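# 2023-07-21 18:48:14 by RouterOS 7.10
# software id = NPZE-DVQU
#
# model = RB750Gr3
# serial number = CC210C7265A3
#
# REVIEW NOTE: this export contains secrets in clear text (both WireGuard
# private keys and the SNMPv3 authentication/encryption passwords below).
# Once an export with those values has left the device (ticket, repo, paste)
# the keys and SNMP passwords must be treated as compromised and rotated.
# Future exports should be taken without show-sensitive so secrets are masked.

# Only ether2 stays in use; the remaining copper ports are administratively down.
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes

# Two WireGuard interfaces: one for road-warrior clients, one site-to-site link.
/interface wireguard
add listen-port=13233 mtu=1420 name=wireguard_clients private-key=\
    "4EsatRG85+HxsoPF1gm6A5vZQ88xRo/fHb0xsdJMb3w="
add listen-port=13232 mtu=1420 name=wireguard_s2s_hex private-key=\
    "ABE3o3tWAw2GeLfJDAKeNqG9OwudiOLFhT+ghQ6P1Fc="

/interface list
add name=LAN
add name=VPN
add name=winbox-access

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/port
set 1 name=serial0

# OSPF only runs over the site-to-site tunnel (see interface-template below).
/routing ospf instance
add disabled=no name=ospf-instance-s2s redistribute=connected router-id=\
    10.25.26.2
/routing ospf area
add area-id=0.0.0.1 disabled=no instance=ospf-instance-s2s name=ospf-area-1

# SNMP: the default community is neutered; the v3 user is restricted to the
# poller's address. It was previously addresses=::/0, i.e. reachable from any
# source that the input chain lets through; 192.168.2.43 is the host listed
# in the snmp_server address-list below. Adjust if the poller lives elsewhere.
# NOTE(review): no "/snmp set enabled=yes" appears in this export, so it is not
# visible here whether the agent actually listens.
/snmp community
set [ find default=yes ] read-access=no security=private
add addresses=192.168.2.43/32 authentication-password=9IEYe5R-usuhdH7y-LEcJpWcfeQ319 \
    authentication-protocol=SHA1 encryption-password=\
    GjYze03kkkeRMH3sDVbAJp9Gl6WC-I encryption-protocol=AES name=librenms-v3

/system logging action
set 0 memory-lines=10000

# MNDP/LLDP is announced on winbox-access, which includes the ether2 uplink;
# that leaks model/identity to the upstream LAN. Acceptable for a home LAN,
# revisit if ether2 ever faces an untrusted segment.
/ip neighbor discovery-settings
set discover-interface-list=winbox-access

/ip settings
set tcp-syncookies=yes

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface list member
add interface=ether2 list=LAN
add interface=wireguard_s2s_hex list=VPN
add interface=wireguard_clients list=LAN
add interface=wireguard_s2s_hex list=winbox-access
add interface=wireguard_clients list=winbox-access
add interface=ether2 list=winbox-access

# OVPN server is not enabled in this export; MD5 was dropped from the accepted
# auth list so it cannot be negotiated if the server is ever switched on.
/interface ovpn-server server
set auth=sha1

# Site-to-site peer: allowed-address=0.0.0.0/0 is intentional here so that any
# OSPF-learned prefix can be routed into the tunnel.
# Road-warrior peers: allowed-address must be a single /32 per client. A /24
# lets that client source any 10.25.27.x address (including another client's
# tunnel IP, and all of 10.25.27.0/24 is in mgmt_access), and WireGuard's
# cryptokey routing gives each prefix to only one peer, so two peers with the
# same /24 silently steal return traffic from each other.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=mgrote.net endpoint-port=13232 \
    interface=wireguard_s2s_hex persistent-keepalive=10s public-key=\
    "/drwUkzCR7umH4YFTRa+D9WB8KOvTXIZxRf/9gC9kkM="
add allowed-address=10.25.27.2/32 comment=iphone_andreas interface=\
    wireguard_clients public-key=\
    "Y/3GVIZsdAUpKr2XJ42MVPte4qJvPpe6ZWj7lQIjPEM="
add allowed-address=10.25.27.200/32 comment=iphone_maximilian interface=\
    wireguard_clients public-key=\
    "45IEON4osDmTxIv/pkDTWwdUb6X33uTmZFbebkrkdHo="
add allowed-address=10.25.27.100/32 comment=ipad_maximilian interface=\
    wireguard_clients public-key=\
    "45/22voZXBbjYhtLLQqwPQ00tMZVB6sglrLbkEnlTUM="

/ip address
add address=10.25.26.2/30 interface=wireguard_s2s_hex network=10.25.26.0
add address=10.25.27.1/24 interface=wireguard_clients network=10.25.27.0

/ip cloud
set ddns-enabled=yes ddns-update-interval=5m

# ether2 is the uplink and takes its address from the 192.168.2.0/24 LAN.
/ip dhcp-client
add interface=ether2

# mgmt_access = every subnet allowed to reach SSH/WinBox on the input chain.
# NOTE(review): it includes 10.25.27.0/24 (WireGuard clients) while
# /ip service below does NOT list that subnet; if clients are meant to manage
# the router, add it there too, otherwise drop it from mgmt_access so the two
# layers agree.
/ip firewall address-list
add address=192.168.2.0/24 list=subnet2
add address=192.168.2.0/24 list=mgmt_access
add address=192.168.3.0/24 list=subnet3
add address=10.25.25.0/24 list=subnet2525
add address=10.25.26.0/24 list=mgmt_access
add address=10.25.26.0/24 list=subnet2526
add address=192.168.3.0/24 list=mgmt_access
add address=10.25.27.0/24 list=subnet2527
add address=10.25.27.0/24 list=mgmt_access
add address=192.168.2.43 list=snmp_server

# Input chain: default-deny. Everything not matched by an accept below is dropped.
/ip firewall filter
add action=accept chain=input connection-state=established,related \
    log-prefix="Allow established, related: "
add action=drop chain=input connection-state=invalid log-prefix=\
    "Drop invalid:"
add action=accept chain=input in-interface=wireguard_s2s_hex log-prefix=\
    "Allow OSPF: " protocol=ospf
# Allows ICMP except type 5 (redirect).
add action=accept chain=input icmp-options=!5:0-255 log-prefix="Allow ICMP: " \
    protocol=icmp
add action=accept chain=input dst-port=13232,13233 in-interface=ether2 \
    log-prefix="Allow Wireguard: " protocol=udp
add action=accept chain=input dst-port=22,8291 log-prefix=\
    "Allow ssh+winbox: " protocol=tcp src-address-list=mgmt_access
# SNMP polling from the monitoring host only. Without this rule UDP/161 hit
# the final drop, so the librenms-v3 user above could never be polled.
add action=accept chain=input dst-port=161 log-prefix="Allow SNMP: " \
    protocol=udp src-address-list=snmp_server
add action=drop chain=input log-prefix="INPUT: Drop anything not allowed: "
# Forward chain.
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes log-prefix="FastTrack Connection: "
add action=accept chain=forward connection-state=established,related \
    log-prefix="Allow established, related: "
add action=drop chain=forward connection-state=invalid log-prefix=\
    "Drop invalid:"
add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
    "Allow SN2 -> SN3: " src-address-list=subnet2
add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
    "Allow SN2526 -> SN3: " src-address-list=subnet2526
add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
    "Allow SN2525 -> SN3: " src-address-list=subnet2525
add action=accept chain=forward in-interface=wireguard_clients log-prefix=\
    "Allow WG-Clients-> Ether2: " out-interface=ether2 src-address-list=\
    subnet2527
# WARNING: this catch-all drop is DISABLED, so the forward chain is default
# ACCEPT and the per-subnet accept rules above currently restrict nothing
# (e.g. any WireGuard client can reach every routed prefix). It is left
# disabled with logging on so legitimate traffic that still hits it can be
# identified first; once the log is clean, set disabled=no to make the
# forward chain default-deny.
add action=drop chain=forward disabled=yes log=yes log-prefix=\
    "FORWARD: Drop anything not allowed: "

# Everything leaving on anything but the site-to-site tunnel is masqueraded.
/ip firewall nat
add action=masquerade chain=srcnat log-prefix="NAT: Alles von SN2" \
    out-interface=!wireguard_s2s_hex

# Management services: only SSH and WinBox stay on, each bound to the
# management subnets (see the mgmt_access note above about 10.25.27.0/24).
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.2.0/24,192.168.3.0/24,10.25.26.0/24
set api disabled=yes
set winbox address=192.168.2.0/24,192.168.3.0/24,10.25.26.0/24
set api-ssl disabled=yes

/ip ssh
set strong-crypto=yes

/routing ospf interface-template
add area=ospf-area-1 disabled=no interfaces=wireguard_s2s_hex networks=\
    10.25.26.0/30 type=ptmp
/routing ospf static-neighbor
add address=10.25.26.1%wireguard_s2s_hex area=ospf-area-1 disabled=no

/snmp
set contact="mgrote " location="S\FCdstra\DFe" \
    trap-community=librenms-v3 trap-generators=temp-exception,interfaces \
    trap-version=3

/system clock
set time-zone-name=Europe/Berlin

/system identity
set name=hex

/system logging
add disabled=yes topics=ospf

/system note
set show-at-login=no

/system ntp client
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org

/system routerboard settings
set silent-boot=yes

# NOTE(review): the watchdog reboots this router whenever the remote tunnel
# endpoint 10.25.26.1 is unreachable for 5 minutes. A prolonged outage at the
# far site therefore turns into a local reboot loop; consider a local target
# or relying on the netwatch restart below instead.
/system watchdog
set automatic-supout=no ping-timeout=5m watch-address=10.25.26.1

/tool bandwidth-server
set enabled=no

# Layer-2 (MAC) WinBox stays reachable on winbox-access, which includes the
# ether2 uplink; only credentials protect it there.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=winbox-access
/tool mac-server ping
set enabled=no

# When 192.168.2.1 stops answering, bounce the site-to-site tunnel interface.
/tool netwatch
add disabled=no down-script="# set variables\r\
    \n:local wginterface wireguard_s2s_hex\r\
    \n# Valid characters in variable names are letters and digits. If variable\
    \_name contains any other character, then variable name should be put in d\
    ouble quotes.\r\
    \n\r\
    \n:log error \"wireguard-tunnel down: \$wginterface\"\r\
    \n/interface/wireguard/disable \$wginterface\r\
    \n:delay 20s\r\
    \n/interface/wireguard/enable \$wginterface\r\
    \n:log info \"Restart wireguard-tunnel: \$wginterface\"\r\
    \nping 192.168.2.1\r\
    \n" host=192.168.2.1 interval=30s timeout=1s type=simple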