Michael Grote
32328bac8f
config_rb5009.grote.lan.rsc x Signed-off-by: Michael Grote <michael.grote@posteo.de>
174 lines
6.9 KiB
Text
174 lines
6.9 KiB
Text
# 2023-07-21 18:43:40 by RouterOS 7.10
|
|
# software id = NPZE-DVQU
|
|
#
|
|
# model = RB750Gr3
|
|
# serial number = CC210C7265A3
|
|
/interface ethernet
|
|
set [ find default-name=ether1 ] disabled=yes
|
|
set [ find default-name=ether3 ] disabled=yes
|
|
set [ find default-name=ether4 ] disabled=yes
|
|
set [ find default-name=ether5 ] disabled=yes
|
|
/interface wireguard
|
|
add listen-port=13233 mtu=1420 name=wireguard_clients private-key=\
|
|
"4EsatRG85+HxsoPF1gm6A5vZQ88xRo/fHb0xsdJMb3w="
|
|
add listen-port=13232 mtu=1420 name=wireguard_s2s_hex private-key=\
|
|
"ABE3o3tWAw2GeLfJDAKeNqG9OwudiOLFhT+ghQ6P1Fc="
|
|
/interface list
|
|
add name=LAN
|
|
add name=VPN
|
|
add name=winbox-access
|
|
/interface lte apn
|
|
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
|
|
/interface wireless security-profiles
|
|
set [ find default=yes ] supplicant-identity=MikroTik
|
|
/port
|
|
set 1 name=serial0
|
|
/routing ospf instance
|
|
add disabled=no name=ospf-instance-s2s redistribute=connected router-id=\
|
|
10.25.26.2
|
|
/routing ospf area
|
|
add area-id=0.0.0.1 disabled=no instance=ospf-instance-s2s name=ospf-area-1
|
|
/snmp community
|
|
set [ find default=yes ] read-access=no security=private
|
|
add addresses=::/0 authentication-password=9IEYe5R-usuhdH7y-LEcJpWcfeQ319 \
|
|
authentication-protocol=SHA1 encryption-password=\
|
|
GjYze03kkkeRMH3sDVbAJp9Gl6WC-I encryption-protocol=AES name=librenms-v3
|
|
/system logging action
|
|
set 0 memory-lines=10000
|
|
/ip neighbor discovery-settings
|
|
set discover-interface-list=winbox-access
|
|
/ip settings
|
|
set tcp-syncookies=yes
|
|
/ipv6 settings
|
|
set disable-ipv6=yes max-neighbor-entries=8192
|
|
/interface list member
|
|
add interface=ether2 list=LAN
|
|
add interface=wireguard_s2s_hex list=VPN
|
|
add interface=wireguard_clients list=LAN
|
|
add interface=wireguard_s2s_hex list=winbox-access
|
|
add interface=wireguard_clients list=winbox-access
|
|
add interface=ether2 list=winbox-access
|
|
/interface ovpn-server server
|
|
set auth=sha1,md5
|
|
/interface wireguard peers
|
|
add allowed-address=0.0.0.0/0 endpoint-address=mgrote.net endpoint-port=13232 \
|
|
interface=wireguard_s2s_hex persistent-keepalive=10s public-key=\
|
|
"/drwUkzCR7umH4YFTRa+D9WB8KOvTXIZxRf/9gC9kkM="
|
|
add allowed-address=10.25.27.2/24 comment=iphone_andreas interface=\
|
|
wireguard_clients public-key=\
|
|
"Y/3GVIZsdAUpKr2XJ42MVPte4qJvPpe6ZWj7lQIjPEM="
|
|
add allowed-address=10.25.27.200/32 comment=iphone_maximilian interface=\
|
|
wireguard_clients public-key=\
|
|
"45IEON4osDmTxIv/pkDTWwdUb6X33uTmZFbebkrkdHo="
|
|
add allowed-address=10.25.27.100/24 comment=ipad_maximilian interface=\
|
|
wireguard_clients public-key=\
|
|
"45/22voZXBbjYhtLLQqwPQ00tMZVB6sglrLbkEnlTUM="
|
|
/ip address
|
|
add address=10.25.26.2/30 interface=wireguard_s2s_hex network=10.25.26.0
|
|
add address=10.25.27.1/24 interface=wireguard_clients network=10.25.27.0
|
|
/ip cloud
|
|
set ddns-enabled=yes ddns-update-interval=5m
|
|
/ip dhcp-client
|
|
add interface=ether2
|
|
/ip firewall address-list
|
|
add address=192.168.2.0/24 list=subnet2
|
|
add address=192.168.2.0/24 list=mgmt_access
|
|
add address=192.168.3.0/24 list=subnet3
|
|
add address=10.25.25.0/24 list=subnet2525
|
|
add address=10.25.26.0/24 list=mgmt_access
|
|
add address=10.25.26.0/24 list=subnet2526
|
|
add address=192.168.3.0/24 list=mgmt_access
|
|
add address=10.25.27.0/24 list=subnet2527
|
|
add address=10.25.27.0/24 list=mgmt_access
|
|
add address=192.168.2.43 list=snmp_server
|
|
/ip firewall filter
|
|
add action=accept chain=input connection-state=established,related \
|
|
log-prefix="Allow established, related: "
