# version: 7.21.2 (stable) # factory-software: 6.44.3 # total-memory: 1024.0MiB # cpu: ARM # cpu-count: 4 # total-hdd-space: 512.0MiB # architecture-name: arm # board-name: RB4011iGS+ # platform: MikroTik # installed-version: 7.21.2 # Flags: U - UNDOABLE # Columns: ACTION, BY, POLICY, TIME # ACTION BY POLIC TIME # U dhcp lease removed tim2 write 2026-04-11 19:11:44 # U dhcp lease removed tim2 write 2026-04-11 17:03:23 # U dhcp lease removed tim2 write 2026-04-11 17:00:30 # U dhcp lease removed tim2 write 2026-04-11 17:00:30 # U dhcp lease removed tim2 write 2026-04-11 17:00:30 # U route 192.168.102.0/24 added tim2 write 2026-04-11 14:48:16 # U pool pool-vlan102-work removed tim2 write 2026-04-11 14:47:06 # U dhcp server dhcp-vlan102-work removed tim2 write 2026-04-11 14:46:59 # U address removed tim2 write 2026-04-11 14:46:53 # U dhcp server dhcp-vlan202-work-voice changed tim2 write 2026-04-10 11:19:15 # U pool CiscoAP removed tim2 write 2026-04-10 00:15:14 # U pool pool-vlan020-endpoints removed tim2 write 2026-04-10 00:15:10 # U pool pool-vlan040-users removed tim2 write 2026-04-10 00:15:06 # U pool pool-vlan142-guest2 removed tim2 write 2026-04-10 00:15:00 # U pool pool-vlan132-guest1 removed tim2 write 2026-04-10 00:15:00 # U pool pool-vlan302-pxe removed tim2 write 2026-04-10 00:14:52 # U pool pool-vlan402-lab-voice removed tim2 write 2026-04-10 00:14:48 # U dhcp lease removed tim2 write 2026-04-10 00:14:30 # U dhcp network removed tim2 write 2026-04-10 00:14:20 # U dhcp network removed tim2 write 2026-04-10 00:14:13 # U dhcp server dhcp-vlan-302-iPXE removed tim2 write 2026-04-10 00:14:07 # U route 192.168.132.0/24 added tim2 write 2026-04-10 00:12:22 # U address removed tim2 write 2026-04-10 00:12:11 # U address changed tim2 write 2026-04-10 00:05:58 # U route 192.168.30.0/24 added tim2 write 2026-04-10 00:03:28 # U dhcp network removed tim2 write 2026-04-09 23:58:29 # U dhcp network removed tim2 write 2026-04-09 23:58:21 # U dhcp network removed tim2 write 
2026-04-09 23:58:21 # U dhcp server dhcp-vlan142-guest2 removed tim2 write 2026-04-09 23:58:03 # U dhcp server dhcp-vlan132-guest1 removed tim2 write 2026-04-09 23:58:03 # U dhcp server dhcp-vlan040-users removed tim2 write 2026-04-09 23:57:56 # U dhcp server dhcp-vlan020-endpoints removed tim2 write 2026-04-09 23:57:53 # U dhcp server CiscoAP removed tim2 write 2026-04-09 23:57:49 # U dhcp server dhcp-vlan402-lab-voice removed tim2 write 2026-04-09 23:57:45 # U dhcp network removed tim2 write 2026-04-09 23:55:16 # U pool pool-vlan030-servers removed tim2 write 2026-04-09 23:55:05 # U dhcp server dhcp-vlan040-users changed tim2 write 2026-04-09 23:54:45 # U dhcp server dhcp-vlan040-users changed tim2 write 2026-04-09 23:54:41 # U dhcp server dhcp-vlan030-servers removed tim2 write 2026-04-09 23:54:29 # U address removed tim2 write 2026-04-09 23:54:19 # U route 192.168.40.0/24 added tim2 write 2026-04-09 17:12:29 # U address removed tim2 write 2026-04-09 17:12:22 # U dhcp server dhcp-vlan402-lab-voice changed tim2 write 2026-04-09 17:12:16 # U dhcp server dhcp-vlan040-users changed tim2 write 2026-04-09 17:12:16 # U added tim2 write 2026-04-09 12:00:11 # U removed tim2 write 2026-04-09 12:00:09 # U changed tim2 write 2026-04-09 11:56:15 # U route 192.168.242.0/24 added tim2 write 2026-04-09 11:53:03 # U route 192.168.232.0/24 added tim2 write 2026-04-09 11:53:01 # U route 192.168.142.0/24 added tim2 write 2026-04-09 11:53:01 # U route 192.168.110.0/24 added tim2 write 2026-04-09 11:53:01 # U route 192.168.20.0/24 added tim2 write 2026-04-09 11:53:01 # U dhcp network removed tim2 write 2026-04-09 11:31:28 # U address removed tim2 write 2026-04-09 11:31:21 # U dhcp server CiscoAP changed tim2 write 2026-04-09 11:31:15 # U dhcp network removed tim2 write 2026-04-09 11:20:25 # U dhcp server dhcp-vlan402-lab-voice changed tim2 write 2026-04-09 11:13:38 # U dhcp server dhcp-vlan142-guest2 changed tim2 write 2026-04-09 11:13:35 # U dhcp server dhcp-vlan132-guest1 changed 
tim2 write 2026-04-09 11:13:35 # U dhcp server dhcp-vlan020-endpoints changed tim2 write 2026-04-09 11:13:35 # U address removed tim2 write 2026-04-09 11:10:29 # U address removed tim2 write 2026-04-09 11:10:24 # U address removed tim2 write 2026-04-09 11:10:24 # U address removed tim2 write 2026-04-09 11:10:24 # U ospf-instance-1 changed tim2 write 2026-04-07 18:59:46 # U ospf-instance-1 changed tim2 write 2026-04-07 18:59:16 # U address removed tim2 write 2026-04-07 17:42:06 # U address changed tim2 write 2026-04-07 10:17:47 # U address changed tim2 write 2026-04-07 10:16:56 # U filter rule changed tim2 write 2026-04-07 01:05:56 # U device changed write 2026-04-06 21:00:16 # U Netwatch config added tim2 write 2026-04-06 21:00:13 # U device changed tim2 write 2026-04-06 20:38:23 # U device changed tim2 write 2026-04-06 20:35:42 # U device changed tim2 write 2026-04-06 20:34:17 # U address added tim2 write 2026-04-06 20:34:07 # U device added tim2 write 