
[admin@SSIMAKATIR01] > /export

# jan/18/2018 08:44:08 by RouterOS 6.41


# software id =
#
# model = CCR1009-7G-1C-1S+
# serial number = 3;f;;f;df
# Physical ports of the CCR1009. Roles, taken from the port comments and from
# the VLAN section that follows: ether1 = ISP1 uplink (RISE), ether2 = ISP2
# uplink (Eastern), ether3 = LAN trunk carrying the VLANs. MAC addresses are
# pinned explicitly; the double-escaped comments ("\"RISE ISP1\"") store
# literal quote characters in the comment text, which is harmless but noisy.
/interface ethernet
set [ find default-name=combo1 ] mac-address=64:D1:54:EF:8A:DD
set [ find default-name=ether1 ] comment="\"RISE ISP1\"" mac-address=\
64:D1:54:EF:8A:DE
set [ find default-name=ether2 ] comment="\"Eastern ISP2\"" mac-address=\
64:D1:54:EF:8A:DF
set [ find default-name=ether3 ] comment="\"LAN VLAN\" " mac-address=\
64:D1:54:EF:8A:E0
set [ find default-name=ether4 ] mac-address=64:D1:54:EF:8A:E1
set [ find default-name=ether5 ] mac-address=64:D1:54:EF:8A:E2
set [ find default-name=ether6 ] mac-address=64:D1:54:EF:8A:E3
set [ find default-name=ether7 ] mac-address=64:D1:54:EF:8A:E4
set [ find default-name=sfp-sfpplus1 ] mac-address=64:D1:54:EF:8A:DC
# 802.1Q sub-interfaces on the ether3 trunk, one per user segment plus a
# management VLAN. The names contain spaces, so every later reference must
# quote them exactly ("VLAN 100 - DATA"). The MGMT VLAN (205) rides the same
# trunk as user traffic and nothing in the forward chain of this export
# restricts which VLANs can reach it (see /ip firewall filter).
/interface vlan
add comment=MGMT interface=ether3 name="MGMT 205 - MGMT" vlan-id=205
add comment=DATA interface=ether3 name="VLAN 100 - DATA" vlan-id=100
add comment=Voice interface=ether3 name="VLAN 150 - Voice" vlan-id=150
add comment=Wireless interface=ether3 name="VLAN 175 - Wireless" vlan-id=175
add comment=VPN interface=ether3 name="VLAN 200 - VPN" vlan-id=200
# Default wireless security profile. This CCR model has no built-in radio, so
# this entry appears to be default boilerplate emitted by the export rather
# than anything in use.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools, one per segment, consumed by the DHCP servers and the PPP
