  1. # 2024-03-04 23:47:44 by RouterOS 7.14
  2. #
  3. #
  4. #
# Physical port roles. Interfaces are matched on default-name so the settings
# survive a rename: three uplinks (ether1-3) and two LAN ports (ether4-5).
# ether6 is not touched here although it is put in the LAN list further down.
/interface ethernet
set [ find default-name=ether1 ] comment="to ISP1"
set [ find default-name=ether2 ] comment="to ISP2"
set [ find default-name=ether3 ] comment="to ISP3"
set [ find default-name=ether4 ] comment="to LAN1"
set [ find default-name=ether5 ] comment="to LAN2"
# Unused SFP+ cage kept administratively down so an unpatched port cannot come up.
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wifi
# wifi1: 5 GHz 802.11ac access point, SSID "26", locally managed (no CAPsMAN).
# Authentication is WPA2-PSK/WPA3-PSK transition mode with 802.11w
# management-frame protection *required* and WPS off.
# NOTE(review): with PMF required, WPA2 clients that lack 802.11w support
# cannot associate -- presumably intended, confirm.
# The passphrase is not in this listing (presumably omitted by /export without
# show-sensitive); DFS frequencies in 5280-5380 are allowed
# (.skip-dfs-channels=disabled) under the Russia regulatory profile.
# NOTE(review): wifi1 belongs to no interface list and has no address or
# bridge membership anywhere in this export, so the LAN-scoped MAC-server
# restriction excludes it while the WAN-only firewall drops never match it --
# verify how (and whether) this radio is attached to a LAN.
set [ find default-name=wifi1 ] channel.band=5ghz-ac .frequency=5280-5380 \
    .skip-dfs-channels=disabled .width=20/40/80/160mhz \
    configuration.antenna-gain=3 .beacon-interval=100ms .chains=0,1,2,3 \
    .country=Russia .manager=local .mode=ap .ssid=26 .tx-chains=0,1,2,3 \
    security.authentication-types=wpa2-psk,wpa3-psk .management-protection=\
    required .wps=disable
  19. /interface list
  20. add comment="For Internet" name=WAN
  21. add comment="For Local Area" name=LAN
/interface wifi channel
# channel1: 802.11ax profile, 5280-5500 MHz including DFS, up to 160 MHz wide.
# Disabled, and referenced only by the (also disabled) cfg1 profile below.
add band=5ghz-ax disabled=yes frequency=5280-5500 name=channel1 \
    skip-dfs-channels=disabled width=20/40/80/160mhz
/interface wifi security
# sec1: same policy as wifi1 (WPA2-PSK/WPA3-PSK, PMF required, WPS off).
# Enabled, but only referenced by the disabled cfg1 profile. The PSK itself
# is not part of this listing.
add authentication-types=wpa2-psk,wpa3-psk disabled=no management-protection=\
    required name=sec1 wps=disable
/interface wifi configuration
# cfg1 (disabled, bound to no interface in this export): an 802.11ax profile
# that references channel1 and sec1 but overrides both inline -- a wider
# 5100-5500 MHz range and an authentication set of wpa3-psk,owe,wpa3-eap,
# i.e. no WPA2 at all, PMF required, fast transition off (.ft=no), PMKID
# not disabled.
# NOTE(review): wpa3-eap needs a RADIUS/EAP configuration that is not in this
# export, and mixing OWE with PSK on one SSID is unusual -- confirm before
# enabling this profile.
add beacon-interval=100ms chains=0,1,2,3 channel=channel1 channel.band=\
    5ghz-ax .frequency=5100-5500 .skip-dfs-channels=disabled .width=\
    20/40/80/160mhz country=Russia disabled=yes manager=local mode=ap name=\
    cfg1 security=sec1 security.authentication-types=wpa3-psk,owe,wpa3-eap \
    .disable-pmkid=no .ft=no .management-protection=required .wps=disable \
    ssid=26 tx-chains=0,1,2,3
/ip smb users
# Disable the built-in default (guest) SMB account so the share configured in
# /ip smb shares is not reachable anonymously. Whether the SMB service itself
# is enabled is not visible in this export (no /ip smb set line, so it is at
# its factory default) -- if file sharing is not needed, turn the service off.
set [ find default=yes ] disabled=yes