2026-04-06 20:34:00 # U device removed tim2 write 2026-04-06 20:32:27 # U address removed tim2 write 2026-04-06 20:32:21 # U address changed tim2 write 2026-04-06 20:29:18 # U device changed tim2 write 2026-04-06 20:28:01 # U address changed tim2 write 2026-04-06 20:26:26 # U address added tim2 write 2026-04-06 20:25:53 # U device added tim2 write 2026-04-06 20:23:12 # U changed tim2 write 2026-04-06 18:55:35 # U filter-rule-1 added tim2 write 2026-04-05 19:19:00 # U filter-rule-2 removed tim2 write 2026-04-05 19:18:54 # U filter-rule-1 removed tim2 write 2026-04-05 19:18:54 # U ospf-instance-1 changed tim2 write 2026-04-05 19:18:08 # U filter-rule-2 added tim2 write 2026-04-05 19:17:33 # U ospf-instance-1 changed tim2 write 2026-04-05 19:17:12 # U filter-rule-1 added tim2 write 2026-04-05 19:13:36 # U ospf-instance-1 changed tim2 write 2026-04-05 14:58:49 # U filter rule changed tim2 write 2026-04-05 14:55:18 # U filter rule changed tim2 write 2026-04-05 14:55:18 # U filter rule changed tim2 write 2026-04-05 
# 14:55:18
# U filter rule changed tim2 write 2026-04-05 14:55:18
# U filter rule changed tim2 write 2026-04-05 14:55:18
# U filter rule changed tim2 write 2026-04-05 14:55:10
# U filter rule changed tim2 write 2026-04-05 14:55:10
#
# software id = AY9J-5L1Y
#
# model = RB4011iGS+
# serial number = D1270B39070F
#
# review: this export contains live secrets in clear text (the WireGuard
# private key, the SNMPv3 auth/encryption passwords and HTTP basic-auth
# credentials inside DHCP provisioning URLs). Anyone who has seen this file
# holds them; rotate each one and keep sensitive values out of future exports.
# review: every drop rule in /ip firewall filter below is disabled=yes, so both
# the input and forward chains end in the implicit accept; the notes on the
# individual rules assume that state.
/interface bridge
# review: vlan-filtering is on but ingress-filtering=no; consider enabling it so
# tagged frames for VLAN IDs the bond is not a member of are discarded at the
# port instead of being accepted - confirm against the 3850 trunk config first.
add comment="LAN bridge (VLAN filtering)" ingress-filtering=no name=bridgeLAN priority=0x1000 pvid=999 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Physically connected to ONU 10G - 123net INTERNET!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
set [ find default-name=ether2 ] comment="Leg 1 to LACP NetGear WOW"
set [ find default-name=ether3 ] comment="Leg 2 to LACP NetGear WOW"
set [ find default-name=ether4 ] comment="NOT CONNECTED!!!!!!!!!!!!!!!!"
set [ find default-name=ether5 ] comment="NOT CONNECTED!!!!!!!!!!!!!!!!!!!!!!!"
set [ find default-name=ether6 ] comment=OOB
set [ find default-name=ether7 ] comment="NOT CONNECTED!!!!!!!!!!!!!!!"
set [ find default-name=ether8 ] comment="NOT CONNECTED!!!!!!!!!!!!!!!!!!!!!!"
set [ find default-name=ether9 ] comment="Leg 1 to LACP Cisco 3850 Layer 3 Switch"
set [ find default-name=ether10 ] comment="Leg 2 LACP to Cisco 3850 Layer 3 Switch" poe-out=off
set [ find default-name=sfp-sfpplus1 ] comment="WAN candidate - SFP+ copper module"
/interface wireguard
# review: private-key is exported in clear text. Treat the tunnel identity as
# disclosed: generate a new key pair here and update the matching public key on
# the work-side peer.
add comment="WireGuard tunnel to work tik" listen-port=51820 mtu=1420 name=wg-work private-key="4KJtCDVlmQ24JqEvasFhED5LMVU1SCpxcNXy822n23M="
/interface vlan
add comment="CiscoAP VLAN 110" interface=bridgeLAN name=CiscoAP vlan-id=110
add comment="Where all EndPoints are connected" interface=bridgeLAN name=vlan020-endpoints vlan-id=20
add comment="Where Servers are connected" interface=bridgeLAN name=vlan030-servers vlan-id=30
add comment=DATA!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! interface=bridgeLAN name=vlan040-users vlan-id=40
add comment=MGMT!!!!!!!!!!!!!!!!!!!!!!!! interface=bridgeLAN name=vlan099-mgmt vlan-id=99
add comment="DMZ Web Hosint" interface=bridgeLAN name=vlan100-dmz vlan-id=100
add comment=Work_LAN interface=bridgeLAN name=vlan102-work vlan-id=102
add comment="Guest WiFi Network 1" interface=bridgeLAN name=vlan132-guest1 vlan-id=132
add comment="Guest WiFi Network 2" interface=bridgeLAN name=vlan142-guest2 vlan-id=142
add comment="Movie_LAN (Dirty-LAN)" interface=bridgeLAN name=vlan160-dirty vlan-id=160
add comment=Work_Phone_VLAN_202 interface=bridgeLAN name=vlan202-work-voice vlan-id=202
add comment="iPXE Boot Server" interface=bridgeLAN name=vlan302-pxe vlan-id=302
add comment=PHONES!!!!!!!!!!!!!!!!!!!!!!!!! interface=bridgeLAN name=vlan402-lab-voice vlan-id=402
add comment="Native VLAN 999" interface=bridgeLAN name=vlan999-native vlan-id=999
/interface bonding
add comment="LACP to Cisco 3850 Layer 3 Switch" mode=802.3ad name=Bond_To_Cisco3850_Layer3Switch slaves=ether9,ether10 transmit-hash-policy=layer-2-and-3
add comment="LACP to NetGear WOW" mode=802.3ad name=LACP_TO_NetGear_WOW slaves=ether2,ether3