# profile below.
# NOTE(review): the MGMT pool (192.168.200.129-254) lies in the VPN subnet,
# while the MGMT gateway and DHCP network further down use 192.168.205.0/24;
# this looks like a typo for 192.168.205.x - confirm. The VPN pool is used by
# both the "VPN" DHCP server and the L2TP_VPN ppp profile, so two independent
# allocators draw from the same range.
/ip pool
add name=DATA ranges=192.168.100.2-192.168.100.254
add name=Voice ranges=192.168.150.2-192.168.150.254
add name=Wireless ranges=192.168.175.2-192.168.175.254
add name=VPN ranges=192.168.200.2-192.168.200.126
add name=MGMT ranges=192.168.200.129-192.168.200.254
# One DHCP server per VLAN interface.
# NOTE(review): "dhcp1" binds to the untagged ether3 trunk and references a
# pool named dhcp_pool0 that is not defined in /ip pool above. The export
# prints disabled=no for the other five servers but not for this one, which
# suggests it is disabled and a leftover from initial setup - confirm and
# remove it if unused.
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether3 name=dhcp1
add address-pool=DATA disabled=no interface="VLAN 100 - DATA" name=DATA
add address-pool=Voice disabled=no interface="VLAN 150 - Voice" name=Voice
add address-pool=Wireless disabled=no interface="VLAN 175 - Wireless" name=\
Wireless
add address-pool=VPN disabled=no interface="VLAN 200 - VPN" name=VPN
add address-pool=MGMT disabled=no interface="MGMT 205 - MGMT" name=MGMT
# Profile applied to every L2TP user in /ppp secret. Both the server-side
# local-address and the client remote-address are drawn from the VPN pool.
# NOTE(review): use-mpls=yes on a remote-access profile is unusual - confirm
# it is intentional.
/ppp profile
add comment="\"L2TP_VPN\"" local-address=VPN name=L2TP_VPN remote-address=VPN \
use-mpls=yes
# Neighbor discovery runs on every non-dynamic interface, which includes the
# two ISP-facing ports (ether1, ether2); the router therefore announces itself
# to whatever shares those upstream segments. Limiting discovery to the
# LAN/MGMT interfaces avoids that exposure.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Detect-internet is allowed to probe and classify every interface (all four
# lists set to "all"). It adds dynamic interface-list membership as a side
# effect; confirm it is actually relied on, otherwise it is just background
# traffic on the uplinks.
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
# L2TP/IPsec remote access using the L2TP_VPN profile. The IPsec pre-shared
# key is printed in clear because this is a plain /export; it is shared by
# every VPN client and must be rotated now that the export has been published.
# Use "/export hide-sensitive" when sharing configurations.
/interface l2tp-server server
set default-profile=L2TP_VPN enabled=yes ipsec-secret="\$\pogiako" \
use-ipsec=yes
# PPTP server enabled alongside L2TP/IPsec, with tcp/1723 and GRE accepted
# from any source in /ip firewall filter. PPTP is considered broken and every
# /ppp secret below is service=l2tp, so nothing in this export can even
# authenticate over it - it appears enabled but unused. Disable it.
/interface pptp-server server
set enabled=yes
# IP accounting on, including traffic to/from the router itself
# (account-local-traffic=yes).
/ip accounting
set account-local-traffic=yes enabled=yes
# Interface addresses. The ether1 public address and the ether2 network have
# been redacted (43.000.0.00 / 115.00.00.0 are not valid as printed). Each VLAN
# has its gateway at .1 of a /24.
# NOTE(review): the ether2 address carries no prefix length, which RouterOS
# treats as /32; the redaction may have dropped it - confirm on the device.
/ip address
add address=43.000.0.00 interface=ether1 network=43.000.0.00
add address=192.168.100.1/24 comment="DATA Gateway" interface="VLAN 100 - DATA" \
