Dual WAN

Обсуждение ПО и его настройки
andrey.vysochinenko
Сообщения: 2
Зарегистрирован: 24 май 2019, 10:23

Здравствуйте!
Настроил Dual WAN. Но, к сожалению, интернет работает только через Ростелеком. Не могу понять, что я сделал не так.
Mikrotik CCR1009-7G-1C
6.44.1


# Interface layer: one LAN bridge, the physical ports, the PPPoE uplink and the WAN/LAN interface lists.
# arp=proxy-arp makes the router answer ARP on the bridge on behalf of addresses it reaches elsewhere;
# protocol-mode=none switches STP/RSTP off on this bridge.
/interface bridge
add arp=proxy-arp name=bridge-local protocol-mode=none
/interface ethernet
# combo1 is labelled RT (it carries the PPPoE client below); ether1 is labelled BAZANET (second uplink).
set [ find default-name=combo1 ] comment=RT
set [ find default-name=ether1 ] comment=BAZANET speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
/interface pppoe-client
# NOTE(review): the PPPoE user and password are exported in clear text. When a config is shared,
# export it with "/export hide-sensitive" and change any credential that has already been published.
# add-default-route is not set on this client, so the default route for pppoe-rt presumably comes
# from /ip route, which is not part of this listing - confirm.
add disabled=no interface=combo1 name=pppoe-rt password=szt use-peer-dns=yes \
    user=szt
/interface list
# Interface lists referenced by the firewall (in-interface-list / out-interface-list).
add name=WAN
add name=LAN
# IPsec phase 1 (profiles, peers) and phase 2 (proposals) definitions.
/ip ipsec policy group
add name=group-main
/ip ipsec profile
# NOTE(review): dh-group=modp1024 (1024-bit MODP) is used by the default, LDK2 and compgroup profiles;
# only PVH uses modp2048 with sha256. Raising the group has to be agreed with each remote peer.
# Profiles that do not set enc-algorithm or hash-algorithm keep the RouterOS defaults - confirm what
# they are on this version before relying on them.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=modp1024 name=LDK2
add dh-group=modp2048 hash-algorithm=sha256 name=PVH nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-128 name=compgroup
/ip ipsec peer
# All peers use IKEv2. compgroupMG and compgroupBAZA are disabled, so only compgroupRT, PVH and LDK2
# are active.
add address=58.25.165.181/32 disabled=yes exchange-mode=ike2 name=compgroupMG \
    profile=compgroup
add address=65.98.246.143/32 exchange-mode=ike2 name=compgroupRT profile=compgroup
add address=66.88.199.65/32 exchange-mode=ike2 name=PVH profile=PVH
add address=66.88.198.44/32 disabled=yes exchange-mode=ike2 name=compgroupBAZA \
    profile=compgroup
add address=53.96.169.8/32 exchange-mode=ike2 name=LDK2 profile=LDK2
/ip ipsec proposal
# NOTE(review): the default proposal still offers 3des. Only the PVH policies in /ip ipsec policy name
# ipsec-tunnel-sa (sha256 + aes-256-cbc); policies without proposal= presumably use the default one.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ipsec-tunnel-sa
# Logging action 0 keeps 10000 lines in memory (RAM only, lost on reboot unless also sent elsewhere).
/system logging action
set 0 memory-lines=10000
/interface bridge port
# ether2-ether7 are switched together as the LAN; ether1 and combo1 stay outside the bridge.
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
/interface list member
# Both uplinks are members of WAN, so every rule that matches on the WAN list applies to both providers.
add interface=pppoe-rt list=WAN
add interface=ether1 list=WAN
add interface=bridge-local list=LAN
/interface pptp-server server
# NOTE(review): the PPTP server is enabled with no other options shown. PPTP relies on MS-CHAPv2/MPPE,
# which is considered weak; the filter rules admit it only on pppoe-rt. Consider moving remote
# access to the IPsec/IKEv2 setup this router already has.
set enabled=yes
/ip address
add address=192.168.52.2/24 interface=bridge-local network=192.168.52.0
/ip dhcp-client
# add-default-route=no: the DHCP lease on ether1 installs no default route, so traffic can leave through
# ether1 only if /ip route (not part of this listing) has a route for it - confirm.
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip dns
# NOTE(review): allow-remote-requests=yes turns the router into a resolver for every client the input
# chain lets through. Check that UDP/TCP 53 is not reachable from the WAN interfaces.
set allow-remote-requests=yes
/ip dns static
# Only the 172.17.0.5 record for jabber.compname.ru is active; the other static records are disabled.
add address=58.25.165.182 disabled=yes name=jabber.compname.ru
add address=172.17.0.5 name=jabber.compname.ru
add address=192.168.51.2 disabled=yes name=compnamesrv0.compname.local
add address=192.168.51.3 disabled=yes name=compnamesrv1.compname.local
add address=172.17.0.8 disabled=yes name=1csrv.compgroup.local
# Address lists used by the filter and mangle rules:
#   compgroup, LDK2, PVH - networks behind the remote IPsec peers
#   compname, local      - this organisation's own subnets
#   Internal             - private ranges (not referenced by any rule in this listing)
#   BlockedSites         - DNS names; the router resolves them and matches on the resulting addresses
#   AllowIP              - hosts exempt from the BlockedSites rule
#   bogons               - reserved ranges, used as dst-address-list=!bogons in the mangle output rules
/ip firewall address-list
add address=172.16.0.0/16 list=compgroup
add address=172.17.0.0/16 list=compgroup
add address=172.19.0.0/16 list=compgroup
add address=172.20.0.0/16 list=compgroup
add address=172.25.0.0/16 list=compgroup
add address=192.168.1.0/24 list=LDK2
add address=192.168.6.0/24 list=PVH
add address=192.168.4.0/24 list=compname
add address=192.168.10.0/24 list=compname
add address=192.168.50.0/24 list=compname
add address=192.168.51.0/24 list=compname
add address=192.168.52.0/24 list=compname
add address=192.168.53.0/24 list=compname
add address=192.168.55.0/24 list=compname
add address=192.168.56.0/24 list=compname
add address=192.168.100.0/24 list=compname
add address=192.168.8.0/24 list=compname
# NOTE(review): name-based entries cover only the addresses the name resolves to at refresh time;
# sites behind shared CDN addresses can be over- or under-blocked.
add address=vk.com list=BlockedSites
add address=ok.ru list=BlockedSites
add address=mamba.ru list=BlockedSites
add address=odnoklassniki.ru list=BlockedSites
add address=love.mail.ru list=BlockedSites
add address=facebook.com list=BlockedSites
add address=instagram.com list=BlockedSites
add address=badoo.com list=BlockedSites
add address=flickr.com list=BlockedSites
add address=coub.com list=BlockedSites
add address=192.168.10.20 comment=Energetik list=AllowIP
add address=192.168.0.0/16 list=Internal
add address=172.16.0.0/16 list=Internal
add address=172.17.0.0/16 list=Internal
add address=172.19.0.0/16 list=Internal
add address=172.20.0.0/16 list=Internal
add address=172.25.0.0/16 list=Internal
add address=10.10.16.0/24 list=Internal
add address=192.168.5.0/24 list=compname
add address=10.10.16.0/24 list=compname
add address=192.168.54.0/24 list=compname
add address=detmir.ru list=BlockedSites
add address=vkuseraudio.ru list=BlockedSites
add address=vkontakte.ru list=BlockedSites
add address=192.168.50.147 comment=OIT list=AllowIP
add address=192.168.77.0/24 list=compname
add address=bonprix.ru list=BlockedSites
add address=iloveyou.ru list=BlockedSites
add address=razlozhi.ru list=BlockedSites
add address=youravon.com list=BlockedSites
# NOTE(review): the bogons list contains 172.16.0.0/12 and 192.168.0.0/16, which are in use on this
# router and behind its tunnels, and it has no entry for 10.0.0.0/8 although 10.10.16.0/24 is internal.
# Review the list before using it in any drop rule.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=100.64.0.0/10 comment=RFC6890 list=bogons
add address=192.0.0.0/24 comment=RFC6890 list=bogons
add address=240.0.0.0/4 comment=RFC6890 list=bogons
add address=192.168.52.0/24 list=local
add address=192.168.5.0/24 list=local
add address=bugaga.ru list=BlockedSites
add address=spletnik.ru list=BlockedSites
add address=avito.ru disabled=yes list=BlockedSites
add address=auto.ru list=BlockedSites
add address=avto.ru list=BlockedSites
add address=ozon.ru list=BlockedSites
add address=kinoabc.ru list=BlockedSites
add address=kinoklub77.ru list=BlockedSites
# Filter rules are evaluated top to bottom per chain; the first matching rule decides.
# chain=input is traffic addressed to the router itself, chain=forward is traffic routed through it.
/ip firewall filter
add action=drop chain=input src-address=185.202.67.13
add action=accept chain=input comment="Allow ICMP input local" disabled=yes \
    protocol=icmp
add action=accept chain=forward comment="Allow ICMP input local" disabled=yes \
    protocol=icmp
# Site blocking works on the return path: TCP packets whose source is in BlockedSites are reset
# unless the destination is in AllowIP.
add action=reject chain=forward comment=BlockedSites dst-address-list=\
    !AllowIP log-prefix="Block sites" protocol=tcp reject-with=tcp-reset \
    src-address-list=BlockedSites
add action=drop chain=forward comment="drop comerc" dst-address=\
    !192.168.77.0/24 src-address=192.168.5.19
# NOTE(review): accepts forwarded traffic from any source, any protocol, to 66.88.198.44
# (the address of the disabled compgroupBAZA peer) - confirm it is still needed.
add action=accept chain=forward dst-address=66.88.198.44
# NOTE(review): IKE, ESP and AH are accepted from any source address. The peers have fixed addresses
# in /ip ipsec peer, so these three rules could be limited to them with a src-address-list.
add action=accept chain=input comment="Allow IKE" dst-port=500,4500 protocol=\
    udp
add action=accept chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="Allow established  input connections" \
    connection-state=established,related log-prefix="allow established"
add action=accept chain=forward comment="Allow established connections" \
    connection-state=established,related,untracked log-prefix=\
    "allow established"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# The first collector rule has no source restriction: together with the dst-nat rule in
# /ip firewall nat it lets any WAN source reach 192.168.10.20:2060.
add action=accept chain=forward comment="Vzliot Data collector forward" \
    dst-address=192.168.10.20 dst-port=2060 protocol=tcp
add action=accept chain=forward comment="Vzliot Data collector forward" \
    dst-port=2060 protocol=tcp src-address=192.168.10.20
# PPTP control (TCP 1723) and GRE are accepted only on pppoe-rt; there is no matching pair for ether1.
add action=accept chain=input comment="PPTP Server" dst-port=1723 \
    in-interface=pppoe-rt protocol=tcp
add action=accept chain=input in-interface=pppoe-rt protocol=gre
add action=accept chain=forward comment="Allow forward pptp" log-prefix=\
    "accept pptp" out-interface=bridge-local src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow forward pptp" dst-address=\
    192.168.5.0/24 log-prefix="accept pptp"
# Management from two fixed addresses. NOTE(review): 8728 is the unencrypted API port and 80 is plain
# HTTP WebFig; over the internet prefer the TLS variants or reach management through a tunnel.
add action=accept chain=input comment="Allow connection to winbox" dst-port=\
    8291,8728,80 protocol=tcp src-address=58.25.165.182
add action=accept chain=input comment="Allow connection to winbox" dst-port=\
    8291,8728,80 protocol=tcp src-address=65.98.227.148
# NOTE(review): this rule has no matcher at all (no in-interface, no src-address), so it accepts every
# packet that reaches it on chain=input, from any interface including both uplinks. The input rules
# below it - the ICMP accept, "Drop invalid connection input" and "Drop all input" - can never match.
# The comment says "local networks": the rule probably needs a matcher such as in-interface-list=LAN
# or a src-address-list. Before tightening it, make sure management access from PPTP and tunnel
# networks is still allowed by an explicit rule.
add action=accept chain=input comment="allow connection from local networks"
add action=accept chain=forward comment="Allow DNS request forward" disabled=\
    yes dst-address-list=compname protocol=udp src-port=53
add action=accept chain=forward disabled=yes protocol=udp src-address-list=\
    compname src-port=53
add action=accept chain=input comment="Allow ICMP input local" in-interface=\
    bridge-local protocol=icmp
# LAN hosts may open connections through either uplink.
add action=accept chain=forward comment="Allow forward from local network" \
    in-interface=bridge-local out-interface=pppoe-rt
add action=accept chain=forward comment="Allow forward from local network" \
    in-interface=bridge-local out-interface=ether1
# Site-to-site traffic between the local subnets (compname) and the remote lists PVH / compgroup.
add action=accept chain=forward comment="Allow PVH" dst-address-list=compname \
    log-prefix="Allow PVH" src-address-list=PVH
add action=accept chain=forward comment="Allow PVH" dst-address-list=PVH \
    src-address-list=compname
add action=accept chain=forward comment="Allow compgroup" dst-address-list=compname \
    src-address-list=compgroup
add action=accept chain=forward comment="Allow compgroup" dst-address-list=compgroup \
    src-address-list=compname
add action=accept chain=forward comment="Allow forward between UCM compname LDK" \
    dst-address=192.168.1.15 src-address=192.168.55.2
add action=accept chain=forward comment="Allow forward between UCM compname LDK" \
    dst-address=192.168.55.2 src-address=192.168.1.15
add action=accept chain=forward comment=\
    "Allow forward 192.168.10.32 to LDK2 " dst-address-list=LDK2 src-address=\
    192.168.10.32
add action=accept chain=input comment="Allow ICMP input" disabled=yes \
    log-prefix=ping protocol=icmp
add action=accept chain=forward comment="Allow ICMP forward" disabled=yes \
    protocol=icmp
# Everything else towards LDK2 is dropped; only the explicit accepts above reach that site.
add action=drop chain=forward comment="Drop forward to LDK2" \
    dst-address-list=LDK2 log-prefix=LDK2
# No transit between or within the two uplinks.
add action=drop chain=forward comment="Drop forward between out iface" \
    in-interface=pppoe-rt out-interface=pppoe-rt
add action=drop chain=forward comment="Drop forward between out iface" \
    in-interface=ether1 out-interface=ether1
add action=drop chain=forward comment="Drop forward between out iface" \
    in-interface=ether1 out-interface=pppoe-rt
add action=drop chain=forward comment="Drop forward between out iface" \
    in-interface=pppoe-rt out-interface=ether1
# The invalid-state drops sit near the end of the chains, after the accept rules, so a packet in
# state invalid that matches an earlier accept is never dropped here.
add action=drop chain=input comment="Drop invalid connection input" \
    connection-state=invalid
add action=drop chain=forward comment="Drop invalid connection forward" \
    connection-state=invalid
add action=drop chain=input comment="Drop all input" log-prefix="all drop"
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all forward" log-prefix=\
    "all drop"
# Policy-routing marks for the two uplinks. Connection marks INRT / INBAZA (traffic to the router) and
# ForwardRT / ForwardBAZA (forwarded traffic) are mapped to the routing marks routeRT / routeBAZA.
# None of the mark-connection rules tests connection-state or an existing mark, so they are applied
# to every matching packet, not only to the first packet of a connection.
/ip firewall mangle
# NOTE(review): the next two rules have the same matcher (ipsec-policy=in,ipsec) and passthrough=yes,
# so the second always overwrites the mark written by the first.
add action=mark-connection chain=input comment="Mark IPSEC INRT" \
    ipsec-policy=in,ipsec log-prefix="Mark IPSEC" new-connection-mark=INRT \
    passthrough=yes
add action=mark-connection chain=input comment="Mark IPSEC INBAZA" \
    ipsec-policy=in,ipsec log-prefix="Mark IPSEC" new-connection-mark=INBAZA \
    passthrough=yes
# Replies from the router leave through the uplink the request arrived on.
add action=mark-connection chain=input comment="Mark input INRT" \
    in-interface=pppoe-rt new-connection-mark=INRT passthrough=yes
add action=mark-routing chain=output comment="Mark output routeRT" \
    connection-mark=INRT new-routing-mark=routeRT passthrough=no
add action=mark-connection chain=input comment="Mark input INBAZA " \
    in-interface=ether1 new-connection-mark=INBAZA passthrough=yes
add action=mark-routing chain=output comment="Mark output routeBAZA" \
    connection-mark=INBAZA new-routing-mark=routeBAZA passthrough=no
# NOTE(review): ForwardRT / ForwardBAZA are set only on packets that arrive on an uplink. No rule marks
# a connection on its first packet from bridge-local, so the uplink for LAN-initiated traffic is
# chosen by the main routing table alone. /ip route is not part of this listing - confirm there is
# a default route for each routing mark and check which default route the main table holds.
add action=mark-connection chain=prerouting comment=\
    "Mark forward RT ForwardRT" in-interface=pppoe-rt new-connection-mark=\
    ForwardRT passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark routing ForwardRT routeRT" connection-mark=ForwardRT in-interface=\
    !pppoe-rt new-routing-mark=routeRT passthrough=no
add action=mark-connection chain=prerouting comment=\
    "Mark forward BAZA ForwardBAZA" in-interface=ether1 new-connection-mark=\
    ForwardBAZA passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark routing ForwardBAZA routeBAZA" connection-mark=ForwardBAZA \
    in-interface=!ether1 new-routing-mark=routeBAZA passthrough=no
# Router-originated packets are routed by their source address (presumably each uplink's public
# address - confirm). The ether1 address comes from DHCP, so the first literal goes stale if the
# lease changes.
add action=mark-routing chain=output dst-address-list=!bogons log-prefix=\
    "Mark BAZA" new-routing-mark=routeBAZA passthrough=yes src-address=\
    66.88.199.205
add action=mark-routing chain=output dst-address-list=!bogons log-prefix=\
    "Mark RT" new-routing-mark=routeRT passthrough=yes src-address=\
    25.99.224.234
/ip firewall nat
# Masquerade everything leaving through either uplink, except packets that will be IPsec-encapsulated
# (ipsec-policy=out,none), so tunnel traffic keeps its original source address.
add action=masquerade chain=srcnat comment="NAT WAN" ipsec-policy=out,none \
    log-prefix="NAT RT" out-interface-list=WAN
# NOTE(review): TCP 2060 is published to 192.168.10.20 from any source on both uplinks. If the
# collector's clients have known addresses, restrict this rule with a src-address-list.
add action=dst-nat chain=dstnat comment="Vzliot Data collector" dst-port=2060 \
    in-interface-list=WAN log-prefix="vzliot nat" protocol=tcp to-addresses=\
    192.168.10.20 to-ports=2060
# Connection-tracking bypass (notrack) for local subnets towards 192.168.6.0/24 and 192.168.1.0/24.
# Every rule in this section is disabled, so none of them has any effect at the moment.
# If they are ever enabled, those flows are no longer tracked; the forward chain accepts "untracked"
# together with established/related, so they would skip the later per-site filter rules.
/ip firewall raw
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.4.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.10.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.50.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.51.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.52.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.53.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.54.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.55.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=192.168.56.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.6.0/24 \
    src-address=10.10.16.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.4.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.10.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.50.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.51.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.52.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.53.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.54.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.55.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.56.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.0/24 \
    src-address=10.10.16.0/24
# Connection-tracking helpers (NAT ALGs) switched off for the listed protocols.
# The pptp helper is not listed here, so it presumably keeps its default state - confirm.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Pre-shared keys for the IPsec peers, all bound to the policy template group group-main.
# NOTE(review): the secrets appear in clear text in this export. Export with "/export hide-sensitive"
# before sharing a config, and rotate any key that has been published.
# NOTE(review): the keys are 6-7 characters long, and compgroupRT and compgroupBAZA share one key.
# Use a long random secret per peer, or certificates, agreed with each remote side.
/ip ipsec identity
add peer=PVH policy-template-group=group-main secret=\
    df3w4f
add peer=LDK2 policy-template-group=group-main secret=\
    "dsfsdef"
add peer=compgroupRT policy-template-group=group-main secret=23D6bg
add peer=compgroupBAZA policy-template-group=group-main secret=23D6bg
# IPsec phase 2 policies: one tunnel-mode policy per (local subnet, remote subnet) pair.
/ip ipsec policy
set 0 comment=Template group=group-main
# Tunnels to peer compgroupRT (65.98.246.143), sourced from 25.99.224.234.
# Remote networks: 172.16/16, 172.17/16, 172.19/16, 172.20/16, 172.25/16.
# No proposal= is given, so these policies presumably negotiate with the default proposal, which
# still offers 3des.
# NOTE(review): the 172.16.0.0/16 group has no policy for 10.10.16.0/24, while the other four
# destinations do (the ...RT5 entries) - confirm this is intended.
add comment=compgroupRT16compnameRT4 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=compgroupRT16compnameRT10 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.10.0/24 tunnel=yes
add comment=compgroupRT16compnameRT50 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=compgroupRT16compnameRT51 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=compgroupRT16compnameRT52 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.52.0/24 tunnel=yes
add comment=compgroupRT16compnameRT53 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=compgroupRT16compnameRT54 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=compgroupRT16compnameRT55 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.55.0/24 tunnel=yes
add comment=compgroupRT16compnameRT56 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupRT16compnameRT77 dst-address=172.16.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.77.0/24 tunnel=yes
add comment=compgroupRT17compnameRT5 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    10.10.16.0/24 tunnel=yes
add comment=compgroupRT17compnameRT4 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=compgroupRT17compnameRT10 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.10.0/24 tunnel=yes
add comment=compgroupRT17compnameRT50 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=compgroupRT17compnameRT51 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=compgroupRT17compnameRT52 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.52.0/24 tunnel=yes
add comment=compgroupRT17compnameRT53 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=compgroupRT17compnameRT54 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=compgroupRT17compnameRT55 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.55.0/24 tunnel=yes
add comment=compgroupRT17compnameRT56 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupRT17compnameRT77 dst-address=172.17.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.77.0/24 tunnel=yes
add comment=compgroupRT19compnameRT5 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    10.10.16.0/24 tunnel=yes
add comment=compgroupRT19compnameRT4 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=compgroupRT19compnameRT10 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.10.0/24 tunnel=yes
add comment=compgroupRT19compnameRT50 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=compgroupRT19compnameRT51 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=compgroupRT19compnameRT52 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.52.0/24 tunnel=yes
add comment=compgroupRT19compnameRT53 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=compgroupRT19compnameRT54 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=compgroupRT19compnameRT55 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.55.0/24 tunnel=yes
add comment=compgroupRT19compnameRT56 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupRT19compnameRT77 dst-address=172.19.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.77.0/24 tunnel=yes
add comment=compgroupRT20compnameRT5 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    10.10.16.0/24 tunnel=yes
add comment=compgroupRT20compnameRT4 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=compgroupRT20compnameRT10 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.10.0/24 tunnel=yes
add comment=compgroupRT20compnameRT50 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=compgroupRT20compnameRT51 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=compgroupRT20compnameRT52 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.52.0/24 tunnel=yes
add comment=compgroupRT20compnameRT53 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=compgroupRT20compnameRT54 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=compgroupRT20compnameRT55 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.55.0/24 tunnel=yes
add comment=compgroupRT20compnameRT56 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupRT20compnameRT77 dst-address=172.20.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.77.0/24 tunnel=yes
add comment=compgroupRT25compnameRT5 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    10.10.16.0/24 tunnel=yes
add comment=compgroupRT25compnameRT4 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=compgroupRT25compnameRT10 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.10.0/24 tunnel=yes
add comment=compgroupRT25compnameRT50 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=compgroupRT25compnameRT51 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=compgroupRT25compnameRT52 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.52.0/24 tunnel=yes
add comment=compgroupRT25compnameRT53 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=compgroupRT25compnameRT54 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=compgroupRT25compnameRT55 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.55.0/24 tunnel=yes
add comment=compgroupRT25compnameRT56 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
add comment=compgroupRT25compnameRT77 dst-address=172.25.0.0/16 level=unique \
    sa-dst-address=65.98.246.143 sa-src-address=25.99.224.234 src-address=\
    192.168.77.0/24 tunnel=yes
# Tunnels to peer PVH (66.88.199.65) for remote network 192.168.6.0/24, sourced from 25.99.224.234.
# These are the only policies that name a proposal: ipsec-tunnel-sa (sha256 + aes-256-cbc).
# This group covers 192.168.5.0/24 (the ...RTVPN entry) and has no entry for 192.168.77.0/24.
add comment=PVHcompnameRT5 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=10.10.16.0/24 tunnel=yes
add comment=PVHcompnameRT4 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.4.0/24 tunnel=yes
add comment=PVHcompnameRTVPN dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.5.0/24 tunnel=yes
add comment=PVHcompnameRT10 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.10.0/24 tunnel=yes
add comment=PVHcompnameRT50 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.50.0/24 tunnel=yes
add comment=PVHcompnameRT51 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.51.0/24 tunnel=yes
add comment=PVHcompnameRT52 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.52.0/24 tunnel=yes
add comment=PVHcompnameRT53 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.53.0/24 tunnel=yes
add comment=PVHcompnameRT54 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.54.0/24 tunnel=yes
add comment=PVHcompnameRT55 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.55.0/24 tunnel=yes
add comment=PVHcompnameRT56 dst-address=192.168.6.0/24 level=unique proposal=\
    ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    25.99.224.234 src-address=192.168.56.0/24 tunnel=yes
# Tunnels to peer LDK2 (53.96.169.8) for remote network 192.168.1.0/24, sourced from 25.99.224.234.
# Only the policies for 192.168.10.0/24, 192.168.52.0/24 and 192.168.55.0/24 are enabled; the other
# seven are disabled. No proposal= is given, so the default proposal presumably applies.
add comment=LDK2compname5 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    10.10.16.0/24 tunnel=yes
add comment=LDK2compname4 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.4.0/24 tunnel=yes
add comment=LDK2compname10 dst-address=192.168.1.0/24 level=unique sa-dst-address=\
    53.96.169.8 sa-src-address=25.99.224.234 src-address=192.168.10.0/24 \
    tunnel=yes
add comment=LDK2compname50 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.50.0/24 tunnel=yes
add comment=LDK2compname51 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.51.0/24 tunnel=yes
add comment=LDK2compname52 dst-address=192.168.1.0/24 level=unique sa-dst-address=\
    53.96.169.8 sa-src-address=25.99.224.234 src-address=192.168.52.0/24 \
    tunnel=yes
add comment=LDK2compname53 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.53.0/24 tunnel=yes
add comment=LDK2compname54 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.54.0/24 tunnel=yes
add comment=LDK2compname55 dst-address=192.168.1.0/24 level=unique sa-dst-address=\
    53.96.169.8 sa-src-address=25.99.224.234 src-address=192.168.55.0/24 \
    tunnel=yes
add comment=LDK2compname56 disabled=yes dst-address=192.168.1.0/24 level=unique \
    sa-dst-address=53.96.169.8 sa-src-address=25.99.224.234 src-address=\
    192.168.56.0/24 tunnel=yes
# Tunnels to peer compgroupBAZA (66.88.198.44) over the second uplink. Every policy in this group is
# disabled, as is the peer itself, so no tunnel is currently built through ether1.
# NOTE(review): sa-src-address=66.88.199.65 is the address configured for the PVH peer, while the mangle
# rule for routeBAZA uses 66.88.199.205 as the local source. One of them looks wrong (or is an artefact
# of anonymising the config) - confirm the real ether1 address before enabling these policies.
add comment=compgroupBAZA16compnameBAZA4 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.4.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA10 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.10.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA50 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.50.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA51 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.51.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA52 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.52.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA53 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.53.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA54 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.54.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA55 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.55.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA56 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA16compnameBAZA77 disabled=yes dst-address=172.16.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.77.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA5 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=10.10.16.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA4 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.4.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA10 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.10.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA50 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.50.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA51 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.51.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA52 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.52.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA53 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.53.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA54 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.54.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA55 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.55.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA56 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA17compnameBAZA77 disabled=yes dst-address=172.17.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.77.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA5 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=10.10.16.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA4 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.4.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA10 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.10.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA50 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.50.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA51 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.51.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA52 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.52.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA53 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.53.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA54 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.54.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA55 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.55.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA56 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA5 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=10.10.16.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA4 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.4.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA10 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.10.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA50 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.50.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA51 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.51.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA52 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.52.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA53 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.53.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA54 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.54.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA55 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.55.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA56 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA20compnameBAZA77 disabled=yes dst-address=172.20.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.77.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA5 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=10.10.16.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA4 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.4.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA10 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.10.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA50 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.50.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA51 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.51.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA52 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.52.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA53 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.53.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA54 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.54.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA55 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.55.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA56 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.56.0/24 tunnel=yes
add comment=compgroupBAZA19compnameBAZA77 disabled=yes dst-address=172.19.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.77.0/24 tunnel=yes
add comment=compgroupBAZA25compnameBAZA77 disabled=yes dst-address=172.25.0.0/16 level=\
    unique sa-dst-address=66.88.198.44 sa-src-address=66.88.199.65 \
    src-address=192.168.77.0/24 tunnel=yes
add comment=PVHcompnameBAZA5 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=10.10.16.0/24 tunnel=yes
add comment=PVHcompnameBAZA4 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.4.0/24 tunnel=yes
add comment=PVHcompnameBAZAVPN disabled=yes dst-address=192.168.6.0/24 level=\
    unique proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 \
    sa-src-address=66.88.199.205 src-address=192.168.5.0/24 tunnel=yes
add comment=PVHcompnameBAZA10 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.10.0/24 tunnel=yes
add comment=PVHcompnameBAZA50 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.50.0/24 tunnel=yes
add comment=PVHcompnameBAZA51 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.51.0/24 tunnel=yes
add comment=PVHcompnameBAZA52 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.52.0/24 tunnel=yes
add comment=PVHcompnameBAZA53 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.53.0/24 tunnel=yes
add comment=PVHcompnameBAZA54 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.54.0/24 tunnel=yes
add comment=PVHcompnameBAZA55 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.55.0/24 tunnel=yes
add comment=PVHcompnameBAZA56 disabled=yes dst-address=192.168.6.0/24 level=unique \
    proposal=ipsec-tunnel-sa sa-dst-address=66.88.199.65 sa-src-address=\
    66.88.199.205 src-address=192.168.56.0/24 tunnel=yes
/ip route
# Per-uplink default routes. They apply only to packets that already carry the
# matching routing-mark; the mangle rules that set those marks are not part of
# this section.
add distance=1 gateway=pppoe-rt routing-mark=routeRT
add distance=1 gateway=66.88.199.1 routing-mark=routeBAZA
# Main-table default routes with recursive gateways: 8.8.8.8 and 8.8.4.4 are
# reached through the two /32 host routes that follow. The distance=10 route is
# preferred for as long as its check-gateway ping is answered, so unmarked
# traffic uses a single uplink and the distance=20 route is a standby only.
# NOTE(review): failover depends on ICMP replies from one public address per
# uplink; confirm the firewall lets these probes leave through the intended
# interface and that an unanswered probe is the failure you want to react to.
add check-gateway=ping distance=10 gateway=8.8.8.8 target-scope=30
add check-gateway=ping distance=20 gateway=8.8.4.4 target-scope=30
add distance=1 dst-address=8.8.4.4/32 gateway=66.88.199.1
add distance=1 dst-address=8.8.8.8/32 gateway=25.99.132.1
add distance=1 dst-address=10.10.16.0/24 gateway=192.168.52.1
# Host routes that pin IPsec peer addresses and provider DNS servers to one
# uplink. NOTE(review): presumably this keeps tunnel traffic leaving with the
# source address the matching policy names in sa-src-address; confirm.
add comment="to LDK2 from RT" distance=1 dst-address=53.96.169.8/32 gateway=\
    pppoe-rt
add comment="DNS RT" distance=1 dst-address=53.96.171.200/32 gateway=pppoe-rt
add comment="DNS BAZA" distance=1 dst-address=66.88.196.1/32 gateway=ether1
add comment="DNS BAZA" distance=1 dst-address=66.88.196.2/32 gateway=ether1
add comment=compgroup_BAZA_IP disabled=yes distance=1 dst-address=66.88.198.44/32 \
    gateway=pppoe-rt
add comment="to PVH from RT" distance=1 dst-address=66.88.199.65/32 gateway=\
    pppoe-rt
add comment="to PVH from BAZA" disabled=yes distance=1 dst-address=\
    66.88.199.65/32 gateway=66.88.199.1
add comment="to compgroupRT from RT" distance=1 dst-address=65.98.246.143/32 \
    gateway=pppoe-rt
# These prefixes are the dst-address values of the IPsec policies earlier in
# this export. Being more specific than the default routes, they keep unmarked
# traffic for a remote subnet on bridge-local instead of sending it out of a
# WAN interface while the policy is disabled.
# NOTE(review): packets that carry a routing-mark are resolved only in their
# own table and do not see these routes; verify that marked LAN traffic cannot
# reach these prefixes in cleartext.
add distance=1 dst-address=172.16.0.0/16 gateway=bridge-local
add distance=1 dst-address=172.17.0.0/16 gateway=bridge-local
add distance=1 dst-address=172.19.0.0/16 gateway=bridge-local
add distance=1 dst-address=172.20.0.0/16 gateway=bridge-local
add distance=1 dst-address=172.25.0.0/16 gateway=bridge-local
add distance=1 dst-address=192.168.1.0/24 gateway=bridge-local
# Internal subnets reached through the router at 192.168.52.1.
add distance=1 dst-address=192.168.4.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.6.0/24 gateway=bridge-local
add distance=1 dst-address=192.168.8.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.50.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.51.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.53.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.54.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.55.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.56.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.77.0/24 gateway=192.168.52.1
add distance=1 dst-address=192.168.100.0/24 gateway=192.168.52.1
add comment="DNS RT" distance=1 dst-address=212.48.197.77/32 gateway=pppoe-rt
/ip route rule
# Packets marked routeRT or routeBAZA are looked up in that table only.
# lookup-only-in-table gives no fallback to the main table, and the default
# routes in those two tables carry no check-gateway, so marked traffic is not
# moved to the other uplink when its provider stops forwarding.
add action=lookup-only-in-table routing-mark=routeRT table=routeRT
add action=lookup-only-in-table routing-mark=routeBAZA table=routeBAZA
/ip service
# telnet, ftp, ssh, api and api-ssl are disabled. www, www-ssl and winbox are
# not set here, so this section does not show how the router is managed.
# NOTE(review): presumably www and winbox are still at their defaults; confirm
# that whichever service remains is limited with address= to the management
# subnet and is not reachable from either WAN interface.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes

set api-ssl disabled=yes
/ip smb
# Guest access to SMB shares is refused; whether the SMB service itself is
# enabled is not visible in this line.
set allow-guests=no domain=compname.local

/system clock
set time-zone-name=Europe/Moscow
/system identity
# The identity is reused by the backup script as the base name of its files.
set name=MikroTikKcompname
/system logging
# The ipsec logging rule exists but is disabled; pptp events are logged without
# packet and debug detail.
# NOTE(review): enable the ipsec rule while testing tunnel switch-over,
# otherwise failed negotiations leave no trace in the log.
add disabled=yes topics=ipsec,!debug
add topics=pptp,!packet,!debug
/system ntp client
# Time is taken from an internal host; log timestamps and the backup file names
# built from /system clock depend on it.
set enabled=yes primary-ntp=192.168.51.2
/system routerboard settings
# RouterBOOT firmware is upgraded automatically after a RouterOS upgrade.
set auto-upgrade=yes
/system scheduler
# Daily job at 23:00 that runs the "backup" script.
# NOTE(review): the policy list grants every permission, including reboot,
# sniff and romon, which nothing in the backup script appears to use; trim it
# to what the script needs so a modified script cannot do more than back up.
add interval=1d name=Backup on-event="/system script run backup" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2019 start-time=23:00:00
# One-minute job for the IPsec switch-over script; it is disabled, so the
# PVH policy, peer and route are not switched automatically at present.
add disabled=yes interval=1m name=SwitchIPsec on-event=\
    "/system script run SwitchPVHIPSec" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2019 start-time=13:06:17
/system script
# backup: saves a binary backup and a text export named after the router
# identity, waits 10 s after each, then uploads both by FTP to 192.168.51.6
# under names that carry the date and time.
# NOTE(review): dont-encrypt=yes leaves the .backup file unprotected, and both
# files hold the router's stored secrets; set password= on /system backup save
# and treat the export as sensitive too.
# NOTE(review): the FTP login and password are literals in the script source
# and mode=ftp sends them and the files in cleartext; anyone who can read an
# export of this router sees them. Use a dedicated upload-only account and an
# encrypted fetch mode if the installed RouterOS release provides one.
# NOTE(review): nothing removes the local files afterwards, so unencrypted
# copies stay on the router. The uploaded export is named ".scr"; ".rsc" looks
# intended. The fixed "delay 10" assumes both files are complete by then.
add dont-require-permissions=no name=backup owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    log info message=\"Starting backup script...\"\r\
    \n:local name [/system identity get name]\r\
    \n:local date [/system clock get date]\r\
    \n:local time [/system clock get time]\r\
    \n:local day [ :pick \$date 4 6 ]\r\
    \n:local month [ :pick \$date 0 3 ]\r\
    \n:local year [ :pick \$date 7 11 ]\r\
    \n:local hours [ :pick \$time 0 2]\r\
    \n:local mins [ :pick \$time 3 5]\r\
    \n:local sec [ :pick \$time 6 8]\r\
    \n:local backupNameSCR (\$name.\"_\".\$day.\"-\".\$month.\"-\".\$year.\"_\
    \".\$hours.\"-\".\$mins.\"-\".\$sec.\".scr\")\r\
    \n:local backupNameBackup (\$name.\"_\".\$day.\"-\".\$month.\"-\".\$year.\
    \"_\".\$hours.\"-\".\$mins.\"-\".\$sec.\".backup\")\r\
    \n\r\
    \n:local ftpIP \"192.168.51.6\"\r\
    \n:local ftpPath \"/Automation/Backups/Mikrotik/\"\r\
    \n:local ftpLogin \"mi\"\r\
    \n:local ftpPassword \"mi\"\r\
    \n\r\
    \n/log info message=\"Saving backup file\"\r\
    \n/system backup save name=\$name dont-encrypt=yes\r\
    \ndelay 10\r\
    \n\r\
    \n/log info message=\"Saving backup script file\"\r\
    \n/export file=\$name\r\
    \ndelay 10\r\
    \n\r\
    \n/log info message=\"Sending to ftp\"\r\
    \n\r\
    \n/tool fetch address=\$ftpIP src-path=(\$name.\".rsc\") mode=ftp user=\$f\
    tpLogin password=\$ftpPassword upload=yes dst-path=(\$ftpPath.\$backupName\
    SCR)\r\
    \n/log info message=(\"System Backup \".\$backupNameSCR)\r\
    \n\r\
    \n/tool fetch address=(\$ftpIP) src-path=(\$name.\".backup\") mode=ftp use\
    r=(\$ftpLogin)  password=(\$ftpPassword) upload=yes dst-path=(\$ftpPath.\$\
    backupNameBackup)\r\
    \n/log info message=(\"System Backup\".\$backupNameBackup)\r\
    \n"
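# SwitchPVHIPSec: pings a status address once from each uplink's source address
# and moves the PVH IPsec policy, peer and host route to the uplink that
# answered. The RT result decides first; BAZA is used only when RT got no reply.
# Fix: the ping sent with src-address=$KcompnameIPRT is now stored in
# StatusPVHBAZAfromRT. Both ping results used to be assigned to
# StatusPVHBAZAfromBAZA, so the variable that both :if conditions read was
# never set and neither branch could be selected by a real measurement.
# NOTE(review): StatusPVHIPBAZA holds 66.88.199.205, the same value as
# KcompnameIPBAZA, so both probes target this router's own BAZA address;
# PVHIPBAZA (66.88.199.65) looks like the intended target. Confirm before
# enabling the scheduler entry.
# The :parse templates are built from the script's own constants only; keep it
# that way, since anything placed in those strings is executed with this
# script's full policy list.
add dont-require-permissions=no name=SwitchPVHIPSec owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local PingCount 3\r\
    \n\r\
    \n\r\
    \n:local PeerNamePVHBAZA PVH\r\
    \n\r\
    \n \r\
    \n#Destinations\r\
    \n:local KcompnameIPRT\t25.99.224.234\r\
    \n:local KcompnameIPBAZA\t66.88.199.205\r\
    \n:local PVHIPBAZA 66.88.199.65\r\
    \n\r\
    \n:local StatusPVHIPBAZA 66.88.199.205\r\
    \n\r\
    \n:local RouteNamePVHBAZA \"to PVH from BAZA\"\r\
    \n:local RouteNamePVHRT \"to PVH from RT\"\r\
    \n \r\
    \n####\r\
    \n#      Ping:\r\
    \n:local StatusPVHBAZAfromRT [/ping \$StatusPVHIPBAZA count=\$PingCount \
    src-address=\$KcompnameIPRT]\r\
    \n:local StatusPVHBAZAfromBAZA [/ping \$StatusPVHIPBAZA count=\$PingCount \
    src-address=\$KcompnameIPBAZA]\r\
    \n\r\
    \n# :local StatusPVHBAZAfromRT [/ping \$StatusPVHIPBAZA count=\$PingCount]\
    \r\
    \n# :local StatusPVHBAZAfromRT [/ping \$StatusPVHIPBAZA count=\$PingCount]\
    \r\
    \n###\r\
    \n \r\
    \n \r\
    \n####\r\
    \n# Templates\r\
    \n####\r\
    \n:local EnablePVHBAZAfromBAZA [:parse (\"{/ip ipsec policy set [find sa-s\
    rc-address=\$KcompnameIPBAZA sa-dst-address=\$PVHIPBAZA disabled=yes] disabled=\
    no; /ip ipsec peer set [find name=\$PeerNamePVHBAZA disabled=yes] disabled\
    =no; /ip route set [find comment=\$RouteNamePVHBAZA disabled=yes] disabled\
    =no}\")];\r\
    \n:local DisablePVHBAZAfromBAZA [:parse (\"{/ip ipsec policy set [find sa-\
    src-address=\$KcompnameIPBAZA sa-dst-address=\$PVHIPBAZA] disabled=yes; /ip ips\
    ec peer set [find name=\$PeerNamePVHBAZA disabled=no] disabled=yes; /ip ro\
    ute set [find comment=\$RouteNamePVHBAZA disabled=no] disabled=yes}\")];\r\
    \n####\r\
    \n:local EnablePVHBAZAfromRT [:parse (\"{/ip ipsec policy set [find sa-src\
    -address=\$KcompnameIPRT sa-dst-address=\$PVHIPBAZA] disabled=no; /ip ipsec pee\
    r set [find name=\$PeerNamePVHBAZA disabled=yes] disabled=no; /ip route se\
    t [find comment=\$RouteNamePVHRT disabled=yes] disabled=no}\")];\r\
    \n:local DisablePVHBAZAfromRT [:parse (\"{/ip ipsec policy set [find sa-sr\
    c-address=\$KcompnameIPRT sa-dst-address=\$PVHIPBAZA] disabled=yes; /ip ipsec p\
    eer set [find name=\$PeerNamePVHBAZA disabled=no] disabled=yes; /ip route \
    set [find comment=\$RouteNamePVHRT disabled=no] disabled=yes}\")];\r\
    \n \r\
    \n\r\
    \n####\r\
    \n############################## IPsec ######\r\
    \n:if (\$StatusPVHBAZAfromRT>0)  do={\r\
    \n\$DisablePVHBAZAfromBAZA;\r\
    \n# \$DisablePVHOtherfromBaza;\r\
    \n# \$DisablePVHOtherfromRT;\r\
    \ndelay 2;\r\
    \n\$EnablePVHBAZAfromRT;\r\
    \n}\r\
    \n\r\
    \n:if ((\$StatusPVHBAZAfromRT=0)&&(\$StatusPVHBAZAfromBAZA>0)) do={\r\
    \n\$DisablePVHBAZAfromRT;\r\
    \n# \$DisablePVHOtherfromBaza;\r\
    \n# \$DisablePVHOtherfromRT;\r\
    \ndelay 2;\r\
    \n\$EnablePVHBAZAfromBAZA;\r\
    \n}"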