/interface vrrp
# received packet from 192.168.99.7 bad format
# review: 192.168.99.7 is pfSense per /ip dns static; the export-time warning
# above suggests a VRRP version/group mismatch between the two - confirm.
add interface=vlan099-mgmt name=vrrp99 priority=110 version=2
/interface list
add name=WAN
add name=LAN
add name=MGMT
add name=OOB
/ip dhcp-server option
# review: the *_Fusion/*_FUSION and *_UC options embed a username:password in a
# plain-http URL. DHCP hands that string to any client on the VLAN that asks for
# the option and the phone then sends it unencrypted; rotate those credentials
# with the provider. In this export only the Phone_Options set is attached to
# a server/network, so the FUSION, UC, IM and HomeLabPhones sets appear unused.
add code=66 name=Provision_66_Fusion value="'http://fusiontest:3%WQ3ff0^j@pbx-ece.123.net/app/provision'"
add code=129 name=Phone_VLAN value="'VLAN-A=202'"
add code=66 name=Provision_66 value="'http://provisioner.123.net'"
add code=160 name=Provision_160_FUSION value="'http://fusiontest:3%WQ3ff0^j@pbx-ece.123.net/app/provision'"
# review: 0xFFFFB9B0 is -18000 s (UTC-5), i.e. Detroit standard time. The DHCP
# time-offset option is code 2 in RFC 2132; code=162 looks like a typo - verify.
add code=162 name=Time_Offset value=0xFFFFB9B0
add code=42 name=Time_Server value="'216.239.35.12'"
add code=66 name=Provision_66_UC value="'http://mvldeviceprov:PvNeMBssZqi9LEE@provision.myvoicelink.com/cfg'"
add code=160 name=Provision_160 value="'http://provisioner.123.net'"
add code=66 comment="ubuntu pxe server / iPXE client" name=timsProvision_yealink value="'http://192.168.132.10/yealink'"
add code=66 comment="ubuntu pxe server / iPXE client" name=timsProvisioner_poly value="'http://192.168.132.10/polycom'"
add code=129 comment="HomeLabPhones_VLAN 402" name=HomeLabPhones_VLAN value="'VLAN-A=402'"
# review: comment names 128.138.14.211 but the value handed out is
# 198.137.202.32 - one of the two is stale.
add code=42 comment="tf.nist.gov 128.138.14.211 ntp server" name=timsHomeLabNTP value="'198.137.202.32'"
add code=43 comment="ubuntu pxe server /iPXE client" name=timsProvision_Yealink value="'http://192.168.132.10/yealink'"
add code=160 name="Provision_160_IM_POLY 160" value="'https://config.telecomsvc.com/configServlet/Polycom'"
# review: name says 160 but code=166 - confirm which one the phones expect.
add code=166 name=Provision_160_UC value="'http://mvldeviceprov:PvNeMBssZqi9LEE@provision.myvoicelink.com/cfg'"
add code=160 name=Provision_160_IM_Yealink value="'https://config.telecomsvc.com:6716/configServlet/Yealink'"
# review: the POLY option 66 points at the Yealink servlet - looks like a
# copy/paste slip.
add code=66 name=Provision_66_IM_POLY value="'https://config.telecomsvc.com:6716/configServlet/Yealink'"
add code=66 name=Provision_66_IM_Yealink value="'https://config.telecomsvc.com:6716/configServlet/Yealink'"
add code=43 name=Provision_43_IM_Yealink value="'https://config.telecomsvc.com:6716/configServlet/Yealink'"
/ip dhcp-server option sets
add name=LAN_Options options=Time_Server,Time_Offset
add name=Phone_Options options=Time_Offset,Time_Server,Provision_160,Provision_66,Phone_VLAN
add name=Phone_Options_FUSION options="Time_Offset,Time_Server,Provision_160_FUSION,Provision_66_Fusion,Phone_VLAN"
add name=Phone_Options_IM_POLY options="Time_Offset,Time_Server,Provision_160_IM_POLY 160,Provision_66_IM_POLY,Phone_VLAN"
add name=HomeLabPhones options="timsHomeLabNTP,HomeLabPhones_VLAN,timsProvision_yealink,timsProvision_Yealink"
add name=Phone_Options_IM options="Time_Offset,Time_Server,Provision_160_IM_Yealink,Provision_66_IM_Yealink,Phone_VLAN"
/ip ipsec proposal
# review: pfs-group=none disables perfect forward secrecy on the default
# proposal. IPsec appears unused here (policy 0 is disabled below); set a PFS
# group before any policy is enabled.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip pool
add comment="vlan 99" name=pool-vlan099-mgmt ranges=192.168.99.100-192.168.99.199
add comment="Webserver vlan 100 on Proxmox" name=pool-vlan100-dmz ranges=192.168.100.100-192.168.100.199
add comment="Work voice vlan 202" name=pool-vlan202-work-voice ranges=172.16.123.100-172.16.123.199
add comment=OOB name=OOB ranges=192.168.88.100-192.168.88.200
/ip dhcp-server
add address-pool=pool-vlan099-mgmt comment="Management " interface=vlan099-mgmt lease-time=1d name=dhcp-vlan099-mgmt
add address-pool=pool-vlan100-dmz comment=DMZ interface=vlan100-dmz lease-time=1d name=dhcp-vlan100-dmz
add address-pool=pool-vlan202-work-voice comment=Work_Phone_VLAN_202 dhcp-option-set=Phone_Options interface=vlan202-work-voice lease-time=1d name=dhcp-vlan202-work-voice
# Interface not running
add address-pool=OOB comment=OOB interface=ether6 name=OOB server-address=192.168.88.1