network=192.168.100.0
add address=192.168.150.1/24 comment="Voice Gateway" interface=\
"VLAN 150 - Voice" network=192.168.150.0
add address=192.168.175.1/24 comment="Wireless Gateway" interface=\
"VLAN 175 - Wireless" network=192.168.175.0
add address=192.168.200.1/24 comment="VPN Gateway" interface="VLAN 200 - VPN" \
network=192.168.200.0
add address=192.168.205.1/24 comment="\"MGMT Gateway\"" interface=\
"MGMT 205 - MGMT" network=192.168.205.0
add address=115.85.14.2 comment="EASTERN ISP" interface=ether2 network=\
115.00.00.0
# DHCP clients on both uplinks. ether1 learns its address from ISP1 with
# use-peer-dns=no (resolvers are fixed in /ip dns). ether2 also has a static
# address in /ip address; a DHCP client on the same port can install a second
# default route - confirm which one ISP2 actually provides.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no
add dhcp-options=hostname,clientid interface=ether2
# Static DHCP reservations keyed on MAC (and client-id where known). The
# reservation for 192.168.100.251 is not tied to a server, so it applies to
# whichever server answers that client.
/ip dhcp-server lease
add address=192.168.100.246 client-id=1:38:d5:47:e:5d:cf mac-address=\
38:D5:47:0E:5D:CF server=DATA
add address=192.168.100.251 mac-address=2C:56:DC:39:8E:9D
add address=192.168.150.2 client-id=1:0:b:82:81:5:1e mac-address=\
00:0B:82:81:05:1E server=Voice
add address=192.168.175.237 client-id=1:0:80:92:e1:2e:31 mac-address=\
00:80:92:E1:2E:31 server=Wireless
add address=192.168.100.66 client-id=1:0:11:32:81:6c:94 mac-address=\
00:11:32:81:6C:94 server=DATA
add address=192.168.175.229 client-id=1:10:62:eb:91:68:fc mac-address=\
10:62:EB:91:68:FC server=Wireless
# Per-segment DHCP options. The internal resolvers 192.168.100.250/.248 sit in
# the DATA VLAN, so every other VLAN depends on inter-VLAN forwarding to reach
# them; the forward chain in this export does not restrict that.
# NOTE(review): the VPN network hands out 192.168.0.250/.248 instead of the
# 192.168.100.x used everywhere else - probably a typo. In the same entry
# "domain=dcalabon.comgateway=" has lost the line continuation between domain
# and gateway in this copy; as printed the domain value is wrong and no
# gateway is set - verify on the device.
/ip dhcp-server network
add address=192.168.100.0/24 comment="DATA Network" dns-server=\
192.168.100.250,192.168.100.248,8.8.8.8,8.8.4.4 domain=dcalabon.com \
gateway=192.168.100.1
add address=192.168.150.0/24 comment="Voice Network" dns-server=\
192.168.100.250,192.168.100.248,8.8.8.8,8.8.4.4 domain=dcalabon.com \
gateway=192.168.150.1
add address=192.168.175.0/24 comment="Wireless Network" dns-server=\
192.168.100.250,192.168.100.248,8.8.8.8,8.8.4.4 domain=dcalabon.com \
gateway=192.168.175.1
add address=192.168.200.0/24 comment="VPN Network" dns-server=\
192.168.0.250,192.168.0.248,8.8.8.8,8.8.4.4 domain=dcalabon.comgateway=\
192.168.200.1
add address=192.168.205.0/24 comment="\"MGMT Network\"" dns-server=\
192.168.100.250,192.168.100.248,8.8.8.8,8.8.4.4 domain=dcalabon.com \
gateway=192.168.205.1
# Router-side resolver forwarding to Google DNS plus an internal server
# (192.168.x.x is a redaction placeholder). allow-remote-requests=yes combined
# with the /ip firewall filter input rules that accept tcp/udp 53 from any
# interface makes this an open resolver reachable from both ISP links, i.e.
# a DNS amplification reflector. Restrict port 53 on input to the LAN/VLAN
# interfaces.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,192.168.x.x
# Bogon/reserved prefixes, consumed by the forward-chain "Drop to bogon list"
# rule as a *destination* filter only. RFC1918, 0.0.0.0/8 is kept and the
# private/multicast entries are disabled, presumably because the LAN itself
# is 192.168.0.0/16. Note there is no "support" list defined anywhere in this
# export although two filter rules below reference it, so those rules
# currently match nothing.
/ip firewall address-list
add address=0.0.0.0/8 comment=Self-Identification list=bogons
add address=10.0.0.0/8 comment=Private1918- disabled=yes list=bogons
add address=127.0.0.0/8 comment=loopback3330 list=bogons
add address=169.254.0.0/16 comment=Linklocal3330 list=bogons
add address=172.16.0.0/12 comment=Private1918 disabled=yes list=bogons
add address=192.168.0.0/16 comment=Private1918 disabled=yes list=bogons
add address=192.0.2.0/24 comment=ReservedIANATESTNet1 list=bogons
add address=192.88.99.0/24 comment=6to4relayanycast3068 list=bogons
add address=192.18.0.0/15 comment=nidbtesting list=bogons
add address=198.51.100.0/24 comment=reservedianatestnet2 list=bogons
