- # sep/10/2018 21:14:55 by RouterOS 6.41.2
- # software id = ID2F-BQE9
- #
- # model = 951Ui-2HnD
- # serial number = 8D0008AA310A
- # Interface layer: four bridges (LAN, cameras, guest Wi-Fi, staff Wi-Fi), the physical
- # ports, one wireless AP, a GRE tunnel towards the central site and per-port VLAN
- # sub-interfaces (VLAN 10/20/30/40) that are attached to the bridges further down.
- /interface bridge
- # arp=reply-only: the router answers ARP requests but does not learn neighbours
- # dynamically; it depends on static ARP entries, which the DHCP servers in this export
- # create through add-arp=yes. Hosts without a lease entry cannot talk to the router.
- add arp=reply-only mtu=1500 name=OpocznoLublin-LAN
- add arp=reply-only mtu=1500 name=OpocznoLublin-LAN_Kamery
- add arp=reply-only mtu=1500 name=OpocznoLublin-Wifi_GOSC
- add arp=reply-only mtu=1500 name=OpocznoLublin-Wifi_LAN
- /interface ethernet
- # ether1 (the defconf WAN port) is disabled; the uplink in this export is the ppp-client.
- set [ find default-name=ether1 ] arp=reply-only disabled=yes
- set [ find default-name=ether2 ] arp=reply-only name=ether2-master
- set [ find default-name=ether3 ] arp=reply-only
- set [ find default-name=ether4 ] arp=reply-only
- set [ find default-name=ether5 ] arp=reply-only
- /interface wireless
- # WPS is disabled. The SSID is still the factory-style "MikroTik-..." name, which
- # identifies the vendor to anyone in radio range.
- # NOTE(review): no disabled=no is exported for wlan1, so the radio is presumably left
- # in its default state — confirm whether this AP is actually in use.
- set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
- distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-7F6391 \
- wireless-protocol=802.11 wps-mode=disabled
- /interface gre
- # GRE itself is unencrypted and unauthenticated; this tunnel relies on the IPsec policy
- # defined later in the export for protection. Keepalive is switched off (!keepalive).
- add !keepalive local-address=87.251.228.130 name=gre-tunnel1 remote-address=\
- 195.28.0.237
- /interface vlan
- # VLAN 10 -> LAN, 20 -> cameras, 30 -> staff Wi-Fi, 40 -> guest Wi-Fi (per the bridge
- # port section). VLAN 10/20 exist only on ether2-master and ether3; 30/40 on all four.
- add arp=reply-only interface=ether2-master name=vlan10.2 vlan-id=10
- add arp=reply-only interface=ether3 name=vlan10.3 vlan-id=10
- add arp=reply-only interface=ether2-master name=vlan20.2 vlan-id=20
- add arp=reply-only interface=ether3 name=vlan20.3 vlan-id=20
- add arp=reply-only interface=ether2-master name=vlan30.2 vlan-id=30
- add arp=reply-only interface=ether3 name=vlan30.3 vlan-id=30
- add arp=reply-only interface=ether4 name=vlan30.4 vlan-id=30
- add arp=reply-only interface=ether5 name=vlan30.5 vlan-id=30
- add arp=reply-only interface=ether2-master name=vlan40.2 vlan-id=40
- add arp=reply-only interface=ether3 name=vlan40.3 vlan-id=40
- add arp=reply-only interface=ether4 name=vlan40.4 vlan-id=40
- add arp=reply-only interface=ether5 name=vlan40.5 vlan-id=40
- /interface list
- # Named interface groups referenced by the firewall, neighbour discovery and the MAC
- # servers. Membership is assigned in "/interface list member".
- add comment=defconf name=WAN
- add comment=defconf name=LAN
- add exclude=dynamic name=discover
- add name=mactel
- add name=mac-winbox
- # "Dozwolone_inteface" (Polish: "allowed interfaces") is the group of internal bridges
- # the forward chain lets out to the Internet and to the server range.
- add name=Dozwolone_inteface
- /interface wireless security-profiles
- # Default security profile used by the wireless interface.