/routing ospf instance
# review: inbound routes are filtered by the ospf-in chain (RFC1918 only) and
# nothing is redistributed - good.
add comment=backbone disabled=no in-filter-chain=ospf-in name=ospf-instance-1 redistribute="" router-id=192.168.99.1
/routing ospf area
add instance=ospf-instance-1 name=backbone
/routing rip instance
# review: this instance redistributes connected and static routes, and its only
# interface-template (below) is LACP_TO_NetGear_WOW, which is a member of the
# WAN list. No RIP authentication is visible in this export; the internal
# topology is advertised toward that uplink whenever the bond is up.
add disabled=no name=rip-instance-1 redistribute=connected,static,rip routing-table=main
/snmp community
# review: the default community is used for SNMPv3 with the same secret for
# authentication and encryption, exported in clear text, and SHA1 auth. Rotate
# to two distinct secrets; the source restriction to three /32 hosts is good.
set [ find default=yes ] addresses=192.168.99.43/32,192.168.99.187/32,192.168.99.184/32 authentication-password=Joshua3412@ authentication-protocol=SHA1 comment=core-router encryption-password=Joshua3412@ encryption-protocol=AES
/system logging action
# review: 192.168.1.43 is in no subnet configured on this router, while PRTG is
# 192.168.99.43 everywhere else - likely a typo, so remote logging may be going
# nowhere. No /system logging rule referencing this action appears in the export.
add name=PRTG remote=192.168.1.43 target=remote
/container config
set registry-url=https://registry-1.docker.io
/interface bridge port
add bridge=bridgeLAN comment="LACP to Cisco 3850 Layer 3 Switch" interface=Bond_To_Cisco3850_Layer3Switch pvid=999
/ip firewall connection tracking
set udp-timeout=3m30s
/ip neighbor discovery-settings
# review: neighbor discovery and LLDP details are sent on every interface,
# including the WAN-list members (ether1, sfp-sfpplus1, the WOW bond). Scope
# this to the LAN or MGMT list so model/identity data is not advertised upstream.
set discover-interface-list=all lldp-mac-phy-config=yes lldp-max-frame-size=yes lldp-vlan-info=yes
/interface bridge vlan
add bridge=bridgeLAN comment=vlan099-mgmt tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=99
add bridge=bridgeLAN comment=vlan020-endpoints tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=20
add bridge=bridgeLAN comment=vlan030-servers tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=30
add bridge=bridgeLAN comment=vlan040-users tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=40
add bridge=bridgeLAN comment=vlan102-work tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=102
add bridge=bridgeLAN comment=vlan202-work-voice tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=202
add bridge=bridgeLAN comment=vlan302-pxe tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=302
add bridge=bridgeLAN comment=vlan402-lab-voice tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=402
add bridge=bridgeLAN comment=vlan999-native untagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=999
add bridge=bridgeLAN comment=vlan160-dirty tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=160
add bridge=bridgeLAN comment=vlan132-guest1 tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=132
add bridge=bridgeLAN comment=vlan142-guest2 tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=142
add bridge=bridgeLAN tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=100
add bridge=bridgeLAN tagged=bridgeLAN,Bond_To_Cisco3850_Layer3Switch vlan-ids=110
/interface list member
# review: the DMZ, dirty and both guest VLANs are members of LAN, so every
# LAN-scoped accept in the filter ("forward: LAN -> WAN", "MGMT -> all LAN",
# the disabled "Allow inter-VLAN") applies to them; their isolation relies on the
# DROP DMZ/GUEST/DIRTY rules, all of which are currently disabled.
add interface=ether1 list=WAN
add comment="WOW WAN (when used)" interface=LACP_TO_NetGear_WOW list=WAN
add interface=vlan099-mgmt list=LAN
add interface=vlan020-endpoints list=LAN
add interface=vlan030-servers list=LAN
add interface=vlan040-users list=LAN
add interface=vlan102-work list=LAN
add interface=vlan202-work-voice list=LAN
add interface=vlan302-pxe list=LAN
add interface=vlan402-lab-voice list=LAN
add interface=bridgeLAN list=LAN
add interface=ether6 list=MGMT
add interface=ether6 list=OOB
add interface=vlan160-dirty list=LAN
add interface=vlan099-mgmt list=MGMT
add interface=vlan132-guest1 list=LAN
add interface=vlan142-guest2 list=LAN
add comment="WAN over SFP+ copper (prepared)" interface=sfp-sfpplus1 list=WAN
add comment=WebServer interface=vlan100-dmz list=LAN
add interface=CiscoAP list=LAN
/interface wireguard peers
# review: allowed-address includes 192.168.40.0/24, 192.168.30.0/24,
# 192.168.102.0/24 and the whole 192.168.0.0/16 (which covers the local MGMT
# VLAN). WireGuard accepts packets from the peer sourced from any of these, and
# "Allow WG -> LAN" in the filter accepts everything from wg-work. Narrow the
# list to the remote prefixes actually routed via wg-work in /ip route.
add allowed-address="172.31.255.2/32,192.168.101.0/24,192.168.10.0/24,172.16.1.0/24,192.168.253.0/24,192.168.254.0/24,192.168.40.0/24,192.168.30.0/24,192.168.102.0/24,192.168.0.0/16" client-allowed-address=::/0 comment="Subnets at my desk lab" interface=wg-work name=peer1 public-key="5PFhkHkWtQbHx9QWrKdFsPuNGzUaaNZbAFDFyRAGcQw="
/ip address
add address=192.168.99.1/24 comment="MGMT VLAN 99" interface=vlan099-mgmt network=192.168.99.0
add address=192.168.88.1/24 comment="OOB management" interface=ether6 network=192.168.88.0
add address=172.31.255.1/30 comment="WireGaurd connection to work mikrotik" interface=wg-work network=172.31.255.0
add address=192.168.100.1/24 comment="DMZ WebServer" interface=vlan100-dmz network=192.168.100.0