/port
# Serial console ports keep their default names; no baud-rate or usage change.
set 0 name=serial0
set 1 name=serial1
  40. /routing table
  41. add disabled=no fib name=to_isp1
  42. add disabled=no fib name=to_isp2
  43. add disabled=no fib name=to_isp3
/ip firewall connection tracking
# UDP conntrack entries expire after 10 s of inactivity (presumably the
# non-stream timeout; udp-stream-timeout is not set here). The
# connection-state and connection-mark matches below all depend on these
# tables, so short timeouts mean long-idle UDP (VPN keepalives, QUIC) is
# re-classified as a new connection.
set udp-timeout=10s
/ip neighbor discovery-settings
# MNDP/CDP/LLDP on every interface except the uplinks, so model, identity and
# addresses are not advertised toward the ISPs. Because this is a negation,
# wifi1 and any port outside the WAN list is included.
set discover-interface-list=!WAN
  48. /interface list member
  49. add comment=ISP1 interface=ether1 list=WAN
  50. add comment=ISP2 interface=ether2 list=WAN
  51. add comment=ISP3 interface=ether3 list=WAN
  52. add comment=LAN1 interface=ether4 list=LAN
  53. add comment=LAN2 interface=ether5 list=LAN
  54. add interface=ether6 list=LAN
/ip address
# LAN1: the router is .254 in 192.168.88.0/24 on ether4.
add address=192.168.88.254/24 comment="LAN1 IP" interface=ether4 network=\
    192.168.88.0
# LAN2: 172.16.0.0/23 on ether5. The router's own address is 172.16.1.0,
# which is a valid host in that /23 (it spans 172.16.0.0-172.16.1.255).
# ether6 is in the LAN list but has no address here.
add address=172.16.1.0/23 comment="LAN2 IP" interface=ether5 network=\
    172.16.0.0
  60. /ip dhcp-client
  61. add add-default-route=no dhcp-options=clientid,clientid interface=ether2 \
  62.     script=":if (\$bound=1) do={\r\
  63.    \n   /ip route remove [ find gateway=\"4.2.2.2\" ]; /ip route remove [ fin\
  64.    d where dst-address ~\"4.2.2.2\" ]\r\
  65.    \n   /ip route add check-gateway=ping comment=\"For recursion via ISP2\" d\
  66.    istance=1 dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=11\r\
  67.    \n   /ip route add check-gateway=ping comment=\"Unmarked via ISP2\" distan\
  68.    ce=2 gateway=4.2.2.2 target-scope=11\r\
  69.    \n   /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2\
  70.    .2.2 routing-table=to_isp2 target-scope=11\r\
  71.    \n   /ip route add comment=\"Marked via ISP1 Backup2\" distance=2 gateway=\
  72.    4.2.2.2 routing-table=to_isp1 target-scope=11\r\
  73.    \n   /ip route add comment=\"Marked via ISP3 Backup2\" distance=2 gateway=\
  74.    4.2.2.2 routing-table=to_isp3 target-scope=11\r\
  75.    \n   :if [:tobool ([/ip firewall/nat/ find comment=\"NAT via ISP2\"])] do=\
  76.    {\r\
  77.    \n   /ip firewall nat set [find comment=\"NAT via ISP2\"] action=src-nat c\
  78.    hain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-address\
  79.    es=\$\"lease-address\" \r\
  80.    \n    } else={/ip firewall nat add action=src-nat chain=srcnat ipsec-polic\
  81.    y=out,none out-interface=\$\"interface\" to-addresses=\$\"lease-address\" \
  82.    comment=\"NAT via ISP2\"}\r\
  83.    \n    :if [:tobool ([/routing/rule find comment=\"From ISP2 IP to Inet\"])\
  84.    ] do={\r\
  85.    \n      /routing/rule/set [find comment=\"From ISP2 IP to Inet\"] action=l\
  86.    ookup src-address=\$\"lease-address\" table=to_isp2\r\
  87.    \n    } else={/routing/rule/add action=lookup comment=\"From ISP2 IP to In\
  88.    et\" src-address=\$\"lease-address\" table=to_isp2 }\r\
  89.    \n} else={\r\
  90.    \n   /ip route remove [find gateway=\"4.2.2.2\"]; /ip route remove [find w\