add address=203.0.113.0/24 comment=reservedianatestnet3 list=bogons
add address=224.0.0.0/4 comment=mc,classd,iana. disabled=yes list=bogons
# Packet filter. Rules are evaluated top to bottom per chain; the first match
# wins. Findings from the rules as exported:
#  - the first input rule accepts WinBox (tcp/8291) from ANY source on ANY
#    interface; the later "except support list" drop is disabled and, sitting
#    below that accept, could never match even if enabled;
#  - the final "Drop anything else" rule is disabled, so the input chain ends
#    in the implicit accept: every listening service (ssh on 2200, WinBox, API
#    if enabled, ...) is reachable from both ISP links no matter what the
#    accept rules above say;
#  - DNS (53) is accepted from any interface (see /ip dns - open resolver);
#  - no rule uses in-interface, so WAN and LAN traffic are treated alike;
#  - every rule in the ICMP chain is disabled, so the three jumps are no-ops;
#  - the "support" address list referenced twice has no entries in this export.
# A defensive order would be: accept established/related, drop invalid,
# explicit accepts limited by in-interface or source list, then a final drop.
/ip firewall filter
# Unrestricted management access from any source - should be limited to the
# support list or to non-WAN interfaces before the final drop is enabled.
add action=accept chain=input comment="\"winbox\"" dst-port=8291 protocol=tcp
add action=accept chain=input comment="\"VPN\"" dst-port=1701 protocol=tcp
# tcp/1723 is for the PPTP server, which no /ppp secret can use (all are
# service=l2tp).
add action=accept chain=input comment="\"VPN\"" dst-port=1723 protocol=tcp
# Comment says IKEv2, but 500/4500 are IKE/NAT-T for the L2TP/IPsec server
# configured above. ESP (protocol 50) is not explicitly accepted and currently
# relies on the input chain's default accept.
add action=accept chain=input comment="\"IKEv2 pass through\"" dst-port=500 \
protocol=udp
add action=accept chain=input comment="\"IKEv2 pass through\"" dst-port=4500 \
protocol=udp
# SYN-flood heuristic: a source holding more than 30 concurrent TCP
# connections (per /32) is listed for 30 minutes and dropped by the next rule.
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \
connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=\
Syn_Flooder
# Port-scan detection (psd weight 21, 3s window); offenders are listed for a
# week and dropped by the next rule.
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\
tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=\
Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP \
protocol=icmp
# Disabled, and placed after the unconditional WinBox accept above, so it
# would not take effect even when enabled. Populate the "support" list first,
# then move this rule above the WinBox accept.
add action=drop chain=input comment="Block all access to the winbox - except to \
support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT\
\_ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=\
!support
# Bogon filtering on destination only, forward chain only; spoofed bogon
# sources entering from the uplinks are not covered.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
# Outbound SMTP rate limiting: sources exceeding 30 connections or 30/min to
# 25/587 are listed for 3 hours and blocked from SMTP by the next rule.
add action=add-src-to-address-list address-list=spammers address-list-timeout=\
3h chain=forward comment="Add Spammers to the list for 3 hours" \
connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
# Accepted from every interface, including the uplinks - see /ip dns.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
# Established/related accepts sit below the connection-limit and psd checks;
# moving them to the top of the chain avoids re-running those matchers for
# every packet of an existing flow.
add action=accept chain=input comment="Accept to established connections" \
connection-state=established
add action=accept chain=input comment="Accept to related connections" \
connection-state=related
# Matches nothing until the "support" address list is populated.
add action=accept chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=\
ICMP protocol=icmp
# Disabled: without this rule the input chain falls through to accept.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RU\
LE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# ICMP sub-chain (echo, reply, time-exceeded, unreachable, PMTUD, drop rest).
# All six rules are disabled, so the chain returns without deciding anything.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