# review: work voice lives on 172.16.123.0/24 here, but the WORK_VOICE filter
# rules and the VOICE_NETS list use 192.168.202.0/24 - those rules never match
# this VLAN's traffic.
add address=172.16.123.1/24 comment="Work Voice vlan 202" interface=vlan202-work-voice network=172.16.123.0
add address=192.168.99.254/24 comment="VRRP IP" interface=vrrp99 network=192.168.99.0
/ip dhcp-client
# Interface not active
add comment="DHCP Client for NetGear WOW" default-route-distance=2 interface=LACP_TO_NetGear_WOW use-peer-dns=no
# Interface not active
# review: the export flags ether1's DHCP client as not active although ether1
# is commented as the live ISP link; there is no static /ip address on ether1
# either, so confirm where the WAN address comes from.
add add-default-route=no default-route-tables=main interface=ether1
add add-default-route=no interface=sfp-sfpplus1 use-peer-dns=no
/ip dhcp-relay
add dhcp-server=192.168.160.1 disabled=no interface=vlan160-dirty name=relay1
/ip dhcp-server lease
add address=192.168.99.176 client-id=1:8c:ae:4c:bc:6c:4c mac-address=8C:AE:4C:BC:6C:4C server=dhcp-vlan099-mgmt
add address=192.168.99.174 client-id=1:d8:b3:70:f5:9e:fc mac-address=D8:B3:70:F5:9E:FC server=dhcp-vlan099-mgmt
/ip dhcp-server network
add address=172.16.123.0/24 comment="Work Voice" dhcp-option-set=Phone_Options dns-server=216.234.97.2,216.234.97.3 domain=timsablab.ddns.net gateway=172.16.123.1 netmask=24
add address=192.168.88.0/24 comment="OOB management" dns-server=192.168.99.43,192.168.88.1 gateway=192.168.88.1
add address=192.168.99.0/24 comment="MGMT For All" dns-server=192.168.99.43,192.168.99.1,8.8.8.8,1.1.1.1 domain=timsablab.ddns.net gateway=192.168.99.1 ntp-server=192.168.99.1
add address=192.168.100.0/24 comment="DMZ WebServer" dns-server=192.168.99.43,8.8.8.8,1.1.1.1 domain=timsablab.ddns.net gateway=192.168.100.1
# review: no DHCP server for vlan102-work exists in this export (the history
# shows it removed) and 192.168.102.0/24 is routed to the 3850, so this network
# entry appears orphaned.
add address=192.168.102.0/24 comment="Work Data" dns-server=8.8.8.8,1.1.1.1 domain=timsablab.ddns.net gateway=192.168.102.1
/ip dns
# review: allow-remote-requests=yes together with the unrestricted input accept
# for udp/53 ("DNS v2 PRTG") and the disabled "Drop WAN access to router" makes
# this an open recursive resolver toward the WAN list. Restrict the udp/53
# input rule to the LAN/MGMT lists (or a src-address-list) before enabling the
# input drops.
set allow-remote-requests=yes servers=192.168.99.43,8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.99.2 comment="Cisco 3850 Layer 3 Switch " name=timsablabLayer3Switch type=A
add address=192.168.99.3 comment="Cisco 2960 Layer 2 Switch" name=basement_switch type=A
add address=192.168.99.4 comment="Cisco 2960 Layer 2 Switch" name=livingroom_switch type=A
# review: two capwap-controller names differing only in case resolve to .17 and
# .171; name lookups are case-insensitive, so one of these is ambiguous.
add address=192.168.99.17 comment="V17 15" name=cisco-capwap-controller type=A
add address=192.168.99.171 comment="V17 12" name=Cisco-capwap-controller type=A
add address=192.168.99.5 comment="Cisco Nexus Switch" name=nexusSwitch type=A
add address=192.168.99.7 comment=pfSense name=pfSense type=A
add address=192.168.99.13 comment=Adtran name=adtran type=A
# review: 192.168.99.6 is assigned to both ciscoRouter and officeSwitch below.
add address=192.168.99.6 comment="Cisco Router 4221" name=ciscoRouter type=A
add address=192.168.99.14 comment=newLivingroomSwitch name=newLivingroomSwitch type=A
add address=192.168.99.15 comment=newBoysBedroomSwitch name=newBoysBedroomSwitch type=A
add address=192.168.99.6 comment=officeSwitch name=officeSwitch type=A
/ip firewall address-list
add address=216.150.234.0/24 comment=123NET list=123_WAN
add address=172.31.255.0/30 comment="Wire Guard Tunnel To Work Mikrotik" list=wg-work
add address=192.159.66.3 comment="SIPStation primary" list=SIPSTATION
add address=162.253.134.142 comment="SIPStation secondary" list=SIPSTATION
add address=192.168.99.0/24 comment="MGMT VLAN 99" list=vlan099-mgmt
add address=192.168.20.0/24 list=vlan020-endpoints
add address=192.168.30.0/24 comment="Internal Servers" list=vlan030-servers
add address=192.168.40.0/24 comment="End Users" list=vlan040-users
add address=192.168.132.0/24 comment="iPXE Boot server" list=vlan302-pxe
add address=192.168.142.0/24 comment=FreePBX list=vlan402-lab-voice
add address=192.168.160.0/24 comment="Movie VLAN 160" list=vlan160-dirty
add address=192.168.88.0/24 list=oob
add address=192.168.100.0/24 comment="DMA WebServer" list=vlan100-dmz
add address=192.168.102.0/24 comment="Work DATA VLAN 102" list=vlan102-work
add address=172.16.123.0/24 comment="Work VLAN for VOICE" list=vlan202-work-voice