  91.    here dst-address ~\"4.2.2.2\"]\r\
  92.    \n   /ip firewall nat remove  [find comment=\"NAT via ISP2\"]\r\
  93.    \n   /routing/rule/remove [find comment=\"From ISP2 IP to Inet\"]\r\
  94.    \n}\r\
  95.    \n" use-peer-ntp=no
  96. add add-default-route=no dhcp-options=clientid,clientid disabled=yes \
  97.     interface=ether3 script=":if (\$bound=1) do={\r\
  98.    \n   /ip route remove [ find gateway=\"4.2.2.3\" ]; /ip route remove [ fin\
  99.    d where dst-address ~\"4.2.2.3\" ]\r\
  100.    \n   /ip route add check-gateway=ping comment=\"For recursion via ISP3\" d\
  101.    istance=1 dst-address=4.2.2.3/32 gateway=\$\"gateway-address\" scope=11\r\
  102.    \n   /ip route add check-gateway=ping comment=\"Unmarked via ISP3\" distan\
  103.    ce=3 gateway=4.2.2.3 target-scope=11\r\
  104.    \n   /ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2\
  105.    .2.3 routing-table=to_isp3 target-scope=11\r\
  106.    \n   /ip route add comment=\"Marked via ISP1 Backup3\" distance=3 gateway=\
  107.    4.2.2.3 routing-table=to_isp1 target-scope=11\r\
  108.    \n   /ip route add comment=\"Marked via ISP2 Backup3\" distance=3 gateway=\
  109.    4.2.2.3 routing-table=to_isp2 target-scope=11\r\
  110.    \n   :if [:tobool ([/ip firewall/nat/ find comment=\"NAT via ISP3\"])] do=\
  111.    {\r\
  112.    \n   /ip firewall nat set [find comment=\"NAT via ISP3\"] action=src-nat c\
  113.    hain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-address\
  114.    es=\$\"lease-address\" \r\
  115.    \n    } else={/ip firewall nat add action=src-nat chain=srcnat ipsec-polic\
  116.    y=out,none out-interface=\$\"interface\" to-addresses=\$\"lease-address\" \
  117.    comment=\"NAT via ISP3\"}\r\
  118.    \n    :if [:tobool ([/routing/rule find comment=\"From ISP3 IP to Inet\"])\
  119.    ] do={\r\
  120.    \n      /routing/rule/set [find comment=\"From ISP3 IP to Inet\"] action=l\
  121.    ookup src-address=\$\"lease-address\" table=to_isp3\r\
  122.    \n    } else={/routing/rule/add action=lookup comment=\"From ISP3 IP to In\
  123.    et\" src-address=\$\"lease-address\" table=to_isp3 }\r\
  124.    \n} else={\r\
  125.    \n   /ip route remove [find gateway=\"4.2.2.3\"]; /ip route remove [find w\
  126.    here dst-address ~\"4.2.2.3\"]\r\
  127.    \n   /ip firewall nat remove  [find comment=\"NAT via ISP3\"]\r\
  128.    \n   /routing/rule/remove [find comment=\"From ISP3 IP to Inet\"]\r\
  129.    \n}\r\
  130.    \n" use-peer-ntp=no
  131. add add-default-route=no dhcp-options=clientid,clientid disabled=yes \
  132.     interface=ether1 script=":if (\$bound=1) do={\r\
  133.    \n   /ip route remove [ find gateway=\"4.2.2.1\" ]; /ip route remove [ fin\
  134.    d where dst-address ~\"4.2.2.1\" ]\r\
  135.    \n   /ip route add check-gateway=ping comment=\"For recursion via ISP1\" d\
  136.    istance=1 dst-address=4.2.2.1/32 gateway=\$\"gateway-address\" scope=11\r\
  137.    \n   /ip route add check-gateway=ping comment=\"Unmarked via ISP1\" distan\
  138.    ce=1 gateway=4.2.2.1 target-scope=11\r\
  139.    \n   /ip route add comment=\"Marked via ISP1 Main\" distance=1 gateway=4.2\
  140.    .2.1 routing-table=to_isp1 target-scope=11\r\
  141.    \n   /ip route add comment=\"Marked via ISP2 Backup1\" distance=3 gateway=\
  142.    4.2.2.1 routing-table=to_isp2 target-scope=11\r\
  143.    \n   /ip route add comment=\"Marked via ISP3 Backup1\" distance=3 gateway=\
  144.    4.2.2.1 routing-table=to_isp3 target-scope=11\r\
  145.    \n   :if [:tobool ([/ip firewall/nat/ find comment=\"NAT via ISP1\"])] do=\
  146.    {\r\
  147.    \n   /ip firewall nat set [find comment=\"NAT via ISP1\"] action=src-nat c\
  148.    hain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-address\