- # NOTE(review): the WPA and WPA2 pre-shared keys are exported in clear text and share
- # one value. Treat the key as disclosed wherever this export has been copied: rotate it,
- # and produce shareable exports with "/export hide-sensitive".
- # authentication-types still includes wpa-psk (legacy WPA); restrict to wpa2-psk unless
- # an old client requires it — confirm.
- set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
- mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
- Megastore100 wpa2-pre-shared-key=Megastore100
- /ip dhcp-server option
- # Option 43 (vendor-specific). The value 0x0104c0a80b0d is sub-option 1, length 4,
- # followed by c0.a8.0b.0d = 192.168.11.13; the name suggests it is the UniFi controller
- # address handed to access points — confirm.
- add code=43 name=unifi value=0x0104c0a80b0d
- /ip ipsec proposal
- # Phase-2 proposal: SHA-256, AES-256-CBC, PFS with modp1536.
- # NOTE(review): modp1536 is below the 2048-bit group size commonly recommended today;
- # consider modp2048 or stronger if the remote peer supports it.
- set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
- pfs-group=modp1536
- /ip pool
- # One pool per bridge; each covers the host range of one /26 inside 172.28.25.0/24.
- add name=OpocznoLublin-LAN ranges=172.28.25.2-172.28.25.62
- add name=OpocznoLublin-LAN_Kamery ranges=172.28.25.66-172.28.25.126
- add name=OpocznoLublin-Wifi_LAN ranges=172.28.25.130-172.28.25.190
- add name=OpocznoLublin-Wifi_GOSC ranges=172.28.25.194-172.28.25.254
- /ip dhcp-server
- # add-arp=yes makes each lease install an ARP entry. Together with arp=reply-only on the
- # bridges this ties reachability of the router to holding a DHCP lease. It is an
- # address-hygiene control, not authentication: a client can still present any MAC.
- add add-arp=yes address-pool=OpocznoLublin-LAN bootp-support=dynamic \
- disabled=no interface=OpocznoLublin-LAN name=OpocznoLublin-LAN
- add add-arp=yes address-pool=OpocznoLublin-LAN_Kamery bootp-support=dynamic \
- disabled=no interface=OpocznoLublin-LAN_Kamery name=\
- OpocznoLublin-LAN_Kamery
- add add-arp=yes address-pool=OpocznoLublin-Wifi_LAN bootp-support=dynamic \
- disabled=no interface=OpocznoLublin-Wifi_LAN name=OpocznoLublin-Wifi_LAN
- add add-arp=yes address-pool=OpocznoLublin-Wifi_GOSC bootp-support=dynamic \
- disabled=no interface=OpocznoLublin-Wifi_GOSC name=\
- OpocznoLublin-Wifi_GOSC
- /port
- # Serial port 0 is named usb1; the ppp-client below uses it for the cellular modem.
- set 0 name=usb1
- /interface ppp-client
- # Cellular uplink (ppp-out1) over the USB modem.
- # NOTE(review): the SIM PIN is exported in clear text; change it if this export has
- # left the administrators' hands.
- add apn=m2m.plusgsm.pl default-route-distance=0 disabled=no info-channel=1 \
- name=ppp-out1 pin=1816 port=usb1
- /routing ospf instance
- set [ find default=yes ] router-id=172.31.19.18
- /snmp community
- # The default community is kept but has read access switched off.
- set [ find default=yes ] addresses=0.0.0.0/0 read-access=no
- # "nagios" is an SNMPv3-style community: security=private requires both authentication
- # (SHA1) and encryption.
- # NOTE(review): both passwords are exported in clear text and follow a guessable
- # pattern; rotate them. addresses=0.0.0.0/0 places no source restriction at the SNMP
- # layer, so the only limit is the firewall input chain — narrow this to the monitoring
- # host(s).
- add addresses=0.0.0.0/0 authentication-password=Polska123 \
- authentication-protocol=SHA1 encryption-password=Poland123 name=nagios \
- security=private
- /system logging action
- # Logging action 3 sends to a remote log host.
