MikroTik RouterOS 6.45.1 (c) 1999-2019
http://www.mikrotik.com/
[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments
[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options
/ Move up to base level
.. Move up one level
/command Use command at the base level
[admin@MikroTik] > /export compact
# oct/18/2020 14:36:31 by RouterOS 6.45.1
# software id = B7TE-D471
#
# model = 951G-2HnD
# serial number = 965009215CCA
# Creates two bridges. LAN_Bridge is the one every bridge port, address and
# firewall rule in this export refers to; arp=proxy-arp makes the router answer
# ARP requests on behalf of other hosts on that bridge.
# NOTE(review): proxy-arp is normally needed only when remote clients are given
# addresses from the LAN subnet; vpn_pool here is a different prefix, so it may
# be unnecessary - confirm before removing.
# NOTE(review): WiFi_bridge has no ports, addresses or rules anywhere in this
# export and looks unused - confirm.
/interface bridge
add arp=proxy-arp name=LAN_Bridge
add name=WiFi_bridge
# Enables the built-in radio (wlan1, renamed WLAN) as a 2 GHz b/g/n access
# point broadcasting the SSID "Wi-Fi_shop".
# NOTE(review): no security-profile is named on this line, so the radio
# presumably uses the default profile set under
# /interface wireless security-profiles - confirm.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
name=WLAN ssid=Wi-Fi_shop
# Renames the physical ports: ether1 becomes the uplink (WAN), ether2-ether5
# become LAN1-LAN4. Every later section (bridge ports, addresses, firewall,
# NAT) refers to these names, so renaming a port changes what those rules match.
/interface ethernet
set [ find default-name=ether2 ] name=LAN1
set [ find default-name=ether3 ] name=LAN2
set [ find default-name=ether4 ] name=LAN3
set [ find default-name=ether5 ] name=LAN4
set [ find default-name=ether1 ] name=WAN
# Declares two interface lists, Internet and LAN (members are assigned under
# /interface list member).
# NOTE(review): the firewall and NAT rules in this export match on interface
# names (WAN, LAN_Bridge), not on these lists, so the lists appear to have no
# effect on filtering - confirm whether something outside this export uses them.
/interface list
add name=Internet
add name=LAN
# Default wireless security profile: WPA2-PSK only, with both TKIP and AES-CCM
# allowed as unicast and group ciphers.
# NOTE(review): the pre-shared key is eight decimal digits, i.e. at most 10^8
# candidates, which does not withstand offline guessing once a handshake has
# been captured. Use a long random passphrase.
# NOTE(review): TKIP is a legacy cipher; allowing it next to AES-CCM lets
# clients negotiate the weaker option. Keep aes-ccm only unless an old client
# genuinely needs TKIP.
# NOTE(review): this export prints the key in clear text, and its header also
# carries the device serial number and software id. Treat the key as disclosed
# and rotate it; on RouterOS v6 `/export hide-sensitive` omits secrets from
# exports that are going to be shared.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=40034410
# IPsec settings used by the L2TP/IPsec server configured later in the export.
# NOTE(review): policy_group1 is not referenced by anything else in this
# export - confirm whether it is still needed.
/ip ipsec policy group
add name=policy_group1
