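# version: 7.20.5 (stable)
# factory-software: 7.12
# total-memory: 512.0MiB
# cpu: ARM
# cpu-count: 2
# total-hdd-space: 128.0MiB
# architecture-name: arm
# board-name: L009UiGS
# platform: MikroTik
# installed-version: 7.20.5
#
# software id = UW36-WKW4
#
# model = L009UiGS
# serial number = HHC0ABK4QJZ
#
# RouterOS export for the L009UiGS router "mt-k13-kg-l009": a VLAN-aware bridge
# (br_lan, VLANs 10 and 15), DHCP/DNS for 172.26.0.0/16, a WireGuard link to
# cfw.einsle.de, a ZeroTier member on the bridge, and a stateful firewall with
# ether1 as the upstream (DHCP client, "masq to internet").
#
# NOTE(review): this export contains the WireGuard private key and the ZeroTier
# identity secret verbatim. Treat the file as a credential: produce shareable
# copies with `/export hide-sensitive`, and rotate both keys if this copy was
# ever stored or sent anywhere untrusted.
#
# Changes versus the original export (behaviour-affecting ones marked FIX):
#   FIX  "FWD: allow zerotier from lan to wan" now also matches
#        src-address=172.26.0.0/16; the original matched on src-port=9993 alone.
#   -    a disabled, matcher-less forward accept rule was removed (disabled, so no
#        runtime change; if ever enabled it would have accepted all forwarded traffic).
#   -    a disabled duplicate of the br_lan 172.26.1.1/24 address was removed.
#   -    the duplicated "disabled=no" on the zerotier instance was collapsed.
#   -    one command per line; comments added. Rule order is unchanged.

/interface bridge
add name=br_lan protocol-mode=none vlan-filtering=yes

/interface wireguard
# private-key is a secret (see NOTE(review) above).
add listen-port=51820 mtu=1420 name=wg_einsle private-key="2FkCyjc5Il2ci6t4pPKRPVueMhQOD3gm2UHEtzAzhng="

/interface vlan
add interface=br_lan name=vlan10 vlan-id=10
add interface=br_lan name=vlan15 vlan-id=15

/ip dhcp-server option
# Option 3 (router) set to 127.0.0.1. No DHCP server below references
# set_local via dhcp-option-set, so this appears unused - presumably a leftover;
# confirm before relying on it, since handing out 127.0.0.1 as gateway would
# break clients.
add code=3 name=option_3_local value="'127.0.0.1'"

/ip dhcp-server option sets
add name=set_local options=option_3_local

/ip pool
add name=dhcp_pool_10 ranges=172.26.10.201-172.26.10.254
add name=dhcp_pool_15 ranges=172.26.15.201-172.26.15.254
add name=dhcp_pool_1 ranges=172.26.1.201-172.26.1.254

/ip dhcp-server
add address-pool=dhcp_pool_10 interface=vlan10 name=dhcp_10
add address-pool=dhcp_pool_15 interface=vlan15 name=dhcp_15
add address-pool=dhcp_pool_1 interface=br_lan name=dhcp_1

/port
set 0 name=serial0

/zerotier
# identity holds the node's secret key (see NOTE(review) above).
set zt1 disabled=no identity="f5ad9c5d94:0:44c094d9d214573043f049ad44b8307a26d5fe35279694cf550a7f9157c18a09e78aa0a510f7115c969217132d86b4759c398c174b77a4a6befca6ad6f419866:bdee2ea61f3ff4ccfd681f938ac6f10f69e9e8c6d373b70dfd12d269514dfc7146467db5d537642f6e3b9ecc61f5ac14d4476e8baded3b7cbe7ba48f4c4f63f5" interfaces=br_lan

/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 name=zerotier1 network=abfd31bd476a99d9

/interface bridge port
add bridge=br_lan interface=ether2
add bridge=br_lan interface=ether3
add bridge=br_lan interface=ether4
add bridge=br_lan interface=ether5
add bridge=br_lan interface=ether6
add bridge=br_lan interface=ether7
add bridge=br_lan interface=ether8

/interface bridge vlan
# VLAN 1 untagged everywhere; 10 and 15 tagged on every port (trunk ports).
add bridge=br_lan untagged=br_lan,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=1
add bridge=br_lan tagged=br_lan,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=br_lan tagged=br_lan,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=15

/interface wireguard peers
# allowed-address 172.21.5.1/24 carries host bits; presumably 172.21.5.0/24 was
# meant - confirm, RouterOS treats it as the enclosing /24 either way.
add allowed-address=172.21.5.1/24,172.24.0.0/16,172.21.1.0/24 endpoint-address=cfw.einsle.de endpoint-port=51825 interface=wg_einsle name=cfw.einsle.de persistent-keepalive=6s public-key="pBMKbv7PaDlE997FGvbsShb/l1P3ds6+ArO/0Tqr/lQ="

/ip address
add address=172.26.10.1/24 interface=vlan10 network=172.26.10.0
add address=172.26.15.1/24 interface=vlan15 network=172.26.15.0
add address=172.21.5.26/24 interface=wg_einsle network=172.21.5.0
add address=172.26.1.1/24 interface=br_lan network=172.26.1.0

/ip cloud
set ddns-update-interval=3m

/ip dhcp-client
# ether1 is the upstream toward the Fritzbox (192.168.178.0/24).
add default-route-tables=main interface=ether1

/ip dhcp-server lease
add address=172.26.15.11 comment=docker mac-address=BC:24:11:BD:52:C5 server=dhcp_15
add address=172.26.15.35 comment="mdt knx ip interface" mac-address=00:05:26:82:56:00 server=dhcp_15
add address=172.26.15.33 comment="Gira X1" mac-address=00:0A:B3:37:FD:78 server=dhcp_15
add address=172.26.15.36 comment=dali20 mac-address=00:05:26:A0:9B:5B server=dhcp_15
add address=172.26.15.37 comment=dali21 mac-address=00:05:26:A0:9A:D8 server=dhcp_15
add address=172.26.15.41 comment=Homeassistant mac-address=02:B0:16:96:DE:71 server=dhcp_15
add address=172.26.15.42 comment=OpenDTU mac-address=DC:54:75:C9:93:C4 server=dhcp_15
add address=172.26.15.44 comment="Smart Micro Solar" mac-address=34:B7:DA:5E:7F:A0 server=dhcp_15
add address=172.26.15.43 comment=OpenDTU-Sunlit mac-address=78:42:1C:1A:2B:6C server=dhcp_15
add address=172.26.15.45 comment="Sunlit Speicher" mac-address=DC:BD:CC:BF:FF:A1 server=dhcp_15
add address=172.26.15.60 comment="Shelly 3EM Pro SDunlit WLAN" mac-address=34:98:7A:45:D8:A3 server=dhcp_15
add address=172.26.15.61 comment="Shelly 3EM Pro SDunlit LAN" mac-address=34:98:7A:45:D8:A0 server=dhcp_15
add address=172.26.15.62 comment="Shelly 3EM Pro Allgemein LAN" mac-address=3C:E9:0E:6F:87:73 server=dhcp_15
add address=172.26.15.64 comment="Shelly 3EM Pro DG" mac-address=E0:5A:1B:33:3E:1B server=dhcp_15
add address=172.26.15.65 comment="Shelly 3EM Pro PV" mac-address=C8:F0:9E:89:4B:77 server=dhcp_15
add address=172.26.15.66 comment="Shelly 2PM Heizung" mac-address=D4:8A:FC:76:23:A0 server=dhcp_15
add address=172.26.15.67 comment="Shelly Plus 2PM K\FCche" mac-address=8C:BF:EA:96:CE:CC server=dhcp_15
add address=172.26.15.68 comment="Shelly Plus 2PM Wohn" mac-address=8C:BF:EA:96:BF:34 server=dhcp_15
add address=172.26.15.81 mac-address=C8:C9:A3:0D:CD:AE server=dhcp_15
add address=172.26.15.82 mac-address=C8:C9:A3:0D:CD:AF server=dhcp_15
add address=172.26.15.21 comment="ubiquiti wlan rifu" mac-address=FC:EC:DA:9A:20:F8 server=dhcp_15
add address=172.26.15.31 comment="Enertex IP Router" mac-address=18:C3:F4:10:08:18 server=dhcp_15
add address=172.26.15.32 comment="Weinzierl KNX Modbus GW" mac-address=00:24:6D:03:8C:CA server=dhcp_15
add address=172.26.15.69 comment="Shelly Plug PV Sunlit" mac-address=C8:C9:A3:AB:03:A0 server=dhcp_15
add address=172.26.15.34 comment="IP1.8.2 KNX Interface" mac-address=50:4B:5B:91:43:2F server=dhcp_15
add address=172.26.15.46 comment="Homeassistant Green" mac-address=20:F8:3B:01:D5:C8 server=dhcp_15
add address=172.26.15.51 comment=nanoKVM1 mac-address=48:DA:35:6F:EA:69 server=dhcp_15
add address=172.26.1.21 comment="KG SW Vertteilung" mac-address=A8:52:D4:9C:15:9F server=dhcp_1
add address=172.26.1.22 comment="DG SW Network" mac-address=88:25:10:93:9B:F4 server=dhcp_1
add address=172.26.1.23 comment="DG SW Treppe" mac-address=38:BD:7A:FA:E9:43 server=dhcp_1
add address=172.26.1.31 comment="KG AP Verteilung" mac-address=48:B4:C3:CA:56:F8 server=dhcp_1
add address=172.26.1.32 comment="DG AP Treppe" mac-address=48:B4:C3:CA:5C:A0 server=dhcp_1
add address=172.26.1.33 comment="DG AP Network" mac-address=B0:1F:8C:C7:D8:40 server=dhcp_1
add address=172.26.1.34 comment="DG AP Balkon" mac-address=98:8F:00:C2:48:0C server=dhcp_1
add address=172.26.15.91 comment="Velux KLF 200" mac-address=00:11:22:33:44:55 server=dhcp_15
add address=172.26.15.52 comment=nanoKVM2 mac-address=48:DA:35:6F:5E:4A server=dhcp_15
add address=172.26.1.35 comment="DG AP Wohnen" mac-address=50:E4:E0:C9:DA:32 server=dhcp_1
add address=172.26.15.131 comment="Pa Handy" mac-address=5E:F9:F0:9E:0B:40 server=dhcp_15
add address=172.26.15.101 comment="Ro Handy" mac-address=E8:98:47:5F:FC:A1 server=dhcp_15
add address=172.26.15.47 comment=" CMI" mac-address=3C:CD:5A:01:68:E1 server=dhcp_15
add address=172.26.1.51 comment=dg-bu-ap-01 lease-time=6m mac-address=B8:37:B2:CF:62:78 server=dhcp_1
add address=172.26.1.56 comment=kg-vt-ap-01 lease-time=6m mac-address=A0:25:D7:C7:55:E4 server=dhcp_1
add address=172.26.1.53 comment=dg-es-ap-01 lease-time=6m mac-address=B0:1F:8C:C6:69:3C server=dhcp_1
add address=172.26.1.52 comment=dg-es-ap-01 lease-time=6m mac-address=48:00:20:C0:E9:FA server=dhcp_1
add address=172.26.1.57 comment=tn-ap-01 mac-address=D0:15:A6:C7:AC:B0 server=dhcp_1

/ip dhcp-server network
add address=172.26.1.0/24 dns-server=172.26.15.11,172.26.1.1,192.168.178.1 domain=k13.einsle.intranet gateway=172.26.1.1 ntp-server=192.168.178.1
add address=172.26.10.0/24 dns-server=172.26.15.11,172.26.10.1,192.168.178.1 domain=k13.einsle.intranet gateway=172.26.10.1 ntp-server=192.168.178.1
add address=172.26.15.0/24 dns-server=172.26.15.11,172.26.15.1,1.1.1.1 domain=k13.einsle.intranet gateway=172.26.15.1 ntp-server=192.168.178.1

/ip dns
# allow-remote-requests=yes makes the router a resolver; the input chain below
# only admits port 53 from NET_PRIVATE, which includes the upstream
# 192.168.178.0/24 side of ether1.
set allow-remote-requests=yes mdns-repeat-ifaces=br_lan,vlan10,vlan15 servers=192.168.178.1,8.8.8.8

/ip dns static
add address=172.26.15.11 name=docker.k13.einsle.intranet type=A
add address=172.26.15.35 name=knx.k13.einsle.intranet type=A
add address=172.26.15.33 name=x1.k13.einsle.intranet type=A
add address=172.26.15.36 name=dali20.k13.einsle.intranet type=A
add address=172.26.15.37 name=dali21.k13.einsle.intranet type=A
add address=172.26.15.41 name=ha.k13.einsle.intranet type=A
add address=172.26.15.42 name=dtu.k13.einsle.intranet type=A
add address=172.26.15.43 name=dtu-sunlit.k13.einsle.intranet type=A
add address=172.26.15.44 name=sms.k13.einsle.intranet type=A
add address=172.26.15.45 name=sunlit.k13.einsle.intranet type=A
add address=172.26.15.60 name=shellypro3em-sunlit.k13.einsle.intranet type=A
add address=172.26.15.61 name=shellypro3em-k13.k13.einsle.intranet type=A
add address=172.26.15.62 name=shellypro3em-allgem.k13.einsle.intranet type=A
add address=172.26.15.64 name=shellypro3em-dg.k13.einsle.intranet type=A
add address=172.26.15.65 name=shellypro3em-pv.k13.einsle.intranet type=A
add address=172.26.15.66 name=shellyplus2pm-heizung.k13.einsle.intranet type=A
add address=172.26.15.67 name=shellyemg3-egkueche.k13.einsle.intranet type=A
add address=172.26.15.68 name=shellyemg3-egwohn.k13.einsle.intranet type=A
add address=172.26.15.81 name=tasmota-allg.k13.einsle.intranet type=A
add address=172.26.15.82 name=tasmota-pv.k13.einsle.intranet type=A
add address=172.26.15.21 name=ubi-1.k13.einsle.intranet type=A
add address=172.26.15.31 name=knx-ipr.k13.einsle.intranet type=A
add address=172.26.15.32 name=knx-modbus.k13.einsle.intranet type=A
add address=172.26.15.69 name=shellyplug-pv.k13.einsle.intranet type=A
add address=172.26.15.10 name=pve.k13.einsle.intranet type=A
add address=172.26.15.46 name=ha-green.k13.einsle.intranet type=A
add address=172.26.15.9 name=nanokvm-1.k13.einsle.intranet type=A

/ip firewall address-list
# NET_PRIVATE is the trust boundary used by the input chain and by the
# "!NET_PRIVATE" (= internet) matches in the forward chain. It deliberately
# includes link-local and CGNAT space.
add address=10.0.0.0/8 list=NET_PRIVATE
add address=172.16.0.0/12 list=NET_PRIVATE
add address=192.168.0.0/16 list=NET_PRIVATE
add address=169.254.0.0/16 list=NET_PRIVATE
add address=100.64.0.0/10 list=NET_PRIVATE
add address=100.64.0.0/10 list=NET_CGN
# /15 here covers 169.254.0.0-169.255.255.255; probably /16 was intended.
# The list is not referenced by any rule below.
add address=169.254.0.0/15 list=NET_ZEROCONF
add address=10.0.0.0/8 list=NET_PRIVATE_10
add address=172.16.0.0/12 list=NET_PRIVATE_172
add address=192.168.0.0/16 list=NET_PRIVATE_192
add address=172.24.0.0/16 list=NET_EIINSLE_W3
add address=172.26.0.0/16 list=NET_EINSLE_K13
add address=172.26.15.11 list=HOSTS_DNS_SERVER
add address=172.26.15.1 list=HOSTS_DNS_SERVER
add address=172.26.10.1 list=HOSTS_DNS_SERVER
add address=172.26.1.1 list=HOSTS_DNS_SERVER
add address=172.24.10.11 list=HOSTS_DNS_SERVER
add address=172.24.10.12 list=HOSTS_DNS_SERVER
add address=172.21.5.1 list=HOSTS_DNS_SERVER
add address=192.168.178.1 list=HOSTS_DNS_SERVER

/ip firewall filter
# Rules are evaluated top to bottom; order below is the original order.
add action=accept chain=output comment="OUT: allow output"
# --- input (traffic to the router itself) ---
add action=accept chain=input comment="INP: allow established" connection-state=established,related
# Management (ssh, winbox 8291, http/https) is reachable from all of
# NET_PRIVATE, i.e. also from the 192.168.178.0/24 upstream side of ether1.
add action=accept chain=input comment="INP: allow tcp ssh,dns.http,https,winbox" connection-state=new dst-port=22,53,80,443,8291 protocol=tcp src-address-list=NET_PRIVATE
add action=accept chain=input comment="INP: allow udp dns,discover" dst-port=53,5678,7979,20561 protocol=udp src-address-list=NET_PRIVATE
# No source restriction: mDNS is accepted on every interface, including ether1.
add action=accept chain=input comment="accept mdns repeater" dst-port=5353 protocol=udp
add action=accept chain=input comment="INP: allow icmp" protocol=icmp
add action=drop chain=input comment="INP: drop TCP 3490" dst-port=3490 protocol=tcp
add action=drop chain=input comment="INP: drop UDP 1900" dst-port=137-139,1900,3490 protocol=udp
add action=drop chain=input comment="INP: drop igmp" protocol=igmp
# log-prefix is set but log=yes is not, so this default drop is silent; add
# log=yes if dropped input should be visible (the forward default drop logs).
add action=drop chain=input comment="INP: drop default " log-prefix="INP: "
# --- forward (traffic through the router) ---
add action=accept chain=forward comment="FWD: allow established" connection-state=established,related
add action=drop chain=forward comment="FWD: drop invalid" connection-state=invalid log=yes log-prefix="FWD INV: "
add action=accept chain=forward comment="FWD: allow icmp from any to any" protocol=icmp
add action=accept chain=forward comment="FWD: allow ssh from any to any" dst-port=22 protocol=tcp src-address-list=NET_PRIVATE
add action=accept chain=forward comment="FWD: allow udp dns,ntp from lan to DNS_SERVER" dst-address-list=HOSTS_DNS_SERVER dst-port=53,123,853 protocol=udp src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow tcp dns,ntp from lan to DNS_SERVER" dst-address-list=HOSTS_DNS_SERVER dst-port=53,853 protocol=tcp src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow udp dns,ntp from lan to wan" dst-address-list=!NET_PRIVATE dst-port=53,123,853 out-interface=ether1 protocol=udp src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow tcp dns from lan to wan" connection-state=new dst-address-list=!NET_PRIVATE dst-port=53,853 out-interface=ether1 protocol=tcp src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow tcp http(s) from lan to fritzbox" connection-state=new dst-address=192.168.178.1 dst-port=80,443 protocol=tcp src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow zabbix from lan to wan" connection-state=new dst-address-list=!NET_PRIVATE dst-port=10050,10051 out-interface=ether1 protocol=tcp src-address=172.26.0.0/16
# No source or interface match: this is what lets the dst-nat'd 80/443 traffic
# arriving on ether1 reach 172.26.15.11. Narrow it (e.g. to the dst-nat target)
# if only that host is meant to be reachable from the upstream side.
add action=accept chain=forward comment="FWD: allow tcp http / https from any to any" connection-state=new dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="FWD: allow udp http / https from any to any" dst-address-list=!NET_PRIVATE dst-port=80,443 protocol=udp src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow email from lan to wan" connection-state=new dst-address-list=!NET_PRIVATE dst-port=25,110,143,465,587,993,995 out-interface=ether1 protocol=tcp src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow tcp mqtt from lan to wan" dst-address-list=!NET_PRIVATE dst-port=1883 protocol=tcp src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow tcp shelly from lan to wan" dst-address-list=!NET_PRIVATE dst-port=6011,6021,6022,8886 protocol=tcp src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow sms communication from lan to wan ip" dst-address=135.181.241.188 dst-port=61745 protocol=tcp src-address=172.26.15.44
add action=accept chain=forward comment="FWD: allow tcp android from lan to wan" dst-address-list=!NET_PRIVATE dst-port=5222,5228 protocol=tcp src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow udp android from lan to wan" dst-address-list=!NET_PRIVATE dst-port=500,4500 protocol=udp src-address=172.26.0.0/16
# FIX: the original rule matched only src-port=9993, so any forwarded UDP
# packet carrying that source port - from any interface, to any destination -
# was accepted ahead of the default drop. A source-port-only match is not a
# trust signal; pin the rule to the LAN source its comment names.
add action=accept chain=forward comment="FWD: allow zerotier from lan to wan" protocol=udp src-address=172.26.0.0/16 src-port=9993
# log-prefix is set but log=yes is not; this rule does not log.
add action=accept chain=forward comment="FWD: allow any from vpn to lan" dst-address=172.26.0.0/16 log-prefix="FWD: VPN to LAN" src-address=172.21.1.0/24
add action=accept chain=forward comment="FWD: allow any from w3 to k13" dst-address=172.26.0.0/16 src-address=172.24.0.0/16
add action=accept chain=forward comment="FWD: allow any from k13 to w3" dst-address=172.24.0.0/16 src-address=172.26.0.0/16
add action=accept chain=forward comment="FWD: allow any from lan to lan" dst-address=172.26.0.0/16 log=yes log-prefix="FWD: any_lan_lan" src-address=172.26.0.0/16
# Catch-all LAN->internet accept; the per-service "lan to wan" rules above
# only add logging granularity, they do not restrict anything.
add action=accept chain=forward comment="FWD: allow any from lan to wan" dst-address-list=!NET_PRIVATE log=yes log-prefix="FWD: any_lan_wan" src-address=172.26.0.0/16
add action=drop chain=forward comment="FWD: drop default" log=yes log-prefix="FWD: DROP"

/ip firewall nat
add action=masquerade chain=srcnat comment="masq to fritzbox" dst-address=192.168.178.0/24 src-address=172.26.0.0/16
add action=accept chain=srcnat comment="dont masq to private networks" dst-address-list=NET_PRIVATE src-address=172.26.0.0/16
add action=masquerade chain=srcnat comment="masq to internet" dst-address=!172.26.0.0/16 src-address=172.26.0.0/16
# Port forwards for the router's upstream address 192.168.178.10 to the docker
# host; the forward-chain "http / https from any to any" rule admits them.
add action=dst-nat chain=dstnat comment="dnat http" dst-address=192.168.178.10 dst-port=80 protocol=tcp to-addresses=172.26.15.11 to-ports=80
add action=dst-nat chain=dstnat comment="dnat https" dst-address=192.168.178.10 dst-port=443 protocol=tcp to-addresses=172.26.15.11 to-ports=443

/ip route
# Remote sites reachable through the WireGuard peer.
add disabled=no distance=1 dst-address=172.24.0.0/16 gateway=172.21.5.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=172.21.1.0/24 gateway=172.21.5.1 routing-table=main suppress-hw-offload=no

/ip service
set telnet disabled=yes

/ip ssh
# Both local and remote SSH port forwarding through the router are enabled;
# any account with SSH access can tunnel to LAN hosts. Set to "no" unless the
# forwarding is actually used.
set forwarding-enabled=both

/system clock
set time-zone-name=Europe/Berlin

/system identity
set name=mt-k13-kg-l009

/system ntp client
set enabled=yes

/system ntp client servers
add address=ntp1.ptb.de
add address=ntp2.ptb.de
add address=192.168.178.1

/system routerboard settings
set enter-setup-on=delete-key

/tool sniffer
# Leftover packet-capture filter (nanoKVM2's lease address); harmless while the
# sniffer is stopped, but clear it once the debugging session is over.
set filter-dst-ip-address=172.26.15.52/32 filter-interface=br_lan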