- # NOTE(review): remote syslog is normally unencrypted; confirm that the path to
- # 195.28.0.110 runs inside the protected tunnel and not over the cellular uplink.
- set 3 remote=195.28.0.110
- /interface bridge port
- # Attaches physical ports, wlan1 and the VLAN sub-interfaces to the four bridges.
- # NOTE(review): ether2-master, ether3, ether4 and ether5 are bridged untagged into
- # OpocznoLublin-LAN and at the same time carry the VLAN sub-interfaces that feed the
- # camera, staff-Wi-Fi and guest bridges. VLAN interfaces on top of bridge member ports
- # are a known source of unexpected L2 behaviour in RouterOS; verify that the
- # LAN/camera/guest separation holds in practice.
- add bridge=OpocznoLublin-LAN hw=no interface=ether2-master
- add bridge=OpocznoLublin-LAN comment=defconf hw=no interface=wlan1
- add bridge=OpocznoLublin-LAN hw=no interface=vlan10.2
- add bridge=OpocznoLublin-LAN hw=no interface=vlan10.3
- add bridge=OpocznoLublin-LAN_Kamery hw=no interface=vlan20.2
- add bridge=OpocznoLublin-LAN_Kamery hw=no interface=vlan20.3
- add bridge=OpocznoLublin-Wifi_LAN hw=no interface=vlan30.2
- add bridge=OpocznoLublin-Wifi_LAN hw=no interface=vlan30.3
- add bridge=OpocznoLublin-Wifi_LAN hw=no interface=vlan30.4
- add bridge=OpocznoLublin-Wifi_LAN hw=no interface=vlan30.5
- add bridge=OpocznoLublin-Wifi_GOSC hw=no interface=vlan40.2
- add bridge=OpocznoLublin-Wifi_GOSC hw=no interface=vlan40.3
- add bridge=OpocznoLublin-Wifi_GOSC hw=no interface=vlan40.4
- add bridge=OpocznoLublin-Wifi_GOSC hw=no interface=vlan40.5
- add bridge=OpocznoLublin-LAN hw=no interface=ether3
- add bridge=OpocznoLublin-LAN hw=no interface=ether4
- add bridge=OpocznoLublin-LAN hw=no interface=ether5
- /ip neighbor discovery-settings
- # Neighbour discovery runs on every member of the "discover" list.
- # NOTE(review): that list includes ppp-out1 (the cellular uplink), the guest bridge and
- # its VLANs; discovery announcements disclose device identity and version. Limit the
- # list to management-facing interfaces.
- set discover-interface-list=discover
- /interface list member
- # NOTE(review): this LAN entry names no interface, so the LAN list appears to have no
- # usable member. The input-chain rule "drop all not coming from LAN" would then match
- # every interface — confirm this is intended.
- add comment=defconf list=LAN
- # WAN contains only ether1, which is disabled; ppp-out1 is not a member, so firewall
- # rules written against the WAN list do not apply to the live uplink.
- add comment=defconf interface=ether1 list=WAN
- add interface=ether2-master list=discover
- add interface=ether3 list=discover
- add interface=ether4 list=discover
- add interface=ether5 list=discover
- add interface=wlan1 list=discover
- add interface=ppp-out1 list=discover
- add interface=vlan10.2 list=discover
- add interface=vlan20.2 list=discover
- add interface=vlan30.2 list=discover
- add interface=vlan40.2 list=discover
- add interface=vlan10.3 list=discover
- add interface=vlan20.3 list=discover
- add interface=vlan30.3 list=discover
- add interface=vlan40.3 list=discover
- add interface=vlan30.4 list=discover
- add interface=vlan40.4 list=discover
- add interface=vlan30.5 list=discover
- add interface=vlan40.5 list=discover
- add interface=OpocznoLublin-LAN list=discover
- add interface=OpocznoLublin-LAN_Kamery list=discover
- add interface=OpocznoLublin-Wifi_LAN list=discover
- add interface=OpocznoLublin-Wifi_GOSC list=discover
- add interface=gre-tunnel1 list=discover
- # The mactel and mac-winbox entries also name no interface; presumably MAC-Telnet and
- # MAC-Winbox are therefore not offered on any port — confirm.
