# version: 7.15.3 (stable)
# total-memory: 256.0MiB
# cpu: Intel(R)
# cpu-count: 1
# total-hdd-space: 216.5MiB
# architecture-name: x86_64
# board-name: CHR VMware, Inc. VMware Virtual Platform
# platform: MikroTik
# installed-version: 7.15.3
#
# software id =
#
# NOTE(review): RouterOS export for the CHR "fanty" (identity set below). The
# export was taken with sensitive values shown: it carries three WireGuard
# private keys, two WireGuard preshared keys and the EoIP ipsec-secret in clear.
# Handle this file as a secret; if it has been shared, rotate those keys and
# the SNMP community. Commands below are the original export, one per line;
# only "#" comment lines were added.
/interface bridge
add name=loopback0 port-cost-mode=short
/interface ethernet
# ether1 = external (Internet uplink), ether2 = internal (LAN 10.1.0.0/24),
# ether3 = public (no address assigned in this export), ether4 = sys-el
# (51.254.241.208/28, DHCP-served).
set [ find default-name=ether1 ] advertise=1G-baseT-full name=external
set [ find default-name=ether2 ] advertise=1G-baseT-full name=internal
set [ find default-name=ether3 ] advertise=1G-baseT-full name=public
set [ find default-name=ether4 ] disable-running-check=no name=sys-el
/interface eoip
# Disabled EoIP-over-IPsec tunnel to the beylix peer; the ipsec-secret is a
# plaintext passphrase and should be treated like the WireGuard keys above.
add allow-fast-path=no disabled=yes ipsec-secret="captain fellow explanation appropriate" local-address=51.255.130.132 mac-address=FE:18:82:74:C7:42 mtu=1500 name=beylix-eoip remote-address=82.69.87.199 tunnel-id=2
/interface wireguard
# mullvard: outbound-only VPN client interface (policy-routed, see mangle/routing rule).
# sihnon-highgate (13233) and sihnon-wg (13231): site/roadwarrior tunnels.
add comment="Mullvard (clean moth)" listen-port=51820 mtu=1420 name=mullvard private-key="SEFIOoRpSqeYbLPkPNRC9p7pEUSHz3V5ExBaXo0TMkE="
add listen-port=13233 mtu=1420 name=sihnon-highgate private-key="sJyqbo30Pv+gJ6kZSAy2dSjb2ImCC4j1I96NqA7iMnw="
add listen-port=13231 mtu=1420 name=sihnon-wg private-key="yCDv/j40TQeES4RWT7BmkTayQ5OtDCMuZvHOHknX5Us="
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add authoritative=after-10sec-delay interface=sys-el lease-time=3d name=sys-el server-address=51.254.241.209
/ip pool
add name=lan-pool ranges=10.1.0.10-10.1.0.19
/ip dhcp-server
add address-pool=lan-pool interface=internal lease-time=8h name=internal
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default as=64811 disabled=no output.network=bgp-networks .redistribute=connected,static,vpn,dhcp router-id=10.0.255.2
/routing table
add fib name=aa
add disabled=no fib name=mullvard
/snmp community
# SNMP v2c: the community name is effectively a credential. Access is limited
# by the address filter here and by the input rule "Allow SNMP from trusted
# networks" below.
set [ find default=yes ] addresses=81.187.154.128/26,82.69.87.199/32 name=jellybean
/system logging action
set 0 memory-lines=200
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# "!dynamic" includes the external interface, so MNDP/CDP/LLDP announcements