add address=192.168.232.0/24 list=GUEST_NETS
add address=192.168.242.0/24 list=GUEST_NETS
add address=192.168.142.0/24 comment=FreePBX list=VOICE_NETS
add address=192.168.202.0/24 list=VOICE_NETS
add address=192.168.0.0/16 list=RFC1918_LAB
add address=172.16.0.0/12 list=RFC1918_LAB
add address=10.0.0.0/8 list=RFC1918_LAB
add address=192.168.110.0/24 list=CiscoAP
/ip firewall filter
# review: rules are evaluated in order. With "Temp ALL" as the second forward
# rule and every drop disabled, the forward chain accepts everything and the
# per-VLAN accept rules below are documentation only. Suggested order when
# tightening: established/related, drop invalid, the specific accepts, then the
# DEFAULT DENY / drop-all rules last, with the Guest -> Internet rules moved
# above them.
add action=accept chain=forward comment="forward: LAN -> WAN" in-interface-list=LAN out-interface-list=WAN
# review: unconditional accept - shadows every forward rule after it.
add action=accept chain=forward comment="Temp ALL"
add action=accept chain=forward dst-address=192.168.99.43 dst-port=53 protocol=tcp src-address-list=vlan040-users
add action=accept chain=forward comment="MGMT -> all LAN" out-interface-list=LAN src-address=192.168.99.0/24
add action=accept chain=forward comment="Allow inter-VLAN (LAN<->LAN)" disabled=yes in-interface-list=LAN out-interface-list=LAN
add action=accept chain=forward comment="Servers to MGMT" dst-address-list=vlan099-mgmt src-address-list=vlan030-servers
add action=drop chain=input comment="drop invalid (input)" connection-state=invalid disabled=yes
add action=drop chain=forward comment="drop invalid (forward)" connection-state=invalid disabled=yes
add action=accept chain=input comment="input: allow established/related" connection-state=established,related,untracked
add action=accept chain=forward comment="forward: allow established/related" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow port-forwards (dstnat)" connection-nat-state=dstnat
# review: udp/161 and udp/53 are accepted on input from any interface and
# source. SNMP is additionally gated by the community address list; DNS is not
# (see /ip dns). Add in-interface-list=LAN or a src-address-list to both.
add action=accept chain=input comment=PRTG dst-port=161 protocol=udp
add action=accept chain=input comment="DNS v2 PRTG" dst-port=53 protocol=udp
add action=accept chain=forward comment="OOB -> MGMT" dst-address=192.168.99.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="OOB -> MGMT (Proxmox access)" connection-state=new in-interface=ether6 out-interface=vlan099-mgmt src-address=192.168.88.0/24
# review: this accept requires in-interface=ether1, but the matching dstnat
# rule "OpenVPN -> pfSense" requires in-interface=sfp-sfpplus1; whichever port
# carries the WAN, one of the two never matches.
add action=accept chain=forward comment="Allow OpenVPN forward to pfSense" dst-port=1194 in-interface=ether1 in-interface-list=WAN protocol=udp
# review: accepts all traffic from the tunnel to any destination; pair this with
# a narrowed peer allowed-address or a dst-address-list.
add action=accept chain=forward comment="Allow WG -> LAN" in-interface=wg-work
add action=accept chain=forward comment="Allow LAN -> WG" out-interface=wg-work
add action=accept chain=forward comment="USERS -> SERVERS limited TCP" dst-address=192.168.30.0/24 dst-port=80,443,22,3389 protocol=tcp src-address=192.168.40.0/24
add action=accept chain=forward comment="USERS -> SERVERS ICMP" dst-address=192.168.30.0/24 protocol=icmp src-address=192.168.40.0/24
add action=accept chain=forward comment="USERS -> SERVERS SMB" dst-address=192.168.30.0/24 dst-port=445 protocol=tcp src-address=192.168.40.0/24
add action=accept chain=forward comment="WORK_DATA -> SERVERS limited" dst-address=192.168.30.0/24 dst-port=80,443,22,3389 protocol=tcp src-address=192.168.102.0/24
add action=accept chain=forward comment="WORK_DATA -> SERVERS ICMP" dst-address=192.168.30.0/24 protocol=icmp src-address=192.168.102.0/24
add action=accept chain=forward comment="PXE -> SERVERS DHCP/TFTP" dst-address=192.168.30.0/24 dst-port=67,68,69 protocol=udp src-address=192.168.132.0/24
add action=accept chain=forward comment="PXE -> SERVERS HTTP/HTTPS" dst-address=192.168.30.0/24 dst-port=80,443 protocol=tcp src-address=192.168.132.0/24
add action=accept chain=forward comment="LAB_VOICE -> DNS/DHCP/NTP/SIP" dst-port=53,67,68,123,5060 protocol=udp src-address=192.168.142.0/24
add action=accept chain=forward comment="LAB_VOICE -> RTP if routed" dst-port=10000-20000 protocol=udp src-address=192.168.142.0/24
# review: WORK_VOICE is 172.16.123.0/24 per /ip address; 192.168.202.0/24 is
# not configured anywhere on this router, so these two rules are inert.
add action=accept chain=forward comment="WORK_VOICE -> DNS/DHCP/NTP/SIP" dst-port=53,67,68,123,5060 protocol=udp src-address=192.168.202.0/24
add action=accept chain=forward comment="WORK_VOICE -> RTP if routed" dst-port=10000-20000 protocol=udp src-address=192.168.202.0/24
add action=accept chain=forward comment="DMZ webserver -> Keycloak" dst-address=192.168.30.104 dst-port=8080 protocol=tcp src-address=192.168.100.10
add action=accept chain=forward comment="DMZ webserver -> iRedMail HTTPS" dst-address=192.168.30.103 dst-port=443 protocol=tcp src-address=192.168.100.10
add action=accept chain=forward comment="DMZ webserver -> PRTG" dst-address=192.168.99.43 dst-port=8090 protocol=tcp src-address=192.168.100.10
add action=accept chain=forward comment="DMZ webserver -> Grafana" dst-address=192.168.99.187 dst-port=3000 protocol=tcp src-address=192.168.100.10
add action=accept chain=forward comment="DMZ webserver -> FreePBX HTTPS" dst-address=192.168.142.42 dst-port=443 protocol=tcp src-address=192.168.100.10
add action=accept chain=forward comment="Allow HTTP to DMZ webserver" dst-address=192.168.100.10 dst-port=80 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="DMZ webserver -> Internal DNS" dst-address=192.168.99.43 dst-port=53 protocol=udp src-address=192.168.100.10
add action=accept chain=forward comment="Allow HTTPS to DMZ webserver" dst-address=192.168.100.10 dst-port=443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="DMZ webserver -> Internal DNS TCP" dst-address=192.168.99.43 dst-port=53 protocol=tcp src-address=192.168.100.10