# The default proposal is restricted to 3DES as its only encryption algorithm.
# NOTE(review): 3DES is a legacy 64-bit-block cipher and is the only option
# offered here, so every tunnel negotiated with this proposal uses it. Prefer
# an AES setting (for example aes-256-cbc) after checking what the VPN clients
# support. The authentication algorithm and PFS group are not shown, so they
# are presumably at their defaults - confirm.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
# Address pools: dhcp_pool0 serves LAN clients, vpn_pool is handed to L2TP
# sessions through the PPP profile.
# NOTE(review): 77.88.1.0/24 is publicly routable address space, not one of
# the private ranges (10/8, 172.16/12, 192.168/16). This export then trusts
# that prefix by source address in /ip firewall filter and routes it towards
# LAN_Bridge in /ip route, so the real Internet hosts that own those addresses
# are unreachable from this site and are treated as trusted VPN clients when
# their packets arrive on WAN. Moving the pool to an unused private subnet
# removes both problems; the firewall and route entries need the same change.
/ip pool
add name=dhcp_pool0 ranges=192.168.0.115-192.168.0.190
add name=vpn_pool ranges=77.88.1.1-77.88.1.199
# DHCP server for the LAN bridge, leasing from dhcp_pool0.
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN_Bridge name=dhcp1
# PPP profile applied to L2TP sessions: both tunnel endpoints get addresses
# from vpn_pool, clients are told to use the router (192.168.0.1) as DNS
# server, TCP MSS is clamped, and bridge=LAN_Bridge asks for the session to be
# added to the LAN bridge.
# NOTE(review): taking local-address from the pool uses up one extra pool
# address per session; a single fixed local address is the usual choice.
# NOTE(review): no encryption setting appears on the profile, so protection of
# tunnel traffic depends on IPsec actually being used by the client - see the
# use-ipsec value under /interface l2tp-server server.
/ppp profile
add bridge=LAN_Bridge change-tcp-mss=yes dns-server=192.168.0.1 local-address=\
vpn_pool name=l2tp_profile remote-address=vpn_pool
# Puts all four wired LAN ports and the wireless interface into LAN_Bridge, so
# wired and Wi-Fi clients share one layer-2 segment and the 192.168.0.0/24
# subnet.
# NOTE(review): that segment also holds the hosts this export names as SERVER6
# (192.168.0.106) and the video server (192.168.0.66). If the "Wi-Fi_shop" SSID
# is used by anyone other than staff, a separate bridge and subnet with its own
# firewall rules would keep those clients away from the internal hosts -
# confirm the intended audience.
/interface bridge port
add bridge=LAN_Bridge interface=LAN1
add bridge=LAN_Bridge interface=LAN2
add bridge=LAN_Bridge interface=LAN3
add bridge=LAN_Bridge interface=LAN4
add bridge=LAN_Bridge interface=WLAN
# Enables the L2TP server with MS-CHAPv2 as the only PPP authentication method,
# l2tp_profile as the default profile and an IPsec pre-shared key.
# NOTE(review): use-ipsec=yes accepts IPsec-protected sessions but, as far as
# the RouterOS documentation describes it, still admits plain L2TP; the
# stricter value (`required`) rejects sessions that are not wrapped in IPsec.
# Because the firewall accepts UDP 1701 from any source, an unencrypted
# MS-CHAPv2 login would otherwise be reachable from the Internet.
# NOTE(review): the IPsec secret is a short guessable word and is printed in
# clear text in this export. Replace it with a long random value and treat the
# current one as disclosed.
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp_profile enabled=yes \
ipsec-secret=l2tp_secret use-ipsec=yes
# Populates the interface lists: WAN goes into Internet; LAN1-LAN4 and
# LAN_Bridge go into LAN.
# NOTE(review): WLAN is not a member of LAN, and LAN1-LAN4 are bridge ports, so
# routed traffic from them is normally seen on LAN_Bridge. Since no rule in
# this export matches on these lists the membership has no visible effect -
# confirm before building rules on top of it.
/interface list member
add interface=WAN list=Internet
add interface=LAN1 list=LAN
add interface=LAN2 list=LAN
add interface=LAN3 list=LAN
add interface=LAN4 list=LAN
add interface=LAN_Bridge list=LAN