  149.    es=\$\"lease-address\" \r\
  150.    \n    } else={/ip firewall nat add action=src-nat chain=srcnat ipsec-polic\
  151.    y=out,none out-interface=\$\"interface\" to-addresses=\$\"lease-address\" \
  152.    comment=\"NAT via ISP1\"}\r\
  153.    \n    :if [:tobool ([/routing/rule find comment=\"From ISP1 IP to Inet\"])\
  154.    ] do={\r\
  155.    \n      /routing/rule/set [find comment=\"From ISP1 IP to Inet\"] action=l\
  156.    ookup src-address=\$\"lease-address\" table=to_isp1\r\
  157.    \n    } else={/routing/rule/add action=lookup comment=\"From ISP1 IP to In\
  158.    et\" src-address=\$\"lease-address\" table=to_isp1 }\r\
  159.    \n} else={\r\
  160.    \n   /ip route remove [find gateway=\"4.2.2.1\"]; /ip route remove [find w\
  161.    here dst-address ~\"4.2.2.1\"]\r\
  162.    \n   /ip firewall nat remove  [find comment=\"NAT via ISP1\"]\r\
  163.    \n   /routing/rule/remove [find comment=\"From ISP1 IP to Inet\"]\r\
  164.    \n}\r\
  165.    \n" use-peer-ntp=no
/ip dns
# The router resolves for its clients (allow-remote-requests=yes). Upstream is
# Cloudflare over DoH with certificate verification on; the plain servers
# 1.1.1.1/1.0.0.1 are presumably the fallback/bootstrap path.
# NOTE(review): verify-doh-cert=yes only works if a CA certificate that
# validates 1.1.1.1 is installed under /certificate -- certificates are not
# part of an export, so confirm one is present or DoH lookups will fail.
# NOTE(review): allow-remote-requests applies on every interface. On IPv4 the
# input-chain WAN drop keeps the resolver off the Internet, but this export
# contains no /ipv6 firewall, so if any uplink ever gets IPv6 the resolver
# would be reachable over v6 as an open resolver.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://1.1.1.1/dns-query verify-doh-cert=yes
  169. /ip firewall address-list
  170. add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
  171. add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
  172. add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=\
  173.     BOGONS
  174. add address=127.0.0.0/8 comment=Loopback list=BOGONS
  175. add address=169.254.0.0/16 comment="Link Local" list=BOGONS
  176. add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
  177. add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
  178. add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
  179. add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
  180. add address=198.18.0.0/15 comment=\
  181.     "Network Interconnect Device Benchmark Testing" list=BOGONS
  182. add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
  183. add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
  184. add address=224.0.0.0/4 comment=Multicast list=BOGONS
  185. add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
  186. add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
  187. add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS
  188. /ip firewall filter
  189. add action=accept chain=input comment="Related Established Untracked Allow" \
  190.     connection-state=established,related,untracked
  191. add action=accept chain=input comment="ICMP from ALL" protocol=icmp
  192. add action=drop chain=input comment="All other WAN Drop" in-interface-list=\
  193.     WAN
  194. add action=accept chain=forward comment=\
  195.     "Established, Related, Untracked allow" connection-state=\
  196.     established,related,untracked
  197. add action=drop chain=forward comment="Invalid drop" connection-state=invalid
  198. add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
  199.     connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Policy routing for three uplinks. Every rule uses passthrough=no, so the