# (device identity, version, addresses) are sent on the Internet-facing port.
# Consider restricting this to internal/sys-el.
set discover-interface-list=!dynamic
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
/interface ovpn-server server
# NOTE(review): md5 is still accepted as an OpenVPN auth digest. Unless a
# legacy client needs it, reduce this to auth=sha1 (or stronger).
set auth=sha1,md5
/interface wireguard peers
# Roadwarrior peers (s21, serenity, peer6) get full-tunnel allowed-address and
# DNS via 51.254.241.218. beylix and highgate are site peers with preshared
# keys; this router initiates to them (endpoint set, keepalive 5s).
add allowed-address=0.0.0.0/0 client-address=10.0.9.2/32 client-dns=51.254.241.218,8.8.8.8 comment=s21 interface=sihnon-wg name=s21 public-key="/8bz75WMDntNJPq1GQ1xa3QM3IL10eOngv0dmIq1KXc="
add allowed-address=0.0.0.0/0 client-address=10.0.9.3/32 client-dns=51.254.241.218,8.8.8.8 comment=serenity interface=sihnon-wg name=serenity public-key="PH7T+jNtdcD1twcG+su5dB7SlPX6rUQCngv5mpuymSI="
add allowed-address=0.0.0.0/0 client-address=10.0.9.4/32 client-dns=51.254.241.218,8.8.8.8 client-listen-port=51820 comment=Tablet interface=sihnon-wg name=peer6 public-key="4SrjWNP/iyklKvsMXmc04TZysWDn++j9wPBk7nCoynY="
add allowed-address=0.0.0.0/0 client-address=10.0.4.1/32 comment=beylix endpoint-address=82.69.87.199 endpoint-port=13231 interface=sihnon-wg name=beylix persistent-keepalive=5s preshared-key="2RLulmTnZf8IZrtNLCLAwp8vUV7d9MTyYQ+78RbR2e4=" public-key="vAEc5Uy2h1GIHu8sIoCWziQmZuRLS+knyM2WQWs93yk="
add allowed-address=0.0.0.0/0 comment="Mullvard France" endpoint-address=193.32.126.66 endpoint-port=51820 interface=mullvard name=mullvard-france public-key="ov323GyDOEHLT0sNRUUPYiE3BkvFDjpmi1a4fzv49hE="
add allowed-address=0.0.0.0/0 client-address=10.0.6.2/32 endpoint-address=135.181.217.249 endpoint-port=13233 interface=sihnon-highgate name=highgate persistent-keepalive=5s preshared-key="sKYjceAZYv16MJq7xo8vzVgGbKoVBYITmu+5/ecNiSA=" public-key="Y9NjXmmeIZQIr2dPjm4M0ScP63ZGfhJ/5NRF36rHaGY="
/ip address
add address=51.255.130.132 comment="fanty.sihnon.net (external)" interface=external network=37.187.140.254
add address=10.0.255.2 interface=loopback0 network=10.0.255.5
add address=94.23.147.66 comment="hat.lorddeath.net NAT" interface=external network=94.23.147.66
add address=51.254.241.209/28 comment=sys-el interface=sys-el network=51.254.241.208
add address=10.1.0.1/24 interface=internal network=10.1.0.0
add address=10.0.9.1/24 interface=sihnon-wg network=10.0.9.0
add address=10.0.4.1/24 interface=sihnon-wg network=10.0.4.0
add address=10.64.50.145 interface=mullvard network=10.64.50.145
add address=10.0.6.2/24 interface=sihnon-highgate network=10.0.6.0
/ip dhcp-client
add !dhcp-options disabled=yes interface=external
/ip dhcp-server lease
# Static leases. nandi.sihnon.net is 51.254.241.212 here; compare with the
# linux-servers address-list entry below.
add address=10.1.0.21 comment=hat mac-address=00:0C:29:5F:D4:E6 server=internal
add address=51.254.241.217 address-lists=linux-servers comment="bellerophon.sihnon.net (sys-el)" mac-address=00:0C:29:47:D4:8A
add address=51.254.241.218 comment="arvad.sihnon.net (terraform)" mac-address=00:50:56:9A:5A:65
add address=51.254.241.215 comment=meadow.sihnon.net mac-address=00:50:56:9A:2D:6C
add address=51.254.241.216 comment="lenore.sihnon.net (terraform)" mac-address=00:50:56:9A:D1:BF
add address=51.254.241.212 comment="nandi.sihnon.net (terraform)" mac-address=00:50:56:9A:FA:3E
add address=51.254.241.214 comment="aphrodite.sihnon.net (terraform)" mac-address=00:50:56:9A:2F:F0
add address=51.254.241.211 comment="niska.sihnon.net (terraform)" mac-address=00:50:56:9A:FE:EA
add address=51.254.241.213 comment="beaumonde.sihnon.net (terraform)" mac-address=00:50:56:9A:72:35
add address=51.254.241.210 comment="yama.sihnon.net (terraform)" mac-address=00:50:56:9A:D4:65
/ip dhcp-server network
add address=10.1.0.0/24 comment=lan dns-server=51.254.241.217,8.8.8.8,8.8.4.4 domain=shadow.sihnon.net gateway=10.1.0.1 netmask=24 ntp-server=10.1.0.1
add address=51.254.241.208/28 comment="SYS EL" dns-server=81.187.21.244,8.8.8.8,8.8.4.4 domain=sihnon.net gateway=51.254.241.209 netmask=28 ntp-server=51.254.241.209
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# Lists referenced by the filter rules but with no entries in this export:
# blacklist, windows-servers, gitlab-servers (presumably populated elsewhere
# or dynamically - verify). nat-inbound is defined but never referenced.
add address=51.255.130.133 list=bgp-networks
add address=81.187.40.198 comment="Beylix AA" list=trusted-networks
add address=90.155.91.64/26 comment="7 Rushworth Row" list=trusted-networks
add address=10.0.0.0/8 list=nat-outbound
add address=213.52.196.70 comment="GSA OY Internet NAT" list=remote-management
add address=10.1.0.0/24 list=local-networks
add address=51.255.130.132 list=nat-inbound
add address=62.252.145.122 comment="Allow Andrew access to proxy from work (for testing, mostly) [Not really used anymore, and IP addr has changed anyway]" disabled=yes list=proxy-whitelist
add address=90.255.43.75 comment="Allow Evie access to proxy because Vodafone are shitheads <3 [also not really used]" disabled=yes list=proxy-whitelist
add address=82.69.87.199 comment="Zen line" list=remote-management
add address=82.69.87.199 comment="Zen line" list=trusted-networks
add address=81.187.21.240/28 list=local-networks
add address=91.121.231.112/29 list=local-networks
add address=82.69.87.199 comment=beylix-ipsec list=ipsec-peers
add address=178.32.51.204 comment=highgate-ipsec list=ipsec-peers
add address=37.187.140.108 comment=mingo.sihnon.net list=esx-servers
add address=188.165.192.126 comment=constance.sihnon.net list=esx-servers
# Comment string below ends in a literal "\n" (kept as exported).
add address=91.121.231.118 comment="canaan.sihnon.net\n" list=vcenter-servers
add address=51.255.130.132/30 comment="mingo VMs" list=local-networks
add address=45.67.124.188 comment=geaaru list=remote-management
add address=81.187.21.240/28 list=trusted-networks
add address=51.254.241.211 comment=niska.sihnon.net list=web-servers
add address=51.254.241.215 comment=meadow.sihnon.net list=linux-servers
# NOTE(review): 51.254.241.12 does not match the nandi lease (51.254.241.212)
# above - looks like a typo, in which case "Permit SSH to Linux servers"
# never matches nandi. Confirm and correct to .212.
add address=51.254.241.12 comment=nandi.sihnon.net list=linux-servers
add address=51.254.241.211 comment=niska.sihnon.net list=linux-servers
add address=51.254.241.216 comment=lenore.sihnon.net list=quassel-servers
add address=51.254.241.216 list=linux-servers
add address=90.155.91.64/26 comment="Andrew's House" list=remote-management
add address=51.254.241.218 list=dns-servers
add address=51.255.130.134 list=bgp-networks
add address=51.254.241.208/28 comment=SYS-EL list=bgp-networks
add address=10.0.9.0/24 list=local-networks
add address=192.168.0.0/16 list=nat-outbound
add address=172.16.0.0/12 list=nat-outbound
add address=10.0.9.0/24 comment=Wireguard list=remote-management
add address=193.32.126.66 list=mullvard
add address=81.187.154.128/26 list=local-networks
add address=10.0.0.0/8 list=local-networks
add address=51.254.241.208/28 list=local-networks
add address=82.69.87.199 list=local-networks
add address=81.187.154.128/26 comment=sihnon list=trusted-networks
add address=135.181.217.252 comment=muir.sihnon.net list=trusted-networks
add address=95.216.253.32/28 comment=HEL1-DC3 list=local-networks
/ip firewall filter