- add list=mactel
- add list=mac-winbox
- # Internal bridges allowed out by the forward chain; the guest bridge is not included.
- add interface=OpocznoLublin-LAN list=Dozwolone_inteface
- add interface=OpocznoLublin-Wifi_LAN list=Dozwolone_inteface
- add interface=OpocznoLublin-LAN_Kamery list=Dozwolone_inteface
- /interface wireless access-list
- # A single per-MAC entry. MAC-based access lists are bypassable by address spoofing and
- # do not replace the pre-shared key.
- add mac-address=8C:70:5A:DE:94:9C vlan-mode=no-tag
- /ip address
- # Gateway address of each /26 plus the /30 transfer network on the GRE tunnel.
- add address=172.28.25.1/26 interface=OpocznoLublin-LAN network=172.28.25.0
- add address=172.28.25.65/26 interface=OpocznoLublin-LAN_Kamery network=\
- 172.28.25.64
- add address=172.28.25.129/26 interface=OpocznoLublin-Wifi_LAN network=\
- 172.28.25.128
- add address=172.28.25.193/26 interface=OpocznoLublin-Wifi_GOSC network=\
- 172.28.25.192
- add address=172.31.19.18/30 interface=gre-tunnel1 network=172.31.19.16
- /ip dhcp-client
- # defconf leftover: the client is bound to ether1, which is disabled in this export.
- add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
- ether1
- /ip dhcp-server lease
- # Static leases (fixed MAC -> address bindings) for LAN hosts and the camera range.
- # These are inventory data: hardware addresses and the addressing plan are disclosed
- # to anyone who receives this export.
- add address=172.28.25.2 mac-address=8C:3B:AD:B1:20:BE server=\
- OpocznoLublin-LAN
- add address=172.28.25.5 client-id=1:f0:9f:c2:9e:67:36 mac-address=\
- F0:9F:C2:9E:67:36 server=OpocznoLublin-LAN
- add address=172.28.25.4 client-id=1:f0:9f:c2:9e:67:54 mac-address=\
- F0:9F:C2:9E:67:54 server=OpocznoLublin-LAN
- add address=172.28.25.78 client-id=1:0:46:b8:2:76:48 mac-address=\
- 00:46:B8:02:76:48 server=OpocznoLublin-LAN_Kamery
- add address=172.28.25.77 client-id=1:0:46:b8:2:76:30 mac-address=\
- 00:46:B8:02:76:30 server=OpocznoLublin-LAN_Kamery
- add address=172.28.25.76 client-id=1:0:46:b8:2:75:c mac-address=\
- 00:46:B8:02:75:0C server=OpocznoLublin-LAN_Kamery
- add address=172.28.25.75 client-id=1:0:46:b8:2:76:19 mac-address=\
- 00:46:B8:02:76:19 server=OpocznoLublin-LAN_Kamery
- add address=172.28.25.74 client-id=1:0:46:b8:2:75:41 mac-address=\
- 00:46:B8:02:75:41 server=OpocznoLublin-LAN_Kamery
- add address=172.28.25.73 client-id=1:0:46:b8:2:75:2 mac-address=\
- 00:46:B8:02:75:02 server=OpocznoLublin-LAN_Kamery
- add address=172.28.25.72 client-id=1:0:46:b8:2:76:79 mac-address=\
- 00:46:B8:02:76:79 server=OpocznoLublin-LAN_Kamery
- add address=172.28.25.71 client-id=1:0:46:b8:2:75:3e mac-address=\
- 00:46:B8:02:75:3E server=OpocznoLublin-LAN_Kamery
- add address=172.28.25.70 client-id=1:0:46:b8:2:76:7b mac-address=\
- 00:46:B8:02:76:7B server=OpocznoLublin-LAN_Kamery
- add address=172.28.25.66 mac-address=70:85:C2:73:36:6A server=\
- OpocznoLublin-LAN_Kamery
- add address=172.28.25.62 client-id=1:e0:d5:5e:2b:48:45 mac-address=\
- E0:D5:5E:2B:48:45 server=OpocznoLublin-LAN
- add address=172.28.25.46 client-id=1:e0:d5:5e:c:a3:93 mac-address=\
- E0:D5:5E:0C:A3:93 server=OpocznoLublin-LAN
- add address=172.28.25.47 client-id=1:e0:d5:5e:f:1d:bf mac-address=\
- E0:D5:5E:0F:1D:BF server=OpocznoLublin-LAN
- add address=172.28.25.10 client-id=1:0:25:36:21:ff:c0 mac-address=\
- 00:25:36:21:FF:C0 server=OpocznoLublin-LAN
- add address=172.28.25.254 always-broadcast=yes mac-address=00:04:A3:00:00:3E \
- server=OpocznoLublin-Wifi_GOSC
- /ip dhcp-server network
- # Per-subnet DHCP parameters. LAN, camera and staff Wi-Fi clients are pointed at the
- # internal resolvers 192.168.11.129/131.