disabled=yes icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 \
protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=\
11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=yes \
icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 \
protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
# GRE from any source, for the PPTP server; can go once PPTP is disabled.
add action=accept chain=input protocol=gre
# Dual-WAN setup: connections entering on each uplink are marked so the
# router's own replies leave on the same link, and LAN connections are split
# across the two uplinks with PCC (2 buckets, both-addresses-and-ports).
# NOTE(review): the two PCC rules match dst-address=192.168.100.0/24 WITHOUT
# negation, i.e. only traffic destined to the DATA subnet is classified; a
# typical PCC rule excludes the LAN instead (negated dst-address or
# dst-address-type=!local). They also match in-interface=ether3, whereas
# tagged user traffic arrives on the VLAN sub-interfaces. Finally, /ip route
# below has no routes carrying routing-mark=to_WAN1/to_WAN2, so the routing
# marks should fall through to the main table. As exported the balancing
# looks ineffective - verify with /ip firewall mangle print stats.
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1 new-connection-mark=\
WAN1_conn
add action=mark-connection chain=input in-interface=ether2 new-connection-mark=\
WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2
add action=mark-connection chain=prerouting dst-address=192.168.100.0/24 \
in-interface=ether3 new-connection-mark=WAN1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address=192.168.100.0/24 \
in-interface=ether3 new-connection-mark=WAN2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
in-interface=ether3 new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=ether3 new-routing-mark=to_WAN2
# Source NAT on both uplinks. No src-address restriction, so everything routed
# out of ether1/ether2 - VLAN clients and VPN clients alike - is masqueraded.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
# Default routes (no dst-address given, so 0.0.0.0/0). check-gateway=ping gives
# failover from the distance-1 gateway to the distance-2 one.
# NOTE(review): each route is listed twice - the duplicates are redundant and
# should be removed. The gateways 10.10.10.30 / 20.20.20.30 are in no subnet
# configured in /ip address and look like placeholders or redactions. Neither
# route carries routing-mark, so the to_WAN1/to_WAN2 marks set in mangle have
# no table to land in.
/ip route
add check-gateway=ping distance=1 gateway=10.10.10.30
add check-gateway=ping distance=1 gateway=10.10.10.30
add check-gateway=ping distance=2 gateway=20.20.20.30
add check-gateway=ping distance=2 gateway=20.20.20.30
# Management services. telnet/ftp/www/api-ssl are off and ssh is moved to
# 2200 (obscurity, not access control). winbox, api and www-ssl are not
# touched here and keep whatever state the device has, and no service carries
# an address= restriction. With the input chain's final drop disabled (see
# /ip firewall filter) every enabled service is reachable from both ISP links;
# set address= to the MGMT/VPN subnets on each service at minimum.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api-ssl disabled=yes
# L2TP user accounts, all bound to the L2TP_VPN profile and restricted to
# service=l2tp (so none of them work against the enabled PPTP server).
# NOTE(review): every account has password=password - either redacted for
# publication or real; in both cases the credentials have been exposed by
# this export and should be rotated. The five "payment" accounts carry no
# owner comment and look like shared credentials, which removes per-user
# accountability in the logs.
/ppp secret
add comment="Network Engineer" name=dcalabon password=password profile=\
L2TP_VPN service=l2tp
add comment="IT Manager" name=rain password=password profile=L2TP_VPN \
service=l2tp
add comment="\"Chief Operating Officer\"" name=freddy password=password \
profile=L2TP_VPN service=l2tp
add comment="\"IT Support Engineer\"" name=Jeremy password=password profile=\
L2TP_VPN service=l2tp
add comment="\"Chief Finance Officer\"" name=tony password=password profile=\
L2TP_VPN service=l2tp
add comment="\"Executive\"" name=benny password=password profile=L2TP_VPN \
service=l2tp
add name=payment password=password profile=L2TP_VPN service=l2tp
add name=payment2 password=password profile=L2TP_VPN service=l2tp
add name=payment3 password=password profile=L2TP_VPN service=l2tp
add name=payment4 password=password profile=L2TP_VPN service=l2tp
add name=payment5 password=password profile=L2TP_VPN service=l2tp
# Clock, identity and housekeeping tools.
# NOTE(review): the NTP servers 10.100.100.100 / 10.0.10.10 are in no subnet
# configured on this router, so they must be reached over the VPN or an ISP
# route - confirm they answer, otherwise the clock and every log timestamp
# drift. Identity SSIMAKATIR01 matches the prompt. The bandwidth-test server
# is off; the graphing entry is added with defaults, presumably covering all
# interfaces.
/system clock
set time-zone-name=Asia/Manila
/system identity
set name=SSIMAKATIR01
/system ntp client
set enabled=yes primary-ntp=10.100.100.100 secondary-ntp=10.0.10.10 \
server-dns-names=dcalabon.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
[admin@SSIMAKATIR01] >