# Rule order matters: first match wins. Structure is blacklist drop ->
# established/related accept -> per-service accepts -> final reject.
# NOTE(review): there is no connection-state=invalid drop before the accepts;
# adding one after the established/related rules is the usual hardening.
add action=drop chain=input comment="Drop all from blacklisted hosts" src-address-list=blacklist
add action=drop chain=forward comment="Drop all from blacklisted hosts" src-address-list=blacklist
add action=accept chain=input comment="Allow established connections" connection-state=established,related
add action=accept chain=forward comment="Allow established connections" connection-state=established,related
add action=accept chain=output comment="Allow established connections" connection-state=established,related
add action=accept chain=input comment="Allow SNMP from trusted networks" dst-port=161 protocol=udp src-address-list=trusted-networks
add action=accept chain=input comment="Allow GRE tunnels" protocol=gre src-address-list=ipsec-peers
add action=accept chain=input comment=IPSec dst-port=500,4500 protocol=udp
# Anything arriving over the WireGuard tunnels is accepted to the router and
# for forwarding; peer authentication is the only control on those paths.
add action=accept chain=input in-interface=sihnon-wg
add action=accept chain=forward comment="Wireguard client traffic" in-interface=sihnon-wg
add action=accept chain=input in-interface=sihnon-highgate
add action=accept chain=forward in-interface=sihnon-highgate
# 13231 (sihnon-wg) is opened and logged on every new packet. There is no
# input accept for 13233 (sihnon-highgate); that tunnel presumably works
# because this side initiates - inbound handshakes from highgate would hit
# the final reject. Confirm this is intended.
add action=accept chain=input comment=Wireguard dst-port=13231 log=yes protocol=udp
add action=accept chain=input comment="Allow mullvard wireguard" protocol=udp src-address-list=mullvard src-port=51820
# NOTE(review): this accept (and "Allow everything from UKVPN" below) matches
# on source address only, with no in-interface. local-networks contains
# 10.0.0.0/8, so a packet with a forged private source arriving on external
# would be forwarded unless reverse-path filtering is enabled elsewhere (not
# in this export). Adding in-interface=!external would close that.
add action=accept chain=forward comment="Accept anything from local networks" src-address-list=local-networks
add action=accept chain=input comment="Allow everything from internal lan" in-interface=internal
add action=accept chain=forward comment="Allow everything from internal lan" in-interface=internal
add action=accept chain=input comment="Accept all inbound from sys-el" in-interface=sys-el
add action=accept chain=forward comment="Accept all forward traffic from sys-el" in-interface=sys-el
# 10.2.0.0/24 is already inside local-networks (10.0.0.0/8); this rule is
# unreachable for matching traffic.
add action=accept chain=forward comment="Allow everything from UKVPN" src-address=10.2.0.0/24
add action=accept chain=input comment="Allow everything from trusted external networks" src-address-list=trusted-networks
add action=accept chain=forward comment="Allow all forward traffic from trusted external networks" src-address-list=trusted-networks
add action=accept chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=forward comment="Allow all ICMP" protocol=icmp