- add address=172.28.25.0/26 dhcp-option=unifi dns-server=\
- 192.168.11.129,192.168.11.131 domain=megastorenet.pl gateway=172.28.25.1 \
- netmask=26 ntp-server=195.28.0.225
- add address=172.28.25.64/26 dns-server=192.168.11.129,192.168.11.131 domain=\
- megastorenet.pl gateway=172.28.25.65 netmask=26 ntp-server=195.28.0.225
- add address=172.28.25.128/26 dhcp-option=unifi dns-server=\
- 192.168.11.131,192.168.11.129 domain=megastorenet.pl gateway=\
- 172.28.25.129 netmask=26 ntp-server=195.28.0.225
- # Guest network: public resolver 8.8.8.8, but it still receives the corporate domain
- # suffix and the "unifi" option 43 value, which carries an internal address.
- # NOTE(review): consider dropping both for guests unless managed APs sit on this VLAN.
- add address=172.28.25.192/26 comment=defconf dhcp-option=unifi dns-server=\
- 8.8.8.8 domain=megastorenet.pl gateway=172.28.25.193 netmask=26 \
- ntp-server=195.28.0.225
- /ip dns
- # allow-remote-requests=yes makes the router answer DNS queries from any client that
- # the input chain lets through. Exposure is therefore decided by the firewall filter;
- # keep port 53 unreachable from the uplink so the router cannot be used as an open
- # resolver.
- set allow-remote-requests=yes
- /ip dns static
- # Factory-default entry; 192.168.88.1 is not assigned to any interface in this export.
- add address=192.168.88.1 name=router.lan
- /ip firewall address-list
- # Source/destination groups used by the forward chain: "IT" (administrator subnets)
- # and "Serwery" (Polish: "servers").
- add address=192.168.2.0/24 list=IT
- add address=192.168.3.0/24 list=IT
- add address=192.168.11.0/24 list=Serwery
- /ip firewall filter
- # Rules are evaluated top to bottom per chain; the first match wins. A rule exported
- # without action= uses the RouterOS default action, accept. Packets that match no
- # rule in a chain are accepted.
- add action=drop chain=forward comment="defconf: drop invalid" \
- connection-state=invalid
- add action=drop chain=input comment="defconf: drop invalid" connection-state=\
- invalid
- add action=accept chain=input comment=\
- "defconf: accept established,related,untracked" connection-state=\
- established,related,untracked
- add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- # NOTE(review): OSPF is accepted from every interface, not only gre-tunnel1. Restrict
- # it with in-interface=gre-tunnel1 so guest and LAN segments cannot send routing
- # packets to the router.
- add action=accept chain=input protocol=ospf
- # Management access from 195.28.0.0/23 (implicit accept).
- # NOTE(review): the list includes Telnet (23) and HTTP (80), which carry credentials in
- # clear text, and Winbox (8291). The export header reports RouterOS 6.41.2 from 2018;
- # confirm the device runs a currently supported release and drop the cleartext
- # services in favour of SSH/HTTPS. tcp/3389 and tcp/500 look out of place for the
- # input chain (IKE uses UDP) — confirm whether they are needed.
