Request help! RouterOS Configuration screwed up. (2024)

Hello forum, first things first. I'm new to MikroTik and the world of corporate / enterprise level networking. I have inherited my position since the manager left the company; management informed me they will not replace him any time soon. I have been tasked to make sure the list below is in order and working properly ASAP. I have read a lot of forum posts and attempted a few things myself, but with no success. I need some help understanding the proper / best practices to follow in configuring, because something, or multiple things, is wrong, since a simple task like port forwarding isn't working. I thank in advance anyone here who helps me understand how to properly configure my mess.

I'm willing to wipe everything and start over if that is what it takes to make the Mikrotik Router work flawlessly.

Here is what I am trying to do.
1. Configure WAN with inbound ISP
2. Configure multiple LAN ports with both inbound / outbound traffic
3. Set up router security (firewall hardening)
4. Set up VLANs (Guest, Employee, HR, Management, VPN, VoIP)
5. Several internal servers: enable proper internal redirection without send/receive packet loss or NAT confusion
6. Configure port forwarding
7. Enable the ability to monitor traffic (websites, protocols, IPs, MACs, etc.)
8. Configure VPN remote access
9. Allow Active Directory to be the authentication for VPN users
10. Proper whitelisting of inbound server traffic to our network

Network Equipment
Router: CCR1036-8G-2S+
- Firmware: tilegx, 3.41
- RouterOS: 6.40.4 (Update to 6.42.1 is scheduled during maintenance this month.)
Network Switches HPE Pro Curve v1920
Aruba IAP-105

Network Topology
ISP (Fiber to RJ45) > Mikrotik (Port 1 = WAN) > Mikrotik (Port 2 = LAN) > HPE Pro Curve > Aruba IAP
- HPE Pro Curves are daisy-chained to each floor
- Aruba IAPs are connected directly to the HPE Pro Curves on each floor

Export of current configuration


# may/14/2018 15:04:15 by RouterOS 6.40.4
# software id = 0SK2-94LN
# model = CCR1036-8G-2S+
# serial number = xxxxxxxxxxxxxx
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1590
set [ find default-name=ether2 ] l2mtu=1590 name=ether2-master-local
set [ find default-name=ether3 ] comment="Slave to 2" l2mtu=1590 name=ether3-slave
set [ find default-name=ether4 ] l2mtu=1590
set [ find default-name=ether5 ] l2mtu=1590 name=ether5-callcenter
set [ find default-name=ether6 ] l2mtu=1590
set [ find default-name=ether7 ] l2mtu=1590
set [ find default-name=ether8 ] l2mtu=1590
set [ find default-name=sfp-sfpplus1 ] l2mtu=1590 name=sfp-plus1
set [ find default-name=sfp-sfpplus2 ] l2mtu=1590 name=sfp-plus2
/interface vlan
add interface=ether2-master-local name=vlan300-VoIP vlan-id=300
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=RouterOS
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=ether2-master-local lease-time=1d name=dhcp1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/ip address
add address= interface=ether2-master-local network=
add address=X.X.X.243/29 interface=ether1 network=X.X.X.240
/ip arp
add address= interface=ether3-slave mac-address=00:80:A3:93:3B:8A
add address= interface=ether2-master-local mac-address=00:25:90:9A:06:70
add address= interface=ether2-master-local mac-address=00:80:92:7B:03:D6
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address= dns-server=,,,, gateway= netmask=23
/ip dns
set servers=,,,,
/ip dns static
add address=
/ip firewall address-list
add address= list=OnSIP
add address= list="Boot"
add address=
add address= list="OnSIP - Inbound"
add address= list="Velocify IP1"
add address= list="Velocify IP"
add address= list="Velocify IP2"
add address= list="Velocify IP3"
add address= list="Velocify IP4"
add address= list="Velocify IP5"
add address= list="Velocify IP6"
add address= list="Velocify IP7"
add address= list="Velocify IP8"
add address= list="Velocify IP9"
add address= list="Velocify IP10"
add address= list="Velocify IP11"
add address= list="Velocify IP12"
add address= list="Velocify IP13"
add address= list=KennyRoss
add address= list="CAKE IP1"
add address= list="CAKE IP2"
add address= list="CAKE IP3"
add address= list="CAKE IP4"
add address= list="CAKE IP5"
add address= list="CAKE IP6"
add address= list="CAKE IP7"
add address= list="CAKE IP8"
add address= list="CAKE IP9"
add address= list="CAKE IP10"
add address= list="CAKE IP11"
add address= list="CAKE IP12"
add address= list="CAKE IP13"
add address= list="CAKE IP14"
add address= list="CAKE IP15"
add address= list="CAKE IP16"
add address= list="CAKE IP17"
add address= list="CAKE IP18"
add address= list="CAKE IP19"
add address= list="CAKE IP20"
add address= list="CAKE IP21"
add address= list="CAKE IP22"
add address= list="CAKE IP23"
add address= list="CAKE IP24"
add address= list="CAKE IP25"
add address= list="CAKE IP26"
add address= list="CAKE IP27"
add address= list="CAKE IP28"
add address= list="CAKE IP29"
add address= list="CAKE IP30"
add address= list="CAKE IP31"
add address= list="CAKE IP32"
add address= comment="Free SSL Certificate Service" list=Lets-Encrypt
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC3068 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= comment=RFC4601 disabled=yes list=NotPublic
add address= comment=RFC6890 disabled=yes list=NotPublic
add address= list=SDS-Home
add address= list=VZW-hotspot
/ip firewall filter
add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related disabled=yes
add action=accept chain=input comment="Accept all connections from local network" disabled=yes in-interface=ether2-master-local
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related disabled=yes
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" disabled=yes in-interface=ether2-master-local src-address=!
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related disabled=yes in-interface=ether1
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" disabled=yes dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" disabled=yes src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" disabled=yes in-interface=ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid disabled=yes
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" disabled=yes in-interface=ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat comment="SKYNET - OSTicket" dst-port=80 in-interface=ether1 protocol=tcp to-addresses= to-ports=80
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8088 in-interface=all-ethernet protocol=tcp to-addresses= to-ports=8088
add action=accept chain=dstnat comment="The Wilson Group SNMP Monitor" dst-port=161 in-interface=ether1 protocol=udp
add action=src-nat chain=srcnat comment="The Wilson Group SNMP send" out-interface=ether2-master-local protocol=udp src-port=161 to-ports=161
add action=masquerade chain=srcnat comment="Outbound traffic" out-interface=ether2-master-local src-address=
add action=masquerade chain=srcnat comment=Loopback out-interface=ether2-master-local to-addresses=X.X.X.243
add action=masquerade chain=srcnat comment=Loopback disabled=yes out-interface=ether1
add action=dst-nat chain=dstnat comment=Loopback dst-address=X.X.X.243 to-addresses=
add action=dst-nat chain=dstnat comment="Authentication Packets for Apps, Software, Websites, etc." dst-port=443 in-interface=ether1 protocol=tcp to-ports=443
add action=dst-nat chain=dstnat comment="RDP - SkyNet" dst-port=3389 in-interface=ether1 protocol=tcp to-addresses= to-ports=3389
add action=dst-nat chain=dstnat comment="SQL Broker Port" dst-port=1433 in-interface=ether1 protocol=tcp to-addresses= to-ports=1433
add action=dst-nat chain=dstnat comment="SQL Authentication SSL" dst-port=443 in-interface=ether1 protocol=tcp to-addresses= to-ports=443
add action=dst-nat chain=dstnat comment="SQL Interface" dst-port=1434 in-interface=all-ethernet protocol=tcp to-addresses= to-ports=1434
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=25 in-interface=all-ethernet protocol=tcp to-addresses= to-ports=25
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=587 in-interface=all-ethernet protocol=tcp to-addresses= to-ports=587
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=25 in-interface=all-ethernet protocol=tcp to-addresses= to-ports=25
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=587 in-interface=all-ethernet protocol=tcp to-addresses= to-ports=587
add action=dst-nat chain=dstnat comment="OnSIP Communication Port" dst-address=X.X.X.243 dst-port=5060 in-interface=all-ethernet protocol=udp to-ports=5060
add action=dst-nat chain=dstnat comment="OnSIP RTP Audio Media Packets" dst-address=X.X.X.243 port=10000-20000 protocol=udp to-ports=10000-20000
add action=dst-nat chain=dstnat dst-address=X.X.X.243 dst-port=1433 in-interface=all-ethernet protocol=tcp to-addresses= to-ports=1433
add action=redirect chain=dstnat comment="RDP into LVL-Base Server" dst-address=X.X.X.243 dst-port=4050 in-interface=all-ethernet protocol=tcp to-ports=3389
add action=dst-nat chain=dstnat in-interface=all-ethernet port=500 protocol=udp to-ports=500
add action=dst-nat chain=dstnat in-interface=all-ethernet port=50-51 protocol=udp to-ports=50-51
add action=dst-nat chain=dstnat in-interface=all-ethernet port=4500 protocol=udp to-ports=4500
add action=dst-nat chain=dstnat comment="IT RDP In" dst-port=4052 in-interface=ether1 protocol=tcp to-addresses= to-ports=3389
/ip firewall service-port
set sip disabled=yes
/ip proxy
set cache-path=disk1/web/proxy max-cache-object-size=4096KiB parent-proxy=
/ip route
add check-gateway=ping distance=1 gateway=X.X.X.241
/ip service
set telnet address= disabled=yes
set ftp address= disabled=yes
set www address=,, port=51506
set ssh disabled=yes
set api disabled=yes
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2-master-local type=internal
/system clock
set time-zone-autodetect=no time-zone-name=EST5EDT
/system clock manual
set dst-end="nov/06/2016 02:00:00" dst-start="mar/13/2016 02:00:00" time-zone=+05:00
/system identity
set name=RouterOS
/system leds
set 0 interface=sfp-plus1
set 1 interface=sfp-plus1
set 2 interface=sfp-plus2
set 3 interface=sfp-plus2
/system ntp client
set enabled=yes primary-ntp= secondary-ntp=
/system scheduler
add interval=1w name="auto backup" on-event="/system backup save name=October7 backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=oct/09/2017 start-time=10:00:00
add comment="Auto backup send to This is also to have an off device backup." interval=1w name="autoback up send to email" on-event=\
"/tool email sent to=\"\" subject=(/system identity get name]\" backup\") file=today backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=oct/09/2017 \
add disabled=yes interval=1d name=backup_MT1 on-event="/export file=configuration_MT1 hide-sensitive ;\r\
\n/system backup save name=backup_MT1 ;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/10/2017 start-time=11:16:00
/tool graphing interface
add interface=ether1
/tool graphing queue
/tool sniffer
set filter-interface=ether1 filter-port=587 filter-stream=yes only-headers=yes
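Added example, not from the original post or from MikroTik: a minimal, ordered RouterOS 6.x filter and NAT set for the two interfaces named in the export (ether1 = WAN, ether2-master-local = LAN), with one port forward and its hairpin rules. It assumes a LAN subnet of 192.168.88.0/24 and an internal web server at 192.168.88.10 (both placeholders); X.X.X.243 is the public address as masked in the export. It differs from the export in two points that matter for "port forwarding isn't working": the filter rules are enabled and end in a drop, and dst-nat rules match on in-interface=ether1 rather than all-ethernet, so LAN-originated traffic is not rewritten by accident.

```routeros
# Assumed placeholders: LAN 192.168.88.0/24, server 192.168.88.10, public X.X.X.243
/ip firewall filter
# input chain: packets addressed to the router itself
add chain=input action=accept connection-state=established,related comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface=ether2-master-local comment="management (winbox/www) from LAN only"
add chain=input action=drop comment="drop everything else, incl. WAN access to winbox"
# forward chain: packets routed through the router
add chain=forward action=accept connection-state=established,related comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface=ether2-master-local comment="LAN to anywhere"
add chain=forward action=accept in-interface=ether1 connection-state=new connection-nat-state=dstnat comment="new WAN connections only if dst-natted"
add chain=forward action=drop comment="drop everything else"
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="LAN to Internet"
# port forward: public tcp/80 -> 192.168.88.10:80, matched on the WAN interface only
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=80 to-addresses=192.168.88.10 to-ports=80 comment="OSTicket"
# hairpin NAT: LAN hosts reaching the server via the public IP
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-address=X.X.X.243 protocol=tcp dst-port=80 to-addresses=192.168.88.10 comment="hairpin dst"
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=80 comment="hairpin src"
```

Rule order is evaluated top to bottom, so add or move rules with `/ip firewall filter move` rather than appending after the final drop; check hits with `/ip firewall filter print stats`.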
