Trying to figure out how they had this set up; this config dump is really the only info I have. There are two key subnets, 192.168.193.0/24 and 192.168.1.0/24. Both have a mix of dynamically and statically addressed hosts, with the MikroTik acting as the DHCP server for both (I think). Everything was fed into one LAN port of the MikroTik. I'm trying to mirror the setup but I don't understand how it was done: I assumed a router-on-a-stick (RoaS) setup, but I don't see any VLAN or 802.1Q information in the config. I'm on a time crunch — this just got dumped in my lap. Help.
RouterOS 6.7
#
# Factory-default bridge. It is exported with disabled=yes, so although ports are
# attached to it under /interface bridge port below, this bridge is not what joins
# the LAN ports together; presumably the master-port settings under
# /interface ethernet are.
/interface bridge
add admin-mac=D4:CA:6D:xx:xx:x5 auto-mac=no disabled=yes name=bridge-local \
protocol-mode=rstp
# Physical port roles. There is no VLAN / 802.1Q configuration anywhere in this
# export. In RouterOS v6, 'master-port' groups ports on the switch chip into one
# Layer-2 segment whose L3 configuration lives on the master port, so:
#   ether2 (master) + ether3 + ether4       -> one switched LAN segment ("ether2")
#   ether6-master-local + ether7..ether10   -> a second switched segment
#   ether1-gateway, sfp1-gateway            -> WAN-facing (both are dropped in the
#                                              input chain and masqueraded in srcnat)
# NOTE(review): sfp1-gateway has no address under /ip address and there is no
# /ip dhcp-client in this dump -- confirm whether it is in use at all.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
# ether3: auto-negotiation forced off -- the peer must be configured to match.
set [ find default-name=ether3 ] auto-negotiation=no master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway speed=100Mbps
# DHCP pools. The two live pools cover only .20-.90 of each /24; the rest of
# each subnet is presumably left free for the statically addressed hosts.
# default-dhcp belongs to the (disabled) factory 192.168.88.0/24 configuration.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.1.20-192.168.1.90
add name=dhcp_pool2 ranges=192.168.193.20-192.168.193.90
# DHCP servers. Only dhcp1 (192.168.1.x, on ether2) is exported with disabled=no.
# 'default' sits on the disabled bridge-local and so is inactive. dhcp2
# (192.168.193.x) is bound to ether3, which is a master-port slave of ether2, and
# is exported without disabled=no.
# NOTE(review): check '/ip dhcp-server print' on the original box; if dhcp2 was
# not actually running, every 192.168.193.x host must have been statically
# addressed.
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
add address-pool=dhcp_pool2 interface=ether3 name=dhcp2
# Logging is kept in memory (100 lines) and on disk (100 lines per file) only.
# NOTE(review): that is far too little to reconstruct anything after an
# incident; send logs to a remote syslog target if this is rebuilt.
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
# Ports attached to bridge-local. Because bridge-local is disabled (see
# /interface bridge), these memberships have no effect as exported. ether5
# appears here but is never renamed or grouped under /interface ethernet.
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
# Addressing. Both LAN subnets sit on the SAME interface (ether2), i.e. the same
# switched segment, with no VLAN separation: 192.168.1.0/24 and 192.168.193.0/24
# are two IP subnets on one broadcast domain. Any host can add an address from
# the other subnet to its NIC and talk to it directly, so the split gives no
# security isolation and the firewall below cannot enforce anything between them.
# 192.168.88.1/24 is the disabled factory default; 9.x.x.x/29 is the WAN
# (redacted).
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes \
interface=bridge-local network=192.168.88.0
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
add address=192.168.193.1/24 interface=ether2 network=192.168.193.0
add address=9.x.x.x/29 interface=ether1-gateway network=9.x.x.x
# Static DHCP reservations. 192.168.1.62 is also the next hop for 10.0.0.0/8 and
# 192.168.55.0/24 under /ip route, so that reserved host is acting as a gateway
# toward the 'Company' networks (presumably a VPN or WAN device). The first
# reservation has no server= and so is not tied to a specific DHCP server.
/ip dhcp-server lease
add address=192.168.1.53 mac-address=00:24:E8:11:11:11
add address=192.168.1.62 client-id=1:0:18:a:11:11:11 mac-address=\
00:18:0A:11:11:77 server=dhcp1
# Per-subnet DHCP options: gateway only. No dns-server= is given here.
# NOTE(review): confirm what DNS address clients actually received; the router
# itself (allow-remote-requests=yes under /ip dns) is the likely candidate.
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.193.0/24 gateway=192.168.193.1
# The router is a forwarding resolver for its LAN (allow-remote-requests=yes).
# That also makes it an open resolver toward any interface that reaches the
# input chain; the only thing preventing abuse from the WAN is the pair of
# port-53 drop rules at the top of /ip firewall filter. Keep those rules first.
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
# Leftover from the factory default: 'router' resolves to 192.168.88.1, an
# address that is disabled under /ip address.
/ip dns static
add address=192.168.88.1 name=router
# Address lists referenced by the NAT rules.
#   Company      - two 10.x/22 ranges, reached via 192.168.1.62 (see /ip route),
#                  i.e. over the LAN, not over ether1-gateway
#   Person       - a single (redacted) external host; not referenced anywhere
#                  else in this dump
#   Local Subnet - both LAN /24s; defined but not referenced by any visible
#                  filter or NAT rule
# NOTE(review): a disabled NAT rule below matches 10.57.0.0/16 while the list
# entry here is 10.57.0.0/22 -- one of the two is wrong.
/ip firewall address-list
add address=10.47.72.0/22 list=Company
add address=10.57.0.0/22 list=Company
add address=208.0.0.0 list=Person
add address=192.168.193.0/24 list="Local Subnet"
add address=192.168.1.0/24 list="Local Subnet"
# Input-chain firewall. Rules are evaluated top to bottom; a rule with no
# action= accepts (the export prints action=drop explicitly). There are NO
# forward-chain rules at all, so everything routed through this box (including
# every dst-nat'd port in /ip firewall nat) passes unfiltered, and nothing drops
# connection-state=invalid.
/ip firewall filter
# Stop the router being used as an open resolver from the main WAN. These only
# name ether1-gateway; sfp1-gateway is covered by the blanket drop further down,
# but only because no accept rule for port 53 sits in between.
add action=drop chain=input comment="Block External DNS Requests" dst-port=53 \
in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="Block External DNS Requests" dst-port=53 \
in-interface=ether1-gateway protocol=udp
# NOTE(review): accepts GRE from ANY source, including both WAN interfaces,
# because it precedes the WAN drops below. No /interface gre tunnel appears in
# this dump, so the peer is unknown; if a tunnel exists, pin this rule to
# src-address=<peer>, otherwise delete it.
add chain=input protocol=gre
# NOTE(review): IKE (IPsec) uses UDP/500, not TCP/500. This rule opens TCP/500
# on the router to any source and does not enable IPsec; it looks like a typo.
# If IPsec was intended it needs udp/500, udp/4500 and ipsec-esp, again
# restricted to the peer address.
add chain=input dst-port=500 protocol=tcp
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
# Everything else from the WAN side is dropped. Traffic from the LAN ports is
# implicitly accepted (there is no final drop), so every LAN host can reach
# Winbox, DNS and MAC-telnet on this router.
add action=drop chain=input comment="default configuration" in-interface=\
sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
# NAT. Keep in mind that 'Company' (10.x) traffic arrives over the LAN via
# 192.168.1.62 (see /ip route), never on ether1-gateway, so on a WAN-facing
# rule 'src-address-list=!Company' matches essentially every Internet source.
/ip firewall nat
# NOTE(review): Winbox (tcp/8291) on the two APs is published on 8292/8293 with
# no in-interface and no source restriction, i.e. reachable from the Internet
# on both WAN interfaces. Winbox is a management protocol and should only be
# reachable from a management network or VPN.
add action=dst-nat chain=dstnat comment="Port Forward to AP 1" dst-port=8292 \
protocol=tcp to-addresses=192.168.193.10 to-ports=8291
add action=dst-nat chain=dstnat comment="Port Forward to AP2" dst-port=8293 \
protocol=tcp to-addresses=192.168.193.11 to-ports=8291
# tcp/33976 from the main WAN straight to .235 (same port; no to-ports).
add action=dst-nat chain=dstnat dst-port=33976 in-interface=ether1-gateway \
protocol=tcp to-addresses=192.168.193.235
# 193.x hosts reaching 136.0.0.0/16 (routed via 192.168.1.254) are rewritten to
# 192.168.1.1 -- presumably because the 192.168.1.254 device only routes back
# to 192.168.1.0/24.
add action=src-nat chain=srcnat dst-address=136.0.0.0/16 src-address=\
192.168.193.0/24 to-addresses=192.168.1.1
add action=masquerade chain=srcnat disabled=yes dst-address-list=Company \
src-address=192.168.193.0/24
# No action = accept: leave 193.x -> Company traffic un-NATed. Since the
# masquerade rules at the bottom only fire on the WAN out-interfaces and
# Company is reached over ether2, this exemption is probably redundant.
add chain=srcnat dst-address-list=Company src-address=192.168.193.0/24
# NOTE(review): RDP on 192.168.1.2 is exposed to every Internet source (see the
# note on !Company above). The two disabled rules just below, which allow only
# the 10.x ranges, look like the intended restriction; as exported, the live
# rule is the inverse of it. Put RDP behind the VPN and disable this rule.
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-gateway \
protocol=tcp src-address-list=!Company to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment=RDP disabled=yes dst-port=3389 \
protocol=tcp src-address=10.47.72.0/22 to-addresses=192.168.1.2
# NOTE(review): 10.57.0.0/16 here vs 10.57.0.0/22 in the Company address list.
add action=dst-nat chain=dstnat comment=RDP disabled=yes dst-port=3389 \
protocol=tcp src-address=10.57.0.0/16 to-addresses=192.168.1.2
# NOTE(review): the next seven rules are truncated in this dump -- each ends in
# 'to-addresses=\' and the continuation line carrying the target host is
# missing (redacted or lost in the paste), so they cannot be imported as-is.
# All seven use the same '!Company on ether1-gateway' match and therefore
# publish RDP (3390), three 'Vertical' services (5103, 9777, 5002) and three
# DVR ports (80, 18004, 9000) to the whole Internet. DVR/camera web interfaces
# and RDP are standard targets for automated attacks and should not be
# Internet-facing; recover the target hosts from the original box before
# deciding what, if anything, to keep.
add action=dst-nat chain=dstnat comment=RDP2 dst-port=3390 in-interface=\
ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
add action=dst-nat chain=dstnat comment=Vertical dst-port=5103 in-interface=\
ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
add action=dst-nat chain=dstnat comment=DVR1 dst-port=80 in-interface=\
ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
add action=dst-nat chain=dstnat comment=DVR3 dst-port=18004 in-interface=\
ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
add action=dst-nat chain=dstnat comment=DVR2 dst-port=9000 in-interface=\
ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
add action=dst-nat chain=dstnat comment=Vertical3 dst-port=9777 in-interface=\
ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
add action=dst-nat chain=dstnat comment=Vertical1 dst-port=5002 in-interface=\
ether1-gateway protocol=tcp src-address-list=!Company to-addresses=\
# Outbound masquerade on both WAN interfaces. to-addresses=0.0.0.0 has no
# meaning for masquerade and is presumably a leftover.
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway to-addresses=0.0.0.0
# Static routes. The default route (gateway redacted to 1.0.0.0) goes out the
# WAN; the rest point at two hosts on the 192.168.1.0/24 wire:
#   192.168.1.62  -> 10.0.0.0/8 (the 'Company' ranges) and 192.168.55.0/24;
#                    this host has a DHCP reservation above
#   192.168.1.254 -> 19.0.0.0/8, 136.0.0.0/16, 192.28.0.0/16; this device does
#                    not appear anywhere else in the dump
# NOTE(review): 19/8, 136/16 and 192.28/16 are public ranges being steered to an
# internal gateway -- presumably partner/carrier networks behind it, or redacted
# values; confirm before reproducing. Because both LAN subnets share the
# segment these gateways sit on, every LAN host can reach them directly.
/ip route
add distance=1 gateway=1.0.0.0
add distance=1 dst-address=10.0.0.0/8 gateway=192.168.1.62
add distance=1 dst-address=19.0.0.0/8 gateway=192.168.1.254
add distance=1 dst-address=136.0.0.0/16 gateway=192.168.1.254
add distance=1 dst-address=192.28.0.0/16 gateway=192.168.1.254
add distance=1 dst-address=192.168.55.0/24 gateway=192.168.1.62
# Management services over IP: everything listed here is disabled. Winbox is
# not listed, so it stays at its default (enabled, tcp/8291) with no address=
# restriction -- it is the only remaining IP management path and is reachable
# from every LAN host (the input chain has no drop for LAN traffic).
# NOTE(review): add 'set winbox address=<management subnet>' and, more
# importantly, upgrade: 6.7 is a 2013-era release with many security fixes
# published since.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# MAC-telnet server. The IP telnet service is disabled under /ip service, but
# MAC-telnet is a separate Layer-2 service: the catch-all default entry is
# disabled and it is then enabled explicitly on every LAN port plus the bridge,
# so any device plugged into those ports gets a login prompt regardless of IP
# addressing. NOTE(review): limit this (and mac-winbox) to a single management
# port, or disable it.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
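# MAC-Winbox server (Layer-2 Winbox, independent of /ip service). As with
# mac-server, the catch-all default entry is disabled and access is then
# enabled per port on every LAN port plus the bridge.
# Fix: the original export listed 'ether4Q', which is not an interface defined
# under /interface ethernet and would fail on import; the intended port is
# ether4, matching the mac-server list above.
# NOTE(review): like MAC-telnet, this gives any L2-adjacent device a Winbox
# login prompt; restrict it to a single management port or disable it.
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local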