- add chain=input dst-port=23,22,80,3389,443,8291,8292,161,500 protocol=tcp \
- src-address=195.28.0.0/23
- add chain=input protocol=gre src-address=195.28.0.0/23
- add chain=input protocol=ipsec-esp src-address=195.28.0.0/23
- add chain=input dst-port=161 protocol=udp src-address=195.28.0.0/23
- # NOTE(review): accepts every protocol and port from one host on the cellular uplink.
- # Document what 185.30.145.31 is and narrow the rule to the ports it needs.
- add action=accept chain=input in-interface=ppp-out1 src-address=185.30.145.31
- add action=accept chain=forward comment=\
- "defconf: accept established,related, untracked" connection-state=\
- established,related,untracked
- # Everything from the LAN bridge may reach the router itself, including all management
- # services.
- add action=accept chain=input in-interface=OpocznoLublin-LAN
- # Effective end of the input chain. The LAN list has no interface-bearing member in
- # this export, so this rule presumably drops all remaining input on every interface.
- add action=drop chain=input comment="defconf: drop all not coming from LAN" \
- in-interface-list=!LAN
- # Disabled catch-all drop. The comment (CP1250 escapes) reads in Polish roughly
- # "ENABLE and see whether everything works".
- add action=drop chain=input comment=\
- "!!!!! W\A3\A5CZY\C6 i zobaczy\E6 czy wszytsko dzia\B3a" disabled=yes
- # NOTE(review): SNMP normally runs over UDP; this TCP rule may not match the polling
- # traffic it was written for.
- add chain=forward dst-port=161 protocol=tcp src-address=195.28.0.0/23
- # Comment: "Access for Dozwolone_inteface to the Internet".
- add action=accept chain=forward comment=\
- "Dostep dla Dozwolone_inteface do Internet" in-interface-list=\
- Dozwolone_inteface out-interface=ppp-out1
- # Guest Wi-Fi to the Internet.
- add action=accept chain=forward in-interface=OpocznoLublin-Wifi_GOSC \
- out-interface=ppp-out1
- # Any non-guest interface into the GRE tunnel.
- add action=accept chain=forward in-interface=!OpocznoLublin-Wifi_GOSC \
- out-interface=gre-tunnel1
- # NOTE(review): the comment says access for *non*-guest to Bacula, but the rule
- # matches traffic coming *from* the guest bridge to 192.168.11.13 (all ports) — the
- # same address the DHCP option 43 value decodes to. Confirm the intent and restrict
- # to the required protocol and port.
- add action=accept chain=forward comment=\
- "Dostep dla !OpocznoLublin-Wifi_Gosc do Bacula" dst-address=192.168.11.13 \
- in-interface=OpocznoLublin-Wifi_GOSC out-interface=gre-tunnel1
- # Comment: "Access for IT to dozwolone_inteface".
- add action=accept chain=forward comment=\
- "Dost\EAp dla IT do dozwolone_inteface" out-interface-list=\
- Dozwolone_inteface src-address-list=IT
- # Comment: "Access for Dozwolone_Inteface to gre and the server address range".
- add action=accept chain=forward comment=\
- "Dost\EAp dla Dozwolone_Inteface do gre i adresacji serwery" \
- dst-address-list=Serwery in-interface-list=Dozwolone_inteface \
- out-interface=gre-tunnel1
- add action=accept chain=forward comment="defconf: accept in ipsec policy" \
- ipsec-policy=in,ipsec
- add action=accept chain=forward comment="defconf: accept out ipsec policy" \
- ipsec-policy=out,ipsec
- # NOTE(review): established/related forward traffic is already accepted by an earlier
- # rule, so this fasttrack rule appears never to be reached.
- add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
- connection-state=established,related
- # Keeps guest clients away from the internal bridges. It is the only enabled drop for
- # guest traffic in the forward chain.
- add action=drop chain=forward in-interface=OpocznoLublin-Wifi_GOSC \
- out-interface-list=Dozwolone_inteface
- # NOTE(review): the WAN list holds only the disabled ether1, so this rule does not
- # cover new connections arriving on ppp-out1 or gre-tunnel1.
