
192.168.82.231
add action=accept chain=forward comment="Shield TVs to HA" dst-address=192.168.82.231 in-interface=VLAN82 out-interface=vlan10 protocol=tcp src-address-list=\
"Shield TVs"
add action=accept chain=forward comment="Shield TVs to HA" dst-address=192.168.82.231 in-interface=VLAN82 out-interface=vlan10 protocol=udp src-address-list=\
"Shield TVs"
add action=accept chain=forward comment="Main to IoT" in-interface=vlan10 out-interface=IoT687 protocol=tcp src-address=192.168.41.19
add action=accept chain=forward comment="HA to IoT" in-interface=VLAN82 out-interface=IoT687 protocol=tcp src-address-list="Traefik Box"
add action=accept chain=forward comment="Main to Baldrick" dst-address=192.168.82.239 dst-port=80 in-interface=vlan10 out-interface=VLAN82 protocol=tcp \
src-address=192.168.41.19
add action=accept chain=forward comment=Tailscale dst-port=41641 in-interface=pppoe-out1 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment=Tailscale in-interface=pppoe-out1 out-interface=VLAN82 protocol=udp src-port=3478
add action=accept chain=forward comment=Tailscale dst-port=41641 in-interface=vlan10 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment=Tailscale dst-port=41641 in-interface=VLAN82 out-interface=vlan10 protocol=tcp
add action=accept chain=forward comment="PIHole to Baldrick" dst-address=192.168.82.239 in-interface=vlan10 out-interface=VLAN82 protocol=tcp src-address=\
192.168.41.42
add action=accept chain=forward comment="PIHole to Baldrick" dst-address=192.168.82.239 in-interface=vlan10 out-interface=VLAN82 protocol=udp src-address=\
192.168.41.42
add action=accept chain=forward comment="MQTT to HA" dst-address=192.168.82.231 dst-port=1883 in-interface=IoT687 out-interface=VLAN82 protocol=tcp
add action=accept chain=forward comment="HA to MQTT" in-interface=VLAN82 out-interface=IoT687 protocol=tcp src-address=192.168.82.231 src-port=1883
add action=accept chain=forward dst-port=22 out-interface=VLAN82 protocol=tcp src-address=192.168.41.19
add action=drop chain=forward comment="Drop all other traffic to 192.168.82.0/24 network" log=yes log-prefix=Server-Drop out-interface=VLAN82
add action=accept chain=forward comment="Frigate to Cameras" dst-address-list="Security Cameras" dst-port=554 in-interface=VLAN82 out-interface=CAM88 protocol=tcp \
src-address=192.168.82.238
add action=drop chain=forward comment="Drop all other traffic to 192.168.89.0/24 network" log=yes log-prefix=Server-Drop out-interface=CAM88
add action=drop chain=forward comment="Drop outbound traffic from 192.168.89.0/24 network" in-interface=CAM88 log=yes log-prefix=Server-Drop out-interface=\
pppoe-out1
add action=drop chain=forward comment="Drop all internal traffic to work network" in-interface=!pppoe-out1 log=yes log-prefix=Server-Drop out-interface=WORK999
add action=drop chain=forward comment="Drop all work traffic to internal vlans" in-interface=WORK999 log=yes log-prefix=Server-Drop out-interface=!pppoe-out1
add action=drop chain=forward comment="Drop all traffic to the IoT network" log=yes log-prefix=Server-Drop out-interface=IoT687
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=Server-Drop
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=dstnat connection-state=new in-interface-list=!WAN log-prefix=\
nodstnat
/ip firewall nat
add action=dst-nat chain=dstnat comment="Echre port 80" dst-address-list="External IP" dst-port=80 protocol=tcp to-addresses=192.168.82.229 to-ports=80
add action=dst-nat chain=dstnat comment="Echre port 443" dst-address-list="External IP" dst-port=443 protocol=tcp to-addresses=192.168.82.229 to-ports=443
add action=dst-nat chain=dstnat comment="Echre port 32400" dst-address-list="External IP" dst-port=32400 protocol=tcp to-addresses=192.168.82.238 to-ports=32400
add action=masquerade chain=srcnat comment="Internet access for 192.168.82.0 network" src-address=192.168.82.0/24
add action=masquerade chain=srcnat comment="Internet access for 192.168.99.0 network" src-address=192.168.99.0/24
add action=masquerade chain=srcnat comment="Internet access for 192.168.41.0 network" src-address=192.168.41.0/24
add action=masquerade chain=srcnat comment="Internet access for 192.168.253.0 network" src-address=192.168.253.0/29
add action=accept chain=dstnat dst-address=192.168.82.236 dst-address-list="External IP" dst-port=9001 protocol=tcp src-port=9001
add action=masquerade chain=srcnat comment="Internet access for 192.168.42.0 network" disabled=yes src-address=192.168.42.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set www-ssl certificate=ServerCA disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN