Окно микротика сидит на всех внешних ip

Рейтинг: 0 | Ответов: 1 | Опубликовано: 16.01.2023

Не могу привязать локальный ip к внешнему по той причине, что на всех внешних ip открывается стартовое окно микротика с формой логина и пароля. Где косяк в настройках?

# jan/16/2023 16:20:35 by RouterOS 6.39
# software id = 2W83-U2L7
#

# Addresses assigned to the router's own interfaces: public 185.174.195.x
# addresses on WAN (and one on ether5-lan), 172.16.0.1/23 on LAN and two
# 10.0.25.x addresses on DMZ.
# NOTE(review): every address listed here is local to the router, so a
# connection to any of the 185.174.195.x addresses is answered by the router
# itself (chain=input) unless an enabled dst-nat rule rewrites it first.
/ip address
add address=185.174.195.6/24 interface=WAN network=185.174.195.0
add address=172.16.0.1/23 interface=LAN network=172.16.0.0
# NOTE(review): DMZ has both 10.0.25.100/12 and 10.0.25.130/24; the /24 lies
# inside the /12 - confirm the overlap is intended.
add address=10.0.25.100/12 interface=DMZ network=10.0.0.0
add address=185.174.195.7/24 interface=WAN network=185.174.195.0
add address=185.174.195.5/24 interface=WAN network=185.174.195.0
add address=10.0.25.130/24 interface=DMZ network=10.0.25.0
# NOTE(review): the next two entries put the same 185.174.195.0/27 prefix on
# two different interfaces (WAN and ether5-lan), inside the WAN /24 above -
# confirm which interface is meant to own that range.
add address=185.174.195.15/27 interface=WAN network=185.174.195.0
add address=185.174.195.16/27 interface=ether5-lan network=185.174.195.0
# Static ARP entries (IP -> MAC) for LAN and DMZ hosts.
# NOTE(review): static ARP only restricts who may use an address when the
# interface's ARP mode refuses dynamic entries; the interface settings are not
# part of this export - confirm.
# NOTE(review): several entries disagree with /ip dhcp-server lease in this
# same export and should be reconciled:
#   - 172.16.0.18 is bound to 08:62:66:12:17:0C here, but the lease for
#     172.16.0.18 uses 04:92:26:5A:AD:9B;
#   - 172.16.0.158 and 172.16.0.106 use MACs that the lease table assigns to
#     172.16.0.30 and 172.16.0.42;
#   - 172.16.0.187 and 172.16.0.121 share the MAC 90:1B:0E:EB:61:04.
/ip arp
add address=172.16.1.99 comment=Serv_Indigo interface=LAN mac-address=\
    6C:4B:90:09:E5:F6
add address=172.16.1.11 interface=LAN mac-address=6C:4B:90:09:E3:94
add address=172.16.0.31 interface=LAN mac-address=00:C0:EE:92:91:23
add address=172.16.0.11 interface=LAN mac-address=00:E0:DB:0E:A2:B6
add address=172.16.0.187 interface=LAN mac-address=90:1B:0E:EB:61:04
add address=10.0.25.110 comment="room26 Keenetic" interface=DMZ mac-address=\
    40:4A:03:79:2F:6D
add address=172.16.0.122 comment=Serv122 interface=LAN mac-address=\
    52:54:00:4E:37:10
add address=172.16.0.123 comment=Serv123 interface=LAN mac-address=\
    52:54:00:D7:C3:37
add address=172.16.0.24 interface=LAN mac-address=00:1D:92:2D:4E:DA
add address=172.16.0.13 interface=LAN mac-address=50:46:5D:0A:48:6E
add address=172.16.0.14 interface=LAN mac-address=74:D4:35:40:72:BF
add address=172.16.0.16 interface=LAN mac-address=D0:50:99:8A:57:6B
add address=172.16.0.18 interface=LAN mac-address=08:62:66:12:17:0C
add address=172.16.0.32 interface=LAN mac-address=B4:B6:86:C5:C1:3E
add address=172.16.0.40 interface=LAN mac-address=C4:A8:1D:8A:EC:A3
add address=172.16.0.121 interface=LAN mac-address=90:1B:0E:EB:61:04
add address=172.16.0.10 interface=LAN mac-address=C8:0A:A9:53:1C:AE
add address=172.16.0.130 interface=LAN mac-address=52:54:00:13:C8:A5
add address=172.16.0.15 interface=LAN mac-address=D0:50:99:8A:57:35
add address=172.16.0.126 interface=LAN mac-address=52:54:00:77:DD:CE
add address=172.16.0.20 interface=LAN mac-address=08:62:66:12:13:1F
add address=172.16.0.158 interface=LAN mac-address=84:2A:FD:04:98:D3
add address=172.16.0.106 interface=LAN mac-address=9C:93:4E:A5:CB:7A
# Static DHCP leases (fixed address per MAC / client-id), mostly bound to the
# DHCP-EMPLOYEES server.
# NOTE(review): the comment= values identify rooms, roles and individual
# people (the \XX sequences are escaped non-ASCII bytes, presumably Cyrillic
# text), and together with the MAC addresses they form a device inventory of
# the office; consider redacting them before sharing an export.
# NOTE(review): leases without server= are not tied to DHCP-EMPLOYEES in this
# export - confirm which server is expected to hand them out.
/ip dhcp-server lease
add address=172.16.0.20 always-broadcast=yes comment="DalnovVN - IT" \
    mac-address=08:62:66:12:13:1F server=DHCP-EMPLOYEES
add address=172.16.0.13 comment="OreshkinaNA - Consult 2" mac-address=\
    50:46:5D:0A:48:6E server=DHCP-EMPLOYEES
add address=172.16.0.14 always-broadcast=yes comment="PakVE - Consult 1" \
    mac-address=74:D4:35:40:72:BF server=DHCP-EMPLOYEES
add address=172.16.0.16 always-broadcast=yes comment=Buhgalter mac-address=\
    D0:50:99:8A:57:6B server=DHCP-EMPLOYEES
add address=172.16.0.12 always-broadcast=yes comment=\
    "ZlatogorskayaAS - Consult 3" mac-address=D0:50:99:8A:56:FB server=\
    DHCP-EMPLOYEES
# NOTE(review): /ip arp maps 172.16.0.18 to 08:62:66:12:17:0C, while this
# lease uses 04:92:26:5A:AD:9B - confirm which MAC is current.
add address=172.16.0.18 always-broadcast=yes comment=Reception mac-address=\
    04:92:26:5A:AD:9B server=DHCP-EMPLOYEES
add address=172.16.0.11 comment=Polycom mac-address=00:E0:DB:0E:A2:B6 server=\
    DHCP-EMPLOYEES
add address=172.16.0.25 comment="Security IP-Camera - Buhgalter" mac-address=\
    28:10:7B:07:09:02
add address=172.16.1.99 always-broadcast=yes client-id=1:6c:4b:90:9:e5:f6 \
    comment=Indigo mac-address=6C:4B:90:09:E5:F6 server=DHCP-EMPLOYEES
add address=172.16.0.26 comment="Security IP-Camera - Enter" mac-address=\
    28:10:7B:07:09:B6
add address=172.16.1.1 client-id=1:0:23:24:bb:f4:7d comment=Class \
    mac-address=00:23:24:BB:F4:7D server=DHCP-EMPLOYEES
add address=172.16.1.2 client-id=1:0:23:24:bc:41:7e mac-address=\
    00:23:24:BC:41:7E server=DHCP-EMPLOYEES
add address=172.16.1.3 client-id=1:0:23:24:bb:f0:1d mac-address=\
    00:23:24:BB:F0:1D server=DHCP-EMPLOYEES
add address=172.16.1.4 always-broadcast=yes client-id=1:0:23:24:bc:40:ce \
    mac-address=00:23:24:BC:40:CE server=DHCP-EMPLOYEES
add address=172.16.1.6 client-id=1:6c:4b:90:9:e4:c mac-address=\
    6C:4B:90:09:E4:0C server=DHCP-EMPLOYEES
add address=172.16.1.5 client-id=1:6c:4b:90:9:e4:30 mac-address=\
    6C:4B:90:09:E4:30 server=DHCP-EMPLOYEES
add address=172.16.1.10 client-id=1:0:23:24:bb:ea:f7 mac-address=\
    00:23:24:BB:EA:F7 server=DHCP-EMPLOYEES
add address=172.16.1.9 always-broadcast=yes client-id=1:64:31:50:2:85:67 \
    mac-address=64:31:50:02:85:67 server=DHCP-EMPLOYEES
add address=172.16.1.12 client-id=1:0:1d:92:2d:4f:7b mac-address=\
    00:1D:92:2D:4F:7B server=DHCP-EMPLOYEES
add address=172.16.1.11 always-broadcast=yes client-id=1:6c:4b:90:9:e3:94 \
    mac-address=6C:4B:90:09:E3:94 server=DHCP-EMPLOYEES
add address=172.16.1.8 always-broadcast=yes client-id=1:64:31:50:2:84:39 \
    mac-address=64:31:50:02:84:39 server=DHCP-EMPLOYEES
add address=172.16.0.31 always-broadcast=yes comment="Kyocera Taskalfa 221" \
    mac-address=00:C0:EE:92:91:23 server=DHCP-EMPLOYEES
add address=172.16.0.27 comment="Security IP-Camera - Korridor" mac-address=\
    28:10:7B:07:09:A8
add address=172.16.0.121 comment="Fujitsu Host" mac-address=90:1B:0E:EB:61:04
add address=172.16.0.122 comment="Fujitsu CentOStest1" mac-address=\
    52:54:00:4E:37:10
add address=172.16.0.123 comment="Fujitsu CentOStest2" mac-address=\
    52:54:00:D7:C3:37
add address=172.16.0.126 comment="Fujitsu Samba Files" mac-address=\
    52:54:00:77:DD:CE
add address=172.16.0.24 always-broadcast=yes comment=\
    "Security IP-Camera - Videoserver" mac-address=00:1D:92:2D:4E:DA
add address=172.16.0.40 comment=\
    "D-link DIR 860L \F0\EE\F3\F2\E5\F0 \EA\E0\E1\E8\ED\E5\F2 5" mac-address=\
    C4:A8:1D:8A:EC:A3 server=DHCP-EMPLOYEES
add address=172.16.0.1 comment="\CC\E8\EA\F0\EE\F2\E8\EA" mac-address=\
    6C:3B:6B:B2:4F:CC
add address=172.16.0.32 always-broadcast=yes comment=\
    "HP M426fdw \EA\E0\E1\E8\ED\E5\F2 7" mac-address=B4:B6:86:C5:C1:3E \
    server=DHCP-EMPLOYEES
add address=172.16.0.130 client-id=1:52:54:0:13:c8:a5 comment=WinServer2016n1 \
    mac-address=52:54:00:13:C8:A5 server=DHCP-EMPLOYEES
add address=172.16.0.21 comment="\CD\EE\F3\F2 HP SSD Admin" mac-address=\
    1C:C1:DE:AD:D9:FF server=DHCP-EMPLOYEES
add address=172.16.1.22 client-id=1:70:85:c2:fe:88:0 comment=\
    "Tests (\C2\F1\E5 \F2\E5\F1\F2\FB)" mac-address=70:85:C2:FE:88:00 server=\
    DHCP-EMPLOYEES
add address=172.16.0.33 comment="Ricoh C261SFNw (\F6\E2\E5\F2\ED\EE\E9)" \
    mac-address=58:38:79:0F:28:F0
add address=172.16.0.22 comment="\CA\EE\ED\F2\F0\E0\EA\F2\ED\FB\E9 \F3\EF\F0\
    \E0\E2\EB\FF\FE\F9\E8\E9 (\F2\EE\F0\E3\E8)" mac-address=70:85:C2:FF:C1:6B \
    server=DHCP-EMPLOYEES
add address=172.16.0.23 comment="\CA\EE\F1\F2\FE\EA\EE\E2\E0 \CE\EB\FC\E3\E0 \
    \D1\E5\F0\E3\E5\E5\E2\ED\E0 4 \EA\E0\E1." mac-address=70:85:C2:FD:91:BF \
    server=DHCP-EMPLOYEES
add address=172.16.0.34 comment="HP428 \EA\E0\E1\E8\ED\E5\F2 4" mac-address=\
    84:2A:FD:04:98:71
add address=172.16.0.35 always-broadcast=yes comment=\
    "HP402 \CA\EE\EC\EF \EA\EB\E0\F1\F1" mac-address=C8:D9:D2:B4:11:B3
add address=172.16.0.36 always-broadcast=yes client-id=1:c8:d9:d2:b4:f0:ae \
    comment="HP402 \EA\E0\E1\E8\ED\E5\F2 5" mac-address=C8:D9:D2:B4:F0:AE \
    server=DHCP-EMPLOYEES
add address=172.16.0.38 always-broadcast=yes client-id=1:fc:1:7c:13:55:38 \
    comment="HP M426fdw \CF\F0\E8\E5\EC\ED\E0\FF" mac-address=\
    FC:01:7C:13:55:38 server=DHCP-EMPLOYEES
add address=172.16.0.37 client-id=1:84:2a:fd:4:98:7d comment=\
    "HP428 \EA\E0\E1\E8\ED\E5\F2 1" mac-address=84:2A:FD:04:98:7D server=\
    DHCP-EMPLOYEES
add address=172.16.0.211 client-id=1:c:9d:92:cd:8b:14 comment="\CF\D4\D0 \CC\
    \E0\F0\E8\FF \D6\E5\F0\E5\ED\EA\EE\E2\E0 \EA\E0\E1\E8\ED\E5\F2 5" \
    mac-address=0C:9D:92:CD:8B:14 server=DHCP-EMPLOYEES
add address=172.16.0.176 client-id=1:18:c0:4d:51:d9:75 comment="\CA\EE\EC\EF \
    \D1\D0\D0\D6 (\F1\E0\EC\EE\F1\E1\EE\F0) \EF\EE\E4 \CF\CE \D2\E0\E2\EE\EB\
    \E3\E8 \E2 5 \EA\E0\E1." mac-address=18:C0:4D:51:D9:75 server=\
    DHCP-EMPLOYEES
add address=172.16.0.177 client-id=\
    ff:3f:2f:c0:30:0:2:0:0:ab:11:da:a1:43:f0:c1:73:60:4 comment="\CA\EE\EC\EF \
    \EF\EE\E4 \CF\CE \D2\E0\E2\EE\EB\E3\E8 \E2 5 \EA\E0\E1. - \C2\E8\F0\F2\F3\
    \E0\EB\EA\E0 \F1 \CF\CE" mac-address=00:15:5D:00:B0:01 server=\
    DHCP-EMPLOYEES
add address=172.16.0.178 client-id=\
    ff:26:47:88:41:0:2:0:0:ab:11:30:e1:53:2a:27:7f:5f:b6 comment="\CA\EE\EC\EF\
    \_\EF\EE\E4 \CF\CE \D2\E0\E2\EE\EB\E3\E8 \E2 5 \EA\E0\E1. - \CF\EE\F7\F2\
    \EE\E2\FB\E9 \F1\E5\F0\E2\E5\F0" mac-address=00:15:5D:00:B0:02 server=\
    DHCP-EMPLOYEES
add address=172.16.0.50 comment="D-link dir 655 1 \EA\E0\E1\E8\ED\E5\F2 5" \
    mac-address=1C:C1:DE:AD:D9:00
add address=172.16.0.222 client-id=1:d8:5e:d3:16:21:10 comment=\
    "\D2\E0\E2\EE\EB\E3\E0 \C3\EE\EB\E5\E2 \C0.\C2. \EA\E0\E1.1" mac-address=\
    D8:5E:D3:16:21:10 server=DHCP-EMPLOYEES
add address=172.16.0.223 client-id=1:d8:5e:d3:16:21:3f comment="\D2\E0\E2\EE\
    \EB\E3\E0 \E1\F3\F5\E3\E0\EB\F2\E5\F0 \C5\EA\E0\F2\E5\F0\E8\ED\E0" \
    mac-address=D8:5E:D3:16:21:3F server=DHCP-EMPLOYEES
add address=172.16.0.39 comment=\
    "Kyocera 2030DN \EA\E0\E1\E8\ED\E5\F22, \E1\F3\F5\E3\E0\EB\F2\E5\F0" \
    mac-address=00:17:C8:40:49:8D server=DHCP-EMPLOYEES
add address=172.16.0.221 client-id=1:d8:5e:d3:13:2e:53 comment="\D2\E0\E2\EE\
    \EB\E3\E0 \D1\E5\EC\E5\ED\EE\E2 \CF\E0\E2\E5\EB \C2\E0\F1\E8\EB\FC\E5\E2\
    \E8\F7 \EA\E0\E1\E8\ED\E5\F2 1 " mac-address=D8:5E:D3:13:2E:53 server=\
    DHCP-EMPLOYEES
add address=172.16.0.72 client-id=1:e8:6a:64:8:fa:f3 comment=Lenovo-22 \
    mac-address=E8:6A:64:08:FA:F3 server=DHCP-EMPLOYEES
# The entries for .124, .125, .128 and .129 use dummy MACs
# 00:00:00:00:00:01..04; they appear to be placeholders that keep those
# addresses out of the dynamic pool - confirm.
add address=172.16.0.124 comment=\
    "\D0\E5\E7\E5\F0\E2 \EF\EE\E4 \F1\E5\F0\E2\E5\F0 124" mac-address=\
    00:00:00:00:00:01
add address=172.16.0.125 comment=\
    "\D0\E5\E7\E5\F0\E2 \EF\EE\E4 \F1\E5\F0\E2\E5\F0 125" mac-address=\
    00:00:00:00:00:02
add address=172.16.0.127 comment="Server 127 samaranews" mac-address=\
    52:54:00:93:3A:0C
add address=172.16.0.128 comment=\
    "\D0\E5\E7\E5\F0\E2 \EF\EE\E4 \F1\E5\F0\E2\E5\F0 128" mac-address=\
    00:00:00:00:00:03
add address=172.16.0.129 comment=\
    "\D0\E5\E7\E5\F0\E2 \EF\EE\E4 \F1\E5\F0\E2\E5\F0 129" mac-address=\
    00:00:00:00:00:04
add address=172.16.0.30 client-id=1:84:2a:fd:4:98:d3 comment=\
    "HP428 \EA\E0\E1\E8\ED\E5\F2 6" mac-address=84:2A:FD:04:98:D3 server=\
    DHCP-EMPLOYEES
add address=172.16.0.41 client-id=1:84:2a:fd:4:f7:ac comment=\
    "HP428 \EA\E0\E1\E8\ED\E5\F2 8" mac-address=84:2A:FD:04:F7:AC server=\
    DHCP-EMPLOYEES
add address=172.16.0.17 client-id=1:4:42:1a:a9:a4:2 comment=Buhgalter2 \
    mac-address=04:42:1A:A9:A4:02 server=DHCP-EMPLOYEES
add address=172.16.0.181 client-id=1:28:28:5d:7b:a8:4e comment=\
    "Keenetic_Omni 6 \EA\E0\E1." mac-address=28:28:5D:7B:A8:4E server=\
    DHCP-EMPLOYEES
add address=172.16.0.42 comment="Xerox DocuCentre SC2020" mac-address=\
    9C:93:4E:A5:CB:7A
add address=172.16.0.183 always-broadcast=yes client-id=1:50:ff:20:71:72:a8 \
    comment="Keenetic-8283 \F5\EE\EB\EB" mac-address=50:FF:20:71:72:A8 \
    server=DHCP-EMPLOYEES
add address=172.16.0.67 client-id=1:b0:fc:36:be:aa:b1 comment=Lenovo-17 \
    mac-address=B0:FC:36:BE:AA:B1 server=DHCP-EMPLOYEES
add address=172.16.0.60 always-broadcast=yes client-id=1:b0:fc:36:be:aa:b5 \
    comment=Lenovo-10 mac-address=B0:FC:36:BE:AA:B5 server=DHCP-EMPLOYEES
add address=172.16.0.58 client-id=1:b0:fc:36:be:b6:37 comment=Lenovo-8 \
    mac-address=B0:FC:36:BE:B6:37 server=DHCP-EMPLOYEES
add address=172.16.0.66 always-broadcast=yes client-id=1:b0:fc:36:c0:1:41 \
    comment=Lenovo-16 mac-address=B0:FC:36:C0:01:41 server=DHCP-EMPLOYEES
add address=172.16.0.55 always-broadcast=yes client-id=1:b0:fc:36:c0:0:83 \
    comment=Lenovo-5 mac-address=B0:FC:36:C0:00:83 server=DHCP-EMPLOYEES
add address=172.16.0.62 always-broadcast=yes client-id=1:b0:fc:36:be:76:f7 \
    comment=Lenovo-12 mac-address=B0:FC:36:BE:76:F7 server=DHCP-EMPLOYEES
add address=172.16.0.70 client-id=1:b0:fc:36:be:71:e7 comment=Lenovo-20 \
    mac-address=B0:FC:36:BE:71:E7 server=DHCP-EMPLOYEES
add address=172.16.0.64 client-id=1:b0:fc:36:c0:af:af comment=Lenovo-14 \
    mac-address=B0:FC:36:C0:AF:AF server=DHCP-EMPLOYEES
add address=172.16.0.56 always-broadcast=yes client-id=1:b0:fc:36:be:81:69 \
    comment=Lenovo-6 mac-address=B0:FC:36:BE:81:69 server=DHCP-EMPLOYEES
add address=172.16.0.65 always-broadcast=yes client-id=1:b0:fc:36:be:aa:cb \
    comment=Lenovo-15 mac-address=B0:FC:36:BE:AA:CB server=DHCP-EMPLOYEES
add address=172.16.0.212 client-id=1:a8:a1:59:72:db:9d comment="\CA\F3\F2\E5\
    \EF\EE\E2\E0 \EA\EE\EC\EF \D2\E0\E2\EE\EB\E3\E8 6 \EA\E0\E1." \
    mac-address=A8:A1:59:72:DB:9D server=DHCP-EMPLOYEES
add address=172.16.0.43 always-broadcast=yes client-id=1:c8:d9:d2:b4:11:9b \
    comment="HP402 \EA\E0\E1\E8\ED\E5\F2 4" mac-address=C8:D9:D2:B4:11:9B \
    server=DHCP-EMPLOYEES
# NOTE(review): this is the only lease with lease-time=10s - confirm that the
# very short lease time is intentional.
add address=172.16.0.19 always-broadcast=yes client-id=1:70:85:c2:ff:bd:97 \
    comment="\CF\E5\F2\F3\E3\E0\ED\EE\E2\E0 \CB\FE\E1\EE\E2\FC \C2\EB\E0\E4\E8\
    \EC\E8\F0\EE\E2\ED\E0 \EA\E0\E1\E8\ED\E5\F2 7" lease-time=10s \
    mac-address=70:85:C2:FF:BD:97 server=DHCP-EMPLOYEES
add address=172.16.0.59 always-broadcast=yes client-id=1:b0:fc:36:c0:af:7b \
    comment=Lenovo-9 mac-address=B0:FC:36:C0:AF:7B server=DHCP-EMPLOYEES
add address=172.16.0.68 always-broadcast=yes client-id=1:b0:fc:36:be:7b:a9 \
    comment=Lenovo-18 mac-address=B0:FC:36:BE:7B:A9 server=DHCP-EMPLOYEES
add address=172.16.0.200 client-id=1:70:85:c2:db:79:ec comment=\
    "\CA\EE\EB\EE\F2\E8\EB\EA\E8\ED 4 \EA\E0\E1." mac-address=\
    70:85:C2:DB:79:EC server=DHCP-EMPLOYEES
add address=172.16.0.195 client-id=1:d8:5e:d3:10:6b:6e comment=\
    "\CA\F0\FE\ED\FC\EA\E8\ED \C5\E3\EE\F0 \CD\E8\EA\EE\EB\E0\E5\E2\E8\F7" \
    mac-address=D8:5E:D3:10:6B:6E server=DHCP-EMPLOYEES
add address=172.16.0.116 client-id=1:4:42:1a:a9:a3:fe comment=\
    "\D2\E8\EC\EE\F8\E5\ED\EA\EE \C5\EB\E8\E7\E0\E2\E5\F2\E0" mac-address=\
    04:42:1A:A9:A3:FE server=DHCP-EMPLOYEES
add address=172.16.0.196 client-id=1:4:42:1a:a9:a3:b8 comment=\
    "\C5\EA\E0\F2\E5\F0\E8\ED\E0" mac-address=04:42:1A:A9:A3:B8 server=\
    DHCP-EMPLOYEES
add address=172.16.0.202 client-id=1:52:54:0:33:ef:fd comment=Zabbix \
    mac-address=52:54:00:33:EF:FD server=DHCP-EMPLOYEES
add address=172.16.0.110 client-id=1:f0:f:ec:dc:d9:30 mac-address=\
    F0:0F:EC:DC:D9:30 server=DHCP-EMPLOYEES
add address=172.16.0.147 client-id=1:4:42:1a:a9:a3:eb mac-address=\
    04:42:1A:A9:A3:EB server=DHCP-EMPLOYEES
add address=172.16.0.247 client-id=1:6a:32:9f:38:ad:93 mac-address=\
    6A:32:9F:38:AD:93 server=DHCP-EMPLOYEES
add address=172.16.0.185 client-id=1:6c:5a:b0:c8:fa:68 mac-address=\
    6C:5A:B0:C8:FA:68 server=DHCP-EMPLOYEES
add address=172.16.0.134 client-id=1:4a:62:92:db:85:cf mac-address=\
    4A:62:92:DB:85:CF server=DHCP-EMPLOYEES
add address=172.16.0.108 client-id=1:0:17:c8:ba:e5:f1 mac-address=\
    00:17:C8:BA:E5:F1 server=DHCP-EMPLOYEES
add address=172.16.0.171 client-id=1:c8:d9:d2:b4:11:bc mac-address=\
    C8:D9:D2:B4:11:BC server=DHCP-EMPLOYEES
add address=172.16.0.145 always-broadcast=yes client-id=1:b4:b6:86:7a:95:aa \
    mac-address=B4:B6:86:7A:95:AA server=DHCP-EMPLOYEES
add address=172.16.1.7 client-id=1:50:eb:f6:24:19:e9 comment="Office service" \
    mac-address=50:EB:F6:24:19:E9 server=DHCP-EMPLOYEES
# DHCP options for 172.16.0.0/23: the router (172.16.0.1) is the gateway and
# clients are handed the public resolvers 77.88.8.8 / 77.88.8.1 directly.
/ip dhcp-server network
add address=172.16.0.0/23 dns-server=77.88.8.8,77.88.8.1 gateway=172.16.0.1 \
    netmask=23
# Upstream resolvers used by the router itself; they differ from the ones
# given to DHCP clients above.
/ip dns
set servers=10.10.10.2,185.174.193.2,185.174.192.2
# Firewall filter rules. Rules are evaluated top to bottom within a chain;
# forwarded traffic is dispatched by interface pair into the custom chains
# WAN-to-LAN, LAN-to-WAN, DMZ-to-LAN, LAN-to-DMZ, DMZ-to-WAN and WAN-to-DMZ.
# NOTE(review): this export has no final drop rule for chain=forward and the
# "Block other WAN-to-LAN" drop is disabled, so WAN->LAN packets that match no
# accept rule return to chain=forward and are not dropped by any rule shown
# here - confirm against the running router and enable a default drop.
/ip firewall filter
add action=add-dst-to-address-list address-list=Winupdate \
    address-list-timeout=0s chain=forward disabled=yes dst-address-list=\
    !Winupdate dst-port=80 layer7-protocol=WinUpl7 out-interface=WAN \
    protocol=tcp
# NOTE(review): no dst-address, so this accepts TCP 433 from WAN to any LAN
# host; 433 looks like a typo for 443 - confirm.
add action=accept chain=WAN-to-LAN dst-port=433 protocol=tcp
# Accepts TCP 80 from WAN to any LAN host (no dst-address restriction).
add action=accept chain=WAN-to-LAN dst-port=80 protocol=tcp
add action=drop chain=forward comment="Block Windows Update" \
    dst-address-list=Winupdate
# ICMP is accepted to the router and through it on every interface.
add action=accept chain=input comment="Allow Ping & VPN" protocol=icmp
add action=accept chain=forward protocol=icmp
# NOTE(review): port= matches when either the source or the destination port
# is in the list, so any UDP packet sent from source port 500, 1701 or 4500 is
# accepted; dst-port= would limit the rule to the VPN ports on the router.
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=forward comment="Allow Established Connections" \
    connection-state=established
add action=accept chain=input connection-state=established
# Disabled: would accept Winbox (TCP 8291) on every interface, WAN included.
add action=accept chain=input comment="Allow Winbox from Internet" \
    connection-state="" disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=WAN-to-LAN comment="access to Polycom" disabled=yes \
    dst-address=172.16.1.7 dst-port=80 log-prefix="Polycom access" protocol=\
    tcp
add action=accept chain=input comment="Allow Related Connections" \
    connection-state=related
add action=accept chain=forward connection-state=related
add action=drop chain=input comment="Drop Invalid" connection-state=invalid \
    log-prefix="Invalid drop"
add action=drop chain=forward connection-state=invalid log-prefix=\
    "Invalid drop"
# Drop forwarded packets whose source or destination is in 0.0.0.0/8,
# 127.0.0.0/8 or 224.0.0.0/3.
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=accept chain=forward comment="LAN to LAN Accept" in-interface=LAN \
    out-interface=LAN
# Dispatch by in/out interface pair; ether5-lan is not covered by any jump.
add action=jump chain=forward comment="Jump To Chains" in-interface=WAN \
    jump-target=WAN-to-LAN out-interface=LAN
add action=jump chain=forward in-interface=LAN jump-target=LAN-to-WAN \
    out-interface=WAN
add action=jump chain=forward in-interface=DMZ jump-target=DMZ-to-LAN \
    out-interface=LAN
add action=jump chain=forward in-interface=LAN jump-target=LAN-to-DMZ \
    out-interface=DMZ
add action=jump chain=forward in-interface=DMZ jump-target=DMZ-to-WAN \
    out-interface=WAN
add action=jump chain=forward in-interface=WAN jump-target=WAN-to-DMZ \
    out-interface=DMZ
add action=drop chain=LAN-to-WAN comment="Disable Internet For Class" \
    disabled=yes src-address=172.16.1.1-172.16.1.7
add action=drop chain=LAN-to-WAN disabled=yes src-address=\
    172.16.1.10-172.16.1.16
add action=drop chain=LAN-to-WAN disabled=yes src-address=172.16.0.104
# NOTE(review): 172.17.0.190-172.17.0.199 lies outside the 172.16.0.0/23 LAN -
# possibly a typo for 172.16.x.x (the rule is disabled).
add action=drop chain=LAN-to-WAN disabled=yes src-address=\
    172.17.0.190-172.17.0.199
add action=accept chain=LAN-to-WAN comment="LAN to WAN"
# NOTE(review): the Server122 and Server127 rules below accept every protocol
# and port from WAN to the host; narrowing them to the ports published in
# /ip firewall nat would reduce exposure.
add action=accept chain=WAN-to-LAN comment="access to Server122" dst-address=\
    172.16.0.122
# Accepts TCP 85 from WAN to any LAN host (no dst-address restriction).
add action=accept chain=WAN-to-LAN comment=\
    "WAN to LAN  access to Indigo test" dst-port=85 log-prefix="port access" \
    protocol=tcp
add action=accept chain=WAN-to-LAN comment="access to Server123" disabled=yes \
    dst-address=172.16.0.123
add action=accept chain=WAN-to-LAN comment="access to Server127" dst-address=\
    172.16.0.127
add action=accept chain=WAN-to-LAN comment=\
    "access to Server177 \D2\E0\E2\EE\EB\E3\E0 \CF\CE" disabled=yes \
    dst-address=172.16.0.177
# NOTE(review): the catch-all drop for WAN-to-LAN is disabled, which makes the
# accept rules in this chain ineffective as an allow-list.
add action=drop chain=WAN-to-LAN comment="Block other WAN-to-LAN" disabled=\
    yes
add action=accept chain=LAN-to-DMZ comment="LAN to DMZ"
add action=accept chain=DMZ-to-LAN comment="DMZ to LAN" disabled=yes \
    dst-address=172.16.0.11 log-prefix="Polycom access"
# NOTE(review): unconditional accept - everything arriving on DMZ may reach
# any LAN address; the narrower rule above is disabled.
add action=accept chain=DMZ-to-LAN
add action=drop chain=DMZ-to-WAN comment="DMZ to WAN"
add action=drop chain=WAN-to-DMZ
# Final input drop applies to in-interface=WAN only; traffic to the router
# arriving on LAN, DMZ or ether5-lan is not dropped by any rule shown here.
add action=drop chain=input comment="Drop other input on Mikrotik" \
    in-interface=WAN log-prefix="Drop Input"
# Policy-routing marks: traffic from selected LAN hosts (172.16.0.11,
# 172.16.1.99, 172.16.0.177-172.16.0.178) gets a routing mark that the
# /ip route and src-nat entries of this export refer to.
# NOTE(review): TavolgaServ-route is set here, but no entry in /ip route of
# this export carries that routing-mark and the src-nat rule using it is
# disabled - confirm whether the mark is still needed.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mangle for polycom access" \
    dst-address=!10.0.0.0/12 new-routing-mark=polycom-route passthrough=yes \
    src-address=172.16.0.11
add action=mark-routing chain=prerouting dst-address=10.0.0.0/12 \
    new-routing-mark=polycom-route-kspd passthrough=yes src-address=\
    172.16.0.11
add action=mark-routing chain=prerouting comment="Mangle for indigo access" \
    dst-address=!10.0.0.0/12 new-routing-mark=indigo-route passthrough=yes \
    src-address=172.16.1.99
add action=mark-routing chain=prerouting comment=\
    "Mangle for TavolgaServ access" dst-address=!10.0.0.0/12 \
    new-routing-mark=TavolgaServ-route passthrough=yes src-address=\
    172.16.0.177-172.16.0.178
# NAT rules: chain=dstnat publishes internal services on the public addresses,
# chain=srcnat selects the public source address for outgoing traffic.
# NOTE(review): the enabled dst-nat rules carry no in-interface, so they also
# match connections that LAN clients open to the public addresses; this export
# has no srcnat rule for LAN->LAN traffic (hairpin NAT), so such connections
# presumably fail - test published services from outside the LAN.
# NOTE(review): forwarded traffic is only as restricted as chain=forward in
# /ip firewall filter; with the WAN-to-LAN catch-all drop disabled there,
# enabling any dst-nat rule below effectively publishes its target.
/ip firewall nat
# action=accept performs no translation, so to-addresses presumably has no
# effect in this (disabled) rule.
add action=accept chain=dstnat comment="> Server123 access to Wan x.7" \
    disabled=yes dst-address=172.16.1.7 dst-port=80 protocol=tcp \
    to-addresses=185.174.195.7
# Disabled: 185.174.195.6:443 -> 172.16.1.7:443, limited to in-interface=WAN.
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6 \
    dst-port=443 in-interface=WAN protocol=tcp to-addresses=172.16.1.7 \
    to-ports=443
add action=redirect chain=dstnat comment="Redirect users to proxy" disabled=\
    yes dst-address=!172.16.0.0/23 dst-port=80 log-prefix=DSTnAT protocol=tcp \
    src-address=172.16.1.1-172.16.1.13 to-ports=8080
# Disabled: would forward every protocol and port sent to 185.174.195.6 to
# 172.16.0.11, including traffic meant for the router itself.
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6 \
    to-addresses=172.16.0.11
add action=src-nat chain=srcnat comment="Polycom access from WAN & DMZ" \
    disabled=yes dst-address=10.0.0.0/12 out-interface=DMZ routing-mark=\
    polycom-route-kspd src-address=172.16.0.11 to-addresses=10.0.25.130
add action=src-nat chain=srcnat disabled=yes dst-address=!172.16.0.0/23 \
    out-interface=WAN routing-mark=polycom-route src-address=172.16.0.11 \
    to-addresses=185.174.195.6
add action=dst-nat chain=dstnat disabled=yes dst-address=10.0.25.130 \
    to-addresses=172.16.0.11
add action=src-nat chain=srcnat dst-address=!172.16.0.0/23 out-interface=WAN \
    routing-mark=indigo-route src-address=172.16.1.99 to-addresses=\
    185.174.195.7
add action=dst-nat chain=dstnat comment="Indigo tests access" dst-address=\
    185.174.195.7 dst-port=85 protocol=tcp to-addresses=172.16.1.99 to-ports=\
    85
add action=src-nat chain=srcnat comment="Server Tavolga access Routing mark" \
    disabled=yes out-interface=WAN routing-mark=TavolgaServ-route \
    src-address=172.16.0.177-172.16.0.178 to-addresses=185.174.195.6
add action=src-nat chain=srcnat comment="> Server122 access to Wan x.5" \
    dst-address=!172.16.0.0/23 out-interface=WAN src-address=172.16.0.122 \
    to-addresses=185.174.195.5
add action=src-nat chain=srcnat comment="> Server127 access to Wan x.7" \
    dst-address=!172.16.0.0/23 out-interface=WAN src-address=172.16.0.127 \
    to-addresses=185.174.195.7
# Enabled port forwards to 172.16.0.122 and 172.16.0.127 follow; each maps one
# TCP port of 185.174.195.5 or 185.174.195.7 to the internal host.
add action=dst-nat chain=dstnat comment=\
    "Server127:8080 access from Wan x.5:80" dst-address=185.174.195.5 \
    dst-port=80 protocol=tcp to-addresses=172.16.0.127 to-ports=8080
add action=dst-nat chain=dstnat comment=\
    "Server122:1194 access from Wan x.5:13941" dst-address=185.174.195.5 \
    dst-port=13941 protocol=tcp to-addresses=172.16.0.122 to-ports=1194
add action=dst-nat chain=dstnat comment="Server127:80 access from Wan x.7:80" \
    dst-address=185.174.195.7 dst-port=80 protocol=tcp to-addresses=\
    172.16.0.127 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "Server127:443 access from Wan x.7:443" dst-address=185.174.195.7 \
    dst-port=443 protocol=tcp to-addresses=172.16.0.127 to-ports=443
add action=dst-nat chain=dstnat comment=\
    "Server127:1194 access from Wan x.5:13942" dst-address=185.174.195.5 \
    dst-port=13942 protocol=tcp to-addresses=172.16.0.127 to-ports=1194
add action=dst-nat chain=dstnat comment=\
    "Server127:10000 access from Wan x.7:10000" dst-address=185.174.195.7 \
    dst-port=10000 protocol=tcp to-addresses=172.16.0.127 to-ports=10000
add action=dst-nat chain=dstnat comment=\
    "Server127:10002 access from Wan x.7:10002" dst-address=185.174.195.7 \
    dst-port=10002 protocol=tcp to-addresses=172.16.0.127 to-ports=10002
add action=dst-nat chain=dstnat comment=\
    "Server127:10004 access from Wan x.7:10004" dst-address=185.174.195.7 \
    dst-port=10004 protocol=tcp to-addresses=172.16.0.127 to-ports=10004
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6 \
    dst-port=443 protocol=tcp to-addresses=172.16.1.8 to-ports=443
add action=masquerade chain=srcnat disabled=yes dst-address=172.16.1.7 \
    dst-port=443 protocol=tcp
add action=masquerade chain=srcnat comment=Masquerade out-interface=WAN
add action=masquerade chain=srcnat out-interface=DMZ
# masquerade takes the address of the outgoing interface, so to-addresses
# presumably has no effect in this (disabled) rule.
add action=masquerade chain=srcnat disabled=yes out-interface=WAN \
    src-address=172.16.0.123 to-addresses=185.174.195.7
# Disabled port forwards for 185.174.195.6 (mail, database and other service
# ports) follow.
# NOTE(review): several of them look mistyped: dst-address=185.174.156.6 in
# the first rule is not one of the router's addresses, and to-addresses=
# 127.16.1.7 (ports 25, 587, 5222, 5232) is a loopback-range address that the
# forward chain drops; 172.16.1.7 was presumably intended.
# NOTE(review): 3306 and 5432 are database ports; if these rules are ever
# enabled, restrict the allowed source addresses in the filter table first.
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.156.6 \
    dst-port=25 protocol=tcp to-addresses=127.16.1.7 to-ports=25
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6 \
    dst-port=110 protocol=tcp to-addresses=172.16.1.7 to-ports=110
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6 \
    dst-port=143 protocol=tcp to-addresses=172.16.1.7 to-ports=143
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6 \
    dst-port=3306 protocol=tcp to-addresses=172.16.1.7 to-ports=3306
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6 \
    dst-port=587 protocol=tcp to-addresses=127.16.1.7 to-ports=587
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6 \
    dst-port=5222 protocol=tcp to-addresses=127.16.1.7 to-ports=5222
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6 \
    dst-port=5232 protocol=tcp to-addresses=127.16.1.7 to-ports=5232
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6 \
    dst-port=5432 protocol=tcp to-addresses=172.16.1.7 to-ports=5432
# IPsec peer template for incoming VPN clients: passive=yes means the router
# waits for the remote side to initiate, and address=0.0.0.0/0 accepts peers
# from any source address.
# NOTE(review): secret= is the pre-shared key in cleartext. It was published
# together with the router's public addresses, so treat it as disclosed and
# replace it; "/export hide-sensitive" leaves such values out of an export.
# NOTE(review): 3des is still offered next to AES - confirm whether any client
# needs it and remove it otherwise.
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des generate-policy=\
    port-override passive=yes secret=SamaraRRC
# Built-in web proxy: enabled, with outgoing requests sourced from 172.16.0.1.
# NOTE(review): the only access rule is a deny (with redirect) for clients
# 172.16.1.1-172.16.1.13; nothing in this export restricts who else may use
# the proxy. The input chain drops WAN traffic, but LAN, DMZ and ether5-lan
# are not filtered there - confirm the proxy is not reachable from networks
# that should not use it.
/ip proxy
set anonymous=yes enabled=yes max-cache-size=10000KiB src-address=172.16.0.1
/ip proxy access
add action=deny dst-address=!172.16.0.0/23 dst-port=80,443 redirect-to=\
    172.16.1.100 src-address=172.16.1.1-172.16.1.13
# Static routes. Entries with routing-mark apply only to traffic marked in
# /ip firewall mangle; the unmarked default route leaves via 185.174.195.1
# with preferred source 185.174.195.5.
/ip route
add check-gateway=ping distance=2 gateway=185.174.195.1 pref-src=\
    185.174.195.6 routing-mark=polycom-route
add check-gateway=ping distance=1 dst-address=185.174.195.0/24 gateway=WAN \
    pref-src=185.174.195.6 routing-mark=polycom-route scope=10
add check-gateway=ping distance=1 gateway=10.0.25.1 pref-src=10.0.25.130 \
    routing-mark=polycom-route-kspd
add check-gateway=ping distance=3 gateway=185.174.195.1 pref-src=\
    185.174.195.7 routing-mark=indigo-route
add check-gateway=ping distance=1 gateway=185.174.195.1 pref-src=\
    185.174.195.5
# NOTE(review): pref-src=10.0.25.1 is not one of the router's own addresses in
# /ip address (DMZ has 10.0.25.100 and 10.0.25.130), and 10.0.25.1 is used as
# a gateway in another route of this section - confirm the value.
add comment="\E4\EE \EA\EE\EE\F0\E4\E8\ED\E0\F2\EE\F0\E0 \EF\F0\EE\E1\E01" \
    distance=1 dst-address=10.100.5.5/32 gateway=DMZ pref-src=10.0.25.1 \
    scope=10
add check-gateway=ping distance=2 dst-address=185.174.195.0/24 gateway=WAN \
    pref-src=185.174.195.7 scope=10
# Management services: telnet, ftp, api and api-ssl are disabled; www (WebFig)
# and ssh accept connections only from 172.16.0.0/23.
# NOTE(review): winbox is not listed, so it is presumably at its defaults
# (enabled, no address restriction) - confirm and restrict it like www/ssh.
# NOTE(review): because www answers only LAN sources and the input chain drops
# other WAN traffic, the login page described in the question would be
# expected when a LAN client opens one of the router's own 185.174.195.x
# addresses and no enabled dst-nat rule matches - confirm from an outside host.
# NOTE(review): the export header reports RouterOS 6.39 on an export dated
# 2023; check that release against MikroTik's current releases and security
# advisories before exposing any management service.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=172.16.0.0/23
set ssh address=172.16.0.0/23
set api disabled=yes
set api-ssl disabled=yes
# Traffic Flow is configured for the WAN interface with collector
# 10.1.10.20:1234; enabled= is not listed in this export - confirm whether it
# is actually running.
/ip traffic-flow
set interfaces=WAN
/ip traffic-flow target
add dst-address=10.1.10.20 port=1234
# SNMP is enabled; traps (version 2) go to 172.16.0.202, which the DHCP lease
# table labels "Zabbix".
# NOTE(review): /snmp community is not part of this export, so the community
# is presumably still at its default - set a non-default community and limit
# it to the monitoring host.
/snmp
set enabled=yes trap-interfaces=all trap-target=172.16.0.202 trap-version=2
/system clock
set time-zone-name=Europe/Samara


   

Ответы


# Rule quoted from the question's /ip firewall nat export (it is disabled=yes
# there); the export's line-continuation backslashes are missing in this copy.
add action=dst-nat chain=dstnat disabled=yes dst-address=185.174.195.6
dst-port=443 in-interface=WAN protocol=tcp to-addresses=172.16.1.7
to-ports=443

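Исправь в этом правиле dst-port: 443 -> 80,443. Учти, что в экспорте правило отключено (disabled=yes) — чтобы оно заработало, его нужно включить, а при to-ports=443 запросы на оба порта будут перенаправляться на порт 443 сервера.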