# Single-port knock: one new TCP connection to 31337 grants the source
# management access (22/80/443) for 1h. A single well-known port is weak as
# a knock; a multi-port sequence, or relying on WireGuard only, would be
# stronger. Each knock is logged.
add action=add-src-to-address-list address-list=remote-management address-list-timeout=1h chain=input comment="Port Knocking, temporarily add src address to remote-management list" connection-state=new dst-port=31337 log=yes log-prefix="Temporarily added to remote management: " protocol=tcp
add action=accept chain=input comment="Allow access to fanty management" dst-port=22,80,443 protocol=tcp src-address-list=remote-management
add action=accept chain=input comment="Permit UDP traceroute" dst-port=33434-33523 protocol=udp
add action=accept chain=forward comment="Permit UDP traceroute" dst-port=33434-33523 protocol=udp
add action=accept chain=forward comment="Permit SSH to Linux servers" dst-address-list=linux-servers dst-port=22 protocol=tcp src-address-list=remote-management
add action=accept chain=forward comment="Permit RDP to Windows servers" dst-address-list=windows-servers dst-port=3389 protocol=tcp src-address-list=remote-management
add action=accept chain=input comment="Permit OpenVPN" dst-port=1194-1195,1723,4443 protocol=tcp
add action=accept chain=input comment="Permit whitelisted connections to Web proxy" dst-address=178.32.51.204 dst-port=8088 protocol=tcp src-address-list=proxy-whitelist
add action=accept chain=forward comment=Deluge dst-address=10.1.0.11 dst-port=52414-52513 protocol=tcp
add action=accept chain=forward comment=Deluge dst-address=10.1.0.11 dst-port=52414-52513 protocol=udp
add action=accept chain=forward comment="DNS (UDP)" dst-address-list=dns-servers dst-port=53 protocol=udp
add action=accept chain=forward comment="DNS (TCP)" dst-address-list=dns-servers dst-port=53 protocol=tcp
# The dst-nat rules for Hat below do not rewrite the port, so the destination
# port seen here is the public one. 20322, 20222 and 32400 are NAT'd to Hat
# but are not in this list, so from untrusted sources they appear to be
# rejected in forward; 42300 is listed but has no dst-nat. Verify intent.
add action=accept chain=forward comment="Permit NAT'd services to Hat (TCP)" dst-address=10.1.0.21 dst-port=22,25,80,443,873,6881,42300,52010 protocol=tcp
add action=accept chain=forward comment="Permit NAT'd services to Hat (UDP)" dst-address=10.1.0.21 dst-port=6881 protocol=udp
add action=accept chain=forward comment="Allow web traffic to `web-servers`" dst-address-list=web-servers dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="Permit HTTPS to vcenter servers" dst-address-list=vcenter-servers dst-port=443 protocol=tcp
add action=accept chain=forward comment="GitLab SSH" dst-address-list=gitlab-servers dst-port=9922 protocol=tcp
add action=accept chain=forward comment=Quassel dst-address-list=quassel-servers dst-port=4242 protocol=tcp
add action=accept chain=input comment="Allow everything via beylix ipsec tunnel" in-interface=beylix-eoip
add action=accept chain=forward comment="Allow everything via beylix ipsec tunnel" in-interface=beylix-eoip
add action=accept chain=forward comment="vCenter ports" dst-address-list=vcenter-servers dst-port=80,443,902,5988,8000-8001,9000-9100 protocol=tcp src-address-list=esx-servers
add action=accept chain=forward comment="vCenter ports" dst-address-list=vcenter-servers dst-port=902 protocol=udp src-address-list=esx-servers
add action=log chain=input comment="Log traffic that would be dropped" disabled=yes log-prefix="HAT\?"
# Default deny with an ICMP admin-prohibited reply (reject rather than drop,
# so the router is discoverable by scans; drop is quieter).
add action=reject chain=input comment="Reject all other unspecified input from the Net" reject-with=icmp-admin-prohibited
add action=reject chain=forward comment="Reject all other unspecified input from the Net" reject-with=icmp-admin-prohibited
/ip firewall mangle
# Traffic from meadow (51.254.241.215) to non-local destinations is routed
# via the mullvard table (see /routing rule and the masquerade below).
add action=mark-connection chain=prerouting connection-state=new in-interface=sihnon-wg new-connection-mark=wg-nat passthrough=yes
add action=mark-routing chain=prerouting dst-address-list=!local-networks new-routing-mark=mullvard passthrough=yes src-address=51.254.241.215
/ip firewall nat
add action=dst-nat chain=dstnat comment=Deluge disabled=yes dst-address=51.255.130.132 dst-port=52413-52513 protocol=tcp to-addresses=10.1.0.11
add action=dst-nat chain=dstnat comment=Deluge disabled=yes dst-address=51.255.130.132 dst-port=52413-52513 protocol=udp to-addresses=10.1.0.11
add action=dst-nat chain=dstnat comment="ssh/sftp to Haven" disabled=yes dst-address=51.255.130.132 dst-port=20222 protocol=tcp to-addresses=10.1.0.11 to-ports=22
add action=dst-nat chain=dstnat comment="Andrew's rsyncd to Haven" disabled=yes dst-address=51.255.130.132 dst-port=2345 protocol=tcp to-addresses=10.1.0.11 to-ports=2345
add action=masquerade chain=srcnat comment="Mullvard NAT" out-interface=mullvard
add action=src-nat chain=srcnat comment="Hat outbound NAT" out-interface=external src-address=10.1.0.21 to-addresses=94.23.147.66
add action=src-nat chain=srcnat comment="Default NAT" out-interface=external src-address-list=nat-outbound to-addresses=51.255.130.132