|
|
add action=drop chain=input connection-state=invalid log-prefix=\
|
|
"Drop invalid:"
|
|
add action=accept chain=input in-interface=wireguard_s2s_hex log-prefix=\
|
|
"Allow OSPF: " protocol=ospf
|
|
add action=accept chain=input icmp-options=!5:0-255 log-prefix="Allow ICMP: " \
|
|
protocol=icmp
|
|
add action=accept chain=input dst-port=13232,13233 in-interface=ether2 \
|
|
log-prefix="Allow Wireguard: " protocol=udp
|
|
add action=accept chain=input dst-port=22,8291 log-prefix=\
|
|
"Allow ssh+winbox: " protocol=tcp src-address-list=mgmt_access
|
|
add action=drop chain=input log-prefix="INPUT: Drop anything not allowed: "
|
|
add action=fasttrack-connection chain=forward connection-state=\
|
|
established,related hw-offload=yes log-prefix="FastTrack Connection: "
|
|
add action=accept chain=forward connection-state=established,related \
|
|
log-prefix="Allow established, related: "
|
|
add action=drop chain=forward connection-state=invalid log-prefix=\
|
|
"Drop invalid:"
|
|
add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
|
|
"Allow SN2 -> SN3: " src-address-list=subnet2
|
|
add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
|
|
"Allow SN2526 -> SN3: " src-address-list=subnet2526
|
|
add action=accept chain=forward dst-address-list=subnet3 log-prefix=\
|
|
"Allow SN2525 -> SN3: " src-address-list=subnet2525
|
|
add action=accept chain=forward in-interface=wireguard_clients log-prefix=\
|
|
"Allow WG-Clients-> Ether2: " out-interface=ether2 src-address-list=\
|
|
subnet2527
|
|
add action=drop chain=forward disabled=yes log=yes log-prefix=\
|
|
"FORWARD: Drop anything not allowed: "
|
|
/ip firewall nat
|
|
add action=masquerade chain=srcnat log-prefix="NAT: Alles von SN2" \
|
|
out-interface=!wireguard_s2s_hex
|
|
/ip service
|
|
set telnet disabled=yes
|
|
set ftp disabled=yes
|
|
set www disabled=yes
|
|
set ssh address=192.168.2.0/24,192.168.3.0/24,10.25.26.0/24
|
|
set api disabled=yes
|
|
set winbox address=192.168.2.0/24,192.168.3.0/24,10.25.26.0/24
|
|
set api-ssl disabled=yes
|
|
/ip ssh
|
|
set strong-crypto=yes
|
|
/routing ospf interface-template
|
|
add area=ospf-area-1 disabled=no interfaces=wireguard_s2s_hex networks=\
|
|
10.25.26.0/30 type=ptmp
|
|
/routing ospf static-neighbor
|
|
add address=10.25.26.1%wireguard_s2s_hex area=ospf-area-1 disabled=no
|
|
/snmp
|
|
set contact="mgrote <michael.grote@posteo.de>" location="S\FCdstra\DFe" \
|
|
trap-community=librenms-v3 trap-generators=temp-exception,interfaces \
|
|
trap-version=3
|
|
/system clock
|
|
set time-zone-name=Europe/Berlin
|
|
/system identity
|
|
set name=hex
|
|
/system logging
|
|
add disabled=yes topics=ospf
|
|
/system note
|
|
set show-at-login=no
|
|
/system ntp client
|
|
set enabled=yes
|
|
/system ntp client servers
|
|
add address=0.de.pool.ntp.org
|
|
/system routerboard settings
|
|
set silent-boot=yes
|
|
/system watchdog
|
|
set automatic-supout=no ping-timeout=5m watch-address=10.25.26.1
|
|
/tool bandwidth-server
|
|
set enabled=no
|
|
/tool mac-server
|
|
set allowed-interface-list=none
|
|
/tool mac-server mac-winbox
|
|
set allowed-interface-list=winbox-access
|
|
/tool mac-server ping
|
|
set enabled=no
|
|
/tool netwatch
|
|
add disabled=no down-script="# set variables\r\
|
|
\n:local wginterface wireguard_s2s_hex\r\
|
|
\n# Valid characters in variable names are letters and digits. If variable\
|
|
\_name contains any other character, then variable name should be put in d\
|
|
ouble quotes.\r\
|
|
\n\r\
|
|
\n:log error \"wireguard-tunnel down: \$wginterface\"\r\
|
|
\n/interface/wireguard/disable \$wginterface\r\
|
|
\n:delay 20s\r\
|
|
\n/interface/wireguard/enable \$wginterface\r\
|
|
\n:log info \"Restart wireguard-tunnel: \$wginterface\"\r\
|
|
\nping 192.168.2.1\r\
|
|
\n" host=192.168.2.1 interval=30s timeout=1s type=simple
|