# review: all segmentation drops below are disabled=yes; until they are enabled
# USERS, WORK_DATA, the voice VLANs, DIRTY, both guests and the DMZ can reach
# MGMT and each other wherever routing permits.
add action=drop chain=forward comment="DROP USERS -> MGMT" disabled=yes dst-address=192.168.99.0/24 src-address=192.168.40.0/24
add action=drop chain=forward comment="DROP WORK_DATA -> MGMT" disabled=yes dst-address=192.168.99.0/24 src-address=192.168.102.0/24
add action=drop chain=forward comment="DROP WORK_VOICE -> MGMT" disabled=yes dst-address=192.168.99.0/24 src-address=192.168.202.0/24
add action=drop chain=forward comment="DROP LAB_VOICE -> MGMT" disabled=yes dst-address=192.168.99.0/24 src-address=192.168.142.0/24
add action=drop chain=forward comment="DROP WORK_VOICE -> USERS" disabled=yes dst-address=192.168.40.0/24 src-address=192.168.202.0/24
add action=drop chain=forward comment="DROP LAB_VOICE -> USERS" disabled=yes dst-address=192.168.40.0/24 src-address=192.168.142.0/24
add action=drop chain=forward comment="DROP DIRTY -> internal" disabled=yes dst-address=192.168.0.0/16 src-address=192.168.160.0/24
add action=drop chain=forward comment="DROP DIRTY -> 172.16.0.0/12" disabled=yes dst-address=172.16.0.0/12 src-address=192.168.160.0/24
add action=drop chain=forward comment="DROP DIRTY -> 10.0.0.0/8" disabled=yes dst-address=10.0.0.0/8 src-address=192.168.160.0/24
add action=drop chain=forward comment="DROP GUEST1 -> internal" disabled=yes dst-address=192.168.0.0/16 src-address=192.168.232.0/24
add action=drop chain=forward comment="DROP GUEST1 -> 172.16.0.0/12" disabled=yes dst-address=172.16.0.0/12 src-address=192.168.232.0/24
add action=drop chain=forward comment="DROP GUEST2 -> internal" disabled=yes dst-address=192.168.0.0/16 src-address=192.168.242.0/24
add action=drop chain=forward comment="DROP GUEST2 -> 172.16.0.0/12" disabled=yes dst-address=172.16.0.0/12 src-address=192.168.242.0/24
add action=drop chain=forward comment="DROP GUEST2 -> 10.0.0.0/8" disabled=yes dst-address=10.0.0.0/8 src-address=192.168.242.0/24
add action=drop chain=forward comment="DROP DMZ -> internal" disabled=yes dst-address=192.168.0.0/16 src-address=192.168.100.0/24
add action=drop chain=forward comment="DROP DMZ -> 172.16.0.0/12" disabled=yes dst-address=172.16.0.0/12 src-address=192.168.100.0/24
add action=drop chain=forward comment="DROP DMZ -> 10.0.0.0/8" disabled=yes dst-address=10.0.0.0/8 src-address=192.168.100.0/24
add action=drop chain=forward comment="DROP GUEST1 -> 10.0.0.0/8" disabled=yes dst-address=10.0.0.0/8 src-address=192.168.232.0/24
add action=accept chain=input comment="input: allow ICMP" protocol=icmp
add action=accept chain=input comment="input: allow from MGMT (vlan99 + ether6)" in-interface-list=MGMT
add action=accept chain=input comment="Allow SSH from OpenVPN" dst-port=22 protocol=tcp src-address=10.0.30.0/24
add action=accept chain=input comment="Allow ICMP from OpenVPN" protocol=icmp src-address=10.0.30.0/24
add action=accept chain=input comment="Allow WireGuard" dst-port=51820 in-interface-list=WAN protocol=udp
# review: OSPF is accepted from any interface; the only OSPF interface-template
# is vlan099-mgmt, so in-interface=vlan099-mgmt would be a tighter match.
add action=accept chain=input comment="OSPF RULE" protocol=ospf
add action=drop chain=forward comment="DEFAULT DENY inter-VLAN" disabled=yes in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward comment="drop WAN->LAN not dstnat" connection-nat-state=!dstnat disabled=yes in-interface-list=WAN out-interface-list=LAN
add action=drop chain=forward comment="drop all other forward" disabled=yes
# review: with these two input drops disabled the chain ends in the implicit
# accept, so any service not address-restricted in /ip service (DNS, the NTP
# server, SNMP subject to its address list) is reachable from the WAN list.
add action=drop chain=input comment="Drop WAN access to router" disabled=yes in-interface-list=WAN
add action=drop chain=input comment="drop all other input" disabled=yes
# review: these sit after "drop all other forward"; enabling that drop would cut
# guest internet. Move them above the terminating drops.
add action=accept chain=forward comment="Guest1 -> Internet" in-interface=vlan132-guest1 out-interface-list=WAN
add action=accept chain=forward comment="Guest2 -> Internet" in-interface=vlan142-guest2 out-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat comment="NO NAT over WG" out-interface=wg-work
# review: the three dstnat rules bound to in-interface=sfp-sfpplus1 only match
# on that port; ether1 (commented as the live ISP link) is not covered. The SIP
# and RTP forwards are correctly limited to the SIPSTATION source list.
add action=dst-nat chain=dstnat comment="OpenVPN -> pfSense" dst-port=1194 in-interface=sfp-sfpplus1 in-interface-list=WAN protocol=udp to-addresses=192.168.30.2 to-ports=1194
add action=dst-nat chain=dstnat comment="PBX SIP" dst-port=5060 in-interface=sfp-sfpplus1 in-interface-list=WAN protocol=udp src-address-list=SIPSTATION to-addresses=192.168.142.42
add action=dst-nat chain=dstnat comment="PBX RTP" dst-port=10000-20000 in-interface=sfp-sfpplus1 in-interface-list=WAN protocol=udp src-address-list=SIPSTATION to-addresses=192.168.142.42
# review: no src-address match, so this masquerades every packet leaving a WAN
# interface, not only router-originated traffic as the comment says.
add action=masquerade chain=srcnat comment="NAT router-originated traffic" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="HTTP to DMZ webserver" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.100.10
add action=dst-nat chain=dstnat comment="HTTPS to DMZ webserver" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.100.10
add action=dst-nat chain=dstnat comment="Mail - SMTP" dst-port=25 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.103
add action=dst-nat chain=dstnat comment="Mail - Submission" dst-port=587 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.103
add action=dst-nat chain=dstnat comment="Mail - SMTPS" dst-port=465 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.103
add action=dst-nat chain=dstnat comment="Mail - IMAPS" dst-port=993 in-interface-list=WAN protocol=tcp to-addresses=192.168.30.103
# review: in the srcnat chain in-interface-list=WAN matches packets that
# arrived on a WAN interface, which voice-VLAN traffic never does; this looks
# like it was meant to be out-interface-list=WAN, and the masquerade above
# already covers that case.
add action=masquerade chain=srcnat comment="NAT for work voice vlan 202" in-interface-list=WAN src-address-list=vlan202-work-voice
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip route
add comment="Return route to OpenVPN clients" dst-address=10.123.63.0/24 gateway=192.168.99.7
add comment="Return route to OpenVPN clients" dst-address=10.0.30.0/24 gateway=192.168.99.7
# review: comment says vlan102 but the prefix is 192.168.101.0/24, and the next
# route says vlan101 for 192.168.10.0/24 - the labels look swapped or stale.
add comment="WORK vlan102 via WG" distance=1 dst-address=192.168.101.0/24 gateway=wg-work
add comment="WORK vlan101 via WG" distance=1 dst-address=192.168.10.0/24 gateway=wg-work
add comment="WORK vlan202 via WG" distance=1 dst-address=172.16.1.0/24 gateway=wg-work
add comment="WORK ether8 via WG" distance=1 dst-address=192.168.253.0/24 gateway=wg-work
add comment="WORK ether9 via WG" distance=1 dst-address=192.168.254.0/24 gateway=wg-work
# review: recursive default route - 0.0.0.0/0 via 8.8.4.4, which is itself
# reachable only through 216.150.234.1 (scope 10 / target-scope 11), with
# check-gateway=ping so the default drops out when 8.8.4.4 stops answering.
add comment="Recursive Check Host" dst-address=8.8.4.4 gateway=216.150.234.1 scope=10
add check-gateway=ping comment="123NET Recursive Primary" distance=1 gateway=8.8.4.4 target-scope=11
add comment="VLAN20 via 3850" dst-address=192.168.20.0/24 gateway=192.168.99.2
add comment="VLAN110 via 3850" dst-address=192.168.110.0/24 gateway=192.168.99.2
add comment="VLAN402 via 3850" dst-address=192.168.142.0/24 gateway=192.168.99.2
add comment="VLAN132 via 3850" dst-address=192.168.232.0/24 gateway=192.168.99.2
add comment="VLAN142 via 3850" dst-address=192.168.242.0/24 gateway=192.168.99.2
add comment="VLAN40 via 3850" dst-address=192.168.40.0/24 gateway=192.168.99.2
add dst-address=192.168.30.0/24 gateway=192.168.99.2
add dst-address=192.168.132.0/24 gateway=192.168.99.2
add dst-address=192.168.102.0/24 gateway=192.168.99.2
/ip service
# review: ssh, winbox and www-ssl are limited to MGMT, the OpenVPN client range
# and the WG transit /30; ftp, telnet, www, api and api-ssl are off. This is
# the only thing protecting management access while the input drops stay
# disabled.
set ftp disabled=yes
set ssh address=192.168.99.0/24,10.0.30.0/24,172.31.255.0/30
set telnet disabled=yes
set www address=192.168.99.0/24,10.0.30.0/24,172.31.255.0/30 disabled=yes
set www-ssl address=192.168.99.0/24,10.0.30.0/24,172.31.255.0/30 certificate=router-cert
set winbox address=192.168.99.0/24,10.0.30.0/24,172.31.255.0/30
set api disabled=yes
set api-ssl disabled=yes
/routing filter rule
add chain=ospf-in rule="if (dst in 192.168.0.0/16 || dst in 10.0.0.0/8 || dst in 172.16.0.0/12) { accept } else { reject }"
/routing ospf interface-template
add area=backbone interfaces=vlan099-mgmt networks=192.168.99.0/24 priority=1
/routing rip interface-template
add disabled=no instance=rip-instance-1 interfaces=LACP_TO_NetGear_WOW mode=strict
/snmp
set enabled=yes
/system clock
set time-zone-name=America/Detroit
/system identity
set name=timsHomeTik
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=216.234.97.2
/tool graphing interface
add interface=ether1
add interface=Bond_To_Cisco3850_Layer3Switch
add interface=LACP_TO_NetGear_WOW
add interface=wg-work
add interface=sfp-sfpplus1
/tool mac-server
set allowed-interface-list=MGMT
/tool netwatch
# review: VRRP priority is demoted to 50 while 8.8.8.8 is unreachable and
# restored to 110 when it returns; a wider upstream outage therefore flips
# mastership to the peer on the MGMT VLAN.
add down-script="/interface vrrp set vrrp99 priority=50" host=8.8.8.8 interval=5s type=simple up-script="/interface vrrp set vrrp99 priority=110"
/tool sniffer
# review: the packet sniffer is configured to stream RDP (ms-wbt-server) frames
# from all interfaces to the configured streaming target. If this is not an
# active troubleshooting session, set streaming-enabled=no; a capture that is
# left streaming off-box is also something a change review should flag.
set filter-interface=all filter-port=ms-wbt-server streaming-enabled=yes