# Hat (10.1.0.21) is published on 94.23.147.66 for HTTP/HTTPS/SMTP/SSH,
# BitTorrent and iperf3; rsyncd is limited by source to 90.155.91.64/26.
add action=dst-nat chain=dstnat comment="Hat HTTP (Direct)" dst-address=94.23.147.66 dst-port=80 protocol=tcp to-addresses=10.1.0.21
add action=dst-nat chain=dstnat comment="Hat SMTP (Direct)" dst-address=94.23.147.66 dst-port=25 protocol=tcp to-addresses=10.1.0.21
add action=dst-nat chain=dstnat comment="Hat SSH (Direct)" dst-address=94.23.147.66 dst-port=22 protocol=tcp to-addresses=10.1.0.21
add action=dst-nat chain=dstnat comment="Hat SSH (Direct)" dst-address=94.23.147.66 dst-port=20322 protocol=tcp to-addresses=10.1.0.21
add action=dst-nat chain=dstnat comment="Hat SSH (Direct)" dst-address=94.23.147.66 dst-port=20222 protocol=tcp to-addresses=10.1.0.21
add action=dst-nat chain=dstnat comment="Hat HTTPS (Direct)" dst-address=94.23.147.66 dst-port=443 protocol=tcp to-addresses=10.1.0.21
add action=dst-nat chain=dstnat comment="Hat Plex (NAT)" dst-address=178.32.51.204 dst-port=32400 protocol=tcp to-addresses=10.1.0.21
add action=dst-nat chain=dstnat comment="Hat uTorrent (Direct)" dst-address=94.23.147.66 dst-port=6881 protocol=tcp to-addresses=10.1.0.21
add action=dst-nat chain=dstnat comment="Hat uTorrent (Direct)" dst-address=94.23.147.66 dst-port=6881 protocol=udp to-addresses=10.1.0.21
add action=dst-nat chain=dstnat comment="Hat iperf3 (Direct)" dst-address=94.23.147.66 dst-port=52010 protocol=tcp to-addresses=10.1.0.21
add action=dst-nat chain=dstnat comment="Hat rsyncd (Direct)" dst-address=94.23.147.66 dst-port=873 protocol=tcp src-address=90.155.91.64/26 to-addresses=10.1.0.21
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=37.187.140.254
add disabled=no dst-address=0.0.0.0/0 gateway=81.187.81.187 routing-table=aa
add comment="nandi ip" disabled=no dst-address=51.255.130.133/32 gateway=internal
add comment="melbourne ip" disabled=no dst-address=51.255.130.134/32 gateway=internal
add disabled=no dst-address=0.0.0.0/0 gateway=mullvard routing-table=mullvard suppress-hw-offload=no
/ipv6 route
add disabled=no dst-address=::/0 gateway=external
add disabled=no dst-address=2001:41d0:a:4aff:ff:ff:ff:ff/128 gateway=external
/ip service
# Only www-ssl is touched here; the export omits default-valued entries, so
# confirm on the device that telnet, ftp, www, api and winbox are disabled
# or address-restricted.
set www-ssl certificate=letsencrypt disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