# Router addresses: 192.168.0.1/24 on the LAN bridge and a static public
# address, 194.28.213.153/24, on WAN.
/ip address
add address=192.168.0.1/24 interface=LAN_Bridge network=192.168.0.0
add address=194.28.213.153/24 interface=WAN network=194.28.213.0
# DHCP options for the LAN subnet; only the gateway is set explicitly here.
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
# Router DNS: one upstream resolver (8.8.8.8), with allow-remote-requests=yes
# so that the router answers DNS queries from other hosts.
# NOTE(review): with allow-remote-requests enabled, the input chain is the only
# thing keeping the resolver off the Internet. In this export the input chain
# accepts everything from 77.88.1.0/24 on any interface and accepts UDP by
# `port=` rather than `dst-port=`, so some WAN packets can still reach UDP 53.
# Tighten those rules or add an explicit WAN drop for TCP/UDP 53.
# NOTE(review): a single upstream server leaves no fallback if it is
# unreachable.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# Static record: SERVER6 resolves to the LAN host 192.168.0.106.
/ip dns static
add address=192.168.0.106 name=SERVER6
# Packet filter for the input, forward and output chains. Rules are evaluated
# top to bottom and the first match wins, so the order below is part of the
# policy. Each chain ends in an unconditional drop.
/ip firewall filter
# Accepts everything addressed to the router from the VPN pool prefix.
# NOTE(review): the rule matches on source address only, has no in-interface
# condition and sits ahead of the invalid-state drop. 77.88.1.0/24 is public
# address space, so packets that arrive on WAN with such a source address
# (genuine or spoofed) are accepted to every service the router runs. Add
# in-interface=!WAN, as the LAN rule further down does, or move the VPN pool to
# a private prefix.
add action=accept chain=input src-address=77.88.1.0/24
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=output connection-state=invalid
# ICMP is accepted in all three chains from any source.
add action=accept chain=input comment="Ping allow for any" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=output protocol=icmp
add action=accept chain=input comment=\
"Established and Related connections for any" connection-state=\
established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=output connection-state=established,related
# L2TP (UDP 1701), IKE (UDP 500) and NAT-T (UDP 4500), followed by ESP.
# NOTE(review): `port=` matches when either the source or the destination port
# is in the list, so a UDP packet from the Internet whose source port is 500,
# 1701 or 4500 is accepted to any UDP port on the router. `dst-port=` is the
# match that limits this rule to the three VPN services.
add action=accept chain=input comment="For VPN" port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
# Two "allow vpn to lan" rules: the first (disabled) matches LAN source
# addresses, the second (active) lets 77.88.1.0/24 reach LAN_Bridge when the
# packet did not enter through WAN.
add action=accept chain=forward comment="allow vpn to lan" disabled=yes \
in-interface=!WAN out-interface=LAN_Bridge src-address=192.168.0.0/24
add action=accept chain=forward comment="allow vpn to lan" in-interface=!WAN \
out-interface=LAN_Bridge src-address=77.88.1.0/24
# WinBox from the Internet is disabled; keep it that way and reach management
# through the VPN or LAN.
add action=accept chain=input comment="allow winbox from inet" disabled=yes \
dst-port=8291 protocol=tcp
# The comment on the next rule is Windows-1251 text written as byte escapes;
# in English: "Allow connecting from the local network". Accepts input from
# 192.168.0.0/24 on any interface except WAN.
add action=accept chain=input comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \EF\EE\E4\EA\
