diff --git a/config_hex.grote.lan.rsc b/config_hex.grote.lan.rsc
index 1c6e2d9..cad40b3 100644
--- a/config_hex.grote.lan.rsc
+++ b/config_hex.grote.lan.rsc
@@ -1,4 +1,4 @@
-# 2023-07-21 18:48:06 by RouterOS 7.10
+# 2023-07-21 18:48:14 by RouterOS 7.10
 # software id = NPZE-DVQU
 #
 # model = RB750Gr3
@@ -73,3 +73,102 @@ add interface=ether2
 /ip firewall address-list
 add address=192.168.2.0/24 list=subnet2
 add address=192.168.2.0/24 list=mgmt_access
+add address=192.168.3.0/24 list=subnet3
+add address=10.25.25.0/24 list=subnet2525
+add address=10.25.26.0/24 list=mgmt_access
+add address=10.25.26.0/24 list=subnet2526
+add address=192.168.3.0/24 list=mgmt_access
+add address=10.25.27.0/24 list=subnet2527
+add address=10.25.27.0/24 list=mgmt_access
+add address=192.168.2.43 list=snmp_server
+/ip firewall filter
+add action=accept chain=input connection-state=established,related \
+ log-prefix="Allow established, related: "
+add action=drop chain=input connection-state=invalid log-prefix=\
+ "Drop invalid:"
+add action=accept chain=input in-interface=wireguard_s2s_hex log-prefix=\
+ "Allow OSPF: " protocol=ospf
+add action=accept chain=input icmp-options=!5:0-255 log-prefix="Allow ICMP: " \
+ protocol=icmp
+add action=accept chain=input dst-port=13232,13233 in-interface=ether2 \
+ log-prefix="Allow Wireguard: " protocol=udp
+add action=accept chain=input dst-port=22,8291 log-prefix=\
+ "Allow ssh+winbox: " protocol=tcp src-address-list=mgmt_access
+add action=drop chain=input log-prefix="INPUT: Drop anything not allowed: "
+add action=fasttrack-connection chain=forward connection-state=\
+ established,related hw-offload=yes log-prefix="FastTrack Connection: "
+add action=accept chain=forward connection-state=established,related \
+ log-prefix="Allow established, related: "
+add action=drop chain=forward connection-state=invalid log-prefix=\
+ "Drop invalid:"
+add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
+ "Allow SN2 -> SN3: " src-address-list=subnet2
+add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
+ "Allow SN2526 -> SN3: " src-address-list=subnet2526
+add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
+ "Allow SN2525 -> SN3: " src-address-list=subnet2525
+add action=accept chain=forward in-interface=wireguard_clients log-prefix=\
+ "Allow WG-Clients-> Ether2: " out-interface=ether2 src-address-list=\
+ subnet2527
+add action=drop chain=forward disabled=yes log=yes log-prefix=\
+ "FORWARD: Drop anything not allowed: "
+/ip firewall nat
+add action=masquerade chain=srcnat log-prefix="NAT: Alles von SN2" \
+ out-interface=!wireguard_s2s_hex
+/ip service
+set telnet disabled=yes
+set ftp disabled=yes
+set www disabled=yes
+set ssh address=192.168.2.0/24,192.168.3.0/24,10.25.26.0/24
+set api disabled=yes
+set winbox address=192.168.2.0/24,192.168.3.0/24,10.25.26.0/24
+set api-ssl disabled=yes
+/ip ssh
+set strong-crypto=yes
+/routing ospf interface-template
+add area=ospf-area-1 disabled=no interfaces=wireguard_s2s_hex networks=\
+ 10.25.26.0/30 type=ptmp
+/routing ospf static-neighbor
+add address=10.25.26.1%wireguard_s2s_hex area=ospf-area-1 disabled=no
+/snmp
+set contact="mgrote " location="S\FCdstra\DFe" \
+ trap-community=librenms-v3 trap-generators=temp-exception,interfaces \
+ trap-version=3
+/system clock
+set time-zone-name=Europe/Berlin
+/system identity
+set name=hex
+/system logging
+add disabled=yes topics=ospf
+/system note
+set show-at-login=no
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=0.de.pool.ntp.org
+/system routerboard settings
+set silent-boot=yes
+/system watchdog
+set automatic-supout=no ping-timeout=5m watch-address=10.25.26.1
+/tool bandwidth-server
+set enabled=no
+/tool mac-server
+set allowed-interface-list=none
+/tool mac-server mac-winbox
+set allowed-interface-list=winbox-access
+/tool mac-server ping
+set enabled=no
+/tool netwatch
+add disabled=no down-script="# set variables\r\
+ \n:local wginterface wireguard_s2s_hex\r\
+ \n# Valid characters in variable names are letters and digits. If variable\
+ \_name contains any other character, then variable name should be put in d\
+ ouble quotes.\r\
+ \n\r\
+ \n:log error \"wireguard-tunnel down: \$wginterface\"\r\
+ \n/interface/wireguard/disable \$wginterface\r\
+ \n:delay 20s\r\
+ \n/interface/wireguard/enable \$wginterface\r\
+ \n:log info \"Restart wireguard-tunnel: \$wginterface\"\r\
+ \nping 192.168.2.1\r\
+ \n" host=192.168.2.1 interval=30s timeout=1s type=simple
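Review bot: The forward chain has no effective default deny: the closing `add action=drop chain=forward disabled=yes log=yes log-prefix="FORWARD: Drop anything not allowed: "` rule is disabled, so any inter-subnet traffic not matched by the SN2/SN2526/SN2525/WG-client accept rules above it is still forwarded, and those accept rules currently change nothing. If this is a deliberate log-only staging step, I would record that on the rule itself, e.g. `comment="log-only until observed flows are verified; set disabled=no to enforce"`, and track enabling it; otherwise set `disabled=no` now. The `snmp_server` address-list added at the top of the hunk is not referenced by any filter rule in this hunk; unless a rule outside the hunk uses it, SNMP polling from that host is caught by the final input drop. The input-chain drop also lacks `log=yes` while the forward-chain drop has it, which makes the two chains inconsistent to troubleshoot.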