Request help! RouterOS Configuration screwed up. (2024)

Hello forum, first things first. I'm new to Mikrotik and the world of corporate / enterprise level networking. I have inherited my position since the manager left the company; management informed me they will not replace him any time soon. I have been tasked to make sure the list below is in order and working properly asap. I have read a lot of forum posts and attempted a few things myself, but no success. I need some help understanding what the proper / best practices to be followed in configuring are, because something or multiple things are wrong, since a simple task like port forwarding isn't working. I thank in advance anyone here who helps me understand how to properly configure my mess.

I'm willing to wipe everything and start over if that is what it takes to make the Mikrotik Router work flawlessly.

Here is what I am trying to do.
1. Configure WAN with inbound ISP
2. Configure multiple LAN ports with both inbound / outbound traffic
3. Set up router security (firewall hardening)
4. Set up VLANs (Guest, Employee, HR, Management, VPN, VoIP)
5. Several internal servers: enable proper internal redirection without send/receive packet loss or NAT confusion
6. Configure port forwarding
7. Enable the ability to monitor traffic (websites, protocols, IPs, MACs, etc.)
8. Configure VPN remote access
9. Allow Active Directory to be the authentication for VPN users
10. Proper whitelisting of inbound server traffic to our network

Network Equipment
Router: CCR1036-8G-2s+
- Firmware: tilegx, 3.41
- RouterOS: 6.40.4 (Update to 6.42.1 is scheduled during maintenance this month.)
Network Switches: HPE Pro Curve v1920
Aruba IAP-105

Network Topology
ISP (Fiber to RJ45) > Mikrotik (Port 1 = WAN) > Mikrotik (Port 2 = LAN) > HPE Pro Curve > Aruba IAP
- HPE Pro Curve are daisy chained to each floor
- Aruba IAP's are connected directly to the HPE Pro Curves on each floor

Export of current configuration


# may/14/2018 15:04:15 by RouterOS 6.40.4
# software id = 0SK2-94LN
#
# model = CCR1036-8G-2S+
# serial number = xxxxxxxxxxxxxx
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1590
set [ find default-name=ether2 ] l2mtu=1590 name=ether2-master-local
set [ find default-name=ether3 ] comment="Slave to 2" l2mtu=1590 name=ether3-slave
set [ find default-name=ether4 ] l2mtu=1590
set [ find default-name=ether5 ] l2mtu=1590 name=ether5-callcenter
set [ find default-name=ether6 ] l2mtu=1590
set [ find default-name=ether7 ] l2mtu=1590
set [ find default-name=ether8 ] l2mtu=1590
set [ find default-name=sfp-sfpplus1 ] l2mtu=1590 name=sfp-plus1
set [ find default-name=sfp-sfpplus2 ] l2mtu=1590 name=sfp-plus2
/interface vlan
add interface=ether2-master-local name=vlan300-VoIP vlan-id=300
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=RouterOS
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=10.10.10.50-10.10.11.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=ether2-master-local lease-time=1d name=dhcp1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address=10.10.10.1/23 interface=ether2-master-local network=10.10.10.0
add address=X.X.X.243/29 interface=ether1 network=X.X.X.240
/ip arp
add address=10.10.10.13 interface=ether3-slave mac-address=00:80:A3:93:3B:8A
add address=10.10.10.10 interface=ether2-master-local mac-address=00:25:90:9A:06:70
add address=10.10.10.18 interface=ether2-master-local mac-address=00:80:92:7B:03:D6
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.10.0/23 dns-server=64.58.254.2,64.58.255.2,8.8.8.8,4.2.2.2,8.8.4.4 gateway=10.10.10.1 netmask=23
/ip dns
set servers=8.8.8.8,8.8.4.4,4.2.2.2,64.58.254.2,64.58.255.2
/ip dns static
add address=10.10.10.3 name=files.level.agency
/ip firewall address-list
add address=199.7.172.123 list=OnSIP
add address=199.7.172.128 list="Boot Onsip.com"
add address=199.7.173.102 list=SIP.OnSIP.com
add address=199.7.175.92 list="OnSIP - Inbound"
add address=107.21.211.20 list="Velocify IP1"
add address=107.21.231.147 list="Velocify IP"
add address=54.236.81.101 list="Velocify IP2"
add address=54.236.96.128 list="Velocify IP3"
add address=54.236.97.29 list="Velocify IP4"
add address=54.236.97.135 list="Velocify IP5"
add address=54.172.60.0 list="Velocify IP6"
add address=54.172.60.1 list="Velocify IP7"
add address=54.172.60.2 list="Velocify IP8"
add address=54.172.60.3 list="Velocify IP9"
add address=54.244.51.0 list="Velocify IP10"
add address=54.244.51.1 list="Velocify IP11"
add address=54.244.51.2 list="Velocify IP12"
add address=54.244.51.3 list="Velocify IP13"
add address=69.95.58.227 list=KennyRoss
add address=54.208.27.23 list="CAKE IP1"
add address=52.203.126.205 list="CAKE IP2"
add address=52.203.126.249 list="CAKE IP3"
add address=52.71.71.132 list="CAKE IP4"
add address=54.218.28.138 list="CAKE IP5"
add address=52.39.178.150 list="CAKE IP6"
add address=52.38.248.157 list="CAKE IP7"
add address=52.11.253.146 list="CAKE IP8"
add address=54.229.59.241 list="CAKE IP9"
add address=52.16.198.7 list="CAKE IP10"
add address=54.194.229.129 list="CAKE IP11"
add address=52.50.194.143 list="CAKE IP12"
add address=54.93.189.97 list="CAKE IP13"
add address=52.29.89.77 list="CAKE IP14"
add address=52.29.230.146 list="CAKE IP15"
add address=54.255.163.189 list="CAKE IP16"
add address=52.74.19.248 list="CAKE IP17"
add address=52.77.151.31 list="CAKE IP18"
add address=52.68.11.84 list="CAKE IP19"
add address=52.192.124.43 list="CAKE IP20"
add address=52.196.119.37 list="CAKE IP21"
add address=54.232.198.22 list="CAKE IP22"
add address=52.67.3.239 list="CAKE IP23"
add address=52.67.18.10 list="CAKE IP24"
add address=52.67.18.32 list="CAKE IP25"
add address=52.67.47.102 list="CAKE IP26"
add address=52.67.149.245 list="CAKE IP27"
add address=52.67.77.69 list="CAKE IP28"
add address=50.57.10.52 list="CAKE IP29"
add address=50.57.10.53 list="CAKE IP30"
add address=72.3.174.17 list="CAKE IP31"
add address=72.3.174.16 list="CAKE IP32"
add address=66.133.109.36 comment="Free SSL Certificate Service" list=Lets-Encrypt
add address=0.0.0.0/8 comment=RFC6890 disabled=yes list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 disabled=yes list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 disabled=yes list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 disabled=yes list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 disabled=yes list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 disabled=yes list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 disabled=yes list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 disabled=yes list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 disabled=yes list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 disabled=yes list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 disabled=yes list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 disabled=yes list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 disabled=yes list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 disabled=yes list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 disabled=yes list=NotPublic
add address=173.75.63.52 list=SDS-Home
add address=174.231.143.141 list=VZW-hotspot
/ip firewall filter
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related disabled=yes
add action=accept chain=input comment="Accept all connections from local network" disabled=yes in-interface=ether2-master-local
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related disabled=yes
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" disabled=yes in-interface=ether2-master-local src-address=!10.10.10.0/23
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related disabled=yes in-interface=ether1
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" disabled=yes dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" disabled=yes src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" disabled=yes in-interface=ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" disabled=yes in-interface=ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat comment="SKYNET - OSTicket" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.10.10.10 to-ports=80
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8088 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.3 to-ports=8088
add action=accept chain=dstnat comment="The Wilson Group SNMP Monitor" dst-port=161 in-interface=ether1 protocol=udp
add action=src-nat chain=srcnat comment="The Wilson Group SNMP send" out-interface=ether2-master-local protocol=udp src-port=161 to-ports=161
add action=masquerade chain=srcnat comment="Outbound traffic" out-interface=ether2-master-local src-address=10.10.10.0/23
add action=masquerade chain=srcnat comment=Loopback out-interface=ether2-master-local to-addresses=X.X.X.243
add action=masquerade chain=srcnat comment=Loopback disabled=yes out-interface=ether1
add action=dst-nat chain=dstnat comment=Loopback dst-address=X.X.X.243 to-addresses=10.10.10.3
add action=dst-nat chain=dstnat comment="Authentication Packets for Apps, Software, Websites, etc." dst-port=443 in-interface=ether1 protocol=tcp to-ports=443
add action=dst-nat chain=dstnat comment="RDP - SkyNet" dst-port=3389 in-interface=ether1 protocol=tcp to-addresses=10.10.10.10 to-ports=3389
add action=dst-nat chain=dstnat comment="SQL Broker Port" dst-port=1433 in-interface=ether1 protocol=tcp to-addresses=10.10.10.10 to-ports=1433
add action=dst-nat chain=dstnat comment="SQL Authentication SSL" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=10.10.10.10 to-ports=443
add action=dst-nat chain=dstnat comment="SQL Interface" dst-port=1434 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.10 to-ports=1434
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=25 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.5 to-ports=25
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=587 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.5 to-ports=587
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=25 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.5 to-ports=25
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=587 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.15 to-ports=587
add action=dst-nat chain=dstnat comment="OnSIP Communication Port" dst-address=X.X.X.243 dst-port=5060 in-interface=all-ethernet protocol=udp to-ports=5060
add action=dst-nat chain=dstnat comment="OnSIP RTP Audio Media Packets" dst-address=X.X.X.243 port=10000-20000 protocol=udp to-ports=10000-20000
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=1433 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.6 to-ports=1433
add action=redirect chain=dstnat comment="RDP into LVL-Base Server" dst-address=X.X.X.243 dst-port=4050 in-interface=all-ethernet protocol=tcp to-ports=3389
add action=dst-nat chain=dstnat in-interface=all-ethernet port=500 protocol=udp to-ports=500
add action=dst-nat chain=dstnat in-interface=all-ethernet port=50-51 protocol=udp to-ports=50-51
add action=dst-nat chain=dstnat in-interface=all-ethernet port=4500 protocol=udp to-ports=4500
add action=dst-nat chain=dstnat comment="IT RDP In" dst-port=4052 in-interface=ether1 protocol=tcp to-addresses=10.10.10.254 to-ports=3389
/ip firewall service-port
set sip disabled=yes
/ip proxy
set cache-path=disk1/web/proxy max-cache-object-size=4096KiB parent-proxy=0.0.0.0
/ip route
add check-gateway=ping distance=1 gateway=X.X.X.241
/ip service
set telnet address=10.10.10.0/24 disabled=yes
set ftp address=10.10.10.0/24 disabled=yes
set www address=10.10.10.0/23,71.182.231.41/32,54.204.152.194/32 port=51506
set ssh disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2-master-local type=internal
/system clock
set time-zone-autodetect=no time-zone-name=EST5EDT
/system clock manual
set dst-end="nov/06/2016 02:00:00" dst-start="mar/13/2016 02:00:00" time-zone=+05:00
/system identity
set name=RouterOS
/system leds
set 0 interface=sfp-plus1
set 1 interface=sfp-plus1
set 2 interface=sfp-plus2
set 3 interface=sfp-plus2
/system ntp client
set enabled=yes primary-ntp=97.107.128.58 secondary-ntp=66.228.42.59
/system scheduler
add interval=1w name="auto backup" on-event="/system backup save name=October7 backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=oct/09/2017 start-time=10:00:00
add comment="Auto backup send to IT@level.agency. This is also to have an off device backup." interval=1w name="autoback up send to email" on-event=\
"/tool email sent to=\"it@level.agency\" subject=(/system identity get name]\" backup\") file=today backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=oct/09/2017 \
start-time=10:00:00
add disabled=yes interval=1d name=backup_MT1 on-event="/export file=configuration_MT1 hide-sensitive ;\r\
\n/system backup save name=backup_MT1 ;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/10/2017 start-time=11:16:00
/tool graphing interface
add interface=ether1
/tool graphing queue
add
/tool sniffer
set filter-interface=ether1 filter-port=587 filter-stream=yes only-headers=yes
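Added example, not code from the post or from MikroTik: a small Python audit that parses RouterOS export lines (the `/menu path` sections followed by `add key=value ...` / `set key=value ...` lines, including the trailing-backslash line wrapping seen in the scheduler entries above) and reports the configuration smells a reviewer would point out in the export: a filter chain whose only active rule is an unrestricted accept, disabled hardening rules, duplicate dstnat rules, dst-nat rules with no to-addresses, dstnat rules matching all-ethernet, services with no address restriction, and a 3DES IPsec proposal. The embedded input is a constructed excerpt modelled on the export above, not the complete file; the finding texts and the `SOURCE_KEYS` list are my own choices.

```python
"""Static audit of a RouterOS '/export' for the kinds of mistakes visible in the export above.

Added example (not from the post or from MikroTik): parses 'add'/'set' lines under
'/path' sections and reports configuration smells a reviewer would raise.
"""
import shlex
from collections import Counter

# Constructed excerpt modelled on the export in the post; not the complete file.
SAMPLE_EXPORT = """\
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip firewall filter
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept established and related packets" \\
    connection-state=established,related disabled=yes
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" \\
    connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=25 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.5 to-ports=25
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=25 in-interface=all-ethernet protocol=tcp to-addresses=10.10.10.5 to-ports=25
add action=dst-nat chain=dstnat comment="Authentication Packets" dst-port=443 in-interface=ether1 protocol=tcp to-ports=443
/ip service
set www address=10.10.10.0/23 port=51506
set ssh disabled=yes
set winbox port=8291
"""

# Matchers that limit where an input-chain accept applies (assumed list for this audit).
SOURCE_KEYS = {"src-address", "src-address-list", "in-interface", "in-interface-list"}


def parse_export(text):
    """Return a list of (section, verb, targets, params) tuples, one per add/set line."""
    rules, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # RouterOS wraps long lines with a trailing backslash
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # menu path, e.g. '/ip firewall filter'
            section = line
            continue
        tokens = shlex.split(line)          # honours RouterOS's double-quoted values
        verb, rest = tokens[0], tokens[1:]
        targets = [t for t in rest if "=" not in t]        # e.g. the service name after 'set'
        params = dict(t.split("=", 1) for t in rest if "=" in t)
        rules.append((section, verb, targets, params))
    return rules


def audit(text):
    """Return human-readable findings for the export text."""
    rules = parse_export(text)
    findings = []

    flt = [p for s, v, _, p in rules if s == "/ip firewall filter" and v == "add"]
    active = [p for p in flt if p.get("disabled") != "yes"]
    if len(active) < len(flt):
        findings.append(f"filter: {len(flt) - len(active)} of {len(flt)} rules are disabled")
    for chain in ("input", "forward"):
        # Without a drop rule the chain falls through to its implicit accept.
        if not any(p.get("chain") == chain and p.get("action") == "drop" for p in active):
            findings.append(f"filter: chain {chain} has no active drop rule (everything unmatched is accepted)")
    for p in active:
        if p.get("chain") == "input" and p.get("action") == "accept" and not SOURCE_KEYS.intersection(p):
            findings.append(f"filter: input accept for {p.get('protocol', 'any')}/{p.get('dst-port', 'any')} "
                            f"({p.get('comment', 'no comment')}) has no source restriction")

    nat = [p for s, v, _, p in rules if s == "/ip firewall nat" and v == "add" and p.get("chain") == "dstnat"]
    identical = Counter(frozenset((k, v) for k, v in p.items() if k != "comment") for p in nat)
    dups = sum(n - 1 for n in identical.values())
    if dups:
        findings.append(f"nat: {dups} duplicate dstnat rule(s) differing at most by comment")
    for p in nat:
        port = p.get("dst-port") or p.get("port", "any")
        if p.get("action") == "dst-nat" and "to-addresses" not in p:
            findings.append(f"nat: dst-nat for port {port} has no to-addresses, "
                            "so the destination stays the router itself")
        if p.get("in-interface") == "all-ethernet":
            findings.append(f"nat: dstnat for port {port} matches in-interface=all-ethernet, "
                            "i.e. LAN ports as well as ether1 (fine only if hairpin NAT is intended)")

    for s, v, targets, p in rules:
        if s == "/ip service" and v == "set" and p.get("disabled") != "yes" and "address" not in p:
            findings.append(f"service: {targets[0]} is enabled with no 'address' restriction")
        if s == "/ip ipsec proposal" and "3des" in p.get("enc-algorithms", ""):
            findings.append("ipsec: proposal allows 3des, a deprecated cipher")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real `/export` saved to a file by passing the file contents to `audit()`; services that the export does not list are at RouterOS defaults (enabled, no address restriction) and so will not show up here, which is itself worth remembering when reading an export.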