# first match ends mangle processing for that packet.
# Step 1 (prerouting): a connection whose first packet *arrives* on an ISP
# port gets that ISP's connection mark.
add action=mark-connection chain=prerouting comment="Connmark in from ISP1" \
    connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 \
    passthrough=no
add action=mark-connection chain=prerouting comment="Connmark in from ISP2" \
    connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_isp2 \
    passthrough=no
add action=mark-connection chain=prerouting comment="Connmark in from ISP3" \
    connection-mark=no-mark in-interface=ether3 new-connection-mark=conn_isp3 \
    passthrough=no
# Step 2 (prerouting): transit packets of such a connection, entering from a
# non-WAN interface and not addressed to the router, get the matching routing
# mark so replies leave through the uplink they came in on.
# dst-address-type=!local keeps traffic for the router's own addresses in the
# main table.
add action=mark-routing chain=prerouting comment=\
    "Routemark transit out via ISP1" connection-mark=conn_isp1 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Routemark transit out via ISP2" connection-mark=conn_isp2 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 \
    passthrough=no
add action=mark-routing chain=prerouting comment=\
    "Routemark transit out via ISP3" connection-mark=conn_isp3 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 \
    passthrough=no
# Step 3 (output): the same for replies the router itself generates.
add action=mark-routing chain=output comment="Routemark local out via ISP1" \
    connection-mark=conn_isp1 dst-address-type=!local new-routing-mark=\
    to_isp1 passthrough=no
add action=mark-routing chain=output comment="Routemark local out via ISP2" \
    connection-mark=conn_isp2 dst-address-type=!local new-routing-mark=\
    to_isp2 passthrough=no
add action=mark-routing chain=output comment="Routemark local out via ISP3" \
    connection-mark=conn_isp3 dst-address-type=!local new-routing-mark=\
    to_isp3 passthrough=no
# Step 4 (prerouting): hosts in Via_ISP1/2/3 are pinned to an uplink for all
# non-BOGON destinations (LAN-to-LAN traffic stays unmarked).
# NOTE(review): none of the Via_ISPx address lists is defined anywhere in this
# export, so these three rules match nothing until the lists are populated
# (manually, or by something outside this listing).
add action=mark-routing chain=prerouting comment="Address List via ISP1" \
    dst-address-list=!BOGONS new-routing-mark=to_isp1 passthrough=no \
    src-address-list=Via_ISP1
add action=mark-routing chain=prerouting comment="Address List via ISP3" \
    dst-address-list=!BOGONS new-routing-mark=to_isp3 passthrough=no \
    src-address-list=Via_ISP3
add action=mark-routing chain=prerouting comment="Address List via ISP2" \
    dst-address-list=!BOGONS new-routing-mark=to_isp2 passthrough=no \
    src-address-list=Via_ISP2
/ip firewall nat
# Hairpin: traffic from a LAN segment that the router sends back out the same
# segment is re-sourced to the router's own address on that segment. This is
# normally paired with dst-nat port forwards; none appear in this export.
add action=src-nat chain=srcnat comment="Hairpin to LAN1" out-interface=\
    ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
add action=src-nat chain=srcnat comment="Hairpin to LAN2" out-interface=\
    ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0
# Uplink NAT for ISP2. This entry is owned by the ether2 DHCP-client script,
# which finds it by comment and rewrites to-addresses on every new lease; the
# 192.168.15.188 lease is RFC1918, i.e. ISP2 itself sits behind another NAT.
# ipsec-policy=out,none leaves traffic matched by an IPsec policy un-NATed.
# The absence of ISP1/ISP3 entries is consistent with their DHCP clients
# being disabled.
add action=src-nat chain=srcnat comment="NAT via ISP2" ipsec-policy=out,none \