- add action=drop chain=forward comment=\
- "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
- connection-state=new in-interface-list=WAN
- # NOTE(review): the final forward drop is disabled, so the chain ends in
- # default-accept. As written, forward traffic that no rule above matches is allowed:
- # for example guest clients towards other destinations behind gre-tunnel1, traffic
- # between the LAN, camera and staff-Wi-Fi bridges, and new connections entering from
- # the uplink or the tunnel. Add the missing explicit accepts, then enable this rule.
- add action=drop chain=forward comment=\
- "!!!!! W\A3\A5CZY\C6 i zobaczy\E6 czy wszytsko dzia\B3a" disabled=yes
- /ip firewall nat
- # Source-NAT everything leaving through the cellular uplink.
- add action=masquerade chain=srcnat comment="defconf: masquerade" \
- out-interface=ppp-out1
- /ip ipsec peer
- # IKE peer for the central site (AES-256, SHA-256).
- # NOTE(review): the pre-shared key is exported in clear text; rotate it on both ends
- # if this export has been shared. dh-group still offers modp1024, which is considered
- # too weak today — offer modp2048 only, if the remote side allows.
- add address=195.28.0.237/32 dh-group=modp2048,modp1536,modp1024 \
- enc-algorithm=aes-256 hash-algorithm=sha256 secret=\
- 5tbgfrfcerg5htbgvrt5gtbr
- /ip ipsec policy
- # The default policy template (entry 0) is disabled; the added policy protects GRE
- # (protocol=gre) between the two tunnel endpoints in tunnel mode.
- set 0 disabled=yes
- add dst-address=195.28.0.237/32 protocol=gre sa-dst-address=195.28.0.237 \
- sa-src-address=87.251.228.130 src-address=87.251.228.130/32 tunnel=yes
- /ip route
- # Host route that pins the tunnel endpoint to the cellular uplink.
- add distance=1 dst-address=195.28.0.237/32 gateway=ppp-out1
- /routing ospf interface
- # OSPF on the GRE tunnel with MD5 authentication.
- # NOTE(review): the key is short and exported in clear text; rotate it. Only
- # gre-tunnel1 has an interface entry, so the bridges matched by the network statements
- # below presumably run OSPF with default, unauthenticated settings — add passive
- # interface entries for them.
- add authentication=md5 authentication-key=Egemqm interface=gre-tunnel1 \
- network-type=point-to-point
- /routing ospf network
- # All four local /26 networks, including the guest range 172.28.25.192/26, are placed
- # in the backbone area together with the tunnel transfer network.
- add area=backbone network=172.31.19.16/30
- add area=backbone network=172.28.25.0/26
- add area=backbone network=172.28.25.64/26
- add area=backbone network=172.28.25.128/26
- add area=backbone network=172.28.25.192/26
- /snmp
- # Turns the SNMP agent on; who may query it is set by the communities and the firewall.
- set enabled=yes
- /system clock
- set time-zone-name=Europe/Warsaw
- /system logging
- # account, critical, error and info go to both disk and the remote log host; interface
- # goes to the remote host and to the default action (no action= given); warning goes
- # to the remote host only.
- # NOTE(review): the "account" topic records logins, so the remote copy is the useful
- # one for investigations if the router itself is tampered with — make sure the remote
- # host retains it.
- add action=disk topics=account
- add action=remote topics=account
- add action=disk topics=critical
- add action=remote topics=critical
- add action=remote topics=error
- add action=disk topics=error
- add action=remote topics=info
- add action=disk topics=info
- add action=remote topics=interface
- add topics=interface
- add action=remote topics=warning
- /tool mac-server
- # MAC-Telnet is limited to the "mactel" list and MAC-Winbox to "mac-winbox". Both lists
- # have only interface-less members in this export, so these layer-2 management
- # services are presumably unreachable on every port — confirm.
- set allowed-interface-list=mactel
- /tool mac-server mac-winbox
- set allowed-interface-list=mac-winbox