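# mar/17/2020 21:40:40 by RouterOS 6.46.3
# software id = GD9L-D99A
#
# model = RBD52G-5HacD2HnD
# serial number = B4A00AB0008A
#
# hAP ac2 acting as an edge router: ether1 = WAN (DHCP client), ether2-5 + wlan1/2
# bridged as LAN 10.10.168.0/24, remote access via L2TP/IPsec (and a legacy PPTP
# user), policy routing of LAN traffic through a VPN-DE tunnel whose routes are not
# part of this export. Secrets (WPA PSK, IPsec secret, PPP passwords) are not in
# this export. Lines marked "REVIEW:" are changes made during security review;
# each is a single command so it can be reverted independently if a client breaks.

/interface bridge
add admin-mac=74:4D:28:90:E4:7C arp=proxy-arp auto-mac=no comment=defconf name=bridge

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX comment=private country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=elysion-2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce comment=private country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=elysion-2 wireless-protocol=802.11

/interface wireless manual-tx-power-table
set wlan1 comment=private
set wlan2 comment=private

/interface wireless nstreme
set wlan1 comment=private
set wlan2 comment=private

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless channels
add band=2ghz-b/g/n extension-channel=eC frequency=2437 list=2GHzChannels name=ch_6 width=20

/interface wireless security-profiles
# REVIEW: the default profile (used by both wlan1 and wlan2) allowed WPA1 and
# TKIP-only ciphers. TKIP is deprecated and known-weak; WPA2-PSK with AES-CCM is
# the floor. A client that can only do WPA/TKIP will no longer associate - if one
# turns up, give it its own profile rather than weakening the default again.
set [ find default=yes ] authentication-types=wpa2-psk comment=private group-ciphers=aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=aes-ccm

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip ipsec profile
# NOTE(review): modp1024 and 3des are retained only for legacy IKE clients; aes-256
# and ecp256 are listed first so capable clients negotiate them. Remove modp1024 and
# 3des once every L2TP client has been confirmed to negotiate the stronger set.
set [ find default=yes ] dh-group=ecp256,modp1024 dpd-interval=30s enc-algorithm=aes-256,3des

/ip ipsec proposal
# REVIEW: phase 2 was 3DES only. AES-256-CBC is now preferred; 3des stays as a
# fallback for older Windows/iOS clients and should be dropped once they are
# confirmed to negotiate AES.
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des

/ip pool
add name=dhcp ranges=10.10.168.10-10.10.168.254
add comment=private name=vpn-dhcp-pool ranges=10.10.168.225-10.10.168.254
add comment=private name=dhcp-dynamic ranges=10.10.168.50-10.10.168.224
# REVIEW: default-dhcp (.10-.254) overlapped vpn-dhcp-pool (.225-.254), so a LAN
# lease and a VPN client could be handed the same address. The range now ends at
# .224, matching the local-dhcp address list below. Pool "dhcp" is unreferenced.
add name=default-dhcp ranges=10.10.168.10-10.10.168.224

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-script=dhcp.lease.script name=defconf

/ip ipsec mode-config
add address-pool=vpn-dhcp-pool name=l2tp-vpn-mode-config split-include=10.10.168.0/24

/ppp profile
set *0 change-tcp-mss=no dns-server=10.10.168.1 local-address=10.10.168.1 remote-address=vpn-dhcp-pool use-compression=no use-encryption=no use-mpls=no use-upnp=no
# REVIEW: PPTP has no transport protection of its own, so MPPE is now required
# for this profile instead of being left at the default (optional).
add bridge=bridge comment=private dns-server=10.10.168.1 local-address=10.10.168.1 name=pptp.profile remote-address=vpn-dhcp-pool use-encryption=required
add dns-server=10.10.168.1 local-address=10.10.168.1 name=ipsec_WinTestProfile
# use-encryption=no is acceptable here only because this profile is used by the
# L2TP server with use-ipsec=required; IPsec provides the confidentiality.
add bridge=bridge change-tcp-mss=no comment=private dns-server=10.10.168.1 local-address=10.10.168.1 name=myvpnprofile remote-address=vpn-dhcp-pool use-compression=no use-encryption=no use-mpls=no use-upnp=no

/system logging action
set 3 bsd-syslog=yes remote=10.10.168.22 src-address=10.10.168.1 syslog-facility=syslog syslog-severity=error

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

/ip neighbor discovery-settings
set discover-interface-list=none

/interface detect-internet
set detect-interface-list=all

/interface l2tp-server server
# REVIEW: mschap1 removed; iOS and Windows L2TP clients use mschap2. IPsec stays
# mandatory so L2TP control/data never travels in the clear.
set allow-fast-path=yes authentication=mschap2 default-profile=myvpnprofile enabled=yes use-ipsec=required

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/interface pptp-server server
# REVIEW: pap/chap/mschap1 removed - pap sends the password in clear text and the
# others are trivially crackable. PPTP itself (MS-CHAPv2 + MPPE) is still considered
# broken; this server should be retired once the remaining pptp.vpn user is moved
# to L2TP/IPsec.
set authentication=mschap2 default-profile=pptp.profile enabled=yes

/ip address
# REVIEW: the address was on ether2, which is a bridge slave port; defconf places
# the LAN address on the bridge itself, which is also what the DHCP server and the
# firewall rules below assume.
add address=10.10.168.1/24 comment=defconf interface=bridge network=10.10.168.0

/ip dhcp-client
add comment=defconf disabled=no interface=ether1

/ip dhcp-server network
add address=10.10.168.0/24 comment=defconf dhcp-option=domain,router,netmask,timeserver dhcp-option-set=mydomain.intra dns-server=10.10.168.1 domain=mydomain.intra gateway=10.10.168.1 netmask=24 ntp-server=10.10.168.1

/ip dns
# REVIEW: the router's own address was listed as an upstream server, i.e. the
# resolver forwarded to itself. Only the external forwarders remain.
# allow-remote-requests=yes is safe only because the input chain below drops
# non-LAN traffic; without that rule this would be an open resolver on WAN.
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220

/ip firewall address-list
add address=10.10.168.10-10.10.168.224 list=local-dhcp

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=drop chain=input comment="private: block.inbound" log=yes log-prefix=drop.inbound src-address-list=drop.inbound
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="private: pptp vpn" connection-state=established,related,new dst-port=1723 in-interface=ether1 protocol=tcp
# REVIEW: src-address=0.0.0.0 matched only packets whose source IS 0.0.0.0, so GRE
# from real PPTP clients never hit this accept. The source match is removed.
add action=accept chain=input comment="private: pptp/gre" in-interface=ether1 protocol=gre
# REVIEW: IKE and NAT-T are accepted in the clear; L2TP (1701) is accepted only
# when it arrives inside an IPsec SA, so plaintext L2TP from WAN is never reachable.
add action=accept chain=input comment="private: vpn (IKE, NAT-T)" connection-state=new dst-port=500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="private: vpn (L2TP inside IPsec only)" connection-state=new dst-port=1701 in-interface=ether1 ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="private: vpn" in-interface=ether1 protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# REVIEW: this default-drop was disabled, leaving the input chain with no terminal
# drop - DNS, SSH, WWW and WinBox were reachable from WAN. It is now enabled; the
# VPN accepts above precede it, and PPP clients are bridged (bridge=bridge in
# their profiles) so they arrive on the bridge, which is in the LAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="private: instead drop !lan" disabled=yes log-prefix="drop (15) ==>" src-address-list=!mydomain.local
# --- forward chain: traffic routed through the device ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related in-interface=!all-ppp out-interface=!all-ppp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall mangle
# Policy routing: hosts in out.direct bypass the tunnel, everything else in the LAN
# is marked VPN-DE. The routes for both marks are not part of this export.
add action=mark-routing chain=prerouting comment="private: direct connection - no vpn" dst-address=!10.10.0.0/16 new-routing-mark=direct passthrough=no src-address-list=out.direct
add action=change-mss chain=forward disabled=yes new-mss=1392 out-interface=all-ppp passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1393-65535
add action=mark-routing chain=prerouting comment="private: default via VPN-DE" dst-address=!10.10.0.0/16 new-routing-mark=VPN-DE passthrough=no src-address=10.10.168.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" dst-address=10.10.0.0/16 ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=!10.10.0.0/16 out-interface-list=WAN routing-mark=direct

/ip firewall raw
add action=notrack chain=prerouting disabled=yes protocol=gre

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/ip service
# REVIEW: management services are now bound to the LAN/VPN prefix as defence in
# depth behind the input-chain drop. VPN clients (.225-.254) remain inside the
# allowed range; remote administration must therefore go through the VPN.
set telnet disabled=yes
set ftp disabled=yes
set www address=10.10.168.0/24
set ssh address=10.10.168.0/24
set api disabled=yes
set winbox address=10.10.168.0/24
set api-ssl disabled=yes

/ppp secret
add comment=private name=ipsec.iOS profile=myvpnprofile service=l2tp
add comment=private name=pptp.vpn profile=pptp.profile service=pptp
add comment=private name=ipsec.Win32 profile=myvpnprofile service=l2tp
add comment=private name=ipsec.Nicole profile=myvpnprofile service=l2tp
add comment=private name=ipsec.Alina profile=myvpnprofile service=l2tp
add comment=private name=ipsec.Frank profile=myvpnprofile service=l2tp

/system clock
set time-zone-name=Europe/Berlin

/system identity
set name=mikrotik

/system logging
set 0 action=remote disabled=yes
set 1 action=remote
set 2 disabled=yes
set 3 action=remote
add action=echo disabled=yes prefix="pptp: ===>" topics=pptp,ppp
add disabled=yes prefix="fw ==>" topics=firewall
add disabled=yes prefix="dns ==>" topics=dns
add disabled=yes prefix="ovpn ==>" topics=ovpn
add action=echo disabled=yes topics=ipsec,!packet
add action=remote disabled=yes topics=l2tp
add disabled=yes topics=script
# NOTE(review): firewall drops (including drop.inbound and the input default-drop)
# are logged to memory only while this stays disabled; enable it to ship them to
# the syslog host at 10.10.168.22.
add action=remote disabled=yes topics=firewall
add action=echo disabled=yes topics=ipsec
add action=echo disabled=yes topics=l2tp
add action=remote topics=account
add action=echo disabled=yes topics=ppp
add action=echo disabled=yes topics=wireless,debug
add disabled=yes topics=hotspot
add disabled=yes topics=interface
add action=echo disabled=yes topics=dhcp
add action=echo topics=error
add action=echo disabled=yes topics=dhcp

/system ntp client
# NOTE(review): primary-ntp 10.10.178.1 is outside the local /24; presumably
# reachable via the VPN-DE tunnel - confirm, otherwise only the pool names work.
set enabled=yes primary-ntp=10.10.178.1 server-dns-names=0.de.pool.ntp.org,1.de.pool.ntp.org

/system scheduler
# REVIEW: the job only runs "/system reboot" but carried every policy including
# password, sensitive and sniff. Reduced to what a reboot needs.
add disabled=yes interval=1d name=reboot-daily on-event="/system reboot" policy=read,reboot start-date=oct/07/2019 start-time=06:00:00

/tool bandwidth-server
set enabled=no

/tool e-mail
set address=charon-2.mydomain.intra from=root@mikrotik.mydomain.intra

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
# MAC-level WinBox stays reachable from LAN only; set to none if IP WinBox is enough.
set allowed-interface-list=LAN

/tool mac-server ping
set enabled=no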