    out-interface=ether2 to-addresses=192.168.15.188
/ip route
# Last-resort default (distance 254) pointing at loopback: it is used only
# when every ISP default route is inactive, so packets are sunk on the router
# instead of leaving by an unintended path. NOTE(review): intent inferred from
# the comment and distance -- confirm.
add comment="Emergency route" distance=254 gateway=lo
# The next five entries are the ISP2 set that the ether2 DHCP-client script
# creates and deletes on lease events; they are present because the export
# was taken while the lease was bound (192.168.15.1 is the DHCP gateway).
# The /32 to 4.2.2.2 is the probe route (check-gateway=ping, scope=11); the
# default routes use 4.2.2.2 as a recursive gateway (target-scope=11) and
# therefore all become inactive together when the probe fails.
# No ISP1/ISP3 sets exist because those DHCP clients are disabled.
add check-gateway=ping comment="For recursion via ISP2" distance=1 \
    dst-address=4.2.2.2/32 gateway=192.168.15.1 scope=11
# Unmarked (main-table) default via ISP2 at distance 2; ISP1, once enabled,
# installs its own at distance 1 and becomes preferred.
add check-gateway=ping comment="Unmarked via ISP2" distance=2 gateway=4.2.2.2 \
    target-scope=11
# Per-table defaults: ISP2 is primary in to_isp2 and a distance-2 fallback in
# the other two tables.
add comment="Marked via ISP2 Main" distance=1 gateway=4.2.2.2 routing-table=\
    to_isp2 target-scope=11
add comment="Marked via ISP1 Backup2" distance=2 gateway=4.2.2.2 \
    routing-table=to_isp1 target-scope=11
add comment="Marked via ISP3 Backup2" distance=2 gateway=4.2.2.2 \
    routing-table=to_isp3 target-scope=11
/ip smb shares
# The default share is re-pointed to /pub. The default guest account is
# disabled in /ip smb users, and no /ip smb set line is in this export, so
# the service itself is at its factory default -- confirm it is off, or
# disable it, if file sharing from the router is not needed.
set [ find default=yes ] directory=/pub
/routing rule
# Evaluated before the route lookup. The first two keep LAN destinations in
# the main table so policy-routed (marked) traffic still reaches the local
# segments instead of being sent out an uplink.
add action=lookup comment="to LAN1" dst-address=192.168.88.0/24 table=main
add action=lookup comment="to LAN2" dst-address=172.16.0.0/23 table=main
# Router-originated traffic sourced from the ISP2 lease address uses the ISP2
# table. This entry is maintained by the ether2 DHCP-client script (matched by
# comment, src-address rewritten on each lease).
add action=lookup comment="From ISP2 IP to Inet" src-address=192.168.15.188 \
    table=to_isp2
/system clock
# Local zone for logs and the scheduler; wall-clock time comes from NTP below.
set time-zone-name=Europe/Moscow
/system identity
set name=RB4011
/system note
# Do not show the system note at login.
set show-at-login=no
/system ntp client
# Unauthenticated NTP from the public pool; ISP-supplied NTP is ignored by
# use-peer-ntp=no on the DHCP clients. Correct time matters here because
# /ip dns uses verify-doh-cert=yes.
# NOTE(review): the pool names must themselves be resolved through DoH, which
# cannot validate a certificate while the clock is wrong (e.g. after a cold
# boot without a battery-backed RTC) -- a bootstrap loop. Consider adding one
# NTP server by IP address, or confirm the plain 1.1.1.1/1.0.0.1 servers are
# used as a fallback on this release.
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
/tool mac-server
# MAC-Telnet and MAC-WinBox are answered only on LAN-list ports, so the
# Layer-2 management path is not exposed on the uplinks. wifi1 is not a
# member of the LAN list and is therefore excluded as well.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
  282.  