# NOTE(review): allow-none-crypto=yes permits the SSH "none" cipher
# (unencrypted sessions if the client asks). forwarding-enabled=remote lets
# any SSH user open remote port forwards through the router. Set
# allow-none-crypto=no and forwarding-enabled=no unless a workflow needs them.
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
# UPnP is enabled with external as the outside interface: any host on sys-el
# can request inbound port mappings on the public address without a firewall
# change. Disable unless a sys-el service depends on it.
set enabled=yes
/ip upnp interfaces
add interface=sys-el type=internal
add interface=external type=external
/ipv6 address
add address=2001:8b0:3b3:ffff:: interface=beylix-eoip
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=output connection-state=established,related
add action=accept chain=input protocol=icmpv6
# NOTE(review): UDP 5678 is MikroTik Neighbor Discovery (MNDP), not ICMPv6
# neighbour discovery (which the icmpv6 rule above already covers). Accepting
# it from external exposes device identity/version to the Internet; this
# rule can likely be removed together with the discover-interface-list change.
add action=accept chain=input comment="Neighbour Discovery" dst-port=5678 in-interface=external protocol=udp
add action=drop chain=forward comment="Catch all" in-interface=external
add action=drop chain=input comment="Catch all" in-interface=external log=yes log-prefix="DROP: "
add action=accept chain=output
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/routing bgp connection
# eBGP to beylix (AS64810, over EoIP - disabled; over WireGuard - active) and
# highgate (AS64812). Outbound announcements are filtered by bgp-local-out.
add address-families=ip,ipv6 as=64811 cisco-vpls-nlri-len-fmt=auto-bits connect=yes disabled=yes listen=yes local.address=10.3.0.10 .role=ebgp name=beylix output.filter-chain=bgp-local-out .network=bgp-networks .redistribute=connected,static,vpn,dhcp remote.address=10.3.0.9 .as=64810 .port=179 router-id=10.0.255.2 routing-table=main templates=default
add address-families=ip,ipv6 as=64811 connect=yes disabled=no listen=yes local.address=10.0.4.1 .role=ebgp name=beylix-wireguard output.filter-chain=bgp-local-out .network=bgp-networks .redistribute=connected,static,vpn,dhcp remote.address=10.0.4.2 .as=64810 .port=179 router-id=10.0.255.2 routing-table=main templates=default
add address-families=ip,ipv6 as=64811 connect=yes disabled=no listen=yes local.address=10.0.6.2 .role=ebgp name=highgate-wireguard output.filter-chain=bgp-local-out .network=bgp-networks .redistribute=connected,static,vpn,dhcp remote.address=10.0.6.1 .as=64812 .port=179 router-id=10.0.255.2 routing-table=main templates=default
/routing filter rule
# Explicit allow-list of prefixes announced to peers; everything else is
# rejected by the final rule, so redistribute=connected,static,vpn,dhcp
# cannot leak unintended routes.
add chain=bgp-local-out disabled=no rule="if (dst == 91.121.231.112/29) { accept; }"
add chain=bgp-local-out disabled=no rule="if (dst == 51.254.241.208/28) { accept; }"
add chain=bgp-local-out disabled=no rule="if (dst in 10.1.0.0/24 && dst-len in 16-24) { accept; }"
add chain=bgp-local-out disabled=no rule="if (dst in 51.255.130.133 && dst-len == 32) { accept; }"
add chain=bgp-local-out comment="Wireguard Peers" disabled=no rule="if (dst in 10.0.9.0/24 && dst-len in 24-32) { accept; }"
add chain=bgp-local-out disabled=no rule="if (dst in 0.0.0.0/0 && dst-len > 0) { reject; }"
/routing rule
add action=lookup disabled=no routing-mark=mullvard src-address=51.254.241.215/32 table=mullvard
/snmp
set contact=hostmaster@sihnon.net enabled=yes location="Roubaix, FR" trap-version=2
/system clock
set time-zone-name=Europe/London
/system identity
set name=fanty
/system logging
# All three extra logging rules are disabled; only the default memory
# target (200 lines) is in use, so there is little audit history on-box.
# Consider a remote syslog action.
add disabled=yes topics=ospf,!debug
add disabled=yes topics=ipsec,!packet
add disabled=yes topics=wireguard
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=129.250.35.251
add address=80.93.163.202
/system watchdog
set watchdog-timer=no
/user group
# Group for certificate deployment (presumably the letsencrypt service
# account). It has ftp and write; if only certificate import is needed,
# check whether ftp can be dropped in favour of ssh/sftp alone.
add name=letsencrypt policy="ssh,ftp,read,write,!local,!telnet,!reboot,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"