\EB\FE\F7\E0\F2\FC\F1\FF \E8\E7 \EB\EE\EA\E0\EB\FC\ED\EE\E9 \F1\E5\F2\E8" \
in-interface=!WAN src-address=192.168.0.0/24
# Comment in English: "Allow traffic to pass from the LAN to the Internet".
# Accepts anything that did not enter through WAN and leaves through WAN.
add action=accept chain=forward comment="\D0\E0\E7\F0\E5\F8\E0\E5\EC \EF\F0\EE\
\F5\EE\E6\E4\E5\ED\E8\E5 \F2\F0\E0\F4\E8\EA\E0 \E8\E7 \EB\EE\EA\E0\EB\EA\E8 \
\E2 \E8\ED\F2\E5\F0\ED\E5\F2" in-interface=!WAN out-interface=WAN
# NOTE(review): despite the comment text, outbound LAN traffic is already
# covered by the rule above. What this rule adds is inbound: together with the
# dst-nat entry for port 37892 it lets any Internet host reach 192.168.0.66.
# It has no interface, address or NAT-state condition, so it matches TCP/37892
# in every direction. Narrow it (in-interface=WAN, dst-address=192.168.0.66 or
# connection-nat-state=dstnat) and, if the viewers are known, restrict the
# source addresses.
add action=accept chain=forward comment="allow dvr to inet" dst-port=37892 \
protocol=tcp
add action=accept chain=forward comment="for 1c web" disabled=yes dst-port=80 \
protocol=tcp
# Default deny for all three chains.
# NOTE(review): the output chain accepts only ICMP and established/related
# traffic before this drop, so new connections started by the router itself
# (for example its DNS lookups to 8.8.8.8, or NTP and update checks) appear to
# match no accept rule. VPN clients are pointed at the router for DNS, so this
# would affect them - confirm and add the output accepts that are needed.
add action=drop chain=input comment="All other drop"
add action=drop chain=forward
add action=drop chain=output
# NAT: source-NAT (masquerade) for everything leaving through WAN, plus two
# port forwards - TCP 37892 to the video server (active) and TCP 80 to
# 192.168.0.106 (disabled).
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquarade out-interface=WAN
# NOTE(review): this dst-nat rule has no in-interface or dst-address
# condition, so it rewrites every TCP connection to port 37892 that crosses the
# router, including LAN clients connecting to outside hosts on that port. Add
# in-interface=WAN or dst-address=194.28.213.153 to limit it to the published
# service.
# NOTE(review): the forward publishes the video server to the whole Internet,
# leaving the device's own login as the only control. Reaching it through the
# VPN, or limiting the forward to known source addresses, is the safer design.
add action=dst-nat chain=dstnat comment="for video server" dst-port=37892 \
protocol=tcp to-addresses=192.168.0.66 to-ports=37892
# Disabled; enabling it needs the same in-interface/dst-address scoping.
add action=dst-nat chain=dstnat comment="for 1c web" disabled=yes dst-port=80 \
protocol=tcp to-addresses=192.168.0.106 to-ports=80
# Static routes: the default route via the ISP gateway 194.28.213.1, and
# 77.88.1.0/24 (the VPN pool prefix) pointed at LAN_Bridge.
# NOTE(review): the second route sends traffic for a public prefix into the
# LAN bridge, so the Internet hosts that really own 77.88.1.0/24 cannot be
# reached from this site. Connected VPN clients normally get their own
# per-session routes; with a private VPN pool this static route is presumably
# not needed - confirm.
/ip route
add distance=1 gateway=194.28.213.1
add distance=1 dst-address=77.88.1.0/24 gateway=LAN_Bridge
# Management services: telnet, ftp, www and ssh are switched off.
# NOTE(review): a compact export lists only settings that differ from the
# defaults, so winbox, api and api-ssl are presumably still enabled with no
# address restriction - confirm with `/ip service print`. Disable api and
# api-ssl if they are unused and set `address=` on winbox to the management
# subnets, so that reachability does not rest on the input chain alone.
# NOTE(review): the export header reports RouterOS 6.45.1, a 2019 release.
# Later releases carry security fixes; upgrade to a currently supported version
# after reading MikroTik's changelog.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
# The /ppp secret section is empty: no local PPP users appear in this export.
# NOTE(review): either the VPN accounts were removed before the export was
# shared, or users are authenticated elsewhere (for example RADIUS, which is
# not shown) - confirm. Local accounts should have long unique passwords,
# because MS-CHAPv2 is the only login method the L2TP server offers.
/ppp secret
# Fixed time zone; automatic detection is off. Correct time matters for log
# timestamps when firewall or VPN events are investigated.
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow