# version: 7.19.3 (stable) # factory-software: 7.0.4 # total-memory: 4096.0MiB # cpu: ARM64 # cpu-count: 4 # total-hdd-space: 128.0MiB # architecture-name: arm64 # board-name: CCR2004-16G-2S+ # platform: MikroTik # installed-version: 7.19.3 # Flags: U - UNDOABLE # Columns: ACTION, BY, POLICY, TIME # ACTION BY POLICY TIME # U filter rule changed admin write 2025-12-05 21:31:38 # U filter rule changed admin write 2025-12-05 21:31:37 # U filter rule changed admin write 2025-12-05 21:31:27 # U filter rule changed admin write 2025-12-05 21:31:26 # U dhcp lease changed admin write 2025-12-04 23:06:46 # U dhcp lease added admin write 2025-12-04 23:06:46 # U dhcp lease changed admin write 2025-12-03 11:41:15 # U dhcp lease changed admin write 2025-12-01 09:04:32 # U dhcp lease added admin write 2025-12-01 09:04:31 # U dhcp lease added admin write 2025-11-30 17:44:55 # U dhcp lease removed admin write 2025-11-27 21:31:08 # U dhcp lease changed admin write 2025-11-27 21:30:36 # U dhcp lease changed admin write 2025-11-27 21:30:35 # U dhcp lease changed admin write 2025-11-27 21:30:25 # U dhcp lease changed admin write 2025-11-27 21:30:13 # U dhcp lease changed admin write 2025-11-27 21:30:12 # U dhcp lease changed admin write 2025-11-27 21:27:39 # U dhcp lease changed admin write 2025-11-27 21:27:38 # U dhcp option pihole changed admin write 2025-11-27 21:27:27 # U dhcp option pihole added admin write 2025-11-27 21:27:26 # U dhcp lease removed admin write 2025-11-27 18:05:43 # U dhcp lease removed admin write 2025-11-27 18:05:43 # U dhcp lease removed admin write 2025-11-27 18:05:43 # U dhcp lease changed admin write 2025-11-27 18:05:36 # U dhcp lease changed admin write 2025-11-27 18:05:36 # U dhcp lease changed admin write 2025-11-27 18:05:34 # U dhcp lease changed admin write 2025-11-27 17:19:22 # U dhcp lease changed admin write 2025-11-27 17:19:08 # U dhcp lease changed admin write 2025-11-27 17:18:59 # U dhcp lease changed admin write 2025-11-27 17:18:35 # U dhcp lease 
changed admin write 2025-11-27 17:17:28 # U dhcp lease changed admin write 2025-11-27 17:17:28 # U dhcp lease changed admin write 2025-11-27 17:01:46 # U dhcp lease changed admin write 2025-11-27 16:59:53 # U dhcp lease changed admin write 2025-11-27 16:59:53 # U dhcp lease changed admin write 2025-11-27 16:56:37 # U dhcp lease added admin write 2025-11-27 16:56:23 # U dhcp lease changed admin write 2025-11-25 22:03:06 # U dhcp lease changed admin write 2025-11-25 22:03:05 # U dhcp lease changed admin write 2025-11-25 21:52:36 # U dhcp lease changed admin write 2025-11-25 21:52:35 # U dhcp lease changed admin write 2025-11-25 21:51:40 # U dhcp lease changed admin write 2025-11-25 21:51:39 # U dhcp lease changed admin write 2025-11-25 21:50:33 # U dhcp lease changed admin write 2025-11-25 17:30:06 # U dhcp lease removed admin write 2025-11-25 17:28:39 # U dhcp lease changed admin write 2025-11-24 22:16:42 # U dhcp lease changed admin write 2025-11-24 22:16:30 # U dhcp lease changed admin write 2025-11-24 18:23:55 # U dhcp lease changed admin write 2025-11-24 13:50:35 # U dhcp lease changed admin write 2025-11-24 13:47:52 # U dhcp lease changed admin write 2025-11-23 21:28:29 # U dhcp lease changed admin write 2025-11-23 21:18:01 # U dhcp lease changed admin write 2025-10-02 17:29:55 # U dhcp lease changed admin write 2025-10-02 17:29:54 # U dhcp lease removed admin write 2025-10-02 16:30:24 # U dhcp lease removed admin write 2025-10-02 16:30:24 # U dhcp lease removed admin write 2025-10-02 16:30:24 # U dhcp lease removed admin write 2025-10-02 16:29:50 # U dhcp lease removed admin write 2025-10-02 16:29:50 # U dhcp lease removed admin write 2025-10-02 16:29:10 # U dhcp lease removed admin write 2025-10-02 16:29:10 # U dhcp lease removed admin write 2025-10-02 16:29:10 # U dhcp lease removed admin write 2025-10-02 16:29:10 # U dhcp lease removed admin write 2025-10-02 16:29:10 # U dhcp lease removed admin write 2025-10-02 16:28:56 # U dhcp lease removed admin write 
2025-10-02 16:28:56 # U dhcp lease removed admin write 2025-10-02 16:28:56 # U dhcp lease removed admin write 2025-10-02 16:28:56 # U dhcp lease removed admin write 2025-10-02 16:28:45 # U dhcp lease removed admin write 2025-10-02 16:28:39 # U dhcp lease changed admin write 2025-10-02 16:28:22 # U dhcp lease changed admin write 2025-10-02 16:28:22 # U dhcp lease changed admin write 2025-10-02 16:28:14 # U wireguard peer entry changed admin write 2025-08-19 17:50:45 # U wireguard peer entry added admin write 2025-08-19 17:49:19 # U wireguard peer entry changed admin write 2025-08-19 17:39:56 # U wireguard peer entry changed admin write 2025-08-19 17:39:54 # U wireguard peer entry added admin write 2025-08-19 17:39:49 # U address changed admin write 2025-08-19 17:36:48 # U address changed admin write 2025-08-19 17:36:48 # U filter rule changed admin write 2025-08-19 17:35:15 # U filter rule changed admin write 2025-08-19 17:35:15 # U interface list member changed admin write 2025-08-19 17:34:54 # U interface list member added admin write 2025-08-19 17:34:53 # U nat rule changed admin write 2025-08-19 17:33:44 # U nat rule changed admin write 2025-08-19 17:33:42 # U nat rule changed admin write 2025-08-19 17:32:52 # U nat rule changed admin write 2025-08-19 17:32:50 # U filter rule moved admin write 2025-08-19 17:29:29 # U device changed admin write 2025-08-19 17:28:15 # U device changed admin write 2025-08-19 17:28:14 # U device changed admin write 2025-08-19 17:28:11 # U filter rule changed admin write 2025-08-19 17:23:13 # U filter rule changed admin write 2025-08-19 17:23:13 # U filter rule changed admin write 2025-08-19 17:22:44 # U wireguard peer entry changed admin write 2025-08-19 17:21:55 # U wireguard peer entry changed admin write 2025-08-19 17:21:49 # U device changed admin write 2025-08-19 17:21:39 # U device changed admin write 2025-08-19 17:21:18 # # software id = UAA8-I3JX # # model = CCR2004-16G-2S+ # serial number = HBJ07W7TF23 /interface bridge add 
fast-forward=no name=loopback0 port-cost-mode=short /interface ethernet set [ find default-name=ether1 ] comment="Admin setup" name=ether1-admin set [ find default-name=ether2 ] comment="Zen FTTP PPPoE Uplink" mtu=1508 set [ find default-name=ether9 ] comment="Osiris downlink 1" name=ether9-downlink-1 set [ find default-name=ether10 ] comment="Osiris downlink 2" name=ether10-downlink-2 /interface pppoe-client add add-default-route=yes allow=chap comment="Normal MTU 1480" default-route-distance=2 disabled=no interface=ether2 max-mru=1492 max-mtu=1492 name=zen password=4VVmSHAz user=zen429326@zen /interface eoip add allow-fast-path=no disabled=yes ipsec-secret="captain fellow explanation appropriate" local-address=82.69.87.199 mac-address=FE:BE:9A:EC:C9:C1 mtu=1500 name=fanty-eoip remote-address=51.255.130.132 tunnel-id=2 /interface wireguard add listen-port=51282 mtu=1412 name=gsa-loo private-key="+KwN5fcqhNJEYaR4R8Jze4LJpR0YCbtDeT3YNxGAjn8=" add listen-port=51281 mtu=1412 name=gsa-los private-key="cI77BAWwAOPv+mIYrxACoO251E9uy0XDbyrfqSrM2FU=" add listen-port=51280 mtu=1412 name=gsa-loy private-key="EAzY0a9hLbZiUN8+nlH43tjHOT6JT0kXkGnEpv9+eHA=" add listen-port=13231 mtu=1420 name=sihnon-clients private-key="+FYKxI3/IDAqZGdhdiv2X3yuVtgQsodit+5SIz2Gdko=" add listen-port=13232 mtu=1420 name=sihnon-highgate private-key="MBhQNW1J33Fq1eFfD+2bUxuuHeKypP+SgATxrOPbll0=" /interface bonding add comment="Osiris Downlink" mode=802.3ad name=internal-lag slaves=sfp-sfpplus1,sfp-sfpplus2 transmit-hash-policy=layer-3-and-4 /interface vlan add interface=internal-lag name=gsa-vlan vlan-id=210 add interface=internal-lag name=internal-vlan vlan-id=11 add interface=internal-lag name=iot-vlan vlan-id=12 add interface=internal-lag name=sihnon-alternate vlan-id=14 /interface list add name=gsa add exclude=dynamic,gsa include=all name=discovery add name=internal-trusted-interfaces add name=sihnon-wireguard-peers /interface wireless security-profiles set [ find default=yes ] 
supplicant-identity=MikroTik /ip dhcp-server add authoritative=after-10sec-delay interface=sihnon-alternate lease-time=8h name=sihnon-alternative server-address=81.187.21.241 /ip dhcp-server option add code=66 name=foreman-next-server-1.2.3.4 value="'10.0.0.1'" add code=67 name=foreman-tftp-file-pxelinux.0 value="'pxelinux.0'" add code=150 name=otl-cucm-tftp value="'82.150.110.115''82.150.115.115'" add code=150 name=gsa-cucm-tftp value="'10.210.34.132''10.210.2.37'" add code=43 name=unifi-controller value="'81.187.154.182'" add code=6 comment="Override DNS to use pihole" name=pihole value="'81.187.154.146''81.187.21.245''8.8.8.8'" /ip pool add name=guest ranges=10.0.0.50-10.0.0.200 add name=iot-pool ranges=10.0.2.10-10.0.2.200 add name=gsa-vpn ranges=10.210.125.11-10.210.125.14 add name=unifi-mgmt ranges=10.0.3.10-10.0.3.250 /ip dhcp-server add address-pool=guest authoritative=after-10sec-delay interface=internal-vlan lease-time=3d name=lan server-address=81.187.154.190 add address-pool=iot-pool interface=iot-vlan lease-time=8h name=iot server-address=10.0.2.254 add address-pool=gsa-vpn interface=gsa-vlan lease-time=1h name=gsa-vpn server-address=10.210.125.9 add address-pool=unifi-mgmt interface=internal-lag lease-time=1w name=unifi-mgmt server-address=10.0.3.254 /ip smb users set [ find default=yes ] disabled=yes /port set 0 name=serial0 set 1 name=serial1 /ppp profile add dns-server=8.8.8.8,1.1.1.1 local-address=192.168.2.1 name=bt-simulator remote-address=192.168.2.2 use-encryption=no use-ipv6=no use-mpls=no /interface l2tp-client add comment="Normal MTU 1462" connect-to=90.155.53.19 disabled=no max-mru=1452 max-mtu=1452 name=aa-l2tp password=EVQ34GGZ4WLN profile=default src-address=82.69.87.199 user=br3@a.1 /routing bgp template add as=64810 disabled=no name=sihnon output.redistribute=connected router-id=10.0.255.1 /routing pimsm instance add disabled=yes name=internal vrf=main /routing table add disabled=no fib name=aa add disabled=no fib name=zen /routing 
bgp template add as=64619 disabled=no hold-time=9s input.filter=bgp-gsa-in keepalive-time=3s name=gsa-wireguard output.filter-chain=bgp-gsa-out .keep-sent-attributes=yes .redistribute=connected router-id=10.210.125.9 routing-table=main use-bfd=no /snmp community set [ find default=yes ] addresses=81.187.154.128/26,81.187.21.240/28 name=jellybean /user group add name=letsencrypt policy="ssh,ftp,read,write,!local,!telnet,!reboot,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api" /certificate settings set builtin-trust-anchors=not-trusted /ip firewall connection tracking set udp-timeout=10s /ip neighbor discovery-settings set discover-interface-list=discovery lldp-med-net-policy-vlan=1 /ip settings set max-neighbor-entries=8192 /ipv6 settings set max-neighbor-entries=8192 soft-max-neighbor-entries=8191 /interface list member add interface=gsa-los list=gsa add interface=gsa-loy list=gsa add interface=internal-vlan list=internal-trusted-interfaces add interface=internal-lag list=internal-trusted-interfaces add interface=sihnon-alternate list=internal-trusted-interfaces add interface=gsa-loo list=gsa add interface=sihnon-highgate list=sihnon-wireguard-peers add interface=sihnon-clients list=sihnon-wireguard-peers /interface ovpn-server server add auth=sha1,md5 mac-address=FE:B7:74:71:63:28 name=ovpn-server1 /interface pppoe-server server add default-profile=bt-simulator disabled=no interface=ether16 service-name=bt-simulator /interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=185.137.0.50 endpoint-port=51281 interface=gsa-loy name=loynopnsense1 persistent-keepalive=5s preshared-key="ATnkx9indvyiH8zpFiCtr0g9rNPC6Z/D/wKXcNONjVs=" public-key="pEfUNCMG1mJMYLRFEmLNleCXYXYjEWZJHry2MKy1CT4=" add allowed-address=0.0.0.0/0 endpoint-address=185.137.2.50 endpoint-port=51281 interface=gsa-los name=losnopnsense1 persistent-keepalive=5s preshared-key="VV/qvQ0qMN9Rya9qkfbhS83Cwbc7j6CxyoSp7ydITPA=" 
public-key="ZrlNgX/qWGmqsXEOHbQkwza98iG/Jtzb1XK3FG+/QAE=" add allowed-address=0.0.0.0/0 endpoint-address=88.98.194.2 endpoint-port=51281 interface=gsa-loo name=loonopnsense1 persistent-keepalive=5s preshared-key="6Lu7pg8yvhU0FPcts2YsAHBrQXZmZts7WTIakyKJbwQ=" public-key="SgX8jq/+h9xlvgXPMo+TiIiRxiPhYsGC6eXNaEhK+mw=" add allowed-address=0.0.0.0/0 client-address=10.0.5.2/32 endpoint-address=135.181.217.249 endpoint-port=13232 interface=sihnon-highgate name=highgate persistent-keepalive=5s preshared-key="2RLulmTnZf8IZrtNLCLAwp8vUV7d9MTyYQ+78RbR2e4=" public-key="8z9/2vYY7iBhjd5MxAL2L4fZPI2KyCgBlFSkkkddXUc=" add allowed-address=10.0.8.2/32 client-address=10.0.8.2/32 client-dns=81.187.21.244,81.187.21.245,8.8.8.8 comment=s21 interface=sihnon-clients name=s21 private-key="IA/DESQmKaGhuMkjrKsCPt+agaEjaqsa2TTAuwPQeFg=" public-key="ALgeyBfNBWU8gMhkGfCxs+miVQ+enlOucQQZDn4eShI=" responder=yes add allowed-address=10.0.8.3/32 client-address=10.0.8.3/32 client-dns=81.187.21.244,81.187.21.245,8.8.8.8 comment=laptop interface=sihnon-clients name=laptop public-key="PH7T+jNtdcD1twcG+su5dB7SlPX6rUQCngv5mpuymSI=" add allowed-address=10.0.8.4/32 client-address=10.0.8.4/32 client-dns=81.187.21.244,81.187.21.245,8.8.8.8 comment=Tablet interface=sihnon-clients name=tablet private-key="8PpWI5bGKhCEV2H3vSfzsrBzIwTsgCNpIpbYEE1Ng3k=" public-key="EBndvKZsdrud9XtnfOT2lZYiKg4yt4g9DhY5Yn7Txjk=" /ip address add address=81.187.154.190/26 comment="Public LAN" interface=internal-vlan network=81.187.154.128 add address=10.0.0.254/24 comment="Private LAN" interface=internal-vlan network=10.0.0.0 add address=10.0.255.1 comment="OSPF Router ID" interface=loopback0 network=10.0.255.1 add address=10.0.2.254/24 comment="IOT segregated vlan" interface=iot-vlan network=10.0.2.0 add address=81.187.21.241/28 comment=sihnon-alternate interface=sihnon-alternate network=81.187.21.240 add address=82.69.87.199 comment="Zen public IP" interface=zen network=82.69.87.199 add address=81.187.154.189/26 disabled=yes 
interface=internal-vlan network=81.187.154.128 add address=10.210.21.6/30 interface=gsa-loy network=10.210.21.4 add address=10.210.27.6/30 interface=gsa-los network=10.210.27.4 add address=10.210.125.9/29 interface=gsa-vlan network=10.210.125.8 add address=10.0.8.1/24 interface=sihnon-clients network=10.0.8.0 add address=10.210.73.214/30 comment=gsa-loo interface=gsa-loo network=10.210.73.212 add address=10.0.5.2/24 interface=sihnon-highgate network=10.0.5.0 add address=192.168.1.1/24 comment="Unifi recovery" interface=internal-vlan network=192.168.1.0 add address=10.0.3.254/24 interface=internal-lag network=10.0.3.0 /ip dhcp-client # Interface not active add interface=ether1-admin /ip dhcp-server lease add address=10.0.0.202 comment="crow.sihnon.net raid2" mac-address=00:1B:4D:10:4C:38 add address=10.0.0.203 comment="crow.sihnon.net raid1" mac-address=00:1B:4D:40:DC:CB add address=81.187.154.158 always-broadcast=yes comment="Chromecast Audio" mac-address=54:60:09:DD:9E:B6 add address=81.187.154.182 comment=regan.jellybean.sihnon.net mac-address=18:E8:29:4D:37:D9 add address=81.187.154.148 comment=canaan.jellybean.sihnon.net mac-address=BC:24:11:BD:EF:13 add address=81.187.154.152 address-lists=internal-web-server comment=newhall.jellybean.sihnon.net mac-address=00:0C:29:99:AF:E0 add address=81.187.154.174 client-id=1:0:e:8:ce:6b:d7 comment=pelorum.sihnon.net disabled=yes mac-address=00:0E:08:CE:6B:D7 server=lan add address=81.187.154.167 client-id=1:7C:ED:8D:E8:AE:D3 comment="xbox-lr.sihnon.net (Ben's Xbox 360 S - Living Room)" mac-address=7C:ED:8D:E8:AE:D3 server=lan add address=81.187.154.165 comment=xbox-series-x mac-address=E4:2A:AC:3C:F2:E8 server=lan add address=81.187.154.140 address-lists=linux-server,web-server always-broadcast=yes comment=newhope.jellybean.sihnon.net mac-address=BC:24:11:6F:F9:AC server=lan add address=81.187.154.179 comment=dyton.sihnon.net mac-address=30:CD:A7:ED:DD:CC server=lan add address=81.187.154.154 comment="acer revo" 
disabled=yes mac-address=D0:27:88:22:F9:89 server=lan add address=10.0.0.99 address-lists=always-zen client-id=1:0:16:e6:80:e7:4c comment=yolanda.sihnon.net mac-address=00:16:E6:80:E7:4C server=lan add address=10.0.0.174 always-broadcast=yes client-id=1:0:d:c5:d6:aa:20 comment="IP Cam (Driveway)" mac-address=00:0D:C5:D6:AA:20 server=lan add address=81.187.154.151 comment=tracey.jellybean.sihnon.net mac-address=B8:AE:ED:EA:07:20 server=lan add address=10.0.0.201 client-id=1:0:25:90:1:e2:56 comment="crow.sihnon.net ILO" mac-address=00:25:90:01:E2:56 server=lan add address=81.187.154.156 client-id=1:0:c:6c:5:3:c5 comment="kalidasa.shadow.sihnon.net - elgato netstream 4sat" disabled=yes mac-address=00:0C:6C:05:03:C5 server=lan add address=81.187.154.159 always-broadcast=yes comment="Living Room Chromecast Audio" mac-address=54:60:09:ED:B7:92 server=lan add address=81.187.154.160 always-broadcast=yes comment="Bedroom chromecast" mac-address=54:60:09:ED:B7:08 server=lan add address=10.0.0.127 address-lists=always-zen always-broadcast=yes client-id=1:28:18:78:8e:6f:3d mac-address=28:18:78:8E:6F:3D server=lan add address=10.0.0.120 client-id=1:3c:cd:93:f1:c6:f0 mac-address=3C:CD:93:F1:C6:F0 server=lan add address=81.187.154.168 always-broadcast=yes client-id=1:3c:15:c2:2c:92:d6 comment="Frankie's iPad" mac-address=3C:15:C2:2C:92:D6 server=lan add address=10.0.0.145 client-id=1:0:23:54:84:c4:f3 comment="Frankie old PC" mac-address=00:23:54:84:C4:F3 server=lan add address=81.187.154.164 client-id=1:0:18:56:2e:64:37 comment="EyeFi Scanner" mac-address=00:18:56:2E:64:37 server=lan add address=81.187.154.157 comment="Salisbury chromecast" mac-address=6C:AD:F8:BF:4A:5F server=lan add address=81.187.154.161 always-broadcast=yes comment="Chromecast Audio" mac-address=54:60:09:DD:9E:EA server=lan add address=81.187.154.180 client-id=1:0:c:42:52:a1:d5 comment=boros.jellybean.sihnon.net disabled=yes mac-address=00:0C:42:52:A1:D5 server=lan add address=10.0.0.109 
client-id=1:0:4:20:f6:a1:d6 mac-address=00:04:20:F6:A1:D6 server=lan add address=81.187.154.163 comment="Harvest2 (Kitchen Chromecast)" mac-address=F4:F5:D8:20:81:26 server=lan add address=10.0.0.102 client-id=1:80:2a:a8:4e:b:b7 comment="camera1 (uvc-g3)" mac-address=80:2A:A8:4E:0B:B7 server=lan add address=10.0.0.103 client-id=1:80:2a:a8:cc:7f:92 mac-address=80:2A:A8:CC:7F:92 server=lan add address=81.187.154.155 comment="Bedroom TV chromecast" mac-address=F4:F5:D8:9D:5D:CC server=lan add address=81.187.154.183 always-broadcast=yes client-id=1:d4:ae:5:f:8:7 comment="Galaxy Tab S3" mac-address=D4:AE:05:0F:08:07 server=lan add address=81.187.154.169 comment=XboxOneX mac-address=F0:6E:0B:39:65:33 server=lan add address=10.0.0.83 client-id=ff:11:1c:c:ba:0:1:0:e:11:1c:c:ba comment="Tape library" mac-address=00:0E:11:1C:0C:BA server=lan add address=81.187.154.184 comment="bester.sihnon.net (UPS)" mac-address=00:0C:15:01:AC:17 server=lan add address=10.0.0.80 always-broadcast=yes client-id=1:0:9c:2:9e:75:2a comment=multiverse1-oba.shadow.sihnon.net mac-address=00:9C:02:9E:75:2A server=lan add address=81.187.154.134 address-lists=web-server,linux-server,plex-server comment=cortex.jellybean.sihnon.net mac-address=00:50:56:B9:06:A9 server=lan add address=81.187.154.162 client-id=1:0:4:4b:b4:c0:6d comment="nvidia shield" dhcp-option=pihole mac-address=00:04:4B:B4:C0:6D server=lan add address=81.187.154.177 client-id=1:f6:d0:1:19:37:8 comment="Frankie's phone" mac-address=F6:D0:01:19:37:08 server=lan add address=81.187.154.154 comment="Jubal.jellybean.sihnon.net (nuc) " mac-address=1C:69:7A:00:0D:62 server=lan add address=81.187.154.186 client-id=1:c4:ad:34:4e:e3:9a comment="bourne.jellybean.sihnon.net (GSA RB951G-2HnD)" mac-address=C4:AD:34:4E:E3:9A server=lan add address=10.0.0.119 client-id=1:90:1b:e:a7:31:a1 comment=multiverse-oba.shadow.sihnon.net mac-address=90:1B:0E:A7:31:A1 server=lan add address=81.187.154.132 client-id=1:90:1b:e:ad:84:70 
comment=multiverse.jellybean.sihnon.net mac-address=90:1B:0E:AD:84:70 server=lan add address=81.187.154.153 client-id=1:a0:48:1c:86:d:49 comment=louwbrobert1 mac-address=A0:48:1C:86:0D:49 server=lan add address=81.187.154.178 comment=S21 dhcp-option=pihole mac-address=28:C2:1F:88:44:FA server=lan add address=10.0.0.114 address-lists=abode comment="Abode Gateway" mac-address=B0:C5:CA:3D:49:3A server=lan add address=10.0.2.194 address-lists=abode client-id=1:34:75:63:6f:c7:91 comment="Abode Doorbell" mac-address=34:75:63:6F:C7:91 server=iot add address=81.187.154.154 comment="usb-c dock" disabled=yes mac-address=A0:CE:C8:D7:0D:E7 add address=81.187.154.175 client-id=1:0:50:56:6:4c:ac comment=highgate.sihnon.net mac-address=00:50:56:06:4C:AC server=lan add address=10.0.2.198 comment="Chromecast Audio - Living Room Speakers" mac-address=54:60:09:ED:B7:92 server=iot add address=81.187.154.170 client-id=1:8c:b8:7e:a0:23:aa comment=xps17 dhcp-option=pihole mac-address=8C:B8:7E:A0:23:AA server=lan add address=10.0.0.57 client-id=1:44:d9:e7:2:23:f3 comment="Garage AP" mac-address=44:D9:E7:02:23:F3 server=lan add address=81.187.21.245 comment="ariel.jellybean.sihnon.net (terraform)" mac-address=00:50:56:9A:BB:23 add address=81.187.21.243 comment="alma9-canary.jellybean.sihnon.net (terraform)" disabled=yes mac-address=00:50:56:9A:77:55 add address=81.187.154.139 comment="alexandria.jellybean.sihnon.net (terraform)" mac-address=00:50:56:9A:6F:88 add address=81.187.154.143 comment="deadwood.jellybean.sihnon.net (terraform)" mac-address=00:50:56:9A:9A:8A add address=81.187.154.129 comment="athens.jellybean.sihnon.net (terraform)" mac-address=00:50:56:9A:58:2C add address=81.187.154.145 comment="box.jellybean.sihnon.net (terraform)" mac-address=00:50:56:B9:CD:E0 add address=81.187.154.144 comment="conrad.jellybean.sihnon.net (terraform)" mac-address=00:50:56:9A:0A:76 add address=81.187.154.149 comment="branson.jellybean.sihnon.net (terraform)" mac-address=00:50:56:B9:FA:59 add 
address=81.187.21.244 comment="ares.jellybean.sihnon.net (terraform)" mac-address=00:50:56:9A:C4:42 add address=81.187.154.150 comment="bullet.jellybean.sihnon.net (terraform)" mac-address=00:50:56:9A:F6:2A add address=81.187.21.253 comment="alma-canary.jellybean.sihnon.net (terraform)" mac-address=00:50:56:9A:FC:8A add address=81.187.154.141 comment="whitefall.jellybean.sihnon.net (terraform)" mac-address=00:50:56:9A:9F:35 add address=81.187.154.176 comment="mathias.jellybean.sihnon.net (terraform)" mac-address=00:0E:08:3B:4A:24 add address=81.187.154.188 comment="paquin.jellybean.sihnon.net (terraform)" mac-address=F0:9F:C2:09:87:57 add address=10.0.3.246 comment="miranda.jellybean.sihnon.net (terraform)" mac-address=18:E8:29:AD:F5:C6 server=unifi-mgmt add address=10.0.0.58 comment="Hue Bridge (terraform)" mac-address=00:17:88:29:20:17 add address=81.187.154.185 comment="osiris.jellybean.sihnon.net (terraform)" mac-address=F0:9F:C2:09:89:2B add address=10.0.3.247 comment="verbena.jellybean.sihnon.net (terraform)" mac-address=F0:9F:C2:0D:66:05 server=unifi-mgmt add address=81.187.154.166 comment="HDHomeRun (terraform)" mac-address=00:18:DD:25:0F:9E add address=81.187.21.242 comment="ormuzd.jellybean.sihnon.net (terraform)" mac-address=00:50:56:9A:59:CD add address=10.210.125.10 comment="GSA IP8861 Desk Phone" dhcp-option=gsa-cucm-tftp mac-address=24:7E:12:67:64:DC server=gsa-vpn add address=10.0.0.123 comment="Xmas Tree Kasa smartplug" mac-address=1C:61:B4:53:06:6B server=lan add address=81.187.154.171 comment="Kitchen Display (Google Home Hub Max)" mac-address=14:C1:4E:0E:EC:72 server=lan add address=10.0.2.188 comment=Dehumidifier mac-address=C4:39:60:E1:C5:42 server=iot add address=10.0.2.185 comment=hass-proxy-1 mac-address=30:C6:F7:F8:D6:DB server=iot add address=10.0.2.184 comment=Kitchen-shelly-1 mac-address=34:94:54:7C:03:C7 server=iot add address=10.0.0.185 disabled=yes mac-address=30:C6:F7:F7:1B:B3 server=lan add address=10.0.2.180 comment="Emporia Vue 2 
Energy Monitor" mac-address=A4:E5:7C:FC:0F:B8 server=iot add address=10.0.2.179 comment="AC: Kitchen" mac-address=B8:8C:29:5A:EB:88 server=iot add address=10.0.2.178 comment=ac-livingroom mac-address=9C:C1:2D:28:DD:16 server=iot add address=10.0.2.177 comment=ac-bedroom1 mac-address=9C:C1:2D:10:C8:DE server=iot add address=10.0.2.176 comment=ac-bedroom2 mac-address=9C:C1:2D:29:24:02 server=iot add address=10.0.2.175 comment=ac-nursery mac-address=9C:C1:2D:1C:8F:08 server=iot add address=10.0.2.174 comment=ac-spareroom mac-address=9C:C1:2D:12:41:80 server=iot add address=10.0.2.173 comment=ac-office mac-address=9C:C1:2D:1C:8E:C0 server=iot add address=10.0.2.171 comment="Electric Blanket Kasa smartplug" mac-address=30:DE:4B:D0:DE:32 server=iot add address=10.0.2.170 comment="Office Servers" mac-address=30:DE:4B:D0:DD:D5 server=iot add address=10.0.2.168 comment=Awair1 mac-address=70:88:6B:16:39:B1 server=iot add address=10.0.2.167 comment="Awair Office" mac-address=70:88:6B:16:3E:EC server=iot add address=10.0.2.164 client-id=1:94:e6:86:fa:52:38 comment="MyEnergi Eddi" mac-address=94:E6:86:FA:52:38 server=iot add address=10.0.2.163 client-id=1:0:1d:c0:7c:e3:8f comment="Enphase Envoy" mac-address=00:1D:C0:7C:E3:8F server=iot add address=10.0.2.162 comment="Office Desk KP115" mac-address=30:DE:4B:D0:D7:D9 server=iot add address=10.0.2.161 client-id=1:e8:ee:cc:35:4:89 comment="Ankermake M5" mac-address=E8:EE:CC:35:04:89 server=iot add address=10.0.2.156 comment="Tesla Energy Gateway" mac-address=98:ED:5C:01:E9:00 server=iot add address=81.187.154.172 comment="Office Display" mac-address=1C:53:F9:7C:B0:2E server=lan add address=81.187.154.173 client-id=1:44:bb:3b:22:41:f1 comment="Nest Doorbell" mac-address=44:BB:3B:22:41:F1 add address=81.187.154.133 comment="derrial.jellybean (public LAN)" mac-address=00:50:56:B9:14:BD add address=10.0.0.81 client-id=1:78:e3:6d:e3:ff:f7 comment="higgins (zigbee coordinator)" mac-address=78:E3:6D:E3:FF:F7 server=lan add 
address=10.0.0.67 client-id=1:0:6:78:d4:eb:b4 comment="Denon AVR-X1800H Living Room" mac-address=00:06:78:D4:EB:B4 server=lan add address=10.0.2.142 comment="Office Servers (Tapo P110 smart plug)" mac-address=7C:F1:7E:21:AE:F0 server=iot add address=81.187.154.130 comment=multiverse1.jellybean.sihnon.net mac-address=2C:76:8A:51:F6:24 server=lan add address=10.0.0.87 comment="Nintendo Switch" mac-address=74:84:69:AE:3F:54 server=lan add address=10.0.3.248 client-id=1:84:78:48:1c:b4:91 mac-address=84:78:48:1C:B4:91 server=unifi-mgmt add address=10.0.3.250 client-id=1:9c:5:d6:e2:92:7a mac-address=9C:05:D6:E2:92:7A server=unifi-mgmt add address=10.0.3.249 client-id=1:c:ea:14:b7:b9:91 mac-address=0C:EA:14:B7:B9:91 server=unifi-mgmt add address=10.0.3.239 client-id=1:44:d9:e7:2:23:f3 mac-address=44:D9:E7:02:23:F3 server=unifi-mgmt add address=10.0.3.237 client-id=1:18:e8:29:e0:fd:9f comment="Living Room AP" mac-address=18:E8:29:E0:FD:9F server=unifi-mgmt add address=10.0.3.251 client-id=1:1c:b:8b:c6:2b:d comment=osiris.shadow.sihnon.net mac-address=1C:0B:8B:C6:2B:0D server=unifi-mgmt add address=10.0.3.231 client-id=1:1c:6a:1b:1e:9c:a9 comment="Living Room AP" mac-address=1C:6A:1B:1E:9C:A9 server=unifi-mgmt add address=81.187.154.135 client-id=1:10:b6:76:50:ca:df comment=louwbrobert2 dhcp-option=pihole mac-address=10:B6:76:50:CA:DF server=lan add address=10.0.0.115 client-id=1:94:83:c4:be:75:82 comment=monty-kvm mac-address=94:83:C4:BE:75:82 server=lan add address=10.0.0.116 client-id=1:94:83:c4:be:76:8d comment=meadow-kvm mac-address=94:83:C4:BE:76:8D server=lan add address=81.187.154.136 client-id=1:D2:89:5B:98:28:33 comment="meadow (MS-A2)" mac-address=D2:89:5B:98:28:33 server=lan add address=81.187.154.137 client-id=1:8A:BE:59:EE:DB:3F comment="monty (MS-A2)" mac-address=8A:BE:59:EE:DB:3F server=lan add address=10.0.3.229 client-id=1:f4:e2:c6:5f:6c:5a comment=perdido mac-address=F4:E2:C6:5F:6C:5A server=unifi-mgmt add address=10.0.0.124 client-id=1:94:83:c4:be:76:5b 
comment=murphy-kvm mac-address=94:83:C4:BE:76:5B server=lan add address=81.187.154.138 client-id=1:22:fb:45:b2:3a:5d comment="murphy (MS-A2)" mac-address=22:FB:45:B2:3A:5D server=lan add address=81.187.154.131 comment="aphrodite.jellybean.sihnon.net (truenas)" mac-address=BC:24:11:C6:15:19 server=lan add address=10.0.0.117 comment=jubal-kvm mac-address=94:83:C4:BE:75:8B server=lan add address=10.0.0.133 client-id=1:88:57:21:6a:79:df comment="hill.jellybean.sihnon.net (Matter Coordinator)" mac-address=88:57:21:6A:79:DF server=lan add address=81.187.154.142 comment="sweethome.jellybean.sihnon.net (hass)" mac-address=BC:24:11:89:91:92 /ip dhcp-server network add address=10.0.0.0/24 boot-file-name=pxelinux.0 comment="Guest Subnet" dns-server=81.187.21.245,81.187.21.244,8.8.8.8 domain=sihnon.net gateway=10.0.0.254 netmask=24 next-server=81.187.154.133 ntp-server=81.187.154.190 add address=10.0.2.0/24 comment=IOT dns-server=8.8.8.8,8.8.4.4 gateway=10.0.2.254 ntp-server=10.0.2.254 add address=10.0.3.0/24 comment=unifi-mgmt dhcp-option=unifi-controller dns-server=81.187.21.245,81.187.21.244,8.8.8.8 domain=shadow.sihnon.net gateway=10.0.3.254 ntp-server=10.0.3.254 add address=10.210.125.8/29 comment="GSA VPN" dns-server=10.210.254.10,10.210.254.100 domain=intra.gsacapital.com gateway=10.210.125.9 ntp-server=10.210.125.9 add address=81.187.21.240/28 boot-file-name=pxelinux.0 dns-server=81.187.21.245,81.187.21.244,8.8.8.8 domain=jellybean.sihnon.net gateway=81.187.21.241 netmask=28 next-server=81.187.154.141 ntp-server=81.187.154.190 add address=81.187.154.128/26 boot-file-name=pxelinux.0 comment="AA Public" dns-server=81.187.21.245,81.187.21.244,8.8.8.8 domain=sihnon.net gateway=81.187.154.190 netmask=26 next-server=81.187.154.141 ntp-server=81.187.154.190 /ip dns set allow-remote-requests=yes mdns-repeat-ifaces=internal-vlan,iot-vlan,sihnon-alternate servers=81.187.21.244,81.187.21.245,8.8.8.8 /ip firewall address-list add address=10.0.0.0/8 list=local-addresses add 
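address=81.187.154.128/26 comment=southwater-aa list=local-addresses
# NOTE(review): the `/ip firewall address-list` header and the `add` keyword of
# the entry above precede this chunk. The lists defined here gate the filter,
# mangle and NAT rules further down; `remote-management`, `fail2ban-trusted`
# and `local-addresses` control management access and exemptions, so entries
# in those three deserve the most scrutiny when this export is reviewed.
add address=81.187.154.188 comment="Addresses used by routers for VRRP" list=router-vrrp
add address=81.187.154.128/26 list=fail2ban-trusted
add address=10.0.0.0/8 list=fail2ban-trusted
add address=213.52.196.70 comment="GSA OY Internet" list=fail2ban-trusted
add address=81.187.21.240/28 comment=fail2ban-trusted list=fail2ban-trusted
add address=81.187.30.110-81.187.30.119 list=aaisp-voip-gateways
add address=90.155.3.0/24 list=aaisp-voip-gateways
add address=90.155.103.0/24 list=aaisp-voip-gateways
add address=81.187.154.154 comment=jubal list=gsa-vpn-whitelist
add address=81.187.154.135 comment=serenity list=gsa-vpn-whitelist
add address=213.52.196.70 comment="GSA OY NAT" list=remote-management
add address=81.187.154.128/26 list=remote-management
add address=81.187.21.240/28 comment=southwater-el list=local-addresses
add address=81.187.154.176 comment=mathias.jellybean.sihnon.net list=gsa-vpn-whitelist
add address=81.187.154.132 comment=crow disabled=yes list=gsa-vpn-whitelist
add address=90.155.91.64/26 comment="Andrew's house" list=remote-management
add address=178.32.51.204 comment=highgate list=ipsec-destinations
add address=185.137.0.0/22 comment="GSA Public Internet" list=remote-management
add address=51.255.130.132 comment=Fanty list=trusted-internet
add address=51.255.130.132/30 comment=Fanty list=local-addresses
add address=51.255.130.132 comment=Fanty list=ipsec-destinations
add address=185.137.2.35 list=gsa-vpn-gateways
add address=213.52.196.69 list=gsa-vpn-gateways
add address=91.121.231.112/29 comment="fanty public hosts" list=local-addresses
add address=91.121.231.112/29 list=fail2ban-trusted
add address=91.121.231.112/29 list=offsite-trusted
add address=81.187.154.186 comment=bourne list=router
add address=81.187.154.189 comment=beylix list=router
add address=81.187.154.190 comment=router list=router
add address=81.187.21.240/28 list=bonding-sources
add address=81.187.154.128/26 list=bonding-sources
add address=81.187.221.120 disabled=yes list=bonding-sources
add address=90.155.91.64/26 comment=Andrew list=fail2ban-trusted
add address=91.121.231.112/29 comment=sys list=remote-management
add address=148.251.78.152 comment="slow mirror" list=outbound-blacklist
add address=51.254.241.210 comment=dispatcher.sabayon.org list=sabayon-servers
add address=51.254.241.209 comment=scrinfra.sabayon.org list=sabayon-servers
add address=91.121.231.114 comment="georgia (ns5)" list=name-server
add address=81.187.154.186 list=always-zen
add address=81.187.154.135 list=always-zen
add address=81.187.154.128/26 disabled=yes list=always-aa
add address=81.187.154.129 list=always-aa
add address=81.187.154.134 list=always-aa
add address=81.187.154.138 list=always-aa
add address=81.187.154.137 list=always-aa
add address=81.187.154.151 list=always-aa
add address=81.187.154.146 list=always-aa
add address=81.187.154.147 list=always-aa
add address=81.187.154.148 list=always-aa
add address=81.187.154.149 list=always-aa
add address=81.187.154.150 list=always-aa
add address=81.187.154.169 list=always-aa
add address=81.187.154.176 list=always-aa
add address=81.187.154.135 disabled=yes list=always-aa
add address=81.187.154.140 list=always-aa
add address=93.41.32.175 comment=mudler list=remote-management
add address=81.2.95.182 disabled=yes list=always-aa-destinations
add address=45.67.124.188 comment=geaaru list=remote-management
add address=45.67.124.188 comment=geaaru list=fail2ban-trusted
add address=86.147.134.65 comment="Linden House" list=remote-management
add address=86.147.134.65 comment="Linden House" list=fail2ban-trusted
add address=188.165.192.126 list=offsite-trusted
add address=81.187.21.240/28 list=remote-management
add address=81.187.154.144 list=linux-server
add address=81.187.154.134 comment=cortex.jellybean.sihnon.net list=plex-server
add address=81.187.154.145 list=name-server
add address=81.187.154.149 list=name-server
add address=81.187.154.150 list=name-server
add address=81.187.154.145 list=always-aa
add address=81.187.154.144 list=always-aa
add address=81.187.154.143 list=always-aa
add address=81.187.154.142 list=always-aa
add address=82.69.87.199 comment=Zen list=remote-management
add address=81.187.154.152 list=always-aa
add address=81.187.154.144 list=web-server
add address=81.187.21.245 list=internal-web-server
add address=81.187.21.244 list=internal-web-server
add address=81.187.21.244 list=always-aa
add address=81.187.21.245 list=always-aa
add address=51.254.241.208/28 comment=SYS-EL list=local-addresses
add address=51.254.241.208/28 comment=SYS-EL list=fail2ban-trusted
add address=81.187.154.141 list=always-aa
add address=37.187.140.108 comment=mingo.sihnon.net list=esxi-servers
add address=81.187.154.152 comment=newhall.jellybean.sihnon.net list=vcenter-servers
add address=81.187.21.244 comment=ares.jellybean.sihnon.net list=name-server
add address=81.187.21.245 comment=ariel.jellybean.sihnon.net list=name-server
add address=81.187.154.178 comment=s21 disabled=yes list=always-aa
add address=81.187.154.162 disabled=yes list=always-aa
add address=81.187.154.152 comment=newhall list=internal-web-server
add address=185.137.0.50 comment=loypopnsense1 list=gsa-wireguard
add address=185.137.2.50 comment=lospopnsense1 list=gsa-wireguard
add address=10.210.21.5 comment=loynopnsense1 list=gsa-wireguard-bgp
add address=10.210.27.5 comment=losnopnsense1 list=gsa-wireguard-bgp
# Fixed: this entry was `10.210.125.8.29` (a dotted typo, not a prefix; RouterOS
# would only accept it as a host name to resolve), so the /29 was missing from
# local-addresses even though the same prefix is listed in fail2ban-trusted,
# remote-management and gsa-vpn-sources below. local-addresses is used by the
# `dst-address-list=!local-addresses` filter and mangle rules, so the gap
# changed how traffic to this range was classified.
add address=10.210.125.8/29 list=local-addresses
add address=10.210.125.8/29 list=fail2ban-trusted
add address=10.210.125.8/29 list=remote-management
add address=10.210.21.4/30 list=gsa-vpn-sources
add address=10.210.27.4/30 list=gsa-vpn-sources
add address=10.210.125.8/29 list=gsa-vpn-sources
# NOTE(review): 10.0.0.0/8 in remote-management grants management access to
# every address reachable through the GSA, fanty and highgate tunnels
# (10.210.x, 10.0.4.x, 10.0.5.x, ...), not only to local hosts -- confirm that
# scope is intended rather than the specific tunnel prefixes.
add address=10.0.0.0/8 list=remote-management
add address=81.187.21.242 comment=ormuzd.jellybean.sihnon.net list=always-aa
add address=81.187.21.249 list=web-server
add address=88.98.194.2 comment=loonopnsense1 list=gsa-wireguard
add address=10.210.73.213 comment=loonopnsense1 list=gsa-wireguard-bgp
add address=81.187.154.134 comment=cortex.jellybean.sihnon.net list=web-server
add address=10.210.73.212/30 list=gsa-vpn-sources
add address=135.181.217.252 comment=muir.sihnon.net list=offsite-trusted
add address=135.181.217.249 comment=highgate list=trusted-internet
/ip firewall filter
# Rules are evaluated top to bottom within each chain; the "Reject all
# outstanding connections" rules near the end of input/forward make anything
# placed after them unreachable.
# NOTE(review): the first rule accepts *all* input on ether1-admin with no
# source restriction -- acceptable only while that port is physically isolated.
add action=accept chain=input comment="Emergency access, allow all via ether1" in-interface=ether1-admin
# NOTE(review): `limit=3/1m,2:packet` matches packets *within* the rate, so the
# first new SSH connection from a source outside the exempt list is blacklisted
# for a day immediately rather than after repeated failures. The
# "fail2ban-whitelist" list named in the comment does not exist in this export:
# the forward rule exempts `remote-management`, the (disabled) input rule
# exempts `fail2ban-trusted`.
add action=add-src-to-address-list address-list=inbound-blacklist address-list-timeout=1d chain=forward comment="Drop inbound ssh brute force attempts (whitelist using fail2ban-whitelist)" connection-state=new dst-port=22 limit=3/1m,2:packet protocol=tcp src-address-list=!remote-management
add action=add-src-to-address-list address-list=inbound-blacklist address-list-timeout=1d chain=input comment="Drop inbound ssh brute force attempts (whitelist using fail2ban-whitelist)" connection-state=new disabled=yes dst-port=22 limit=3/1m,2:packet protocol=tcp src-address-list=!fail2ban-trusted
add action=drop chain=input comment="Drop traffic from known blacklist addresses" src-address-list=inbound-blacklist
add action=drop chain=forward comment="Drop traffic from known blacklist addresses" src-address-list=inbound-blacklist
# NOTE(review): action=log only -- despite its comment this rule adds nothing to
# any list; the blacklisting happens in the rules above.
add action=log chain=input comment="Dynamically add addresses to the blacklist" dst-address-list=!local-addresses dst-port=31337 log-prefix="fail2ban blacklisting:" protocol=tcp
add action=reject chain=forward comment="Drop outbound blacklist traffic" dst-address-list=outbound-blacklist reject-with=icmp-network-unreachable
add action=reject chain=forward comment="Special address for blocking adverts on the local network (BIND serves 240.0.0.1 for all known ad domains)" dst-address=240.0.0.1 protocol=tcp reject-with=tcp-reset
add action=accept chain=input comment="Accept all related/established connections" connection-state=established,related
add action=fasttrack-connection chain=forward comment="Fasttrack packets in existing connections" connection-mark=no-mark connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept all related/established connections" connection-state=established,related
add action=accept chain=output comment="Accept all related/established connections" connection-state=established,related
# NOTE(review): a single TCP packet to port 31337 from *any* source adds that
# source to remote-management for 1h, which then unlocks the management rules
# further down. A one-port knock gives little protection against routine port
# scans; prefer a multi-stage sequence (staging address lists) or restrict this
# rule to the expected ingress interface and source ranges.
add action=add-src-to-address-list address-list=remote-management address-list-timeout=1h chain=input comment="Port Knocking: Temporarily add src address to remote-management list" dst-port=31337 log=yes log-prefix="Temporarily granting remote management" protocol=tcp
add action=reject chain=forward comment="Prevent all connections out using the\_special ports to prevent unnoticeable side-effects." dst-address-list=!local-addresses dst-port=31337 protocol=tcp reject-with=icmp-host-prohibited
# NOTE(review): the reject above already terminates forwarded 31337 traffic to
# non-local destinations, and the local destinations are largely also in
# fail2ban-trusted, so this rule looks unreachable in practice. Its comment
# also does not describe what it does (it blacklists the *destination*).
add action=add-dst-to-address-list address-list=inbound-blacklist address-list-timeout=1d chain=forward comment="Port Knocking: permit remote management" dst-address-list=!fail2ban-trusted dst-port=31337 protocol=tcp
# TODO carried over from the rule comments: restrict ICMP to the types actually
# needed (echo, destination-unreachable, time-exceeded) and rate-limit echo on
# the internet-facing interfaces.
add action=accept chain=input comment="Accept all ICMP traffic (TODO: lock this down)" protocol=icmp
add action=accept chain=output comment="Accept all ICMP traffic (TODO: lock this down)" protocol=icmp
add action=accept chain=input comment="UDP Traceroute traffic" connection-state=new dst-port=33434-33523 protocol=udp
add action=accept chain=forward comment="UDP Traceroute traffic" connection-state=new dst-port=33434-33523 protocol=udp
add action=accept chain=input comment="Accept all traffic from local trusted devices" in-interface-list=internal-trusted-interfaces
add action=accept chain=forward comment="Accept all traffic from local trusted devices" in-interface-list=internal-trusted-interfaces
add action=accept chain=input comment="wireguard sihnon-clients" dst-port=13231 log=yes protocol=udp
add action=accept chain=input comment="Allow DHCP on IOT" dst-port=67-68 in-interface=iot-vlan protocol=udp
add action=accept chain=input comment="Allow mDNS from iot VLAN" dst-address=224.0.0.251 dst-port=5353 in-interface=iot-vlan protocol=udp
add action=accept chain=forward comment="Allow ESPHome devices to contact the dashboard" dst-address=81.187.154.134 dst-port=6123,6052 in-interface=iot-vlan protocol=tcp
add action=accept chain=forward comment="Allow smarthings to publish to MQTT" dst-address=81.187.154.151 dst-port=8081 in-interface=iot-vlan protocol=tcp
# NOTE(review): no dst-address here, so IoT devices may reach TCP/1883 on any
# host; pin it to the broker as the rule above does for 8081.
add action=accept chain=forward comment="Allow IOT to publish to MQTT" dst-port=1883 in-interface=iot-vlan protocol=tcp
add action=accept chain=forward comment="Allow IOT traffic outbound towards the internet" in-interface=iot-vlan out-interface=zen
add action=accept chain=forward comment="Permit shelly from iot to hass colot" dst-address=81.187.21.240/28 dst-port=5683 in-interface=iot-vlan protocol=udp
add action=accept chain=forward comment="Allow communication between Abode devices" dst-address-list=abode in-interface=iot-vlan
# NOTE(review): no in-interface or source match, so any forwarded new connection
# towards a gsa-* tunnel is accepted regardless of where it entered; confirm an
# `in-interface-list=internal-trusted-interfaces` restriction is not intended.
add action=accept chain=forward out-interface-list=gsa
add action=accept chain=input disabled=yes in-interface=sihnon-clients
add action=accept chain=forward disabled=yes in-interface=sihnon-clients
add action=accept chain=input in-interface-list=sihnon-wireguard-peers
add action=accept chain=forward in-interface-list=sihnon-wireguard-peers
# NOTE(review): these two rules trust 10.1.0.0/24 by source address alone. Fanty
# traffic arriving over fanty-eoip is already accepted by the interface rules
# below; if these exist for another path, pin them to that interface so a
# spoofed 10.1.0.0/24 source on another interface is not accepted.
add action=accept chain=input comment="IPSec VPN from fanty LAN" src-address=10.1.0.0/24
add action=accept chain=forward comment="IPSec VPN from fanty LAN" src-address=10.1.0.0/24
add action=accept chain=input comment="Allow EoIP from peer routers" protocol=gre src-address-list=ipsec-destinations
add action=accept chain=input comment="Allow IPSec from peers" dst-port=500,4500 protocol=udp src-address-list=ipsec-destinations
add action=accept chain=input comment="Allow all traffic from fanty ipsec" in-interface=fanty-eoip
add action=accept chain=forward comment="Allow all traffic from fanty ipsec" in-interface=fanty-eoip
add action=accept chain=input comment="Allow BFD from gsa-los wg peer" dst-port=3784-3785 in-interface=gsa-los protocol=udp
add action=accept chain=input comment="Allow BFD from gsa-loo wg peer" dst-port=3784-3785 in-interface=gsa-loo protocol=udp
add action=accept chain=input comment="Allow BFD from gsa-loy wg peer" dst-port=3784-3785 in-interface=gsa-loy protocol=udp
# NOTE(review): accepts *all* UDP from the gsa-wireguard sources, not only the
# WireGuard port; add `dst-port=<gsa wireguard listen-port>` to narrow it.
add action=accept chain=input comment="GSA wireguard VPN" in-interface=zen protocol=udp src-address-list=gsa-wireguard
add action=accept chain=input comment="GSA wireguard ICMP" protocol=icmp src-address-list=gsa-wireguard-bgp
add action=accept chain=input comment="GSA Wireguard BGP" dst-port=179 protocol=tcp src-address-list=gsa-wireguard-bgp
add action=accept chain=forward comment=Plex dst-address-list=plex-server dst-port=32400 protocol=tcp
add action=accept chain=forward comment="Syslog from AAISP VoIP" dst-port=514 log-prefix=Syslog: protocol=udp src-address=81.187.30.119 src-port=5060
# NOTE(review): port 80 is plaintext HTTP. With www-ssl enabled further down,
# drop 80 from this rule and disable the `www` service (this export does not
# show it disabled, so it appears to be at its default).
add action=accept chain=input comment="Remote access to routers" dst-address-list=router dst-port=80,443 protocol=tcp src-address-list=remote-management
add action=accept chain=forward comment="Remote access to routers" dst-address-list=router dst-port=22,443 protocol=tcp src-address-list=remote-management
add action=accept chain=input comment="VRRP partner traffic" dst-address=224.0.0.18 protocol=vrrp src-address-list=router-vrrp
add action=accept chain=forward comment="SSH from remote-management" dst-address-list=linux-server dst-port=22 protocol=tcp src-address-list=remote-management
add action=accept chain=forward comment="DNS (TCP)" dst-address-list=name-server dst-port=53 protocol=tcp
add action=accept chain=forward comment="DNS (UDP)" dst-address-list=name-server dst-port=53 protocol=udp
add action=accept chain=forward comment="Web Server" dst-address-list=web-server dst-port=80,443 protocol=tcp
# NOTE(review): unrestricted forward from one public IP to every internal host
# and port; scope it to the destinations/ports muir actually needs.
add action=accept chain=forward comment="Allow inbound from muir.sihnon.net" src-address=135.181.217.252
add action=accept chain=forward comment="Permit access to internal web servers from trusted remote locations" dst-address-list=internal-web-server dst-port=80,443 protocol=tcp src-address-list=remote-management
# NOTE(review): no rule in this export jumps to chain `internal-only`, so it
# appears unused.
add action=reject chain=internal-only comment="Reject connections to hosts not designed to be reachable from outside" reject-with=icmp-admin-prohibited
add action=reject chain=input comment="Reject all outstanding connections" reject-with=icmp-host-prohibited
add action=reject chain=forward comment="Reject all outstanding connections" reject-with=icmp-host-prohibited
add action=accept chain=output comment="Allow all outstanding outgoing traffic"
# Removed: a trailing `accept chain=input dst-port=13231 protocol=udp` rule
# ("Allow wireguard to sihnon-clients") sat after the input-chain reject-all
# and could never match; the identical "wireguard sihnon-clients" rule above
# already accepts that traffic.
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1360 out-interface=gsa-loy protocol=tcp tcp-flags=syn tcp-mss=1361-65535
add action=change-mss chain=forward disabled=yes new-mss=1360 out-interface=gsa-los protocol=tcp tcp-flags=syn tcp-mss=1361-65535
add action=change-mss chain=forward disabled=yes in-interface=gsa-los new-mss=1360 protocol=tcp tcp-flags=syn,ack tcp-mss=1361-65535
add action=change-mss chain=forward disabled=yes in-interface=gsa-loy new-mss=1360 protocol=tcp tcp-flags=syn,ack tcp-mss=1361-65535
add action=accept chain=prerouting connection-mark=no-mark connection-state=established,related
add action=accept chain=prerouting connection-state=established,related in-interface=zen
# Policy routing: connections marked `aa` get routing-mark `aa`; the second
# mark-routing rule at the end of the chain catches packets whose connection
# was marked by the mark-connection rules below in the same pass.
add action=mark-routing chain=prerouting connection-mark=aa new-routing-mark=aa passthrough=no
add action=mark-connection chain=prerouting comment="Return any traffic received via AA back via AA" connection-mark=no-mark connection-state=new in-interface=aa-l2tp new-connection-mark=aa
add action=mark-connection chain=prerouting comment="Mark connections from AA address space to remote destinations to use AA routing" connection-mark=no-mark connection-state=new dst-address-list=!local-addresses new-connection-mark=aa src-address-list=always-aa
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-list=always-aa-destinations new-connection-mark=aa
add action=mark-connection chain=prerouting comment="Mark connections from always-zen IPs to always use Zen" connection-mark=no-mark connection-state=new new-connection-mark=zen src-address-list=always-zen
add action=mark-routing chain=prerouting connection-mark=aa new-routing-mark=aa
/ip firewall nat
add action=src-nat chain=srcnat out-interface=gsa-loy src-address-list=!gsa-vpn-sources to-addresses=10.210.125.9
add action=src-nat chain=srcnat out-interface=gsa-loo src-address-list=!gsa-vpn-sources to-addresses=10.210.125.9
add action=src-nat chain=srcnat out-interface=gsa-los src-address-list=!gsa-vpn-sources to-addresses=10.210.125.9
add action=src-nat chain=srcnat comment="NAT all outbound traffic via Zen" out-interface=zen to-addresses=82.69.87.199
add action=masquerade chain=srcnat disabled=yes out-interface=aa-l2tp
# NOTE(review): this translates TCP/32400 from zen to 81.187.21.249, but the
# forward chain only accepts 32400 towards the `plex-server` list
# (81.187.154.134) and 80/443 towards web-server, so unless a rule outside this
# chunk covers it the translated traffic is rejected. Confirm the intended host.
add action=dst-nat chain=dstnat comment="zen inbound NAT to plex" dst-port=32400 in-interface=zen protocol=tcp to-addresses=81.187.21.249
add action=dst-nat chain=dstnat comment="plex nat" disabled=yes dst-address=81.187.154.185 dst-port=443 protocol=tcp to-addresses=81.187.154.134 to-ports=32400
add action=masquerade chain=srcnat comment="Masquerade traffic to powerwall energy gateway from other subnets" dst-address=10.0.2.156 out-interface=iot-vlan src-address=!10.0.2.0/24 src-address-list=local-addresses
/ip firewall service-port
set tftp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment="Always route AA L2TP via Zen" distance=1 dst-address=90.155.53.19/32 gateway=zen
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=aa-l2tp pref-src="" routing-table=aa suppress-hw-offload=no
add distance=1 gateway=zen routing-table=zen
add disabled=no distance=1 dst-address=81.187.154.128/26 gateway=internal-vlan pref-src="" routing-table=aa suppress-hw-offload=no
add disabled=no distance=1 dst-address=81.187.21.240/28 gateway=sihnon-alternate pref-src=0.0.0.0 routing-table=aa scope=30 suppress-hw-offload=no target-scope=10
# NOTE(review): no gateway on this route -- confirm it is an intentional
# placeholder/unreachable entry and not a half-finished change.
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway="" pref-src="" routing-table=main suppress-hw-offload=no
/ipv6 route
add distance=1 dst-address=::/0 gateway=%aa-l2tp
/ip service
set telnet disabled=yes
set www-ssl certificate=letsencrypt disabled=no
# NOTE(review): the SMB share root is set but the service's enable state is not
# in this chunk; confirm SMB is disabled or bound to internal interfaces only.
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
# Fixed: removed `null` from the cipher list -- it allows an unencrypted SSH
# session to be negotiated. `3des-cbc` and `aes-cbc` are kept for compatibility
# but should be dropped once no client depends on them.
# NOTE(review): `forwarding-enabled=remote` lets SSH users open listening ports
# on the router; confirm that is required.
set ciphers=aes-gcm,aes-ctr,aes-cbc,3des-cbc forwarding-enabled=remote
# NOTE(review): UPnP lets any LAN device request inbound port mappings on zen
# without an explicit firewall change; disable it unless a specific device
# needs it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=internal-vlan type=internal
add interface=zen type=external
/ipv6 address
add address=2001:8b0:3b3:0:dc2c:6eff:fe89:ee6 interface=internal-vlan
add address=2001:8b0:3b3:1:dc2c:6eff:fe89:ee6 interface=sihnon-alternate
/ipv6 firewall address-list
add address=2001:8b0:3b3:0:7c53:7426:91a6:33c/128 comment=ns1.sihnon.net list=name-servers
add address=2001:8b0:3b3:0:d047:d94f:2196:ef8c/128 comment=ns2.sihnon.net list=name-servers
add address=2a02:8010:60b7:0:4b76:8075:cc74:35c8/128 comment=santo.sihnon.net list=name-servers
add address=2001:8b0:3b3:0:10ea:d789:58c4:e677/128 comment=tracey.sihnon.net list=name-servers
add address=2a01:4f8:202:43af::2/128 comment="slow mirror" list=outbound-blacklist
add address=2001:8b0:3b3:1:250:56ff:fe9a:bb23/128 comment="ns3.sihnon.net (ariel)" list=name-servers
add address=2001:8b0:3b3:1:250:56ff:fe9a:c442/128 comment="ns4.sihnon.net (ares)" list=name-servers
/ipv6 firewall filter
add action=reject chain=forward dst-address-list=outbound-blacklist reject-with=icmp-admin-prohibited
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=accept chain=output connection-state=established,related
add action=accept chain=forward protocol=icmpv6
add action=accept chain=input protocol=icmpv6
add action=accept chain=forward in-interface=internal-vlan
add action=accept chain=input in-interface=internal-vlan
add action=accept chain=forward comment="DNS (UDP)" dst-address-list=name-servers dst-port=53 protocol=udp
add action=accept chain=forward comment="DNS (TCP fallback)" dst-address-list=name-servers dst-port=53 protocol=tcp
add action=reject chain=forward reject-with=icmp-admin-prohibited
add action=reject chain=input reject-with=icmp-admin-prohibited
add action=accept chain=output
/ipv6 nd
set [ find default=yes ] advertise-dns=no
# NOTE(review): this PPPoE account's password is stored in clear text in the
# export; treat the export as sensitive and rotate the secret if it has been
# shared.
/ppp secret
add name=bthomehub@btbroadband.com password=bt profile=bt-simulator service=pppoe
/routing bfd configuration
add disabled=no interfaces=gsa-loo
add disabled=no interfaces=gsa-los
add disabled=no interfaces=gsa-loy
/routing bgp connection
add as=64810 connect=yes disabled=yes listen=yes local.address=10.3.0.9 .role=ebgp name=fanty output.filter-chain=bgp-local-out .redistribute=connected remote.address=10.3.0.10/32 .as=64811 router-id=10.0.255.1 routing-table=main templates=sihnon
add as=64810 connect=yes disabled=yes listen=yes local.address=81.187.154.190 .role=ebgp name=bourne output.filter-chain=bgp-local-out .redistribute=connected remote.address=81.187.154.186/32 .as=64814 router-id=10.0.255.1 routing-table=main templates=sihnon
add as=64810 connect=yes disabled=no listen=yes local.address=10.0.5.2 .role=ebgp name=highgate-wireguard output.filter-chain=bgp-local-out .redistribute=connected remote.address=10.0.5.1 .as=64812 router-id=10.0.255.1 routing-table=main templates=sihnon
add as=64619 connect=yes disabled=no hold-time=9s input.filter=bgp-gsa-in keepalive-time=3s listen=yes local.address=10.210.21.6 .role=ebgp name=gsa-loy output.filter-chain=bgp-gsa-out .keep-sent-attributes=yes .redistribute=connected remote.address=10.210.21.5 .as=64558 router-id=10.210.125.9 routing-table=main templates=gsa-wireguard use-bfd=yes
# NOTE(review): gsa-los has no `local.address` unlike its gsa-loy/gsa-loo
# siblings -- confirm that is deliberate.
add as=64619 connect=yes disabled=no hold-time=9s input.filter=bgp-gsa-in keepalive-time=3s listen=yes local.role=ebgp name=gsa-los output.filter-chain=bgp-gsa-out .keep-sent-attributes=yes .redistribute=connected remote.address=10.210.27.5/32 .as=64559 router-id=10.210.125.9 routing-table=main templates=gsa-wireguard use-bfd=yes
add afi=ip,ipv6 as=64810 connect=yes disabled=no listen=yes local.address=10.0.4.2 .role=ebgp name=fanty-wireguard output.filter-chain=bgp-local-out .redistribute=connected,static,vpn,dhcp remote.address=10.0.4.1 .as=64811 .port=179 router-id=10.0.255.1 routing-table=main templates=sihnon
add as=64619 connect=yes disabled=no hold-time=9s input.filter=bgp-gsa-in keepalive-time=3s listen=yes local.address=10.210.73.214 .role=ebgp name=gsa-loo output.filter-chain=bgp-gsa-out .keep-sent-attributes=yes .redistribute=connected remote.address=10.210.73.213 .as=64561 router-id=10.210.125.9 routing-table=main templates=gsa-wireguard use-bfd=yes
/routing filter rule
# Outbound announcements: only the two local public prefixes, 10.0.0.0/16
# aggregates (excluding more-specifics of 10.0.4.0/24) and 10.210.124.32/29;
# everything else is rejected by the final rule.
add chain=bgp-local-out disabled=no rule="if (dst==81.187.154.128/26) { accept }"
add chain=bgp-local-out disabled=no rule="if (dst==81.187.21.240/28) { accept }"
add chain=bgp-local-out disabled=no rule="if (dst in 10.0.4.0/24 && dst-len>16) { reject}"
add chain=bgp-local-out disabled=no rule="if (dst in 10.0.0.0/16 && dst-len>16) { accept }"
add chain=bgp-local-out disabled=no rule="if (dst==10.210.124.32/29) { accept }"
add chain=bgp-local-out disabled=no rule=reject
add chain=bgp-gsa-in comment="Reduce preference for outbound traffic via loy peer" disabled=no rule="if (bgp-input-remote-addr == 10.210.21.5) { set bgp-local-pref 100 }"
add chain=bgp-gsa-in comment="Increase preference for outbound traffic via los peer" disabled=no rule="if (bgp-input-remote-addr == 10.210.27.5) { set bgp-local-pref 200 }"
# NOTE(review): 10.210.73.213 is the gsa-loo peer, so this rule's comment
# ("via los peer") is a copy-paste leftover; it actually makes loo the most
# preferred path (local-pref 500).
add chain=bgp-gsa-in comment="Increase preference for outbound traffic via los peer" disabled=no rule="if (bgp-input-remote-addr == 10.210.73.213) { set bgp-local-pref 500 }"
add chain=bgp-gsa-in disabled=no rule="if (dst in 10.210.0.0/16 && dst-len>=16) { accept }"
add chain=bgp-gsa-in disabled=no rule="if (dst in 10.250.0.0/20 && dst-len>=20) { accept }"
add chain=bgp-gsa-in disabled=no rule="if (dst in 82.150.0.0/16 && dst-len>=16) { accept }"
add chain=bgp-gsa-in disabled=no rule=reject
add chain=bgp-gsa-out disabled=no rule="if (bgp-output-remote-addr == 10.210.27.5) { set bgp-path-prepend 5 }"
add chain=bgp-gsa-out disabled=no rule="if (bgp-output-remote-addr == 10.210.21.5) { set bgp-path-prepend 10 }"
add chain=bgp-gsa-out disabled=no rule="if (dst == 10.210.125.8/29) { accept }"
add chain=bgp-gsa-out disabled=no rule=reject
/routing pimsm interface-template
add disabled=no instance=internal interfaces=internal-vlan,sihnon-alternate,iot-vlan source-addresses=""
# NOTE(review): `*4000` / `*4001` look like unresolved object references (no
# routing table by those names appears in this export), so these rules are
# probably inert; verify and remove them.
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=*4000 table=*4000
add action=lookup-only-in-table disabled=no routing-mark=*4001 table=*4001
# NOTE(review): SNMP is enabled; its community settings are not in this chunk.
# Make sure the default `public` community is disabled or restricted to
# management addresses, and that the service is not reachable from zen.
/snmp
set contact=hostmaster@sihnon.net enabled=yes location="Southwater, UK" trap-generators=interfaces,start-trap,temp-exception trap-interfaces=all trap-version=2
/system clock
set time-zone-name=Europe/London
/system identity
set name=beylix
/system logging
set 0 topics=info,!firewall
add action=remote disabled=yes topics=firewall
add topics=dhcp,!debug
add action=remote topics=system
add disabled=yes topics=ipsec,!packet
add topics=firewall
add disabled=yes topics=pppoe
add topics=bgp,!debug
add disabled=yes prefix="eoip debug: " topics=interface
add disabled=yes topics=interface
add disabled=yes topics=l2tp,debug,!packet
add topics=bfd
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=178.79.145.244
add address=88.150.240.202
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add comment="Check Zen is passing traffic every 3min" interval=3m name=check-zen on-event="/system script run check-zen" policy=read,write,test start-date=2023-03-03 start-time=14:05:15
# check-zen: every 3 minutes, if the zen PPPoE client reports "connected" and
# both probe hosts fail to answer 5 pings, the script bounces the PPPoE client.
# NOTE(review): (1) the script's own header says the probe hosts need static
# routes via the ISP being tested, but no route for 8.8.8.8/8.8.4.4 via zen is
# present in this export, so the probe follows whatever the main table chooses;
# (2) `:interface pppoe-client disable/enable` uses a `:` prefix where a menu
# path normally starts with `/` -- verify the reconnect branch actually runs.
/system script
add comment="Restart Zen if traffic drops" dont-require-permissions=no name=check-zen owner=admin policy=read,write,test source="# Don't forget, if you've multiple ISPs\n# HostPingA and HostPingB \n# must have the static routes.\n# example:\n# (if HostPingA=8.8.8.8; HostPingB=8.8.4.4;\n# and GW of ISP1=172.16.18.1 ) \n# \n# /ip route \n# add dst-address=8.8.8.8 gateway=172.16.18.1 scope=10\n# add dst-address=8.8.4.4 gateway=172.16.18.1 scope=10\n\n##### Script Settings #####\n:local WanName \"zen\"\n:local HostPingA \"8.8.8.8\"\n:local HostPingB \"8.8.4.4\"\n#####################\n\n:local PingCount \"5\"\n:local WanStat\n/interface pppoe-client monitor \$WanName once do={ :set WanStat \$status}\n:if (\$WanStat = \"connected\") do={\n :local pingresultA [/ping \$HostPingA count=\$PingCount];\n :if (\$pingresultA = 0) do={ \n :local pingresultB [/ping \$HostPingB count=\$PingCount]; \n :if (\$pingresultB = 0) do={ \n :log error message=\"Script can not ping thru <\$WanName>. Try to reconnect...\"; \n :interface pppoe-client disable \$WanName; \n :delay 5; \n :interface pppoe-client enable \$WanName; \n :log warning message=\"PPPoE has Reconnected by script\";\n }\n }\n}"
# NOTE(review): leftover packet-capture settings (bfd.pcap on gsa-loo); clear
# them once the BFD investigation is over so an accidental sniffer start does
# not write captures to the router's storage.
/tool sniffer
set file-limit=10000KiB file-name=bfd.pcap filter-interface=gsa-loo filter-ip-protocol=udp filter-port=3784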